Microsoft Baseline Security Analyzer 1.2.1 Frequently Asked Questions

 

As part of Microsoft’s continued commitment to security and to help with enterprise security compliance, Microsoft released MBSA 2.0 in July 2005 as a free standalone security update scan tool for Microsoft products.

Based on Microsoft Update and Windows Server Update Services (WSUS) technologies, MBSA 2.0 provides customers with authoritative security results consistent with Microsoft Update and WSUS, provides support for 64-bit and XP Embedded operating systems and includes dynamic support for new Microsoft products as they are released. Customers who meet the WSUS baseline of the latest supported products (found here) should already be using MBSA 2.0 in their environments.

For customers using legacy products not supported by MBSA 2.0, Microsoft Update and WSUS, Microsoft is working with partners to provide a new legacy support tool to be released in the future. Like MBSA scan tools, this new legacy scan tool will be provided to Microsoft customers at no charge.

For customers who may be using products that are not supported by WSUS, Microsoft encourages customers to use the earlier MBSA 1.2.1 tool combined with the Enterprise Scan Tool to obtain comprehensive security update detection until this new legacy scan tool is released.

In order to ensure customers have sufficient time for testing and migration, Microsoft will continue to support the MBSA 1.2.1 tool for legacy security update detection for at least six months after the new legacy security update tool is made available.

Microsoft expects delivery of this new legacy scan tool in Q1 of 2007.


Q. Does MBSA still support NT?

A. Microsoft ended Windows NT support December 31, 2004. However, the ability for MBSA 1.2.x to detect security updates on the NT platform has not been removed. Published updates for Windows NT have not been removed from mssecure.xml. Furthermore, MBSA 1.2.x will continue to scan for IIS 4.0, SQL and NT security mis-configurations in an unsupported manner. The next version of MBSA will not offer security update detection or security configuration assessment for the NT platform. Please refer to http://support.microsoft.com/lifecycle/ for more information.

Q. How can I use MBSA in an offline or secure environment that may require proxy authentication?

A. You can manually download the signed English mssecure.cab file used for the security updates check in MBSA V1.2.1 from the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=18922. Place the downloaded CAB file in the MBSA installation folder.

The localized mssecure.cab files can be manually downloaded from the following locations:

These are the only supported locations where the signed mssecure.cab files can be downloaded for offline use.

Scanning for Microsoft Office product updates (local computer scans only) uses a somewhat different procedure in order to download the needed files:

  • Download INVCIF.EXE from http://go.microsoft.com/fwlink/?linkid=18842 and
    INVCM.EXE from http://go.microsoft.com/fwlink/?linkid=18452
  • Run INVCIF.EXE, answer Yes to install the Office Update Inventory Tool, read the EULA and agree to its terms, and specify a local directory to expand the contents into (for example, C:\TEMP\OfficeUpd). This will create multiple files, including PatchData.XML and InventoryCatalog.HTML, as well as a directory named CIFS. A file called PUIDS.CIF will be extracted into the CIFS directory.
  • Run INVCM.EXE, answer Yes to install the Office Update Inventory Tool, read the EULA and agree to its terms, and specify a local directory to expand the contents into (for example, C:\TEMP\OfficeUpd). This will create multiple files, including inventory.exe, convert.exe, and OUDetect.dll, which are required for scanning.
  • Copy all the files and directories in C:\TEMP\OfficeUpd into the C:\Microsoft Baseline Security Analyzer\OfficeUpd directory on the scanning machine. If you are prompted to overwrite existing files, click “Yes”.

At this point, run MBSA from the desktop icon or Start menu, or open a command prompt in the C:\Microsoft Baseline Security Analyzer folder and use mbsacli.exe. The files you just obtained will be used, although the tool will still attempt to obtain them from the Internet, which may lead to a timeout before the scan takes place using the local files.

Note: When manually downloading the files, users should re-download on a regular basis, to ensure the most recent releases by Microsoft are used in their computer scans. Microsoft releases updated versions of the files when new security bulletins are issued or updated.
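A pre-scan check for the offline procedure above, as an added example that is not part of the original FAQ or of MBSA: it confirms that the manually downloaded files named in the steps are present under the MBSA installation folder and flags any whose last-modified time is older than a chosen age. The function name and the 30-day threshold are assumptions, and the check does not validate the CAB file's signature.

```python
import sys
import time
from pathlib import Path

# File names are the ones this FAQ lists; the layout follows its copy steps
# (mssecure.cab in the MBSA folder, Office files under its OfficeUpd directory).
CATALOG = "mssecure.cab"
OFFICE_FILES = [
    "PatchData.XML",
    "InventoryCatalog.HTML",
    "CIFS/PUIDS.CIF",
    "inventory.exe",
    "convert.exe",
    "OUDetect.dll",
]


def check_offline_files(mbsa_dir, max_age_days=30, now=None):
    """Return a list of problems; an empty list means the file set looks usable.

    max_age_days is an assumed threshold: the FAQ only says to re-download
    "on a regular basis". Age is taken from each file's last-modified time.
    """
    now = time.time() if now is None else now
    root = Path(mbsa_dir)
    required = [root / CATALOG] + [root / "OfficeUpd" / f for f in OFFICE_FILES]
    problems = []
    for path in required:
        rel = path.relative_to(root).as_posix()
        if not path.is_file():
            problems.append(f"missing: {rel}")
            continue
        info = path.stat()
        if info.st_size == 0:
            # A zero-byte file usually means an interrupted download or copy.
            problems.append(f"empty: {rel}")
            continue
        age_days = (now - info.st_mtime) / 86400
        if age_days > max_age_days:
            problems.append(f"stale ({int(age_days)} days old): {rel}")
    return problems


if __name__ == "__main__":
    # Usage: python check_offline.py "C:\Microsoft Baseline Security Analyzer"
    found = check_offline_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

A non-zero exit status lets a scheduled job skip the scan instead of reporting against an incomplete or outdated file set.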


Q. Are there any restrictions on how the MBSA detection catalog (mssecure.xml) can be used by non-Microsoft tools?

A. Yes, the following constraints must be observed for the MBSA detection catalog:

The data in the file represents the intellectual property of Microsoft and is copyrighted by Microsoft. Making modifications to the data in any way can lead to incorrect or inconsistent detection of missing updates and could place our customers at risk. Changes to the file schema and data may be implemented by Microsoft at any time. The data in the detection catalog may also be obtained from the KB articles and bulletins for each update, as well as from external sources. Data may be omitted from the file for certain bulletins for technical reasons. Which data are present or absent in the file should not be interpreted to have any significance outside MBSA update detection. Information in the file is based on released packages at the download center for Microsoft security updates / bulletins only, and it is common for there to be newer, non-security updates that may not have file details added to the catalog, such as for hotfixes.

Use of the catalog (mssecure.xml) outside MBSA is not supported. In addition, errors or missing data in the XML file will only be corrected if they impact an MBSA supported scenario. Technical questions are not answered by Product Support, but on a case by case basis commercially reasonable (best effort) help may be provided. The file itself must not be redistributed with another non-Microsoft product. Aside from being a violation of Microsoft's copyright, if the file becomes stale and is not updated regularly, computers could be scanned using old information and critical security updates not detected. MBSA is designed to automatically download the latest version of this file every time MBSA is used. In addition to the detection catalog, MBSA itself may not be redistributed or integrated with other non-Microsoft products.

Q. What versions of MBSA are supported?

A. Microsoft currently supports MBSA 1.2.1 and MBSA 2.0.1. MBSA 1.2.1 will be supported until six months after the MBSA 2.0 gap tool is released (see the MBSA home page for details). MBSA 2.0.1 is fully supported by Microsoft Product Support Services (PSS) and through the MBSA newsgroup available at:
News server: Msnews.microsoft.com
Newsgroup: Microsoft.public.security.baseline_analyzer

Q. Do I need to uninstall MBSA 1.2 before installing MBSA 1.2.1?

A. No, MBSA 1.2.1 will automatically uninstall any previous version of MBSA before installing MBSA 1.2.1.

Q. Does MBSA support 64-bit Windows?

A. MBSA 1.2.1 does not support 64-bit products, components, or platforms for either security update or vulnerability assessment checks. Even though MBSA 1.2.1 may provide results, they may not be accurate on 64-bit platforms. Customers should upgrade to MBSA 2.0 to obtain complete security update (patch) detection for 64-bit platforms. MBSA 2.0.1 vulnerability assessment checks are still limited to 32-bit only (see the MBSA 2.0 FAQ for details).

Q. What is the current version of MBSA? Why do I see conflicting version numbering in the product?

A. The latest version of MBSA is version 2.0.1 – which is also referred to as 2.0.6706.0 on some screens and in the “About Microsoft Baseline Security Analyzer” link. If you are running MBSA 1.2, you will see a message that a new version (MBSA 2.0) is available.

Q. What settings are required for a successful remote scan of a Windows XP SP2 machine?

A. This is addressed in the "readme.html" file in the "Help" directory under the "#firewall" section. If you require remote scanning of Windows XP Service Pack 2 machines, these conditions must be met:

  • The Server service, Remote Registry service, and File & Print Sharing services must be enabled.
  • Remote machine scans are performed using TCP ports 139 and 445. In a multi-domain environment, where a firewall or filtering router separates the two networks, TCP ports 139 and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote network being scanned. You must allow these ports on the remote Windows Firewall.

Q. What operating systems are supported in MBSA V1.2.1?

A. MBSA can be installed and run locally on Microsoft Windows 2000 Server, Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional, and Windows Server 2003. The tool can be run remotely over the network against Windows 2000 Server, Windows 2000 Workstation, Windows XP Professional, and Windows Server 2003. Windows XP Professional should be joined to a domain for MBSA to scan it remotely. Otherwise, the Local Security Setting must be set to "Classic - local users authenticate as themselves" and simple file sharing must be disabled before a standalone Windows XP Professional machine can be scanned remotely. Running MBSA against Windows NT, 95, 98, ME, or Windows Vista systems is not supported locally or remotely.

Q. What applications/programs does MBSA scan?

A. MBSA V1.2.1 scans for security misconfigurations in Windows 2000, Windows XP, Windows Server 2003, Microsoft Internet Information Services (IIS) 4.0, 5.0, and 6.0, Microsoft Internet Explorer (IE) 5.01 and 6.0, Microsoft SQL Server 7.0 and 2000, and Microsoft Office 2000, XP, and 2003.

The following can be scanned for missing security updates (X = supported, - = not supported):

Product                                                         MBSA V1.1.1  MBSA V1.2.1
--------------------------------------------------------------  -----------  -----------
Windows 2000                                                    X            X
Windows XP                                                      X            X
Windows Server 2003                                             X            X
Internet Explorer 5.01 and 6.0                                  X            X
Windows Media Player 6.4 and later                              X            X
IIS 4.0, 5.0, 5.1, and 6.0                                      X            X
SQL Server 7.0 and 2000 (including Microsoft Data Engine)       X            X
Exchange 5.5 and 2000 (including Exchange Admin Tools)          X            X
Exchange Server 2003                                            -            X
Microsoft Office (local scan only; see list of products)        -            X
Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7, and 2.8  -            X
Microsoft Virtual Machine                                       -            X
MSXML 2.5, 2.6, 3.0, and 4.0                                    -            X
BizTalk Server 2000, 2002, and 2004                             -            X
Commerce Server 2000 and 2002                                   -            X
Content Management Server (CMS) 2001 and 2002                   -            X
Host Integration Server (HIS) 2000, 2004, and SNA Server 4.0    -            X

Note: For products that are not installed on a scanned machine, MBSA V1.2.1 will not perform the security updates check for those products and will not list them in the Security Update Scan Results table in the report.

MBSA currently does not detect security updates for products that are not included in the list above, including Front Page Server Extensions, Outlook Express, .NET Framework, Internet Explorer 7, and others (see KB 895660, http://support.microsoft.com/kb/895660, for a complete list). MBSA also does not support being installed on or scanning against the Windows Embedded family of products or 64-bit systems.

Q. What languages are supported by MBSA V1.2.1?

A. MBSA V1.2.1 is available in the following languages: English, German, Japanese, and French. As of April 15, 2004, the mssecure.xml file is localized to these four languages and will be automatically downloaded and used by the tool when a German, Japanese, or French machine is scanned. If the localized mssecure.xml files cannot be downloaded, MBSA will still scan non-English machines by using the English mssecure.xml file and disabling checksum checks during the security updates portion of the scan.

Q. Where are the MBSA security reports located?

A. The security reports, by default, are stored as XML files in: %userprofile%\SecurityScans.

Q. Why am I getting incorrect security update reports from MBSA even after I install updates flagged in the scan results?

A. Some security updates issued by Microsoft contain warnings or workarounds for items that the tools cannot easily scan, such as MS99-041, which did not include a patch, but rather a tool for users to modify a specific service on their systems. These types of security bulletins are referred to as "note" or "warning" messages. By default, HFNetChk will display these "note" and "warning" messages, unless the -s switch is used to suppress these messages. MBSA will also show "note" messages by default, and they are marked with blue asterisks in the scan reports to indicate that the tool could not confirm if the security bulletin fix was applied. Even after users apply a specific "note" security update, the tool will continue to include these security bulletins in the scan results. For more information on "note" messages, please see the following KB article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460&sd=tech.

In addition, users may see certain updates flagged as having greater file versions than expected (noted by yellow X's in the scan report). These warning messages are a result of files being updated by non-security related updates after a previous security-related update was applied to the system. MBSA V1.2.1 addresses many of these cases through its use of alternate file versions, which allows multiple sets of file details to be checked for a particular security update. This set of file details can cover both files from security updates as well as files from non-security updates.

Q. Why am I getting conflicting results between MBSA and Windows Update?

A. MBSA and Windows Update (WU) analyze systems in different ways. WU for instance only carries critical updates for the Windows operating system, whereas MBSA will report missing security updates for the Windows operating system and other Microsoft products such as SQL Server.

There are also cases where security updates are re-released, such as MS02-008 and MS02-009. MBSA will always ensure that you have the latest version of the update installed on your system. If you have the original version of the MS02-008 or MS02-009 update, MBSA will indicate that the update is not installed, since a newer release is available. However, Windows Update may not indicate that a newer version is available since it may be looking for different elements on the system to identify if this update is present or not. Microsoft is working to resolve this inconsistency so that MBSA, Windows Update, Microsoft Software Update Services, and SMS security patch management will all use the same rules for determining the presence of an update on Windows systems. This will ensure consistency for all customers with the tool that best meets their needs. In the meantime, users are encouraged to view the security bulletin for those updates that they may have installed in the past that MBSA reports as missing to ensure they indeed have the most recent version.

Q. Why does MBSA sometimes indicate my computer is compliant when other tools say it is not?

A. Some updates replace files that are currently in use by Windows. Some files are loaded into memory during the initial startup of Windows and are not reloaded until the next restart. Since MBSA checks the files on disk, it will report that the update is installed even though it is not effective until the next restart. Therefore, regardless of the tools used, we recommend the use of robust update deployment tools as part of a holistic security management strategy. Tools such as SMS, SUS, and many 3rd party products are able to track and enforce the reboot requirements of updates.

Q. How do I interpret the scores in MBSA scan reports?

A. MBSA displays different icons in the report score columns depending on whether a vulnerability was found on the scanned machine. For the system configuration checks, a red X is used when a critical check failed (e.g., a security update is missing, a user has a blank password). A yellow X is used when a non-critical check failed (e.g., an account has a non-expiring password). A green checkmark is used when a check passes (no issue was found for that particular check). A blue asterisk is used for best practice checks (e.g., checking if auditing is enabled), and a blue informational icon is used for checks that simply provide information about the machine being scanned (e.g., the operating system version of the scanned machine).

For the security update checks, a red X is used when MBSA confirms a security update is missing on the scanned machine. A yellow X is used for warning messages (e.g., machine does not have the latest Service Pack), and a blue asterisk is used for note messages (e.g., security updates that cannot be confirmed as installed on the machine). Scores currently cannot be changed or reassigned for system configuration checks; however, users can suppress notes and warnings from being displayed using the -s option (in mbsacli.exe /hf and mbsacli.exe), and can suppress individual security updates from being displayed in the scan reports using the -fq option (in mbsacli.exe /hf).

Q. Why do I receive "Connection to IIS Base Admin COM object could not be established" when I try to scan IIS?

A. This error may appear when the version of IIS being scanned (on the target machine) is a higher version than on the machine that is running MBSA. This may also indicate that the IIS Common Files are not installed on the machine initiating the scan. If error code (0X80070005) is returned, it indicates access was denied by the remote IIS machine. This can occur when a remote machine running IIS is authenticated to via "net use" and scanned; and since the "net use" connection does not provide authorization for IIS administration, the calls to the remote IIS machine fail with "access denied". For more information, please see the Systems Requirements section in the readme.html file (installed with MBSA) or in the MBSA help file (linked to in the left hand pane of the tool GUI). Note that the IIS 6.0 Common Files are required on the local machine when remotely scanning an IIS 6.0 server.

Q. Why aren't blank passwords on Windows XP Home Edition flagged?

A. MBSA will not flag local user accounts with blank passwords for Windows XP machines that use simple file sharing (includes Windows XP Home Edition and Windows XP Professional machines not joined to a domain that have simple file sharing enabled). These machines by default do not allow accounts with blank passwords to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen.

Q. Did MBSA replace the Microsoft Personal Security Advisor (MPSA)?

A. Yes, MBSA replaced MPSA. MBSA is a superset of the Microsoft Personal Security Advisor (MPSA) tool as it includes all former MPSA checks. MBSA performs additional application checks (e.g., IIS, SQL) and can be used to scan both servers and workstations, locally and remotely over the network.

Q. Does MBSA replace HFNetChk?

A. MBSA V1.2.1 exposes HFNetChk switches through the MBSA command line interface (mbsacli.exe). The MBSA command line interface can be used to perform both MBSA scans (system configuration and security update checks) via mbsacli.exe as well as HFNetChk scans (security update checks only) via mbsacli.exe /hf.

Q. How do I use MBSA V1.2.1 to perform an HFNetChk-style scan?

A. Users familiar with the standalone HFNetChk tool can use MBSA V1.2.1 to perform the same type of scan. The MBSA V1.2.1 command line interface has a flag (/hf) to indicate an HFNetChk-style scan. Users can call "mbsacli.exe /hf" followed by a valid HFNetChk switch after the /hf flag. For those users who have scripts that call "hfnetchk.exe", they can simply replace this with "mbsacli.exe /hf" followed by a valid HFNetChk flag(s).

Q. What are the advantages of MBSA over HFNetChk?

A. MBSA is a superset of the HFNetChk technology. Whereas HFNetChk only deals with security updates and service packs, MBSA provides an easy-to-use interface and additional capabilities. These capabilities include examining Windows desktops and servers for common security best practices such as strong passwords, scanning servers running IIS and SQL Server for common security misconfigurations, and checking for misconfigured security zone settings in Microsoft Office and Internet Explorer. Since the release of MBSA V1.1, users can now use one tool versus two separate tools to scan for missing security updates as well as misconfigured system settings.

Q. Is the mssecure.xml file documented and/or supported by Microsoft?

A. The mssecure.xml file is only supported by Microsoft when used with MBSA or the SMS Feature Pack. Microsoft may make changes to this file schema based on new MBSA and SMS features, and therefore does not document the schema for use by other tools.

Q. What version of mssecure.xml is downloaded when I use MBSA?

A. MBSA will download the mssecure.cab file that matches the language of the machine(s) being scanned and extract the localized xml file for use in the scan. For example, if a user is remotely scanning a Japanese Windows machine, MBSA will attempt to download the Japanese mssecure.cab file to use in the remote scan. If a combination of non-English machines are scanned, MBSA will download the mssecure file that matches the machine language scanned as it encounters the machine in the scan. All localized builds of MBSA will fall back to downloading and using the English mssecure.cab file (with checksum checks disabled if scanning a non-English machine) if the matching localized mssecure file is not available. Security update data will be displayed in MBSA in the language that matches the mssecure.cab file language. For instance, if a user is running German MBSA on a French Windows machine and remotely scans a French machine, the scan results will be displayed in German (due to German MBSA being used), except for the information provided by the scanned system (e.g., dates, filenames) or taken from mssecure.xml, which will be in French.

Q. What are the required services and ports needed to run MBSA?

A. The required services are listed under the System Requirements section of the readme.html file (installed with MBSA) and in the MBSA help file (linked to in the left hand pane of the tool GUI). The mssecure.cab files are downloaded from the Microsoft Download Center over HTTP. Remote machine scans are performed using TCP ports 139 and 445. In a multi-domain environment, where a firewall or filtering router separates the two networks, TCP ports 139 and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote network being scanned.

Q. How does MBSA V1.2.1 work with Software Update Services (SUS)?

A. MBSA V1.2.1 provides support for performing the security updates portion of a scan against a local SUS server. Users can select this option in the MBSA UI or in the MBSA command line interface. This portion of the scan will then be performed against the list of approved security updates on the local SUS server, rather than against the complete list of available security updates listed in the mssecure.xml file downloaded by the tool at runtime. Note that all security updates that are checked as approved in the SUS UI, including those updates that have been superseded, will be scanned and reported by MBSA.

Q. How does MBSA work with the Systems Management Server (SMS)?

A. The SMS 2.0 Software Update Services Feature Pack or SMS 2003 provide enterprise customers with a security patch management solution for Windows 2000, and Windows XP clients. SMS uses MBSA technology to carry out automated, ongoing scans of client computers for installed or applicable security updates. This data is converted to and included in the Systems Management Server inventory information, and can also be viewed from a central point through web-based reporting. System administrators can select and import the latest Windows updates directly from Microsoft for distribution using Systems Management Server. For more information please see: http://www.microsoft.com/smserver/evaluation/overview/featurepacks/default.mspx (for SMS 2.0) or http://www.microsoft.com/smserver/evaluation/capabilities/patch.mspx (for SMS 2003). Users who are using SMS to handle their security scanning do not need to upgrade to MBSA 1.2.1 as there is no change to the security update scanning logic between MBSA 1.2 and MBSA 1.2.1.

Q. Why doesn't MBSA support DNS computer or domain names?

A. MBSA accepts NetBIOS computer and domain names and does not accept DNS computer or domain names (fully qualified domain names). MBSA accepts NetBIOS domain names and computer names in the format of domain\computername or workgroup\computername.

Q. How many machines can MBSA scan simultaneously?

A. MBSA (GUI and CLI) can scan up to 10,000 machines at a time. When scanning a domain or network with more than 10,000 machines, multiple scans will have to be performed against 10,000 machines at a time. If mbsacli.exe is used with the -fh switch (to input a text file with NetBIOS machine names to scan) or the -fip switch (to input a text file with IP addresses to scan), there is a maximum of 256 machine names and IP addresses that can be specified for each scan.
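The NetBIOS-only naming rule and the 256-entry limit for -fh and -fip input files described in the two answers above can be applied to a host inventory before a scan. This is an added example, not part of the original FAQ or of MBSA; the function names, output file names and sample hosts are assumptions.

```python
import ipaddress
from pathlib import Path

MAX_PER_FILE = 256            # per-scan limit the FAQ gives for -fh and -fip files
NETBIOS_MAX_LEN = 15          # NetBIOS computer names hold at most 15 characters
NETBIOS_BAD_CHARS = set('\\/:*?"<>|')


def classify(entry):
    """Return ('ip', addr), ('name', NAME) or ('rejected', reason) for one entry."""
    entry = entry.strip()
    try:
        return "ip", str(ipaddress.IPv4Address(entry))
    except ValueError:
        pass
    if "." in entry:
        # A dotted value that is not an IPv4 address is treated as a DNS name,
        # which the FAQ says MBSA does not accept.
        return "rejected", f"{entry}: DNS name, a NetBIOS name is required"
    if (not entry or len(entry) > NETBIOS_MAX_LEN
            or NETBIOS_BAD_CHARS & set(entry)
            or any(c.isspace() for c in entry)):
        return "rejected", f"{entry}: not a usable NetBIOS computer name"
    return "name", entry.upper()   # NetBIOS names are case-insensitive


def _chunks(items):
    return [items[i:i + MAX_PER_FILE] for i in range(0, len(items), MAX_PER_FILE)]


def build_batches(lines):
    """Split inventory lines into -fh (names) and -fip (IPs) batches of <= 256."""
    names, ips, rejected, seen = [], [], [], set()
    for line in lines:
        # Blank lines and '#' comments are skipped (a convention assumed here).
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kind, value = classify(line)
        if kind == "rejected":
            rejected.append(value)
        elif (kind, value) not in seen:
            seen.add((kind, value))
            (names if kind == "name" else ips).append(value)
    return {"fh": _chunks(names), "fip": _chunks(ips), "rejected": rejected}


def write_batches(batches, out_dir):
    """Write hosts_fh_NNN.txt / hosts_fip_NNN.txt (assumed names); return paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for switch in ("fh", "fip"):
        for n, batch in enumerate(batches[switch], start=1):
            path = out / f"hosts_{switch}_{n:03d}.txt"
            path.write_text("\n".join(batch) + "\n")
            paths.append(path)
    return paths


# Constructed sample inventory: mixed names, an FQDN, IPs and a duplicate.
SAMPLE = ["FILESRV01", "filesrv01", "web01.corp.example.com",
          "192.0.2.10", "192.0.2.11", "# lab machines", "LAB:PC1"]

if __name__ == "__main__":
    result = build_batches(SAMPLE)
    for reason in result["rejected"]:
        print("rejected:", reason)
    for p in write_batches(result, "mbsa_batches"):
        print("wrote", p)
```

Each output file is then supplied to mbsacli.exe with the -fh or -fip switch, one scan per file; rejected entries need a NetBIOS name or an IP address before they can be scanned.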

Q. Why do I receive a warning that the latest Internet Explorer 6.0 security update is missing even though I have Internet Explorer 7 installed?

A. MBSA 1.2.1 does not support Internet Explorer 7. This will cause MBSA 1.2.1 to report the latest Internet Explorer 6.0 security update as missing (not installed) even though the security update may not be applicable to a machine where Internet Explorer 7 is installed. This is also true for Internet Explorer vulnerability assessment (VA) checks, which may be likewise inaccurate once Internet Explorer 7 is installed. Customers should upgrade to MBSA 2.0.1 to obtain support for the latest Microsoft products, including Internet Explorer 7.

Q. Is MBSA supported by Microsoft?

A. Yes, the MBSA 1.2.1 tool is supported by Microsoft until six months after the release of the MBSA 2.0 gap tool. Customers are encouraged to update to MBSA 2.0.1 in advance of this release. Users can post technical questions on the public MBSA newsgroup at:

News server: Msnews.microsoft.com

Newsgroup: Microsoft.public.security.baseline_analyzer

Q. How can I submit questions or comments about MBSA?

A. There is a public newsgroup available for MBSA discussion at:

News server: Msnews.microsoft.com

Newsgroup: Microsoft.public.security.baseline_analyzer
