Scripting with the Microsoft Baseline Security Analyzer V1.2

Updated : July 1, 2005

Overview

The Microsoft Baseline Security Analyzer (MBSA) is a tool that allows users to scan one or more Windows-based computers for common security misconfigurations. MBSA will scan a Windows-based computer and check the operating system and other installed components, such as Internet Information Services (IIS) and SQL Server™, for security misconfigurations and whether or not they are up-to-date with respect to recommended security updates.  This document provides guidance on the Microsoft Baseline Security Analyzer sample scripts, which demonstrate how to extend the capability of MBSA into a greater level of scale and reporting.  Sample scripts are provided on an as-is basis.  These samples use the XML reports generated by MBSA 1.2 only.  The schema of those reports is not documented or supported by Microsoft except for use with MBSA.  Microsoft may make changes to this schema without notice.

Use this document with the associated sample script download.

Background

MBSA generates individual reports in XML format, but only supports viewing them individually—there is no built-in dashboard or summarization of the results.  In addition, there are limitations in the number of hosts MBSA can scan in batch-mode where computer names or IP addresses are read from an input file (/fh and /fip options.)  Another limitation is the requirement to be a local administrator in order to scan the local computer.

For each of these cases, there are some great alternatives to broaden the capabilities of MBSA using scripting.  This document provides example command lines, and the sample scripts needed to resolve many of these limitations.  Because they are samples, you may adapt them for your needs and extend their functionality.

Frequently Asked Questions

Q: Who will use these reports (administrators, users, management)?

A: Users will benefit by being able to check their computer’s compliance levels without needing to be a local administrator (subject to how recently the administrator has scanned the computer remotely.)  Administrators benefit from being able to establish more robust models for scanning, scanning more computers, and integrating the results into other solutions.  Management will benefit from having access to an easy to use dashboard of the results, showing each item and the level of compliance as a percentage.

Q: What problems or limitations do these scripts help with?

A: BatchScan.js demonstrates how to bypass the limitation on the number of IP addresses or hosts that are supported by the /fh and /fip parameters of mbsacli.exe, as well as the limitation of a single computer only when using the /c parameter of an MBSA style scan.  Rollup.js demonstrates how to combine the individual reports into a consolidated summary of each bulletin or check.  Finally, Rollup.xslt demonstrates how to present the summary in an easy to use view and drill down to specific computers and compliance levels.

Q: How can these reports be used to make an organization more secure?

A: By allowing you to filter on just those checks or bulletins you are interested in, and to see a summary view of the whole organization, you will be able to isolate more quickly the computers in the environment that pose the greatest risk.  For a given vulnerability, a quick button click will list the computers that are out of compliance.

Q: What can I do to customize these scripts and reports?

A: The command line parameters allow you to select one or more bulletins or check IDs, so just by changing the command line you can control the scope of the data to be summarized / reported on.  If you are familiar with XSLT and XML, you can also do more interesting integration with other solutions, such as doing a conversion of the XML reports into the SMS 2.0 and SMS 2003 MIF text file format and create a custom group class in the SMS database for centralized SQL reporting and enhanced security management.  Another example would be to insert into the summary XML file any locally administered identifiers along with the bulletin—such as the change request ID used during the deployment of a particular bulletin.

Q: What do these scripts do?

A: Sample #1 demonstrates how you can perform a two-phase scan.  Phase 1 uses local administrative rights to push the resulting report back to each scanned computer; Phase 2 allows the local user of the scanned computer to view their report without needing to be a local administrator.  Sample #2 shows you how you can scan an unlimited number of target computers using a text file as input.  Sample #3 shows you how you can easily summarize the results into easy-to-use dashboards showing percentages and overall metrics of compliance.

Getting Started

In this document, you’ll find three samples that illustrate the scripting opportunities.  Before using the samples, there are a few things to do.  First, make sure you have installed MBSA 1.2 into the default installation folder (C:\Program files\Microsoft Baseline Security Analyzer) of the local computer.  The BatchScan.js sample uses this location during the scanning process.  Next, be sure you have obtained the script files from the download center and installed them into a folder on your computer, such as C:\MBSASamples.  Based on the command lines included in each section of this document, you should create batch files using notepad.exe or an appropriate editor.

Be sure to refer to the section Valid Check Identifiers, because it provides a list of the identification numbers for each check, along with the name of the check as it appears in the MBSA user interface.

Sample #1

This sample is based upon the need to perform two phases of scanning: 1) the first phase performs the scan and updates the target computers with the results; 2) the next phase is when the user of the computer needs to check the compliance of their computer but they do not have the local administrative rights to do so.  There are several assumptions about this, the first being that there could be many computers in the list of computers to be scanned (please refer to Sample #2 for this case).  The next assumption is that each computer may have more than one user.  Sample #1 does not provide a means to update more than one user profile with the scan results.  Additional scripting would be needed in order for the first phase of scanning to copy the report into each user profile, but should not be difficult.  Before running this sample, be sure to review the command line options being used, and consult the product documentation for their specific meaning.  The sample has limited the checks performed by MBSA to just the security update compliance in order to reduce the amount of time spent doing the scanning.  Also, use the /sus option if you use SUS 1.0 and need to suppress results for non-approved updates (updates that are not approved by the administrator of the SUS server.)

ScanDemo.bat: Perform the first phase of scanning, and copy the results back to the user profile for later viewing.

rem Scan the local computer (security update checks only) and copy the report
rem into the user's profile so it can be viewed later without admin rights.
set cname=%computername%
set uname=%username%
rem Remove any previous report so the rollup only ever sees the newest one.
del "%userprofile%\SecurityScans\%cname%.xml"
"C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe" /nvc /nosum /c %cname% /n IIS+OS+SQL+Password /o %cname%
copy "%userprofile%\SecurityScans\%cname%.xml" "\\%cname%\c$\Documents and Settings\%uname%\SecurityScans\"

ViewingDemo.bat: Users who are not local administrators may view the compliance report (consider giving them a desktop shortcut to make this easy.)

"C:\Program Files\Microsoft Baseline Security Analyzer\mbsa.exe" %computername%


Sample #2

This demonstrates how to scan an unlimited number of computers or IP addresses from an input file.  Just create a file in notepad and place any number of hosts or IP addresses in the file.  Of course, an SMS or LDAP query could also be used to populate the txt file from an SMS collection or an AD container respectively.  Be sure to review BatchScan.js regarding the use of a txt file that is encoded as UNICODE, as the sample may require modification based on the encoding of the output stream from your editor or other means of creating the file.

BatchScanDemo.bat:

cscript BatchScan.js /c listfile.txt

Sample #3

This sample is the key aspect of the samples, because it provides a reporting capability and can leverage the results from Sample #2 to roll up an unlimited number of reports.  By placing the check IDs or bulletin IDs on the command line, the script allows you to look for just specific items.  When complete, open the resulting XML file in the browser and notice the “>>” and “<<” buttons for viewing specific computers.  Finally, go to Excel and create an XML Data Source and use that to create a PivotChart.  Excel can then be used to generate a pie chart of the results.  Be sure to include the /nologo command line parameter as shown in these examples.

The files IE-Rollup.XML and Patch-Rollup.XML are provided so you can explore the behaviors without needing to have your own reports or wait for the rollup to be performed.  Just open them in the browser (ensure Rollup.xslt is in the same folder.)

SingleCheckRollupDemo.bat:

cscript.exe /nologo rollup.js -c 179 >SingleCheckRollupDemo.xml

SinglePatchRollupDemo.bat:

cscript.exe /nologo rollup.js -b MS03-043 >SinglePatchRollupDemo.xml

MultiCheckRollupDemo.bat: Provides all the check IDs in a single command line for you to easily use.

cscript.exe /nologo rollup.js -c 101 102 104 106 107 110 115 117 118 119 ^
121 122 123 124 126 127 174 176 177 178 179 201 203 204 205 206 207 ^
212 213 215 216 217 218 219 301 302 307 308 309 311 314 315 316 415 ^
416 417 418 419 420 421 422 423 >MultiCheckRollupDemo.xml


MultiPatchRollupDemo.bat: Provides bulletin IDs in a single command line that you can easily use.  These are only the bulletins having a maximum severity rating of critical; there are other bulletins beyond this list.

cscript.exe /nologo rollup.js -b MS01-055 MS01-056 MS01-058 MS01-059 ^
MS02-005 MS02-008 MS02-009 MS02-010 MS02-013 MS02-015 MS02-018 ^
MS02-019 MS02-022 MS02-023 MS02-024 MS02-025 MS02-027 MS02-028 ^
MS02-029 MS02-032 MS02-033 MS02-039 MS02-040 MS02-041 MS02-042 ^
MS02-044 MS02-047 MS02-048 MS02-052 MS02-053 MS02-055 MS02-056 ^
MS02-058 MS02-061 MS02-063 MS02-065 MS02-066 MS02-068 MS02-069 ^
MS02-072 MS03-001 MS03-004 MS03-006 MS03-007 MS03-008 MS03-011 ^
MS03-014 MS03-015 MS03-017 MS03-020 MS03-023 MS03-026 MS03-030 ^
MS03-032 MS03-037 MS03-039 MS03-040 MS03-041 MS03-042 MS03-043 ^
MS03-044 MS03-046 MS03-048 MS03-049 MS03-051 MS04-001 MS04-004 ^
MS04-007 >MultiPatchRollupDemo.xml


GroupIDRollupDemo.bat: Demonstrates how to use a group-level check ID and summarize results for the group, such as “MDAC Security Updates.”

cscript.exe /nologo rollup.js -c 415 >GroupIDRollupDemo.xml


Note: when using Sample #3, it is important to recognize the following potential issues:

  1. If the SecurityScans folder contains more than one report from a given computer, the older reports from that computer will be included in the summary data.  For this reason, it is best to move all reports to an archive location each time a new scan is initiated.  This will ensure that for each computer being scanned, there will be only one report (the most recent report.)

  2. If a particular bulletin or check is being rolled up, it is possible the item does not exist in the report for one or more computers.  If an item does not exist for a computer, it is considered to be “passed” that check.  For example, searching for MS04-004 within a set of reports that were created in Jan ’04 would indicate that all the computers passed the MS04-004 check.  The problem is that MS04-004 was not released until Feb ’04, so at the time the scans were performed the vulnerability could not be scanned for.  Be sure that the set of reports you are rolling up are based on a version of the update catalog (MSSecure.XML) which was known to include the bulletin you are interested in.

  3. The rollup process may take some time to complete!  As you become familiar with these samples, use a small number of reports initially and get a sense for how long the scanning and rollup may take on your computer.  Also, the more items on the command line you include for rollup, the longer the rollup will take.
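Issue 2 above is the one most likely to produce a misleading dashboard, so here is an added example (Node.js, not the page's Rollup.js) of a rollup that reports an absent item as "not assessed" when the report's update catalog predates the bulletin, instead of silently counting it as passed.  The MBSA 1.2 XML schema is undocumented, so the report objects, the catalog date field, the bulletin release date and the computer names are all constructed for this example rather than read from real reports.

```javascript
// Added example (Node.js, not the page's Rollup.js): roll up one bulletin across
// a set of reports without counting "item absent" as "passed" for reports whose
// MSSecure.XML catalog could not yet have contained the bulletin.
// The report shape below is a constructed simplification, not the MBSA 1.2 schema.

// Constructed sample reports: "catalog" is the date of the MSSecure.XML used for
// the scan; "bulletins" holds only the items the scan actually reported on.
const SAMPLE_REPORTS = [
  { computer: "PC01", catalog: "2004-02-15", bulletins: { "MS04-004": "missing" } },
  { computer: "PC02", catalog: "2004-02-15", bulletins: { "MS04-004": "installed" } },
  { computer: "PC03", catalog: "2004-01-20", bulletins: {} },   // scanned in Jan '04
  { computer: "PC04", catalog: "2004-02-15", bulletins: {} },   // absent, catalog current
];

// Release date the caller supplies; the text says Feb '04, the exact day is an assumption.
const RELEASE_DATES = { "MS04-004": "2004-02-02" };

function classify(report, bulletin, releaseDate) {
  const status = report.bulletins[bulletin];
  if (status === "installed") return "passed";
  if (status === "missing") return "failed";
  // Absent from the report: passed only if the catalog could have listed it.
  return report.catalog >= releaseDate ? "passed" : "notAssessed";
}

function rollup(reports, bulletin, releaseDates = RELEASE_DATES) {
  const releaseDate = releaseDates[bulletin];
  if (!releaseDate) throw new Error("no release date known for " + bulletin);
  const out = { bulletin, passed: [], failed: [], notAssessed: [] };
  for (const r of reports) out[classify(r, bulletin, releaseDate)].push(r.computer);
  // Compliance is computed over assessed computers only; a naive "absent means
  // passed" rollup of the sample would report 75% instead of 67%.
  const assessed = out.passed.length + out.failed.length;
  out.compliancePercent = assessed ? Math.round((100 * out.passed.length) / assessed) : 0;
  return out;
}

function demo() {
  return rollup(SAMPLE_REPORTS, "MS04-004");
}
```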

Valid Check Identifiers

When using Sample #3, the only valid Check ID values are as indicated in this table.  The sample will extract the name for the resulting XML output automatically, but the ID must be used to designate the specific check desired for rollup.

Check ID   Check Name
101        Windows Version
102        File System
104        Local Account Password Test
106        Password Expiration
107        Windows Guest Account
110        Autologon
115        Windows Security Updates
117        Restrict Anonymous
118        IE Zones
119        Auditing
121        Shares
122        Administrators
123        Services
124        Macro Security
126        Windows Media Player Security Updates
127        Exchange Server Security Updates
174        Office Security Updates
176        IE Enhanced Security Configuration for Administrators
177        IE Enhanced Security Configuration for Non-Administrators
178        Internet Connection Firewall
179        Automatic Updates
201        IIS on Domain Controller Test
203        SQL Server/MSDE Security Mode
204        Sysadmin role members
205        Exposed SQL Server/MSDE Password
206        SQL Guest Account
207        CmdExec role
212        SQL Server/MSDE Security Updates
213        Registry Permissions
215        Sysadmins
216        Folder Permissions
217        SQL Server/MSDE Account Password Test
218        Service Accounts
219        SQL Server/MSDE Status
301        SQL on Domain Controller Test
302        IIS Security Updates
307        IIS Logging Enabled
308        Sample Applications
309        IISAdmin Virtual Directory
311        IIS Parent Paths
314        IIS Status
315        IIS Lockdown Tool
316        MSADC and Scripts Virtual Directories
415        MDAC Security Updates
416        Commerce Server Security Updates
417        MSXML Security Updates
418        Microsoft VM Security Updates
419        BizTalk Server Security Updates
420        Content Management Server Site Builder Security Updates
421        Content Management Server Security Updates
422        Host Integration Server Security Updates
423        Content Management Server Site Stager Security Updates