Another Layer of Defense… Microsoft Baseline Security Analyzer (MBSA)

Once installed, you can use the program via the GUI or the command line. The GUI is very straightforward, as there are only three options available (scan a computer, scan multiple computers, and view existing security reports).

At the conclusion of a scan, a report is produced that presents an overall assessment and a breakdown of each category analyzed. The score is broken down into four categories, which are depicted below.

• Green checkmark — check passed
• Yellow exclamation — check failed (non-critical)
• Red “X” — check failed (critical)
• Blue “I” — additional information

An additional benefit is that the program depicts what was scanned, the result details, and how to fix the problem. While MBSA shouldn’t be the only defense a user has on their system, it should definitely be in their arsenal.

When a scan is performed, the program reaches out to the Internet to get the latest information, in order to accurately depict the state of the system. There may be cases where an Internet connection is not feasible, and in that case you can use MBSA offline. The offline assessment would then only be able to provide the information it knows about as of the last time it scanned and had Internet access. To use MBSA offline yet still have updated information, you can air-gap a few files over to the system doing the scanning. The files needed to do an offline assessment are:

• Security update catalog (wsusscn2.cab), available from the Microsoft website: http://go.microsoft.com/fwlink/?LinkID=74689.
• Windows Update Redistribution Catalog (wuredist.cab) at http://update.microsoft.com/redist/wuredist.cab.
• Authorization catalog (muauth.cab) for Windows Update site access, available from the Microsoft website or by examining the contents of the wuredist.cab file at http://update.microsoft.com/redist/wuredist.cab.
• Windows Update Agent standalone installers (if not already installed). The latest versions are available by examining the contents of the wuredist.cab file at http://update.microsoft.com/redist/wuredist.cab.

After downloading the files from the Microsoft website, copy all files listed above to the following folder on the computer performing the security update scan:
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache

If the command line is your preference, below are the switches.

• MBSACLI [/target | /r | /d domain] [/n option] [/o file] [/qp] [/qe] [/qr] [/qt] [/listfile file] [/xmlout] [/wa | /wi] [/catalog file] [/nvc] [/ia] [/mu] [/nd] [/rd directory] [/?]
• MBSACLI [/l] [/ls] [/lr file] [/ld file] [/unicode] [/nvc] [/?]

Description: This is a command line interface for Microsoft Baseline Security Analyzer.

Parameter List:
/target domain\computer Scan named computer.
/target IP Scan named IP address.
/r IP-IP Scan named IP addresses range.
/listfile file Scan named IP address or computer listed in the specified file.
/d domain Scan named domain (use a NetBIOS-compatible domain name (Ex: MyDomain) instead of a Fully Qualified Domain Name (Ex: Mydomain.com)).
/n option Select which scans to NOT perform. All checks are performed by default. Valid values: “OS”, “SQL”, “IIS”, “Updates”, “Password”. Can be concatenated with “+” (no spaces).
/wa Show only updates approved on the WSUS server.
/wi Show all updates even if not approved on the WSUS server.
/nvc Do not check for a new version of MBSA.
/o filename Output XML file name template. Default: %D% – %C% (%T%).
/qp Do not display scan progress.
/qt Do not display the report by default following a single-computer scan.
/qe Do not display error list.
/qr Do not display report list.
/q Do not display any of the preceding items.
/unicode Output Unicode.
/u username Scan using the specified username.
/p password Scan using the specified password.
/catalog filename Specify the data source that contains the available security update information.
/ia Update the prerequisite Windows Update Agent components during a scan.
/mu Configure computers to use the Microsoft Update website for scanning.
/nd Do not download any files from the Microsoft website when scanning.
/xmlout Run in updates only mode using only mbsacli.exe and wusscan.dll. Only these switches can be used with this option: /catalog, /wa, /wi, /nvc, /unicode
/l List all reports available.
/ls List reports from the latest scan.
/lr filename Display overview report.
/ld filename Display detailed report.
/rd directory Save or Retrieve reports from the specified directory.
/? Display this help/usage.
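
The offline procedure and the switches above can be combined in one script. This is an added example, not code from the original article or from Microsoft: it checks that the air-gapped catalog files are present and validly signed before copying them into the cache, then runs a scan that downloads nothing. The source folder, the mbsacli.exe install path, and the 30-day staleness threshold are assumptions.

```powershell
# Added example: stage MBSA offline files from removable media, then scan with no Internet access.
param(
    [string]$Source  = 'E:\mbsa-offline',   # assumption: folder the downloaded files were carried over in
    [string]$Cache   = "$env:USERPROFILE\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache",
    [string]$MbsaCli = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe",  # assumption
    [string]$Target  = '127.0.0.1',
    [int]$MaxCatalogAgeDays = 30            # assumption: staleness threshold, adjust to policy
)
$ErrorActionPreference = 'Stop'

foreach ($name in 'wsusscn2.cab', 'wuredist.cab', 'muauth.cab') {
    $file = Join-Path $Source $name
    if (-not (Test-Path -LiteralPath $file)) { throw "Missing offline file: $file" }
    # Files that crossed the air gap are untrusted until their Authenticode signature validates.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${name}: $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer for ${name}: $($sig.SignerCertificate.Subject)"
    }
}

# An offline scan only knows about updates in the catalog it was given, so flag an old one.
# The file's last-write time is used here as an approximation of the catalog's age.
$age = (Get-Date) - (Get-Item -LiteralPath (Join-Path $Source 'wsusscn2.cab')).LastWriteTime
if ($age.TotalDays -gt $MaxCatalogAgeDays) {
    Write-Warning ("wsusscn2.cab is {0:N0} days old; missing-update results will be stale." -f $age.TotalDays)
}

# Copy everything (catalogs and any Windows Update Agent installers) into the MBSA cache.
New-Item -ItemType Directory -Path $Cache -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Cache -Force

# /nd: download nothing, /nvc: skip the MBSA version check, /qp: no progress output,
# /catalog: use the staged catalog as the source of security update information.
& $MbsaCli /target $Target /nd /nvc /qp /catalog (Join-Path $Cache 'wsusscn2.cab')
```

The signature check matters because removable media is the only path into the isolated machine; a catalog that fails validation should be downloaded again on the connected side instead of being copied into the cache.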