Carnegie Mellon School of Computer Science - Computing Facilities

The Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool for scanning your PC (or a PC on the network) for missing patches and a number of common security misconfigurations. It has a graphical interface and uses a custom version of HFNetChk as its back end. It replaces the Microsoft Personal Security Advisor tool. The MBSA itself runs only under Windows 2000 and XP, but it can remotely scan hosts running NT; people who need to run such a tool locally under NT will have to use HFNetChk instead.

The MBSA scans for missing hotfixes and security vulnerabilities in the following products:

  • Windows NT 4.0, Windows 2000, and Windows XP
  • All system services, including IIS 4.0 and 5.0
  • SQL Server 7.0 and 2000
  • Internet Explorer 5.01 and later

It also checks for various password problems and other security issues associated with those products, and it can identify missing hotfixes that Windows Update does not offer (for example, those for SQL Server or IIS).

People administering a PC, or installing software that Facilities does not support (such as SQL Server or IIS), are encouraged to run the MBSA on their PCs and follow the recommendations it gives. However, the MBSA's findings sometimes need interpretation, and there are a few things to be aware of when running it:

  • Be sure to read the warnings before you change the RestrictAnonymous setting; raising it can have side effects on domain browsing and authentication.
  • Blank passwords are flagged even on disabled accounts.
  • Accounts whose passwords never expire are flagged. This is not necessarily a security issue.
  • The tool lists the administrative shares (IPC$, ADMIN$, C$, and one for each additional drive letter). Please do not delete these particular shares if your host is in the SCS domain.
  • Services it flags as "unnecessary" may be depended upon by other services. Do not disable such a service without first confirming that nothing you want to run depends on it.
  • It flags custom Internet Explorer security-zone settings as a potential risk, regardless of how tight they may (or may not) be.
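The caveats above all come down to looking at the host's actual state before acting on a finding. The script below is an added example, not code from the SCS Facilities page or from Microsoft; it reads the settings behind four of those findings (RestrictAnonymous, the administrative shares plus domain membership, local accounts with disabled or non-expiring passwords, and the services that depend on one you are thinking of disabling) and changes nothing. It assumes an elevated PowerShell 3.0 or later session with the CIM cmdlets on the scanned host; the default service name `Spooler` is a placeholder for whichever service the MBSA flagged on your machine.

```powershell
<#
Added example: not from the SCS Facilities page or from the MBSA itself.
Reads the state behind four MBSA findings that need interpretation so you
can decide before changing anything. Run in an elevated PowerShell 3.0+
session on the scanned host; nothing here modifies the system.
The default service name 'Spooler' is only an assumed placeholder: pass
the service the MBSA flagged as "unnecessary" on your host.
#>
param(
    [string]$CandidateService = 'Spooler'   # assumed placeholder, see above
)

# 1. RestrictAnonymous: read the current value first. The MBSA warning is
#    about side effects (on Windows 2000 a value of 2 blocks all anonymous
#    access and can break domain browsing and trusts), so know where you
#    are before raising it.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra = if ($null -ne $lsa.RestrictAnonymous) { $lsa.RestrictAnonymous } else { 'not set (defaults to 0)' }
"RestrictAnonymous: $ra"

# 2. Administrative shares and domain membership. The page says to leave
#    IPC$, ADMIN$ and the drive shares alone on SCS-domain hosts, so report
#    both together. Win32_Share.Type has its high bit set for admin shares.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain-joined: $($cs.PartOfDomain)   Domain/workgroup: $($cs.Domain)"
Get-CimInstance -ClassName Win32_Share |
    Where-Object { ($_.Type -band 0x80000000) -ne 0 } |
    ForEach-Object { "Admin share: {0,-8} -> {1}" -f $_.Name, $_.Path }

# 3. Accounts the MBSA will flag: disabled accounts (blank passwords are
#    reported there too) and accounts whose passwords never expire. A
#    disabled account with a blank password is still worth fixing, but the
#    fix (delete it or set a password) is not to enable it.
Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
    ForEach-Object {
        "Account: {0,-20} disabled={1,-5} passwordExpires={2}" -f $_.Name, $_.Disabled, $_.PasswordExpires
    }

# 4. Before disabling an "unnecessary" service, list what depends on it.
#    Anything in this list stops (or fails to start) once the service is disabled.
$svc  = Get-Service -Name $CandidateService -ErrorAction Stop
$wmi  = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$CandidateService'"
"Service ${CandidateService}: status=$($svc.Status) startMode=$($wmi.StartMode)"
$dependents = @($svc.DependentServices)
if ($dependents.Count -eq 0) {
    "No services depend on $CandidateService; disabling it breaks no dependency."
} else {
    $dependents | ForEach-Object { "Depends on it: {0,-25} ({1})" -f $_.Name, $_.Status }
}
```

Run it as `.\mbsa-triage.ps1 -CandidateService <name>` (the file name is whatever you save it as) and compare the output with the MBSA report: a dependent service that is running, or a domain-joined host whose admin shares the report lists, is a finding to leave alone rather than "fix".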

The MBSA can be obtained from:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Please read the Help information that comes with the MBSA before running it, and refer to the documentation provided by the MBSA for information on how to correct problems that it finds. SCS Facilities does not provide support for this product.