I perform security assessments and am interested in using the Microsoft Baseline Security Analyzer (MBSA) security auditing tool. But MBSA performs only 12 checks against Windows security settings—it doesn't check such things as user rights, other audit policies besides logon auditing, file-system permissions, or registry key permissions. Can I configure MBSA to include these more detailed checks? I'd like to have MBSA scan my systems by using standard best-practice documents such as the National Security Agency (NSA) security recommendations (available at http://nsa2.www.conxion.com/index.html) as the scanning criteria. I realize that Security Configuration Manager (SCM) can perform these checks, but SCM can't produce a printed report, which I need to document my findings.
MBSA doesn't support user enhancement or configuration. However, you can use a free version of Pedestal Software's SecurityExpressions WebScan, which is available at http://www.pedestalsoftware.com/secexp/webscan/scan.htm. Using the same XML hotfix database that HFNetChck uses, SecurityExpressions WebScan can scan your computer for missing hotfixes, service packs, and other security-related updates from Microsoft. SecurityExpressions WebScan can also scan your computer by using the NSA security recommendations for Windows 2000 or the Windows NT 4.0 Server Baseline Security Checklist.
The scan produces a printable, easy-to-read report that includes instructions for fixing discovered problems. SecurityExpressions WebScan is based on an ActiveX component that you run from Pedestal Software's Web site; however, the component runs on your local computer and sends no information to Pedestal Software unless you optionally let the component return anonymous statistical information. You can scan the local computer or other computers on your network to which you have Administrator access.