Last week, I reported that Microsoft plans to release a new security-analysis tool, Microsoft Baseline Security Analyzer (MBSA), which Microsoft is codeveloping with Shavlik Technologies". Since then, I've spoken about the new tool with Lara Sosnosky, product manager at Microsoft, and Mark Shavlik, founder of Shavlik Technologies.
Sosnosky said that MBSA is essentially a superset of Microsoft Personal Security Advisor (MPSA), Microsoft's Web-based security scanner. MBSA will scan servers and remote systems and will also contain the functionality in Microsoft's existing security-analysis tool, HFNetChk, which scans for installed or missing hotfixes. (MBSA contains HFNetChk's compiled code.) The tool will ship as an executable that runs on local systems instead of from a Microsoft-hosted Web site.
Because MBSA is a superset of MPSA, you'll likely see MPSA's functionality in the MBSA tool. MPSA scans a workstation and reports on a wealth of security aspects, such as missing security patches and settings for a variety of system components. MPSA's list of checks (to be seen in MBSA) includes scans that relate to password strength and length parameters, Microsoft Internet Explorer (IE) and Microsoft Outlook Express security (including security zones), Microsoft Office macro protection, RAS Manager security, system auditing, file-system security, anonymous connections, automated logons, shares, Administrator group membership, and service parameters.
When scanning servers, MBSA will be able to inspect various services to some degree. For example, when inspecting a Microsoft SQL Server installation, MBSA will check whether the systems administrator account has a blank password, which users the SysAdmin group includes, and whether the default installation directory has properly set the ACLs. In another example, when MBSA scans a Microsoft IIS server, MBSA will check for installed sample applications. The list of checks performed against a server is more extensive, but these examples give you a basic idea of what to expect.
The first version of MBSA will ship as both a GUI-based and command-line-based tool, so you'll be able to run MBSA from batch files and use task schedulers to launch the tool. The initial MBSA release will have its various checks hard-coded, so the only control users will have over which checks MBSA performs will be to tell the tool whether to scan services and which services to scan. Users will define the services to scan through a text-based script file.
MBSA will run on Windows XP Professional, XP Home, Windows 2000 Server, and Win2K Workstation. The tool will scan all OSs (whether server or workstation versions) from Windows NT 4.0 through XP. The tool's reporting subsystem will produce XML-based output, and the GUI will render the XML into readable HTML for the user.
Shavlik said that after Microsoft releases MBSA, his company will release an updated version of its current EnterpriseInspector security scanner product. The updated EnterpriseInspector will have a look and feel similar to MBSA and will be compatible with MBSA's scanning ability. Shavlik said that EnterpriseInspector will become a superset of Microsoft's MBSA much as Shavlik's commercially available HFNetChkPro is a superset of Microsoft's free HFNetChk tool. Expect to see even more scanning functionality with EnterpriseInspector once Shavlik releases the updated version.
One advantage of the updated EnterpriseInspector product will be its use of a SQL Server 2000 back end, which Shavlik already includes in the current EnterpriseInspector version. By using a database server to store collected security information, EnterpriseInspector will let users perform more tailored scanning features and obtain better reporting styles. For example, EnterpriseInspector will be able to use the stored data to perform cross scans, such as listing the top-10 least-secured IIS or SQL servers. Advanced users will be able to define additional scanning parameters that will permit other types of customized scanning.
Microsoft and Shavlik have tentatively scheduled the release of both MBSA and the MBSA-compatible EnterpriseInspector for late March, but that time frame could slip. Release depends on debugging the code and coordinating the date-driven and version-dependent aspects of the tools as they relate to the various renditions of Microsoft products. I'll notify you when the tools become available.
