Using the Microsoft Baseline Security Analyzer

If you've been following the news about Microsoft security tools, you're probably aware that 6 weeks ago Microsoft released the Microsoft Baseline Security Analyzer (MBSA), which has received a fair amount of negative coverage in the press.

The gist of the complaints echoes what I wrote last year about the Microsoft Personal Security Advisor (MPSA) tool: The information the tool provides isn't as useful as it could be, and you need to understand what each reported entry means before you'll find the tool useful. The MBSA tool has replaced the MPSA, so the fact that it has similar problems isn't surprising because it uses the same design philosophy.

Most of the complaints stem from the fact that many of the security flaws that the tool finds appear on almost any computer. Given all the hype about security flaws in Microsoft OSs, the tool often makes computers appear to be more insecure than they are, and most users can't determine which reported exposures are important and which aren't.

For example, you can lock down Microsoft Internet Explorer (IE) so that it won't run any code it finds on any Web page, but if you haven't configured Internet zones, the MBSA tool will still send you a security alert. Do you have a security problem? Probably not. But if you don't completely understand what the tool is telling you, you'll probably start worrying. If you're a user in the corporate world who thinks you're being a good citizen by running this tool, you might start calling the IT Help desk to warn IT about all the security holes that the MBSA tool has discovered on your system. IT personnel have enough to do without having to calm users' unnecessary fears.

Nevertheless, I believe that the MBSA tool is very useful for systems administrators, especially those responsible for supporting client systems. The ability to scan multiple computers from a single console is one of the tool's useful features. On my small office/home office (SOHO) network of 12 computers, many of which I modify regularly when I'm doing research and testing, keeping track of each machine's security patches and configuration can be a pain. But I can use the MBSA tool to scan the entire domain or a specific IP address range. I generally don't scan the entire domain because the servers that I run for the network are in a known state. But for all the other systems, I simply tell the MBSA tool to scan the IP address range to, where I know all the client systems reside. The tool skips addresses that have no computer attached. (I did discover that the tool slows down if the requested range includes computers that aren't running supported Windows OSs—Windows XP, Windows 2000, or Windows NT 4.0.)

If you have the knowledge level of a good network administrator and you haven't tried the MBSA tool, it's worth a look. If the tool helps secure your network, it's well worth your time.
