As a reseller of computer hardware and software, you may occasionally have customers ask you to verify that their networks are secure. While verifying the security of an entire network is a huge undertaking, it is relatively easy to perform a check to make sure that servers and workstations have the latest security patches and adhere to Microsoft's security best practices. The tool of choice for doing so is the Microsoft Baseline Security Analyzer (MBSA).
You can download Microsoft Baseline Security Analyzer versions 2.0.1 and 2.1, currently in beta testing, from Microsoft. For the purposes of this article, I demonstrate version 2.1, because it is the only version of MBSA that is fully compatible with Windows Vista.
Downloading and installing MBSA version 2.1 is easy. The download is only 1.3 MB in size (at least for the current beta of the X86 version). Once the download completes, the installation process consists of little more than accepting the end-user license agreement and verifying the installation path.
When you finish installing Microsoft Baseline Security Analyzer, a shortcut to it will appear on the Start | All Programs menu. When you launch MBSA for the first time, you will be given the choice of either scanning a computer or scanning multiple computers, as shown in Figure A. Assuming that your purpose in running MBSA is to validate the security of a particular configuration, you will want to choose the option to scan a computer.
Figure A: You can use the "Scan a Computer" option to validate a single computer's security configuration.
Click Next and you will be prompted to enter either the name or the IP address of the computer that you want to run the scan against. As you can see in Figure B, the local computer is selected by default. If you need to run a scan against a remote Windows Vista machine, then you must download version 3.0 of the Windows Update Agent (WUA 3.0).
Figure B: You must specify either the name or the IP address of the computer that you want to scan.
As you can see in the figure above, MBSA allows you to customize the name of the report that it produces and choose the types of tests that it runs. It's worth taking a moment to go through the lists of tests, because the defaults aren't always appropriate for every system.
Once you have decided which tests to run, click the "Start Scan" button. MBSA will take a few minutes to download security updates from Microsoft and then begin the scan.
Figure C: This is the resulting report after the completed scan.
When the scan completes, the resulting report will look something like the one that's shown in Figure C. I wrote this article on my laptop in a hotel room, and the hotel's firewall prevents the MBSA from downloading the updated security settings, but the rest of what you see in the figure should be fairly accurate.
MBSA allows you to sort the report so that the most pressing issues are listed first. This makes it less likely that you will overlook an important issue that's buried deep within the list of results.
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.