Overview of the Microsoft Baseline Security Analyzer

This content is 21 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Like Microsoft Software Update Services, the Microsoft Baseline Security Analyzer (MBSA) is a security toolkit component born out of the Microsoft Strategic Technology Protection Program (STPP).

MBSA v1.2 is available for download from the Microsoft website and provides a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations in the following Microsoft products:

  • Windows NT 4.0.
  • Windows 2000.
  • Windows XP.
  • Windows Server 2003.
  • Internet Information Services (IIS) 4.0, 5.0, and 6.0.
  • SQL Server 7.0 and 2000.
  • Internet Explorer (IE) 5.01 and later.
  • Office 2000, 2002 and 2003.

MBSA also scans for missing security updates for the following Microsoft products:

  • Windows NT 4.0.
  • Windows 2000.
  • Windows XP.
  • Windows Server 2003.
  • IIS.
  • SQL.
  • Exchange.
  • IE.
  • Windows Media Player.
  • MDAC.
  • MSXML.
  • VM.
  • Office.
  • Content Management Server.
  • Commerce Server.
  • Host Integration Server.
  • BizTalk Server.

MBSA replaces and expands on the former HFNetChk tool to check for required hotfixes but two useful command line variants (which must be run from the folder where Microsoft Baseline Security Analyzer is installed) are:

mbsacli /hf -h computername -u username -p password

(used to check against the Microsoft Windows Update servers for missing hotfixes); and:

mbsacli /hf -h computername -sus susservername -u username -p password

(used to check against a specified SUS servers for missing hotfixes).

MBSA should be run periodically to check for security issues, finding workstations with vulnerabilities and/or weak passwords, allowing steps to be taken to force a user to take action.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.