Like Microsoft Software Update Services, the Microsoft Baseline Security Analyzer (MBSA) is a security toolkit component born out of the Microsoft Strategic Technology Protection Program (STPP).
MBSA v1.2 is available for download from the Microsoft website and provides a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations in the following Microsoft products:
- Windows NT 4.0.
- Windows 2000.
- Windows XP.
- Windows Server 2003.
- Internet Information Services (IIS) 4.0, 5.0, and 6.0.
- SQL Server 7.0 and 2000.
- Internet Explorer (IE) 5.01 and later.
- Office 2000, 2002 and 2003.
MBSA also scans for missing security updates for the following Microsoft products:
- Windows NT 4.0.
- Windows 2000.
- Windows XP.
- Windows Server 2003.
- IIS.
- SQL.
- Exchange.
- IE.
- Windows Media Player.
- MDAC.
- MSXML.
- VM.
- Office.
- Content Management Server.
- Commerce Server.
- Host Integration Server.
- BizTalk Server.
MBSA replaces and expands on the former HFNetChk tool to check for required hotfixes but two useful command line variants (which must be run from the folder where Microsoft Baseline Security Analyzer is installed) are:
mbsacli /hf -h computername -u username -p password
(used to check against the Microsoft Windows Update servers for missing hotfixes); and:
mbsacli /hf -h computername -sus susservername -u username -p password
(used to check against a specified SUS servers for missing hotfixes).
MBSA should be run periodically to check for security issues, finding workstations with vulnerabilities and/or weak passwords, allowing steps to be taken to force a user to take action.