LAB 5a: Securing Windows using Baseline

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

The Microsoft® Baseline Security Analyzer (MBSA) is a tool that allows users to scan one or more Windows®-based computers for common security misconfigurations. MBSA will scan a Windows-based computer and check the operating system and other installed components, such as Internet Information Services (IIS) and SQL Server™, for security misconfigurations and whether or not they are up-to-date with respect to recommended security updates.

Security Updates

·        MBSA can determine which critical security updates are applied to a system by referring to an Extensible Markup Language (XML) file (mssecure.xml) that is continuously updated and released by Microsoft. The XML file contains information about which security updates are available for particular Microsoft products. This file contains security bulletin names and titles, and detailed data about product-specific security updates, including: files in each update package and their versions and checksums, registry keys that were applied by the update installation package, information about which updates supersede others, related Microsoft Knowledge Base article numbers, and much more.

·        When you run MBSA for the first time it must obtain a copy of this XML file so that the tool can find the security updates that are available for each product. The XML file is available on the Microsoft Download Center Web site in compressed form (digitally signed .cab file). MBSA downloads the .cab file, verifies the signature, and then decompresses the .cab file to the local computer on which MBSA is running. Note that a .cab file is a compressed file that is similar to a .zip file.

·        After the .cab file is decompressed, MBSA scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. MBSA then parses the XML file and identifies security updates that are available for your combination of installed software. MBSA determines if a specific update is installed on a given computer by evaluating three items: the registry key that is installed by the update, the file version(s), and the checksum (if running MBSA from the command line) for each file that is installed by the update. If any one of these checks fails, the update will be flagged as missing in the scan report.

·        MBSA not only scans for Windows security updates but also for updates associated with other products.
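The three-item check described above can be modelled in a few lines. This is an added example, not MBSA's own code: the XML element and attribute names, the update ID, the registry key, the file path and the use of SHA-256 as the checksum are all assumptions made for illustration, and the host inventories are constructed. It shows why a file with the right version but altered contents passes when checksums are skipped and is flagged when they are verified.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data. Element and attribute names are hypothetical,
# not the real mssecure.xml schema; SHA-256 stands in for the "checksum".
GOOD = hashlib.sha256(b"patched example.dll").hexdigest()
KEY = r"HKLM\SOFTWARE\Example\Updates\EXAMPLE-001"
DLL = r"C:\Windows\System32\example.dll"
CATALOG = f"""<catalog>
  <update id="EXAMPLE-001" regkey="{KEY}">
    <file path="{DLL}" version="5.1.2600.1234" checksum="{GOOD}"/>
  </update>
</catalog>"""

# Simulated hosts: registry keys present, and path -> (version, checksum).
HOST_PATCHED = {"registry": {KEY}, "files": {DLL: ("5.1.2600.1234", GOOD)}}
HOST_ALTERED = {"registry": {KEY}, "files": {DLL: ("5.1.2600.1234", "0" * 64)}}
HOST_UNPATCHED = {"registry": set(), "files": {DLL: ("5.1.2600.0", "1" * 64)}}


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def missing_updates(catalog_xml, host, verify_checksum=False):
    """Return {update id: [failed checks]}; any failed check flags the update."""
    findings = {}
    for update in ET.fromstring(catalog_xml).iter("update"):
        failed = []
        if update.get("regkey") not in host["registry"]:
            failed.append("registry key absent")
        for entry in update.iter("file"):
            installed = host["files"].get(entry.get("path"))
            if installed is None:
                failed.append("file absent")
                continue
            version, checksum = installed
            # Assumption: an installed version older than the catalog's fails.
            if version_tuple(version) < version_tuple(entry.get("version")):
                failed.append("file version too old")
            # Checksums are compared only in command-line mode, per the text.
            if verify_checksum and checksum != entry.get("checksum"):
                failed.append("checksum mismatch")
        if failed:
            findings[update.get("id")] = failed
    return findings


if __name__ == "__main__":
    for name, host in [("patched", HOST_PATCHED), ("altered", HOST_ALTERED),
                       ("unpatched", HOST_UNPATCHED)]:
        print(name, missing_updates(CATALOG, host),
              missing_updates(CATALOG, host, verify_checksum=True))
```
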

1.      Use the MBSA GUI version (mbsa.exe)

2.      When you choose the "Pick a computer to scan" action you have the option of entering the name or IP address of the computer you wish to scan. By default, when you pick this option the computer name displayed will be the local computer on which the tool is running.

Every time that you perform an MBSA-style scan, a security report is generated for each scanned computer and saved on the computer on which MBSA is running. The location of these reports is listed at the top of the screen (stored under the user profile folder). Security reports are saved in an XML format.