Which of the following statements is true regarding Microsoft Baseline Security Analyzer (MBSA)?

What is Microsoft Baseline Security Analyzer and its uses?

  • 08/03/2022

Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.

MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and is no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.

Note

In accordance with our SHA-1 deprecation initiative, the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.

The Solution

A script can help you with an alternative to MBSA’s patch-compliance checking:

  • Using WUA to Scan for Updates Offline, which includes a sample .vbs script. For a PowerShell alternative, see Using WUA to Scan for Updates Offline with PowerShell.

For example:
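
An added PowerShell example of such an offline scan (written for this page, not the script from the original article): it first checks the digital signature on wsusscn2.cab, as the note above advises, then lists missing updates through the WUA COM API. The `C:\wsusscn2.cab` path and the publisher check are assumptions.

```powershell
# Added example: offline patch-compliance scan with the WUA COM API.
# $CabPath is an assumed location for a freshly downloaded wsusscn2.cab.
param([string]$CabPath = 'C:\wsusscn2.cab')

# Verify the catalog's digital signature before trusting its metadata.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${CabPath}: $($sig.Status)"
}
# Assumption: the expected publisher is Microsoft Corporation.
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

$session = New-Object -ComObject Microsoft.Update.Session
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
# Register the cab as a scan source; 1 = usoNonVolatileService.
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)
try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                 # ssOthers: use ServiceID below
    $searcher.ServiceID = $service.ServiceID
    # Applicable but not installed = missing. The cab covers only security
    # updates, update rollups and service packs.
    $result = $searcher.Search('IsInstalled=0')
    $missing = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
}
finally {
    $manager.RemoveService($service.ServiceID)    # unregister the scan source
}

if ($missing) { $missing | Sort-Object Severity, KB | Format-Table -AutoSize }
else { 'No applicable updates are missing.' }
```

Run it from an elevated PowerShell session on the machine being assessed, with a recently downloaded copy of the catalog.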

The preceding scripts use the WSUS offline scan file (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.

More Information

For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.

  • Windows security baselines
  • Download Microsoft Security Compliance Toolkit 1.0
  • Microsoft Security Guidance blog

Overview

The Microsoft Baseline Security Analyzer (MBSA) is a software tool that helps determine the security of your Windows computer based on Microsoft’s security recommendations. MBSA can be used to improve your security management process by analyzing a computer or a group of computers and detecting missing patches/updates and common security misconfigurations. After you run an MBSA scan, the tool will provide you with specific suggestions for remediating security vulnerabilities. An MBSA scan can reduce and eliminate possible threats caused by security configuration problems and missing security updates. This document explains how to use MBSA from the graphical user interface (GUI).
Note: System administrators who wish to use the command line tool for scanning multiple systems remotely should refer to Microsoft’s How To: Use the Microsoft Baseline Security Analyzer.

Getting Started

Before installing MBSA, make sure that your computer meets the following minimum requirements:

  • In order to perform a scan you MUST have administrator privileges.
  • Software:
    • The latest Windows Update Agent (WUA) client. MBSA automatically updates computers that need an updated WUA client if Configure computers for Microsoft Update and scanning prerequisites is selected.
    • IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks).
    • SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks).
    • For the Operating System and Microsoft Office minimum requirements, please see the information at //msdn.microsoft.com/en-us/library/aa302360.aspx.

MBSA performs the following actions during a scan:

  • Checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server.
  • Scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+.
  • Uses Microsoft Update and Windows Server Update Services (WSUS) technologies to determine what updates are needed.

Installing the MBSA Tool

To download MBSA from the SecureU SharePoint site, complete the following steps.

  1. Click the Download Now button on the Run Security Scans page for Windows.
  2. You may see a File Download – Security Warning window. If this window displays, click Run to download MBSA. It is safe to run or save this file.
  3. You may see an Internet Explorer – Security Warning window. If this window displays, click Run to install MBSA. It is safe to run this file.
  4. The MBSA Setup window displays. Click Next.
  5. Select the button next to I accept the license agreement and click Next.
  6. Select a destination for the installation and click Next.
  7. Click the Install button to start the installation.
  8. A window will display when the installation has been successfully completed. Click OK.

Scanning Your System

  1. On the Programs menu, click Microsoft Baseline Security Analyzer.
  2. Click Scan a computer.
  3. Leave all options set to default and click Start Scan.
  4. MBSA will download the latest security catalogue from Microsoft and begin the scan. Once the scan is complete, the scan results are shown in an organized report with several sections. Each section may require you to take different actions in order to remediate any problems that have been detected. On the left you will see a column labeled Score. Scan this list for any red Xs. A red X represents an item that needs to be fixed.
    Note: Most computers will have results for Security Updates, Windows, and Desktop Applications. If you are running Windows Server, contact the 24/7 IT Help Desk for more information about these services.

How to Interpret the MBSA Scan Reports

MBSA generates a report file in the profile directory of the logged in user (%userprofile%). This report file is stored on the computer from which you ran the MBSA tool. MBSA displays different icons in the report score columns depending upon whether a vulnerability was found on the scanned machine.
For the administrative vulnerability checks:

  • A red X is used when a critical check failed (for example, a user has a blank password).
  • A yellow X is used when a non-critical check failed (for example, an account has a password that does not expire).
  • A green checkmark is used when a check passes (that is, no issue was found for that particular check).
  • A blue asterisk is used for best practice checks (for example, checking if auditing is enabled).
  • A blue informational icon is used for checks that simply provide information about the computer being scanned (for example, the operating system version of the scanned computer).

For the security update checks:

  • A red exclamation mark is used when a security update is missing or a security check could not be performed from the scanned computer.
  • A yellow X is used for warning messages (for example, the computer does not have the latest service pack or update rollup).
  • A blue star is used for informational messages indicating that an update is not available to the computer because it has not been approved on the Update Services server.

Scores cannot be changed or reassigned for system configuration checks.

MBSA Scan Summary Sections

The MBSA scan summary is organized into sections. It also contains links that provide more detailed information, such as What was scanned, Result Details, and How to Correct this. The more often you run the scan, the less often you will be prompted to fix something.

Security Update Checks

The Security Updates section determines which available service packs and security updates for predetermined MS products match the state of your computer. If it has been a while since you last updated your computer, this will most likely be marked with a red X. Running updates on your computer will fix these problems.

Windows Checks

The Windows and Desktop Applications check determines if your current configuration leaves your computer vulnerable to easy attacks. Potential problems include weak passwords, Automatic Updates that are not turned on, Firewalls that are not turned on, or applications that need to be updated. If any of these items are marked with a red X, then a How to correct this link will display. Click this link to open a page with instructions for correcting the problem.

Additional System Information

The MBSA also provides additional information about the system that was scanned in a separate section.

Analyzing the Scan

  1. For each vulnerability, MBSA provides additional details about the scan via the What was scanned link, the Result details link, and the How to correct this link.
  2. The screen shot below displays the window that appears after you click on the Result details link. The Result details window contains details about the vulnerability (in this case, weak passwords).
  3. The screen shot below displays the window that appears after you click on the How to correct this link. The How to correct this window displays the recommended solution with step-by-step instructions.
  4. Once you have reviewed the report and corrected all the vulnerabilities, rerun MBSA to check that no additional vulnerabilities remain on your system.

Requirements for Performing Remote Scans

System administrators can also run remote scans by selecting either the Check for IIS vulnerabilities or the Check for SQL vulnerabilities option. If you are not a system administrator, you should not run these scans. Contact the 24/7 IT Help Desk if you have questions or need assistance resolving problems uncovered by these scans.
Note: If either of these services is unavailable or disabled, the scan results will indicate this. The scan will result in an error if these services do not have an exception configured in the Windows Firewall.

What are some of the features of Microsoft Baseline Security Analyzer (MBSA)?

The MBSA provides built-in checks to determine if Windows administrative vulnerabilities are present, if weak passwords are being used on Windows accounts, the presence of known IIS and SQL administrative vulnerabilities, and which security updates are required on each individual system.

What is the purpose of Microsoft Baseline Security Analyzer (MBSA)?

Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server.

What happened to Microsoft Baseline Security Analyzer?

Microsoft support and updates for MBSA have ended. The current version 2.3 does not offer official support for Windows 10 or Windows Server 2016. The Microsoft MBSA webpage has been removed.

Which Windows log contains information about system startup, shutdown, and status changes for key system processes?

The Windows event log is a detailed record of system, security and application notifications stored by the Windows operating system that is used by administrators to diagnose system problems and predict future issues.
