What is Microsoft Baseline Security Analyzer and its uses?
- 08/03/2022
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and is no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
Note
In accordance with our SHA-1 deprecation initiative, the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
The Solution
A script can help you with an alternative to MBSA’s patch-compliance checking:
- Using WUA to Scan for Updates Offline, which includes a sample .vbs script. For a PowerShell alternative, see Using WUA to Scan for Updates Offline with PowerShell.
The preceding scripts use the WSUS offline scan file (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
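An added PowerShell example of the offline scan described above (not the sample script from the linked articles): it checks the Authenticode signature on wsusscn2.cab, as the note on SHA-256 signing expects administrators to do, then uses the Windows Update Agent COM API to list updates that are not installed. The path `C:\Temp\wsusscn2.cab` is an assumption, and the script assumes an elevated session.

```powershell
# Added example: offline missing-update scan against wsusscn2.cab via the WUA COM API.
# Assumption: the catalog has already been downloaded to this (hypothetical) path.
$CabPath = 'C:\Temp\wsusscn2.cab'

# 1. Verify the Authenticode signature before trusting the catalog's contents.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${CabPath}: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Register the cab as an offline scan service (1 = usoNonVolatileService).
$session = New-Object -ComObject Microsoft.Update.Session
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3            # ssOthers: use the service named in ServiceID
    $searcher.ServiceID = $service.ServiceID
    $result = $searcher.Search('IsInstalled=0')

    # 3. Report each applicable update that is not installed.
    $missing = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
    $missing | Sort-Object Severity, KB | Format-Table -AutoSize -Wrap
    '{0} applicable update(s) not installed' -f @($missing).Count
}
finally {
    # Unregister the scan package so the offline service does not stay registered.
    $manager.RemoveService($service.ServiceID)
}
```

Because the catalog holds only security updates, update rollups and service packs, an empty result here says nothing about non-security updates, tools or drivers.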
More Information
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- Windows security baselines
- Download Microsoft Security Compliance Toolkit 1.0
- Microsoft Security Guidance blog
Overview
The Microsoft Baseline Security Analyzer (MBSA) is a software tool that helps determine the security of your Windows computer based on Microsoft’s security recommendations. MBSA can be used to improve your security management process by analyzing a computer or a group of computers and detecting missing patches/updates and common security misconfigurations. After you run an MBSA scan, the tool will provide you with specific suggestions for remediating security vulnerabilities. An MBSA scan can reduce and eliminate possible threats caused by security configuration problems and missing security updates. This document explains how to use MBSA from the graphical user interface (GUI).
Note: System administrators who wish to use the command line tool for scanning multiple systems remotely should refer to Microsoft’s How To: Use the Microsoft Baseline Security Analyzer.
Getting Started
Before installing MBSA, make sure that your computer meets the following minimum requirements:
- In order to perform a scan you MUST have administrator privileges.
- Software:
- The latest Windows Update Agent (WUA) client. MBSA automatically updates computers that need an updated WUA client if Configure computers for Microsoft Update and scanning prerequisites is selected.
- IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks).
- SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks).
- For the Operating System and Microsoft Office minimum requirements, please see the information at //msdn.microsoft.com/en-us/library/aa302360.aspx.
MBSA performs the following actions during a scan:
- Checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server.
- Scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+.
- Uses Microsoft Update and Windows Server Update Services (WSUS) technologies to determine what updates are needed.
Installing the MBSA Tool
To download MBSA from the SecureU SharePoint site, complete the following steps.
- Click the Download Now button on the Run Security Scans page for Windows.
- You may see a File Download – Security Warning window. If this window displays, click Run to download MBSA. It is safe to run or save this file.
- You may see an Internet Explorer – Security Warning window. If this window displays, click Run to install MBSA. It is safe to run this file.
- The MBSA Setup window displays. Click Next.
- Select the button next to I accept the license agreement and click Next.
- Select a destination for the installation and click Next.
- Click the Install button to start the installation.
- A window will display when the installation has been successfully completed. Click OK.
Scanning Your System
- On the Programs menu, click Microsoft Baseline Security Analyzer.
- Click Scan a computer.
- Leave all options set to default and click Start Scan.
- MBSA will download the latest security catalogue from Microsoft and begin the scan. Once the scan is complete, the scan results are shown in an organized report with several sections. Each section may require you to take different actions in order to remediate any problems that have been detected. On the left you will see a column labeled Score. Scan this list for any red Xs. A red X represents an item that needs to be fixed.
Note: Most computers will have results for Security Updates, Windows, and Desktop Applications. If you are running Windows Server, contact the 24/7 IT Help Desk for more information about these services.
How to Interpret the MBSA Scan Reports
MBSA generates a report file in the profile directory of the logged in user (%userprofile%). This report file is stored on the computer from which you ran the MBSA tool. MBSA displays different icons in the report score columns depending upon whether a vulnerability was found on the scanned machine.
For the administrative vulnerability checks, a red X
For the security update checks, a red exclamation mark
MBSA Scan Summary Sections
The MBSA scan summary is organized into sections. It also contains links that provide more detailed information, such as What was scanned, Result Details, and How to Correct this. The more often you run the scan, the less often you will be prompted to fix something.
Security Update Checks
The Security Updates section determines which available service packs and security updates for predetermined MS products match the state of your computer. If it has been a while since you last updated your computer, this will most likely be marked with a red X
Windows Checks
The Windows and Desktop Applications check determines if your current configuration leaves your computer vulnerable to easy attacks. Potential problems include weak passwords, Automatic Updates that are not turned on, Firewalls that are not turned on, or applications that need to be updated. If any of these items are marked with a red X
Additional System Information
The MBSA also provides additional information about the system that was scanned in a separate section.
Analyzing the Scan
- For each vulnerability, MBSA provides additional details about the scan via the What was scanned link, the Result details link, and the How to correct this link.
- The screen shot below displays the window that appears after you click on the Result details link. The Result details window contains details about the vulnerability (in this case, weak passwords).
- The screen shot below displays the window that appears after you click on the How to correct this link. The How to correct this window displays the recommended solution with step-by-step instructions.
- Once you have reviewed the report and corrected all the vulnerabilities, rerun MBSA to confirm that no additional vulnerabilities remain on your system.
Requirements for Performing Remote Scans
System administrators can also run remote scans by selecting either the Check for IIS vulnerabilities or the Check for SQL vulnerabilities option. If you are not a system administrator, you should not run these scans. Contact the 24/7 IT Help Desk if you have questions or need assistance resolving problems uncovered by these scans.
Note: If either of these services is unavailable or disabled, the scan results will indicate this. The scan will result in an error if these services do not have an exception configured in the Windows Firewall.