MBSA 2.1 Frequently Asked Questions

Microsoft Baseline Security Analyzer (MBSA) 2.1 is an easy to use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems.

MBSA 2.1 provides full support for the latest Windows Update Agent (WUA) clients installed by Microsoft Update and Windows Server Update Services (WSUS) servers. MBSA 2.1 also provides an updated graphical interface for Windows Vista and Windows Server 2008, full-64-bit installer, MBSA tool and vulnerability assessment (VA) check support, as well as revised and updated VA checks for SQL Server 2005 and Windows XP Embedded platforms.

MBSA 2.1 is an update to MBSA 2.0.1 to provide full Windows Update Agent support to resolve "Computer has an older version of the client and security database…" warnings, provide full scanning support for Windows Vista and Windows Server 2008 platforms, and provide improved support for the Windows Embedded platform. MBSA 2.1 also makes two important functional changes based on customer feedback:

• From the command line, customers can now save completed MBSA scan reports to a specific directory or network share using the /rd option in mbsacli. This will allow administrators to script MBSA to output completed scan reports to a specific network share to assist in consolidating MBSA scan reports.
• In both the command-line and GUI interface, MBSA will no longer automatically update the Windows Update Agent (WUA) on the target machines scanned by MBSA. Administrators will now need to select the option to "Configure computers for Microsoft Update and scanning prerequisites" to install the latest WUA agent on each scanned machine. Automatic installation was the default setting in earlier versions of MBSA. The new default (which disables automatic updating of clients) may cause an increase in scan failures for clients that require a newer WUA client, but ensures administrators that an MBSA scan will not install any revised or updated files on target machines. The command-line interface includes the new /ia option to deliberately enable automatic updates of the WUA client. This replaces the previous /nai option to disable automatic updating of the WUA client – which was the default behavior in earlier MBSA versions.

MBSA 2.0 offers extended security configuration checks beyond the other Microsoft updating technologies. Furthermore, MBSA 2.1 is designed to be used in conjunction with Microsoft Update (MU), Windows Server Update Services (WSUS), the SMS Inventory Tool for Microsoft Updates (ITMU), and System Center Configuration Manager (SCCM) 2007 in order to audit and verify the update state of a target machine. MBSA 2.1 offers consistency with the other tools since it also utilizes the common Windows Update Agent (WUA) infrastructure.

No. For vulnerability assessment (VA) checks, MBSA 1.2.1 and 2.0 support the same products. For security update detection, MBSA supports all products supported by Microsoft Update, which is the official source for all security updates for products supported by Microsoft Update. Some products have not yet been added to Microsoft Update and therefore updates to these products are not yet available. This includes Office 2000 and various consumer applications, as well as products that are out of support, such as Windows NT 4. Microsoft recommends that customers who primarily have Windows 2000+, Office XP+, Exchange 2000+, and SQL 2000 SP4+ environments should upgrade to MBSA 2.1. Over time, all Microsoft products will be supported through Microsoft Update and the latest version of MBSA will automatically support them. No new products will be added to MBSA 1.2.1 as it is no longer supported. You can find more information about supported versions of MBSA at the MBSA home page.

MBSA 2.1 scans for administrative vulnerabilities as well as missing security updates for a variety of Microsoft products. Scanning for administrative vulnerabilities is supported for Windows 2000; Windows XP; Windows Server 2003; Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0; Microsoft Internet Explorer 5.01, 5.5, and 6.0 (including Internet Explorer 6.0 for Windows XP SP2 and Internet Explorer 6.0 for Windows Server 2003); Microsoft SQL Server 7.0, SQL Server 2000 and SQL Server 2005; and Microsoft Office 2000, Office XP, and Office 2003.

Scanning for security updates is based on the Microsoft Update catalog. To view the products that MBSA 2.1 can check for missing security updates, refer to the Products Supported by WSUS page. The list of products will change over time as new detection logic is published through Microsoft Update.

Note: For products that are not installed on a scanned computer, MBSA does not perform the security updates check for those products and does not list them in the Security Update Scan Results table in the report.

MBSA will detect a WSUS-managed client and correctly offer only the updates that have been approved by the WSUS administrator. MBSA also allows an administrator to configure MBSA so that the Microsoft Update site is not used for security update evaluation in either the graphical and command-line versions. .The completed MBSA scan report will include which sources were used to assess the security state – WSUS Server, Microsoft Update live site, or Microsoft Update (offline) using the wsusscn2.cab file – and will also provide the download location for each update as appropriate.

Any update published on Microsoft Update as a security update, update rollup, or service pack can be scanned using MBSA. In rare cases, there may be an exception for a unique issue that has security implications. These updates have been defined by Microsoft as follows:

Security update—A broadly released fix for a product-specific security-related vulnerability. Security vulnerabilities are rated based on their severity which is indicated in the Microsoft security bulletin as critical, important, moderate, or low.

Update rollup—A tested, cumulative set of hotfixes, security updates, critical updates, and updates packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).

Service pack—A tested, cumulative set of all hotfixes, security updates, critical updates, and updates, as well as additional fixes for problems found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.

If you have corporate hotfixes installed on the scanned computer, detection will observe those updates based on file version as determined by Microsoft. Typically files with a newer than expected version would be accepted, unless Microsoft had determined that a higher versioned file was not secure, in which case the update would be offered in the report.

Note: Updates such as the Malicious Software Removal Tool will be offered by MBSA due to their relationship to certain security issues. This tool has been classified as an update rollup.

Microsoft Update is a Web site that can scan a single computer and indicate missing/needed updates and install them as a group, along as the computer is connected to the Internet and can reach the Microsoft Update Web site. MBSA allows multiple computers to be scanned for missing/needed updates at one time by remote scan, whether or not the target computers can access the Internet and the Microsoft Update web site. By allowing computers to be configured for Microsoft Update, MBSA helps customers using Windows and Microsoft Update to get updated for other Microsoft products more easily. This is because when MBSA performs this configuration task, both the scanning performance is improved and the target computer's Automatic Updates will receive notifications from Microsoft Update. If Automatic Updates has been configured to download and install updates, the move of Automatic Updates from Windows Update to Microsoft Update will offer improved security. MBSA does not perform the installation of updates, it only scans for updates and has the ability to configure the computer to use Microsoft Update for update management.

Note: Microsoft Update also offers users non-security updates such as "Critical Updates" and "Optional Updates." These non-security updates are not offered by MBSA.

Beginning with SMS 2003 Service Pack 1 and in all versions of SCCM 2007, SMS and SCCM have an integrated tool to access the Windows Update Agent directly for scanning security updates, and they do not use MBSA for scanning. SMS no longer uses MBSA to perform security scans, but rather uses the Microsoft Update technologies used by SMS 2003, SCCM 2007, WSUS Server, SBS Server and MBSA.

MBSA provides support for performing the security updates portion of a scan against the Update Services server that each scanned computer is assigned to as well as performing a standalone scan for customers without an Update Services server. Although administrators can select options in the MBSA to ignore or exclusively observe the Update Services approved list of updates, by default the security scan is performed against the list of approved security updates on the Update Services server and against the complete list of available security updates available in the Microsoft Update catalog. Items not approved on the Update Services server for the scanned computer are given an informational score only and do not count against the cumulative security assessment score. Items that are approved, but are not installed on the target computer, are given an appropriate warning and are considered security risks.

MBSA provides an Advanced Update Services option to allow target computers that do not have an assigned Update Services server to report an error so that they can be clearly identified to the helpdesk. From a command prompt, this is provided by the /wa (WSUS approved) option.

MBSA is localized into four languages: English, German, French, and Japanese. The underlying update detection will accurately scan target computers in any language supported by the Microsoft Update and Windows Server Update Services technologies.

Not directly, but this file is supported when used in conjunction with the public Windows application programming interface (API) provided by Windows Update Agent. The API accepts this file only with a valid digital signature from Microsoft and uses it to perform a scan of the specified computer. Refer to the Windows Server Update Services Software Development Kit (SDK) for details.

The MBSA EULA must be accepted by the end customer, which prevents MBSA from being integrated into third-party solutions or redistributed by other means.

Product Support Services (PSS) and Customer Support Services (CSS) support only the latest version of MBSA.

Because clients can be scanned using an online source (Microsoft Update or an assigned Update Services server) in addition to the offline catalog (wsusscn2.cab), the report can include a specific heading called "Catalog synchronization date". If the offline catalog was used, the time that catalog was generated is displayed in the report and can be used to determine if the latest catalog was used. To check the version of the offline catalog, follow these procedures:

Step 1: If you do not have the file, download it from http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.

Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab using any program able to view an archive file type of *.cab.

Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.

Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2005-06-01T18:42:49Z" (for example). Use the value you find to determine when the file was generated by Microsoft.

The latest version of MBSA is version 2.1, which is also referred to as 2.1.2104.0 in the About Microsoft Baseline Security Analyzer link in the graphical interface or when run in the command-line interface. . If a newer version of MBSA is released, MBSA will automatically report that a newer version of MBSA is available in the graphical and command-line interfaces. In the command-line interface, this check can be disabled with the /nvc option.

MBSA can be installed, run on, and scan Windows 2000 Service Pack 3 or later, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Windows Vista, and Windows Server 2008, with a few considerations. Although MBSA can be installed on Windows XP Home Edition and can perform a local scan, a computer running Windows XP Home Edition cannot be scanned remotely for administrative vulnerabilities. Windows XP Professional can be scanned remotely if it is joined to a domain. If it is not joined to a domain, a computer running Windows XP Professional can be scanned remotely only after the Local Security Setting is set to Classic - local users authenticate as themselves and simple file sharing is disabled.

MBSA does not run on Windows XP Embedded and Windows IA64 platforms, but remote scans against these platforms are fully supported. Windows 2000 Datacenter is not supported by MBSA because the required Windows Update Agent is not supported on this version.

Clustered SQL Server configurations are supported for local administrative vulnerability scanning, however several specific checks are now documented in the MBSA help for specific limitations in a remote scan. Scanning for security updates uses Windows Update Agent.

Previous versions of MBSA would automatically attempt to install the lastest Windows Update Agent on each target machine. With the release of MBSA 2.1, the default setting is meant to prevent installation of any revised WUA client unless the option to "Configure computers for Microsoft Update and scanning prerequisites" is selected by the administrator. Without enabling this feature, the required WUA client may not be present on the scanned computer. This may lead to an increase in the number of warnings listed below, but ensures that – by default – no changes are made to the target machines without administrator consent. If the WUA agent is missing or is a lower version than required to perform a security scan, the completed MBSA scan report will include one of the following errors:

• "Computer has an older version of the client and security database demands a newer version"


Or

• "Windows Update Agent not found or the computer is not running Windows 2000 SP3 or later"

No. Windows Update Agent is an integrated part of the Windows platform and an important part of security that enables you to obtain updates from an Update Services server or from Microsoft Update as needed. All Windows computers with an Internet connection running Windows 2000 SP3 or later with Automatic Updates configured, or who have accessed the Microsoft Update Web site, will automatically be updated to the latest version of the WUA client.

Windows Update Agent is a Windows component. This component provides update management and is tightly integrated into the Windows platform. With the recent increase in security, it has become preferable to access and assess machines using a dedicated client present on the machine, rather than leaving the client open to easy access to its root directory and its local registry. For customers with clients that do not connect to the Internet or an Update Services server, MBSA can be used to automatically deploy this Windows component using the "Configure computers for Microsoft Update and scanning prerequisites" option or the /ia option in the command-line interface.

No. But when MBSA 2.0 scans a computer that is managed by a WSUS Server it will automatically report update status that includes the administrator settings for the WSUS approved updates.

The required services are listed in the MBSA Help file (linked to in the left-hand pane of MBSA user interface). These requirements include Remote Registry service, Server service, Workstation service, File and Printer Sharing service, and Automatic Updates service. The wsusscn2.cab file is downloaded from the Microsoft Web site over HTTP based on your Internet Explorer settings. Remote computer scans are performed by using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned.

MBSA does not flag local user accounts with blank passwords for computers running Windows XP using simple file sharing (includes computers running Windows XP Home Edition and computers running Windows XP Professional that are not joined to a domain and that have simple file sharing enabled). By default, these computers do not allow accounts with blank passwords to log on to the computer remotely over the network or for any other logon activity except at the main console logon screen.

Yes, this table describes the support for each platform. Some platforms are provided limited support in this version. Windows 2000 SP4 is a minimum requirement, in addition to the availability of Windows products for each processor type.

When scanning computers running a Windows XP Embedded edition or an Itanium-based (IA64) computer, the administrator must manually install and configure the appropriate WUA client.

Yes. Office 2000 is not supported by Microsoft Update, so MBSA will not provide security update scans for Office 2000 products. Also, MBSA and Microsoft Update do not support Office installations performed from an Administrative Installation Point (AIP). For more information on AIP installations, please refer to Knowledge Base Article 903773, "No Microsoft Office updates are displayed when you use Microsoft Update or Windows Server Update Services."

No. The latest version of MBSA 2.x will either install into a separate folder and can be run concurrently with MBSA 1.2.1. Once the changes in functionality between MBSA 1.2.1 and MBSA 2.0 have been thoroughly reviewed, you can uninstall MBSA 1.2.1 using Add or Remove Programs. Before removing MBSA 1.2.1, we recommend that you review Microsoft Knowledge Base article 895660 to ensure full coverage for products in your environment.

MBSA uses your Internet Explorer settings to perform the download. Use the Internet Options settings page of Internet Explorer to configure these settings.

To configure proxy settings in Internet Explorer

1. In Internet Explorer, click Tools and then click Internet Options.
2. Click Connections, and then click LAN Settings.
3. Do one of the following:

   If your network is configured to support auto detection of proxy servers, select Automatically detect settings.

   Or

   If your network is not configured to support auto detection of proxy servers, select Use a proxy server for your LAN, and then type the name or IP address of the proxy server in the Address box. If the proxy server uses a nonstandard port, type the port number in the Port box.

You can either perform the scan using the mbsacli command-line utility with the /nd (do not download) parameter, or you can perform the scan using the GUI. Before scanning you must copy the necessary files to the computer performing the scan. Four types of files are required:

• Security update catalog (wsusscn2.cab), available from the Microsoft Web site
• Windows Update Redistribution Catalog (wuredist.cab) located at http://update.microsoft.com/redist/wuredist.cab
• Authorization catalog (muauth.cab) for Windows Update site access, available from the Microsoft Web site or by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab
• Windows Update Agent standalone installers (if not already installed):
  • For x86-based computers (WindowsUpdateAgent30-x86.exe) or
  • For x64-based computers (WindowsUpdateAgent30-x64.exe) or
  • For ia64-based computers (WindowsUpdateAgent30-ia64.exe), the latest versions are available by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab

After downloading the files from the Microsoft Web site, copy all files listed above to the following folder on the computer performing the security update scan:
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache

Important: To ensure that MBSA has access to the most current versions of these files, you should download them on a weekly basis or after any release of security bulletins from Microsoft. This is especially important in the case of the security update catalog (Wsusscn2.cab) because Microsoft releases an updated version of this file whenever new security bulletins are released or updated.

When you run MBSA to perform security update checks on remote computers, MBSA deploys the Windows Update Agent to the remote computer. Although an ia64 version of the Windows Update Agent (WindowsUpdateAgent30-ia64.exe) is available for Itanium-based computers, MBSA does not automatically deploy this version. It must be installed and configureed on Itanium-based computers before performing a security scan on those computers.

Step 1: Review system requirements

MBSA cannot scan a remote computer protected by a firewall unless the firewall is configured to open the ports that MBSA uses to communicate with the computer. The Windows Update Agent implements a remote scanning interface based on DCOM. The account being used to scan must possess local administrator rights. The computer must also be configured to meet the following conditions:

• The Server service, Remote Registry service, and File and Print Sharing service must be running on the remote computer.
• The required ports must be open on the firewall.
• The Windows Update Agent must be installed and the Automatic Updates service must not be disabled.

Remote computer scans are performed using TCP port 135, a dynamic or static DCOM port, and ports 139 and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. You must allow these ports to be open on the remote firewall if a personal firewall is being used.

Note: The use of DCOM for remote scanning through Windows Firewall on all versions of Windows XP may require a post-SP2 hotfix as described in Microsoft Knowledge Base article 895200. Customers may now obtain this fix by installing the COM+ update (Microsoft Knowledge Base article 902400) using these procedures:

1. Download the update from http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7 on the Microsoft Download Center.
2. Copy the update to the computer you are updating and open a command prompt on that computer.
3. Run the update using the command-line options described in Microsoft Knowledge Base article 824994 (specifically, the /B:SP2QFE command-line option). Doing this will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes, in addition to the fixes released in the security bulletin MS05-051.

Step 2: Configure Unmanaged Computers

DCOM allocates a dynamic port by default, but a firewall blocks access to these ports unless explicitly opened by using the following procedure:

1. Open port 135 and a custom port in your firewall (some firewalls may allow port 135 by default). The port you select should be checked to ensure it is appropriate, or not associated with other applications.
2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes \AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ “ncacn_ip_tcp,0,n” (where n is the port number you have decided to use.) You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent - Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.

Step 3: Configure Managed Computers

Use Group Policy to deploy specific administrative firewall and COM+ settings to target computers. You may use the Group Policy editor to create the needed configuration settings as documented in “Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2”, in the section entitled “Deploying Windows Firewall Settings With Group Policy”.

Windows Firewall Settings: The following Windows Firewall settings should be used:

• Windows Firewall: Allow remote administration exception. Used to enable remote configuration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
• Windows Firewall: Allow file and print sharing exception. Used to specify whether file and printer sharing traffic is allowed.
• Windows Firewall: Define port exceptions. Used to specify excepted traffic in terms of TCP and UDP ports. In this step, define the same ports as you selected for unmanaged computers and from the system requirements step.

Additional details on the settings available within the administrative template for Windows Firewall have been documented in “Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2” the sections labeled "Enabling Remote Administration" and “Adding Static Ports to Windows Firewall’s Default Exceptions List.”

COM+ Settings: The COM+ endpoint registry settings for the Windows Update Agent can be configured through Group Policy as part of a startup script. Guidance on how to assign startup scripts can be found on the Microsoft Web site: http://technet2.microsoft.com/WindowsServer/en/library/65aa4e48-8b1f-42bc-b20f-64f67367dadc1033.mspx?mfr=true. The script must include the following command: reg add HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492} /v Endpoints /t REG_MULTI_SZ /d ncacn_ip_tcp,0,n /f (where n is the port number you have decided to use).

Note: When using this method, be aware that additional administrative template settings may be needed in order to remove this registry setting when the functionality is no longer desired.

By default, a scan uses the Update Services server the client is assigned to, if any, as well as the Microsoft Update catalog. The results are compared and any unapproved Update Services updates are given an informational score (blue star) in the report. This allows MBSA to report best practice guidance on the settings for each update with or without an Update Services server.

Using the advanced options, security auditors can choose not to scan with the Update Services list of approved updates or Update Services administrators can choose not to scan with the Microsoft Update list of available updates and focus only on the approved set of updates.

If an administrator chooses not to scan with the list of available updates on Microsoft Update, clients without an Update Services server cannot be scanned and will return an error, indicating they may not be getting the correct set of managed updates.

Although the first scan on a particular client will take a longer period o time than usual, subsequent scans will be much faster since the Microsoft Update and WUA configurations will already be established. On subsequent scans, performance depends upon the speed of the connection to the Microsoft Update site or Update Services server, as well as how recently the client has synchronized the catalog from its server. The number and types of products installed can also influence the performance of a scan. Be sure to check these timings based on your own hardware configuration and server settings since performance will vary.

Note: Scanning for the various administrative vulnerabilities can add time to this process, particularly when performing the check for weak passwords.

Scanning in MBSA is not performed in parallel unless multiple copies of MBSA are run at the same time to scan different computers. Mbsacli.exe can be used with the new /listfile (list of computer names or IP addresses) parameter to scan computers listed in a text file containing computer names or IP addresses. This file can be a maximum of 100 MB in size. Using scripting (not provided with the MBSA download package) administrators can populate this text file from an Update Services server target group or from Active Directory.

MBSA downloads the wsusscn2.cab file at the initial scan, or any time the file has changed on the Microsoft Web site. Internet activity caused by MBSA can be completely eliminated by using the /nvc (no tool version check), /catalog (offline catalog file), and /nd (do not download) parameters of the command-line tool described in MBSA Help.

Note: To ensure that MBSA has access to the most current versions of these files, you should download them on a weekly basis or after security bulletins are released by Microsoft. This is especially important in the case of the security update catalog (wsusscn2.cab) because Microsoft releases an updated version of this file whenever new security bulletins are released or updated.

The previous MBSA detection engine has been replaced with the Windows Update Agent, and it has been fully integrated into the MBSA-style scan. For users accustomed to the /HF mode of scanning in previous versions of MBSA, a lightweight solution requiring only Mbsacli.exe and Wusscan.dll is provided using the /xmlout (xml data) parameter. This parameter provides basic output to the console in XML format, making integration with other solutions fast and easy. The output includes all the data elements of the /HF mode and more.

Although the /HF parameters have been replaced with updated MBSA features, a local security update scan that does not include administrative vulnerabilities can be performed using a minimum of MBSA files.

To perform a local security update scan, copy the MBSACLI.EXE and WUSSCAN.DLL files from a full MBSA installation to a new directory on the local machine. You must also download the latest version of the security update catalog (wsusscn2.cab) file and place it in the C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache directory.

• Security update catalog (wsusscn2.cab), available from the Microsoft Web site

If this is the first attempt to scan the target machine using MBSA 2.0 or you want to ensure the WUA client on the local machine is updated to the latest version, you must also place the authorization catalog and latest Windows Update Agent installer file in the same C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache directory.

• Authorization catalog for Windows Update site access (Muauth.cab), available from the Microsoft Web site
• The appropriate platform-specific Windows Update Agent (if not already installed). The latest versions for each platform can be found by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab.

The /XMLOUT switch must be used to output scan results in this mode. And only a subset of the MBSA command-line features is available in this ("MBSA lite") mode:

• /catalog (to specify an alternate location for the wsusscn2.cab file)
• /wa (show only updates approved on WSUS server)
• /wi (show all updates regardless of those approved on WSUS server)
• /nvc (do not check for newer version of MBSA)
• /nd (do not attempt to download files from Microsoft Update site)
• /unicode (render out in Unicode compliant format)

When using the /xmlout parameter, you must explicitly redirect the XML output into a file using standard console redirection. Also, the XML results must be processed separately from MBSA because they observe a different format than the full MBSA report files. The benefit of this parameter is to avoid the full installation package of MBSA 2.0 when only checking for updates on a single computer. If the minimum system requirements are met, only the engine files mentioned above are needed.

Yes. MBSA 2.1 fully supports security update scans on x86, x64 and ia64 platforms. MBSA 2.1 supports vulnerability assessment (VA) scans on x86 and x64 platforms.

Yes. MBSA 2.0 can scan Windows XP Embedded remotely for security updates if the appropriate Windows Update Agent is already present (not all versions of Windows XP Embedded support installation of the WUA client). Scanning for common security misconfigurations is supported when scanning Windows XP Embedded. Refer to MBSA Help for a detailed description of the security update scanning and administrative vulnerability checking features, and limitations for these platforms.

Note: All MBSA system requirements must be met, so check with the computer's manufacturer or the system administrator of the computer. These requirements include the Workstation, Server, Remote registry, File and Print services and an up-to-date WUA client as listed in the MBSA Help file.

In addition to the current audit message written to the event log, additional events may be written based on the new remote installer used by MBSA to configure the target computer to use Windows Update Agent or Microsoft Update for scanning. An example of an event:

Event Type:Information
Event Source:MBSA
Event Category:None
Event ID:1
Date:3/12/2005
Time:1:33:44 PM
User:domain\username
Computer:computer
Description: Security analysis complete.
Scanned from nnn.nnn.n.n.
Microsoft Baseline Security Analyzer version 2.1.nnnn.0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp

You must copy the catalog file to the local computer before attempting the scan and supply a local path to the file.

When using the MBSA command-line tool (Mbsacli.exe) to scan the local computer, you cannot use a Universal Naming Convention (UNC) path or a mapped network drive as the argument to the /catalog (offline catalog file) parameter.

Valid example commands include:

Mbsacli.exe /catalog wsusscn2.cab (current directory)
Mbsacli.exe /catalog c:\catalogs\wsusscn2.cab (fully qualified path)
Mbsacli.exe /catalog \folder\wsusscn2.cab (relative path)

Several checks return a best practice score rather than a failed or potential risk score. These checks provide a link to corrective steps and guidance on the check that should be carefully reviewed. Examples of this include the following checks:

• Incomplete Updates
• Windows Firewall
• SQL Server - Service Accounts
• SQL Server - Sysadmin role members

The Incomplete Updates check will only report a yellow icon (potential risk) when at least one supported update is in a restart required state. Because there could be other updates in this state that cannot be determined because they were packaged in an older version of the installer, a complete check, and thus a passing score cannot be provided.

The Windows Firewall check will report a green icon (passing score) only when the firewall in enabled without any exceptions. All other configurations will report a blue icon as a means of exposing the details of the settings in the event the exception policy has been deemed safe by the computer administrator.

The two SQL Server checks (Service Accounts and Sysadmin role members) will always report a blue icon because a passing score may not be within the support policy for products that redistribute MSDE or WMSDE derivatives of SQL Server 2000. Only the products that use MSDE or WMSDE can assess the security of the configuration.

Maximum Severity corresponds to the maximum severity rating of the security bulletin issued by Microsoft. For a given security bulletin, there may be several affected products each having a different severity rating. The maximum severity represents the severity associated with the affected product having the highest level of severity within the bulletin.

This value allows administrators to better prioritize update risk and deployment urgency. The Download item allows direct access to the update package that contains the fix for the security issue. This update package linked to by the report is the actual software update required based on the configuration of the computer that was scanned. When viewing a report for another computer, the update package may not be appropriate for the computer running the report viewer, so keep this in mind when downloading update packages.

This value is included in reports only when the offline catalog was used for the scan. When the security update catalog includes Microsoft Update (offline), this will be the case. Using the /catalog (offline catalog file) command-line parameter can ensure that this value is available for all reports and allows a more precise comparison of reports based on a specific point in time for customers that used this field in previous versions of MBSA.

This can often occur depending upon the binding order of installed adapters. Both the adapter binding order and the number of installed adapters may affect this. For the most consistent identification of scanned computers, the use of the computer name is recommended, particularly when IP addresses are allocated by Dynamic Host Configuration Protocol (DHCP).

Yes, this is a known issue in the Windows Small Business Server products. This may appear if the SBS Backup User has been used by the backup task at least one time, and will continue until that same user account has been logged into at the console interactively at least one time.

Yes. The updated samples are available at the Microsoft Download Center. The Microsoft Office Visio 2007 Connector for MBSA 2.1 is also a recommended download that may provide even more functionality than what is provided by the script samples.

Text output is provided by default when using Mbsacli.exe. This can be suppressed using the /qt (quiet text output) parameter and is the same output provided by the /ld (list report details) option.

Updates listed in the security update sections of the report represent items that have not been replaced by any newer updates. Many updates released by Microsoft are cumulative and include previous fixes, so it is commonly the case that additional levels of protection are also being provided. The fixes that are included from previous updates in the currently installed updates can be obtained from the security bulletin or the fixlist for the update. Also, when installing an update, you can use this section of the report to confirm that the update has been installed by scanning the computer again when the update installation has completed (including any required restart of the computer).

No, the checks and scores used in MBSA cannot be modified. You can, however, use a script and filter out the items you are not interested in monitoring or reporting on.

These ratings help you prioritize and manage the risk associated with the security bulletin findings. A link to additional information is provided at the bottom of each MBSA report using the Result Details for security update checks. Visit the Microsoft Web site to review the specifics of each rating, and how to apply them in your environment.

MBSA displays different icons in the report score columns depending on whether a vulnerability was found on the scanned computer. There are two distinct types of checks performed by MBSA: administrative vulnerability (VA) checks and security update checks.

For the administrative vulnerability checks, a red X is used when a critical check failed (for example, a user has a blank password). A yellow X is used when a non-critical check failed (for example, an account has a password that does not expire). A green checkmark is used when a check passes (that is, no issue was found for that particular check). A blue asterisk is used for best practice checks (for example, checking if auditing is enabled), and a blue asterisk informational icon is used for checks that simply provide information about the computer being scanned (for example, the operating system version of the scanned computer).

For the security update checks, a red X is used when MBSA confirms that a security update is missing from the scanned computer. A yellow X is used for warning messages (for example, the computer does not have the latest service pack or update rollup), and a blue star is used for informational messages indicating that an update is not available to the computer because it has not been approved on the Update Services server. Scores cannot be changed or reassigned for system configuration checks.

Some updates replace files that are currently in use by Windows that cannot be fully installed until Windows is restarted. Updates installed using Automatic Updates, Windows Update, or Microsoft Update will provide an indication of this condition in the MBSA report: a partially installed update will be reported as not installed because a restart is required. In addition, any update that is not fully applied pending a restart is also indicated in the Windows Administrative Vulnerabilities section of a completed scan report. This VA check is not specific to any particular update, but does reflect the potential risk associated with updating any product and not restarting the computer if the update requested a restart. MBSA Help includes instructions you can use to inspect an update package and determine if it is packaged with this version of the installer.

Updates for multiple products within the same bulletin will be shown as different product families in the Issue column of the report summary. Each product-specific variation within the bulletin typically includes a different Knowledge Base article number, however in some cases, there could be multiple updates within the same product category.

For example, if a security bulletin applies to both Windows Media Player and SQL Server, the report summary lists two separate issues, with two separate Result Details to be viewed. In this example, each item would have the same bulletin ID, the standard naming convention for update titles would include the Knowledge Base article number, and the Description column would link to the support article Web page for the issue.

Another example is when more than one product exists within the same family, such as Windows Messenger and Windows Media Player (both are components of Windows). This example would provide separate updates in the same Result Details section of the report but share the same bulletin ID. If the product-specific Knowledge Base article ID is needed, the report can be viewed in any XML viewing program (such as Notepad or Internet Explorer), and the KBID attribute will contain the article number.

Finally, shortly after Microsoft Update is released, additional IDs will be included with published updates in the MBSA 2.0 report that will directly relate to individual vulnerabilities addressed by the bulletin (typically in a "CAN-..." or "CVE-..." format as listed in the actual security bulletin). A new version of MBSA 2.0 will not be needed, only the new data to be published with the updates being released.

No, the results are stored in the report in the order they are returned to MBSA from the Windows Update Agent. This version of MBSA does not support user-configured sorting in the reports, although the reports can be exported to Excel and sorted or processed by a script to present a certain order to an external application.

MBSA reports on security-related best practices. The Windows Malicious Software Removal Tool is a cumulative, monthly update that removes the residue from known malicious software that may be left behind even after the security bulletin has been applied to the computer. Unless this tool is run periodically, there could be malicious files or settings present on the computer.

Some updates published to Microsoft Update do not include links, however in most cases the security bulletin link will allow users to access the needed information.

The security reports are stored as .mbsa files in XML format in: %userprofile%\SecurityScans by default. With the release of MBSA 2.1, completed MBSA scan reports can be placed in another directory or network share using the /rd (Report Directory) option in the command-line interface. The graphical interface does not support this new feature.

Remote scanning requires that the most current version of the Windows Update Agent be present on the computer running MBSA, so you must install it before scanning remotely. Although MBSA includes a feature that you can use to automatically install the agent, you can also install it manually. You can obtain the installer from the Microsoft Download Center using one of the following links as appropriate for the computer reporting the error message:

• For x86-based computers (WindowsUpdateAgent30-x86.exe) or
• For x64-based computers (WindowsUpdateAgent30-x64.exe) or
• For ia64-based computers (WindowsUpdateAgent30-ia64.exe), the latest versions are available by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab

MBSA 2.1 uses a security update cabinet file (wsusscn2.cab) that is formatted differently than the previous version (wsusscan.cab). The reason for this change is described in Microsoft Knowledge Base article 926464. You will need to download the new offline scan file, wsusscn2.cab, by clicking http://go.microsoft.com/fwlink/?LinkId=76054. Save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache\wsusscn2.cab.

MBSA and the Windows Update Agent require Windows 2000 Service Pack 3 or later. The version check performed by MBSA uses the system registry, so if a remote computer being scanned has the Remote Registry Service disabled, this error will appear. To correct this, ensure the Remote Registry Service is running on the target computer.

This message may appear if the remote installer has been blocked by antivirus or anti-spyware products when performing a remote scan of a computer with the Configure computers for Microsoft Update and scanning prerequisites option selected. You can configure the software that is preventing the MBSA installer from completing the installation to allow MBSA to update the target computer, or you can update the computer manually using the instructions in the FAQ topic MBSA uses files that it downloads from the Internet, but the computer I want to use to scan my network doesn't have Internet access. How can I use MBSA in an offline and secure environment?

This error may appear for several reasons:

• If the client computer has a registration for an Update Services server, and the server cannot be contacted by the agent, this error will be returned.
• If the server is on the network, but the client cannot contact the server, this error may also happen and indicates a possible problem in the proxy server configuration or connectivity issues that prevent the network name resolution process from allowing the client to locate the server on the network.

Check the proxy settings of the computer running MBSA, and ensure the assigned WSUS server is accessible on the network.

When downloading the Microsoft Update offline catalog (wsusscn2.cab) before each attempt to scan, downloaded files are checked for a valid Microsoft digital signature before being used. When the file is missing, or the digital signature cannot be verified, these errors may occur.

To avoid this error message, it is recommended that the update (see Microsoft Knowledge Base article 835732) be installed on all Windows 2000 computers running MBSA to perform scanning.

This error may also appear if you use a proxy server such as Microsoft ISA 2000 Server if it does not include a policy that permits anonymous access to the Microsoft Update site. A resolution for this is described in Microsoft Knowledge Base article 885819.

Another cause for this issue may be that Internet Explorer is set to offline mode (Work Offline). MBSA requires either IE to be in online mode and be able to successfully pass through any proxy servers to obtain the wsusscn2.cab file, or you may need to use the steps to obtain the necessary catalog and authentication files as detailed elsewhere in this FAQ for using the wsusscn2.cab file in offline or secure modes when Internet connectivity isn’t available.

Also be sure to confirm both the scanning and target machines have the latest versions of the WUA client, which can also be obtained at the following locations:

• For x86-based computers (WindowsUpdateAgent30-x86.exe) or
• For x64-based computers (WindowsUpdateAgent30-x64.exe) or
• For ia64-based computers (WindowsUpdateAgent30-ia64.exe), the latest versions are available by examining the contents of the wuredist.cab file located at http://update.microsoft.com/redist/wuredist.cab

This error means that the version of WUA is lower than the minimum required version stated in wsusscn2.cab. Unless the WUA version is equal or greater than the version needed by wsusscn2.cab, scanning the computer will return an error.

To correct this, ensure the latest version of WUA is installed on the target computer. To have MBSA automatically correct this error, be sure to select the option to "Configure computers for Microsoft Update and scanning prerequisites" or use the /ia option in the command-line tool.

This error indicates that the Windows Update Agent was not able to communicate with the assigned Update Services server because of proxy configuration setting on the target computer. If a proxy server is in use, check the target computer's Internet Explorer Internet Options settings and ensure the Update Services server is in the proxy bypass list using either the Bypass proxy server for local addresses setting, or using the Advanced button in the exception list. Using the proxy bypass allows end-users to access the Internet via the proxy server, yet directly access local intranet servers. This is also needed to allow WUA to contact the WSUS server on the local network.

This error is common when scanning based on an IP address range. This is because MBSA will convert the range into a list of specific IP addresses for that range and attempt to resolve each IP address into the associated NetBIOS computer name. When that name resolution cannot be performed because the computer is switched off, or the IP address is not in use, this error will be returned.

The error can also happen when using a domain name of domain members are not accessible on the network, such as a laptop computer roaming outside the wireless network, or a desktop computer that has been shut down.

If you specify a DNS fully qualified domain name (FQDN) as the domain to be scanned, you will also see these errors. In that case, you need to use the NetBIOS compatible domain name.

While it is recommended that the service run as a low privileged account, the application that installed SQL Server/MSDE may require it to run with higher privileges. For example, instances of WMSDE currently are required to run as LocalSystem, and therefore need to be exempt from this check. WMSDE is a derivative of MSDE meant for use by Windows Server 2003 operating system components, such as Windows SharePoint Services. Check the documentation accompanying the application for information on the minimum level of privileges required.

For these reasons, this is an expected message when scanning specific Microsoft products that include MSDE or WMSDE, such as:

• Windows Server Update Services
• Windows Sharepoint Services
• Windows Small Business Server
• Microsoft ISA Server 2004
• Universal Description, Discovery, and Integration (UDDI)

In many installations (particularly in enterprise environments) it is useful for administrators to distinguish between the roles of the operating system administrator and the SQL Server administrator. In such scenarios it might be useful to remove the local Windows administrators' membership in the SQL Sysadmin role. However, instances of WMSDE currently are required to have the local Windows administrators' membership in the SQL Sysadmin role, and therefore need to be exempt from this check. WMSDE is a derivative of MSDE meant for use by Windows Server 2003 operating system components, such as Windows SharePoint Services. Check the documentation accompanying the application for information on the minimum level of privileges required.

For these reasons, this is an expected message when scanning specific products that include MSDE or WMSDE, such as:

• Windows Server Update Services
• Windows Sharepoint Services
• Windows Small Business Server
• Microsoft ISA Server 2004
• Universal Description, Discovery, and Integration (UDDI)

Before removing the BUILTIN\Administrators group from SQL Server, it is recommended that there be at least one other login that has administrative capabilities in SQL Server. Certain applications may rely on the ability of the BUILTIN\Administrators group to be able to administer SQL Server.

When scanning and viewing reports, MBSA