Is your System Compliant with Microsoft’s Security Recommendations?

Although, you might have enabled Windows Updates to download and install the latest security patches automatically, it is a good practice to occasionally analyze your system against a baseline. Microsoft has a free tool that allows you to scan your computer and checks for compliance with Microsoft’s security recommendations.

The Microsoft Baseline Security Analyzer (MBSA) can check computers running Microsoft Windows Server 2008 R2, Windows 7, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP or Windows 2000. MBSA utilizes Windows Server Update Services.

Download Baseline Security Analyzer from here and install it on the computer you wish to scan. You must have administrator privileges when performing a scan.

MBSA allows you to scan a single computer using its name or IP address, and scan multiple computers using a domain name or a range of IP addresses. At the end of a scan, it allows you to view, print and copy scan reports, even those from previous scans. Furthermore, it advices you how to fix any issues that were found.

MBSA can be configured in many ways with various scan options as shown below:

Check for Windows administrative vulnerability – MBSA checks for security issues in the operating system, such as Guest account status, file-system type, available file shares, and members of the Administrators group.

Check for weak passwords – MBSA checks computers for blank and weak passwords.

Check for IIS administrative vulnerabilities – MBSA checks for security issues in IIS if installed such as sample applications and certain virtual directories present on the computer and if the IIS Lockdown tool has been run on the computer.

Check for SQL Server administrative vulnerabilities – MBSA checks administrative vulnerabilities related to SQL Server.

Check for Security updates – MBSA uses Microsoft Update and WSUS technologies to check for the latest security updates. It also uses an offline catalog that is updated by Microsoft every time new security updates are released.

Additionally, you can configure advanced options that best fit your environment but these are more intended for corporate environments.

The MBSA final report is quite comprehensive and it allows you to view more details related to the issues found. For every issue, the report provides a link to ‘What was scanned’, ‘Result details’ and ‘How to correct the issue’ as shown below:

For instance, if MBSA finds that your system is missing a security update then you can follow the instructions provided to install the missing fix and visit the respective security bulletin to verify the technical details associate with the vulnerability. Under the Administrative Vulnerabilities section the report lists recommended security best practices such as users’ passwords and firewall settings. These will help you take the necessary measures to harden the security of your system.

Running MBSA on regular basis and making sure that no critical issues (red marks) are found, and fix where necessary will make your system compliant with Microsoft’s security recommendations.