Thank you for installing Microsoft® Baseline Security Analyzer version 1.2.
How to Use the Microsoft Baseline Security Analyzer
What's New in Microsoft Baseline Security Analyzer Version 1.2
System and Language Applicability
Reporting Bugs or Providing Feedback
The graphical user interface version of the tool is run by executing Mbsa.exe from the folder in which the tool was installed. The command-line version is run by executing Mbsacli.exe in a command window from the folder in which the tool was installed.
The following features have been added in Microsoft Baseline Security Analyzer (MBSA) version 1.2:
Microsoft Baseline Security Analyzer version 1.2 may be run on Windows® Server 2003, Windows 2000, or Windows XP computers. It can scan Windows NT® 4.0, Windows 2000, Windows XP, and Windows Server 2003 computers. Note: Only local scans can be performed against Windows XP Home Edition and Windows XP Professional computers that use the simple file sharing model. This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems.
The following are the requirements when scanning a local computer:
The following are the requirements for a computer running the tool that is scanning remote machine(s):
The following are the requirements for a computer to be scanned remotely by the tool:
Please see article 303215 for more information on these services.
Users must have local administrative privileges on each computer being scanned, whether a local or remote scan is being performed.
Internet access is also required to download the mssecure.cab file from the Microsoft Download Center used for the security updates scan. If a previous copy of the file was downloaded in a prior scan, the tool will attempt to use the locally cached copy if an Internet connection is not detected.
XML parsers have shipped in each version of Internet Explorer since IE 5.01. However, it is recommended to have the latest version of IE and the latest version of the MSXML parser installed.
The latest version of the MSXML parser is available from the following location:
Additional information on the Microsoft XML Parser is available from http://www.microsoft.com/xml.
The following parts of a scan are optional and can be turned off in the tool user interface prior to scanning a computer:
There are two types of scans that can be performed using the MBSA command line interface: MBSA-style scans and HFNetChk-style scans.
The MBSA-style scan will store results, as was done in MBSA V1.1.1, in individual XML files to later be viewed in the MBSA UI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks. Note that users must explicitly use the -baseline and -nosum switches to perform the same scan as is done in the MBSA GUI.
The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe" with the following parameters:
<no option> - Scan the local computer
/c <domainname>\<computername> - Scan the named computer
/i <xxx.xxx.xxx.xxx> - Scan the named IP
/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses
/d <domainname> - scan named domain
/n IIS - Skip IIS checks
/n OS - Skip Windows Operating System (OS) checks (note this will also skip the IE/Outlook zones and Office macro security checks)
/n Password - Skip password checks
/n SQL - Skip SQL checks
/n Updates - Skip security update checks
/sus <SUS server | SUS filename> - Check only for security updates approved at the specified URL of the SUS server or the file path to the approveditems.txt file. If a URL or path is not specified, the value stored in the registry will be used if available.
/s 1 - Suppress security update check notes
/s 2 - Suppress security update check notes and warnings
/nosum - Security update checks will not test file checksums
/nvc - Don't check for a new version of MBSA
/o <filename> - Default filename format is "%d% - %c% (%t%)", where %d% is the domain, %c% is the computername, and %t% is the date and time. %IP% can be used to include the IP address of the scanned machine. Note that report name variables from previous versions of MBSA will also function: "%domain% - %computername% (%date%)"
Note that these report options cannot be combined with the security update scan options listed above.
/e - List errors from latest scan
/l - List all reports available
/ls - List of reports from latest scan
/lr <report name> - Display overview report
/ld <report name> - Display detailed report
/v - Display security update reason codes
/? - Usage help
/qp - Don't display progress
/qe - Don't display error list
/qr - Don't display report list
/q - Don't display any of the above
/f - Redirect output to a file
/unicode - Generate unicode output (Users running Japanese MBSA or scanning Japanese Windows machines should specify this switch)
The HFNetChk-style scan will check for missing security updates and will display scan results as text in the command line window, as is done in the standalone HFNetChk tool. MBSA V1.2 includes the "/hf" flag, which indicates an HFNetChk scan to the MBSA engine. The HFNetChk switches listed below can be used after the "/hf" flag is specified on the command line. Note that users must explicitly use the -b, -v, and -nosum switches to perform the same scan as is done in the MBSA GUI.
Note: the Office security update scan will NOT be performed with the /hf flag as it is performed outside of the HFNetChk engine. Office security updates can be scanned in the MBSA GUI (mbsa.exe) or the MBSA-style scan using mbsacli.exe.
Note: the MBSA-style scan parameters listed above cannot be combined with the /hf flag option.
The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe /hf" followed by any of the parameters below. For a full description of each parameter, please see KB article Q303215.
-h <hostname> - Scan the named NetBIOS computer name. Default location is the local host. Multiple hosts can be scanned by separating host names with a comma.
-fh <filename> - Scans the NetBIOS computer names specified in the named text file. Specify one computer name on each line in the .txt file, with a 256 name maximum.
-i <xxx.xxx.xxx.xxx> - Scans the named IP address. Multiple IP addresses can be scanned by separating each entry with a comma.
-fip <filename> - Scans the IP addresses specified in the named text file. Specify one IP address on each line in the .txt file, with a 256 entry maximum.
-r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Specifies IP address range to be scanned.
-d <domainname> - Specifies the domain name to be scanned.
-n - Specifies that all computers on the local network should be scanned. All computers from all domains in Network Neighborhood are scanned.
-sus <SUS server | SUS filename> - Check only for security updates approved at the specified URL of the SUS server or the file path to the approveditems.txt file. If a URL or path is not specified, the value stored in the registry will be used if available.
-b - Scans a computer only for those updates that are marked as baseline critical by the Microsoft Security Response Center.
-fq <filename> - Specifies the name of a file that contains Qnumbers to suppress on output. Specify one Qnumber per line. This switch only suppresses the specified item(s) from being displayed in the output; it does not remove the item(s) from consideration during the course of a scan.
-s - Suppresses NOTE and WARNING messages. The default is not to suppress either of these message types. The following options are used with this switch:
(1) Suppresses NOTE messages only.
(2) Suppresses both NOTE and WARNING messages.
-nosum - Specifies to not perform checksum validation for the security update files. You do not need to use this switch under typical circumstances.
-sum - Forces a checksum scan when scanning a non-English language system. Use this switch only if you have a custom XML file with language-specific checksums.
-z - Specifies to not perform registry checks. (Note when this switch is used with -history, registry checks will still be performed for those patches that only have registry key data and no file version information in the mssecure.xml file)
-history - Displays updates that have been explicitly installed, explicitly not installed, or effectively installed. (Updates that are effectively installed indicate that the update itself may not have been explicitly installed, but a later, superseding update was installed that contains the fixes from this earlier update.) This switch is not necessary for normal operation; you do not need to use it except under very specific circumstances. The following options are used with this switch:
(1) displays those updates that have been explicitly installed.
(2) displays those updates that have been explicitly not installed.
(3) displays those updates that have been effectively installed.
-v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered "not found" or if you receive a NOTE or WARNING message.
/nvc - Don't check for a new version of MBSA.
-o - Specifies the desired output format. The following options are used with this switch:
(tab) Displays output in tab-delimited format.
(wrap) Displays output in word-wrapped format.
-f <filename> - Specifies the name of a file in which to store the results. You can use the switch in both wrap and tab output.
-unicode - Generate unicode output (Users running Japanese MBSA or scanning Japanese Windows machines should specify this switch)
-t - Displays the number of threads that are used to run the scan. Possible values are 1 to 128, with the default value being 64. This switch can be used to throttle down (or up) the scanner speed.
-u <username> - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.
-p <password> - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. For security purposes, the password is not sent over the network in clear text. Instead, HFNetChk uses the challenge-response mechanism that is built into Windows NT 4.0 and later to secure the authentication process.
-x - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a Uniform Resource Locator (URL). The default file is the Mssecure.cab file from the Microsoft Web site. When this switch is not used, the mssecure.xml file will be downloaded from the Microsoft Web site.
-? - Displays a menu. You can also call this switch by using the /? syntax. The menu is also displayed any time that you pass incorrect syntax at a command prompt.
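The -fh and -fip switches above accept at most 256 entries per input file, which matters when a network scan (the white paper mentions up to 10,000 machines) is driven from a host inventory. The following helper is an added example, not part of MBSA or its documentation: it splits an inventory into files that respect that limit and emits one mbsacli /hf command line per file using the -b, -v, and -nosum switches the text says are needed to match the GUI scan. The file names, the "scan" output prefix, and the 600-name inventory are constructed for illustration.

```python
# Added helper (not part of MBSA): split a host inventory into -fh input files
# that respect the documented 256-name-per-file limit and build one
# HFNetChk-style command line per file. All names and paths are constructed.
import os
import tempfile

MAX_NAMES_PER_FILE = 256  # limit stated for -fh / -fip input files


def chunk_hosts(hosts, size=MAX_NAMES_PER_FILE):
    """Return lists of at most `size` hosts, dropping blanks and duplicates."""
    seen = set()
    cleaned = []
    for h in hosts:
        h = h.strip()
        if h and h.upper() not in seen:
            seen.add(h.upper())  # NetBIOS names are case-insensitive
            cleaned.append(h)
    return [cleaned[i:i + size] for i in range(0, len(cleaned), size)]


def write_host_files(hosts, out_dir, prefix="hosts"):
    """Write one .txt file per chunk (one NetBIOS name per line); return paths."""
    paths = []
    for n, chunk in enumerate(chunk_hosts(hosts), start=1):
        path = os.path.join(out_dir, f"{prefix}{n:03d}.txt")
        with open(path, "w") as f:
            f.write("\n".join(chunk) + "\n")
        paths.append(path)
    return paths


def hf_commands(host_files, baseline=True, out_prefix="scan"):
    """Build mbsacli /hf command lines; -b -v -nosum mirror the GUI scan."""
    flags = ["-v", "-nosum"] + (["-b"] if baseline else [])
    cmds = []
    for n, path in enumerate(host_files, start=1):
        result = f"{out_prefix}{n:03d}.txt"  # -f stores results; -o tab = tab-delimited
        cmds.append(f'mbsacli.exe /hf -fh "{path}" {" ".join(flags)} -o tab -f "{result}"')
    return cmds


if __name__ == "__main__":
    # Constructed inventory of 600 names: expect three files (256, 256, 88).
    inventory = [f"WS{i:04d}" for i in range(600)]
    with tempfile.TemporaryDirectory() as d:
        for cmd in hf_commands(write_host_files(inventory, d)):
            print(cmd)
```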
Scan reports will be stored on the computer on which the tool is installed in the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.
By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related updates will be scanned and reported. A user running an HFNetChk-style scan would use the -b option to scan only for WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.
Note that for products not installed on a scanned machine, the security update check is not performed for those products, and they are not listed in the Security Update Scan Results table in the report. In addition, the Office security update scan will not be performed with the /hf flag, as it is performed outside of the HFNetChk engine. Office security updates can be scanned in the MBSA GUI (mbsa.exe) or the MBSA-style scan using mbsacli.exe.
Password checks can add a substantial amount of time to a scan, depending on the computer role and the number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note that the tool will reset any account lockout policies detected on the computer so as not to lock out any individual user account during the password check. This check is not performed on domain controllers.
If this option is cleared prior to scanning a computer, neither the local Windows nor the SQL account password checks will be performed.
The IIS 6.0 Common Files are required on the local machine that is remotely scanning an IIS 6.0 server. The IIS 6.0 Common Files can also be used to scan downlevel IIS machines (e.g., IIS 5.0); however, the IIS 5.0 Common Files cannot be used to remotely connect to and scan a machine running IIS 6.0.
The tool checks for administrative vulnerabilities on each instance of SQL and MSDE found on the computer. All individual SQL checks will be performed on each instance of SQL and MSDE.
MSDE is a data engine built and based on core SQL Server technology. It is a redistributable database engine that supports single- and dual-processor desktop computers. MSDE is packaged in a self-extracting archive for ease of distribution and embedding. Since it is fully compatible with other editions of SQL Server, users can upgrade from MSDE to SQL Server if an application grows beyond the storage and scalability limits of MSDE.
Version 1.2 has localization support for Japanese, German, and French, including the ability to download localized versions of the mssecure.xml file from Microsoft. When a non-English machine is scanned for missing security updates without the associated localized mssecure.xml file, checksum checks will not be performed.
MBSA V1.2 can be used to scan up to 10,000 machines on a network at a time. More information on network scans is available in the MBSA White Paper.
An MBSA newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:
News server: Msnews.microsoft.com
Newsgroup: Microsoft.public.security.baseline_analyzer
When reporting bugs, include the following information:
HFNetChk was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com).