Microsoft security tools: MBSA and MSAT explained

Regular security assessments are crucial, but can be costly. In this tip, Michael Cobb explains how to use the Microsoft Baseline Security Analyzer and the Microsoft Security Assessment Tool for a thorough and free network and risk audit.

A comprehensive security policy should state the need for regular assessments and audits of the operating systems, applications and services running on the network. However, many vulnerability scanners are beyond the budget of a small IT department.

If you're a Microsoft-based organisation, however, you can use two free Microsoft security tools, the Baseline Security Analyzer 2.1 (MBSA) and the Security Assessment Tool (MSAT). Both tools provide easy ways to identify common security misconfigurations and offer information and recommendations about best practices for security within an IT infrastructure.

Microsoft Baseline Security Analyzer
The MBSA can help you stay on top of regular network auditing tasks by scanning both local and remote Microsoft systems for common security misconfigurations. It can also identify missing security updates and service packs available through the various Microsoft Update technologies, helping to ensure all machines are patched correctly. It can run vulnerability assessment checks for the following software:

  • Client versions of Windows, including Windows 7
  • Windows Server, including Windows Server 2008
  • SQL Server
  • Internet Information Server (IIS)
  • Internet Explorer
  • Microsoft Office

MBSA creates and stores individual security reports in XML for each computer scanned. These are displayed in HTML within the user interface and can be copied into other reports or audit records. The reports produced show severity ratings in accordance with Microsoft's security recommendations and, like most good security scanners, include not only details about any failed tests, but also suggest corrective measures, often with specific guidance on how to fix the problem, such as links to service packs or Microsoft Security Bulletins. Even if the network is up to date with patches, you may be surprised at how many administrator errors MBSA can pick up.

If the organisation is still using older versions of Microsoft products that aren't supported by MBSA 2.1, such as Office 2000, ISA Server 2000, and SQL Server 7.0 and 2000, check out the MBSA 2.1 companion tool Shavlik NetChk Limited, which is provided for free by Shavlik Technologies LLC. This utility analyses the patch status of those Microsoft products not supported by current Microsoft patch technologies and outputs the results to XML files that can be viewed via MBSA.

If you have Microsoft Office Visio, you can also download the Visio Connector for Baseline Security Analyzer. This add-on lets you view the results of an MBSA scan in a clear, comprehensive network diagram. The colour-coded graphics and diagrams make it easy to see where any problems are and which problems need prioritising, as well as impress the boss.

You may not necessarily need to fix every problem in an MBSA report. Certain vulnerabilities will not be applicable or will present a low risk to a particular system. Even if you do get to the point where MBSA doesn't report any vulnerabilities, that doesn't mean the system is perfectly secure; the scanner can only check for certain known vulnerabilities, so the system could still be vulnerable to unknown or emerging threats like zero-day attacks, thus, it's still necessary to watch out for Microsoft's security alerts. It's also a good idea to run the scan again after installing any patches to ensure they have been installed, and installed correctly . Also, if you want a second opinion regarding a vulnerability's severity, use the comprehensive vulnerability database maintained by Secunia. It allows you to search for vulnerabilities relating to a specific product or vendor, as well as those relating to a particular aspect of the system.

MBSA is an easy, straightforward tool to use, and there is plenty of supporting information if you need help. Microsoft offers a good MBSA FAQ, and if you're running a larger number of computers, then there's an on demand webcast that demonstrates how to use MBSA in common scenarios to improve the security update management process.

Microsoft Security Assessment Tool
As we all know, security is a never-ending task, so once you've run MBSA, installed the missing patches and implemented its other recommendations, continue the free security assessment with the Microsoft Security Assessment Tool, which is easy to use and can help measure the effectiveness of your current policies.

The Business Risk Profile questionnaire -- which helps measure how much risk is associated with the way a customer does business -- won't take long to fill in, but it may take some time to complete the assessment questionnaire. This questionnaire is used to evaluate the effectiveness of your security strategy over four areas of analysis: people, processes, resources and technology. The assessment uses the defence-in-depth concept -- layered defences that include technical, organisational and operational controls -- and is based on accepted standards and best practices, such as ISO 27001 and NIST-800.x.

Upon completion of the assessment, the tool gives recommendations and prescriptive guidance for managing the risks that have been highlighted for your particular environment, existing technology and current security posture. The recommendations are designed to move current security policies, processes and controls toward recognised best practices.

The tool also provides links to further relevant information with additional guidance from Microsoft's Trustworthy Computing Group. These resources can help to keep you up to date with emerging tools and methods that can improve your overall security, often for free.

Microsoft invites companies to upload their MSAT data to them. By doing this, you can gain access to the full MSAT report for your company, which you may save and print. You will also be able to compare your results with those of industry peers, and organisations of a similar size. Though, for privacy reasons, the MSAT only collects generic, non-identifiable information such as company size and industry, along with Business Risk Profile (BRP) and Defense-in-Depth Index (DiDI) scores. As the assessment is repeatable, it can be used to measure progress in achieving your organisation's security goals within its IT infrastructure over a period of time.

In addition to measuring the alignment of security risks and defences, this tool also measures the security maturity of your organisation. Security maturity refers to the evolution of strong security and maintainable practices. At organisations with relatively immature security, few security defences are employed and actions to security risks are reactive. Mature organisations, however, have established and proven processes that allow them to be more proactive and respond more efficiently and consistently when needed.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.


Read more on IT risk management