Vulnerability Checks
MBSA will scan computers for several security issues. It uses Windows Management Instrumentation queries to inspect the system for the following vulnerabilities:
Check for Windows Administrative Vulnerabilities MBSA inspects the system for basic security issues such as whether more than one user is a member of the Administrators group, the Guest account is enabled (it should be disabled), NTFS is used on all the drives, and any folders are being shared.
Check for Weak Passwords MBSA checks for blank or weak passwords on each local account on the system. A strong password will have at least eight characters and use a combination of at least three of the four character types (uppercase, lowercase, numbers, and symbols).
Check for IIS Administrative Vulnerabilities This check looks for vulnerabilities in Internet Information Services (IIS) versions 5.0, 5.1, and 6.0. It also checks to see whether the IIS Lockdown Tool has been run on these versions. If IIS is not installed on the scanned system, this check is skipped.
Check for SQL Administrative Vulnerabilities This check looks for vulnerabilities in both SQL Server instances and the Microsoft Data Engine (MSDE) that is installed on any scanned computers. If SQL Server or MSDE is not installed on the system, this check is skipped.
Check for Security Updates This check scans all systems to determine whether all current security updates are installed. It uses the same technology that is used by WSUS and SCCM to scan the computers. However, if your network is not using WSUS or SCCM, this is a valuable tool to determine easily whether clients are up to date. A green check indicates that no missing security updates were identifi ed. Missing updates are marked with a red X, and missing service packs or update rollups are marked with a yellow X.
Tip The easiest way to verify that unmanaged clients have installed updates is by using MBSA Clients managed by WSUS or SCCM will be checked using those tools, but if clients aren't being managed by WSUS or SCCM, they can be checked with MBSA.
The security updates check gives you several additional options, including these:
Configure Computers for Microsoft Update And Scanning Prerequisites If a client doesn't have the Windows Update Agent installed, it can't be scanned. However, selecting this setting allows you to install the Windows Update Agent and other prerequisites automatically on the target computers so that they can be scanned.
Advanced Update Services Options Two additional update services options are available for clients that are configured to receive updates from WSUS servers. If your environment is not using WSUS, these settings won't be used.
Scan Using Assigned Windows Server Update Services (WSUS) Servers Only This option can be used in an environment where WSUS is being used. It will scan only computers that are configured to receive updates from WSUS servers.
Scan Using Microsoft Update Only This option allows you to compare clients against the list of updates available from Microsoft instead of the list of updates that have been approved on the WSUS server.
MBSA provides a report on the findings for each scan. Reports include information on any issues that are found and also provide instructions on how to fix any of the issues.
In this tutorial:
- Windows 7 and Other software Up to Date
- Understanding Windows Live
- Updates versus upgrades
- Why updates are important
- Windows Update
- Windows Update: The essentials
- Types of Updates
- Completing an Update
- Configuring automatic Updating
- Windows Update Applet and Functions
- Manually Install Updates Using Windows Update
- Action Center
- Updates Do Not Install Properly
- Other Windows Update Settings
- Configuring Windows 7 Update to Use a Proxy Server
- Can't Find Hidden Update
- Viewing and Changing Installed Updates
- Can't Uninstall Current Update
- Upgrade Windows Anytime
- Understanding Windows Server Update Services
- Windows Update Policies
- Updating Drivers
- Using Device Manager to Update Drivers
- Windows Update Driver Settings
- Windows 7 Service Packs
- Basic Service Pack Information
- Installation of Service Packs
- Installing and Removing Software
- Installation via CD or DVD
- Problem Installing from Disc
- Installation via Downloaded Program
- Viewing and Changing Programs
- Uninstalling Software
- Compatibility Issues in 64-Bit Version
- Upgrade Issues with 64-Bit Windows 7
- Other Program Compatibility Issues
- Side-by-Side Installs and Virtual Registries
- Removing Updates from Windows 7
- Thwarting Exploits with DEP
- Microsoft Baseline Security Analyzer
- Picking Computers to Scan
- Vulnerability Checks
- Installing MBSA
- Running the MBSA
- Running the MBSACLI
- MBSACLI Location
- Running in an Isolated Environment
- Using Windows Server Update Services
- WSUS Updates
- WSUS Requirements
- Installing, Configuring, and Using WSUS
- Adding the Application Server and Web Server (IIS) Roles
- Installing the Report Viewer
- Installing WSUS
- Configuring Group Policy Settings for WSUS
- Creating a GPO to Configure Clients to Use WSUS
- Verifying That Clients Are Using GPO Settings for WSUS
- Verifying That Clients Are Using GPO Settings with GPResult
- Creating Computer Groups on WSUS
- Approving Updates in WSUS
- Viewing WSUS Reports