Windows 7 / Getting Started

Vulnerability Checks

MBSA will scan computers for several security issues. It uses Windows Management Instrumentation queries to inspect the system for the following vulnerabilities:

Check for Windows Administrative Vulnerabilities MBSA inspects the system for basic security issues such as whether more than one user is a member of the Administrators group, the Guest account is enabled (it should be disabled), NTFS is used on all the drives, and any folders are being shared.

Check for Weak Passwords MBSA checks for blank or weak passwords on each local account on the system. A strong password will have at least eight characters and use a combination of at least three of the four character types (uppercase, lowercase, numbers, and symbols).

Check for IIS Administrative Vulnerabilities This check looks for vulnerabilities in Internet Information Services (IIS) versions 5.0, 5.1, and 6.0. It also checks to see whether the IIS Lockdown Tool has been run on these versions. If IIS is not installed on the scanned system, this check is skipped.

Check for SQL Administrative Vulnerabilities This check looks for vulnerabilities in both SQL Server instances and the Microsoft Data Engine (MSDE) that is installed on any scanned computers. If SQL Server or MSDE is not installed on the system, this check is skipped.

Check for Security Updates This check scans all systems to determine whether all current security updates are installed. It uses the same technology that is used by WSUS and SCCM to scan the computers. However, if your network is not using WSUS or SCCM, this is a valuable tool to determine easily whether clients are up to date. A green check indicates that no missing security updates were identifi ed. Missing updates are marked with a red X, and missing service packs or update rollups are marked with a yellow X.

Tip The easiest way to verify that unmanaged clients have installed updates is by using MBSA Clients managed by WSUS or SCCM will be checked using those tools, but if clients aren't being managed by WSUS or SCCM, they can be checked with MBSA.

The security updates check gives you several additional options, including these:

Configure Computers for Microsoft Update And Scanning Prerequisites If a client doesn't have the Windows Update Agent installed, it can't be scanned. However, selecting this setting allows you to install the Windows Update Agent and other prerequisites automatically on the target computers so that they can be scanned.

Advanced Update Services Options Two additional update services options are available for clients that are configured to receive updates from WSUS servers. If your environment is not using WSUS, these settings won't be used.

Scan Using Assigned Windows Server Update Services (WSUS) Servers Only This option can be used in an environment where WSUS is being used. It will scan only computers that are configured to receive updates from WSUS servers.
Scan Using Microsoft Update Only This option allows you to compare clients against the list of updates available from Microsoft instead of the list of updates that have been approved on the WSUS server.

MBSA provides a report on the findings for each scan. Reports include information on any issues that are found and also provide instructions on how to fix any of the issues.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 and Other software Up to Date
  2. Understanding Windows Live
  3. Updates versus upgrades
  4. Why updates are important
  5. Windows Update
  6. Windows Update: The essentials
  7. Types of Updates
  8. Completing an Update
  9. Configuring automatic Updating
  10. Windows Update Applet and Functions
  11. Manually Install Updates Using Windows Update
  12. Action Center
  13. Updates Do Not Install Properly
  14. Other Windows Update Settings
  15. Configuring Windows 7 Update to Use a Proxy Server
  16. Can't Find Hidden Update
  17. Viewing and Changing Installed Updates
  18. Can't Uninstall Current Update
  19. Upgrade Windows Anytime
  20. Understanding Windows Server Update Services
  21. Windows Update Policies
  22. Updating Drivers
  23. Using Device Manager to Update Drivers
  24. Windows Update Driver Settings
  25. Windows 7 Service Packs
  26. Basic Service Pack Information
  27. Installation of Service Packs
  28. Installing and Removing Software
  29. Installation via CD or DVD
  30. Problem Installing from Disc
  31. Installation via Downloaded Program
  32. Viewing and Changing Programs
  33. Uninstalling Software
  34. Compatibility Issues in 64-Bit Version
  35. Upgrade Issues with 64-Bit Windows 7
  36. Other Program Compatibility Issues
  37. Side-by-Side Installs and Virtual Registries
  38. Removing Updates from Windows 7
  39. Thwarting Exploits with DEP
  40. Microsoft Baseline Security Analyzer
  41. Picking Computers to Scan
  42. Vulnerability Checks
  43. Installing MBSA
  44. Running the MBSA
  45. Running the MBSACLI
  46. MBSACLI Location
  47. Running in an Isolated Environment
  48. Using Windows Server Update Services
  49. WSUS Updates
  50. WSUS Requirements
  51. Installing, Configuring, and Using WSUS
  52. Adding the Application Server and Web Server (IIS) Roles
  53. Installing the Report Viewer
  54. Installing WSUS
  55. Configuring Group Policy Settings for WSUS
  56. Creating a GPO to Configure Clients to Use WSUS
  57. Verifying That Clients Are Using GPO Settings for WSUS
  58. Verifying That Clients Are Using GPO Settings with GPResult
  59. Creating Computer Groups on WSUS
  60. Approving Updates in WSUS
  61. Viewing WSUS Reports