Patch Scanning with MBSA

If you can’t verify a security control is in place, then don’t count on it being in place. In talking to a friend, I learned that a large part of his company’s security protections relied on their firewall, anti-virus, and patching. As we dug deeper into it, I found that they don’t really review the firewall logs, and that both the AV and OS/software patches were pushed centrally, but that’s where their process ended. They did no verification to make sure that the patches were successfully installed. Unfortunately, this practice of not validating the company’s protection mechanisms is fairly common.

Not every company can justify running out and buying Retina or Shavlik’s NetChk, but it’s hard to argue with getting an initial scan done to gauge the existing patch status using a free tool like Microsoft’s MBSA (Microsoft Baseline Security Analyzer). If you haven’t looked at this tool recently (or have never looked at it), it’s worth checking out. Let’s start with the negatives. It only scans Microsoft systems, it only scans some Microsoft products (it won’t tell you if users are running vulnerable versions of Adobe Reader or Firefox), and you need to run the scan with an account that has administrative privileges on the system being scanned.

Now for the good stuff. MBSA can scan a single system, an IP range, or all of the computers in your domain. It offers both a GUI and command line options. In addition, it not only scans for missing Windows patches, but also for missing SQL and IIS patches, as well as common configuration vulnerabilities. These common configuration vulnerabilities include things like weak password configurations, enabled guest accounts, firewall status, whether IIS sample applications are installed, SQL install folder permissions, CmdExec access, and more. Given the quality of the scans, I think that, after proper testing, most small businesses should look at performing a scan of their whole network, and mid-size to large companies that don’t validate their patch status should at least look into performing scans against their key systems (you may be surprised at what you’ll find).

Okay, so with that, let’s take a look at the tool. To begin with, MBSA can currently be downloaded from here: http://technet.microsoft.com/en-us/security/cc184924.aspx.

The download and installation are straightforward, so I won’t go over them here. After installing and launching MBSA, you’re presented with a screen asking if you want to scan one computer, scan multiple computers, or view the reports from previous scans. If you choose to scan multiple computers, you’re presented with the following window, which lets you select what domain or IP range you want to scan and what you want to scan for.

MBSA configuration menu

Then just click “Start Scan” and let it run. The reports are easy to read, and have links to more information on what was checked and how to fix the issues found. After the scan completes, you’ll be able to view the reports from the main page.

MBSA Scan results

Details of each problem found, and the steps to fix it, are available for every issue by clicking the link below it.

MBSA Scan results detail window

The command line tool (mbsacli.exe) is installed by default in the same directory that MBSA was installed to. It can be run by opening a command prompt in the directory where mbsacli.exe is located and running:

mbsacli /r 192.168.1.1-192.168.1.101

(where /r stands for range, and the IP range you want to scan is specified after it).

MBSA command line interface window

mbsacli offers additional options for specifying the username and password used to connect to the remote computers, as well as which checks to run. The scan results can be viewed from the command line or from the GUI tool.
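As an added example (not code from the original post or from Microsoft), the PowerShell script below wraps mbsacli.exe so the range scan from the post runs unattended and every report it produced is printed afterwards, which is the "verify, don't just push" step the post argues for. Everything beyond the /r switch is an assumption on my part: the MBSA 2.x install path, the /u, /p, /n and /ld switches (real mbsacli 2.x options, but the post itself only names /r), the placeholder account name, the report directory %USERPROFILE%\SecurityScans, and the Machine attribute read from each .mbsa report's root element.

```powershell
# Added example, not part of the original post. Assumed (not taken from the
# post): install path, the /u /p /n /ld switches, the report directory, the
# CORP\svc-mbsa placeholder account, and the Machine attribute on the report root.
param(
    [string]$Range      = '192.168.1.1-192.168.1.101',   # same range as the post
    [string]$MbsaDir    = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2",
    [string]$ScanUser   = 'CORP\svc-mbsa',               # placeholder account name
    [string]$SkipChecks = '',                            # e.g. 'IIS+SQL' to skip those groups
    [string]$ReportDir  = "$env:USERPROFILE\SecurityScans"
)

$mbsacli = Join-Path $MbsaDir 'mbsacli.exe'
if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

# Ask for the password at run time rather than storing it in the script or shell history.
$cred  = Get-Credential -UserName $ScanUser -Message 'Account with admin rights on the targets'
$plain = $cred.GetNetworkCredential().Password

$started = Get-Date

# /r = IP range (as in the post); /u and /p = account used to reach the targets;
# /n = check groups NOT to run (OS, SQL, IIS, Updates, Password, joined with '+').
$cliArgs = @('/r', $Range, '/u', $cred.UserName, '/p', $plain)
if ($SkipChecks) { $cliArgs += @('/n', $SkipChecks) }
& $mbsacli @cliArgs | Out-Null
$plain = $null

# Keep only the reports written by this run; older scans stay out of the summary.
$reports = Get-ChildItem -Path $ReportDir -Filter '*.mbsa' -ErrorAction Stop |
           Where-Object { $_.LastWriteTime -ge $started }

if (-not $reports) {
    # Nothing written means nothing was verified: usually the account lacks admin
    # rights on the targets or the hosts are unreachable.
    Write-Warning "No reports were produced for $Range; the scan did not complete."
    return
}

foreach ($r in ($reports | Sort-Object Name)) {
    [xml]$doc = Get-Content -Path $r.FullName
    $machine  = $doc.DocumentElement.GetAttribute('Machine')   # assumed attribute name
    Write-Host "==== $machine ($($r.Name)) ===="
    # /ld prints the stored detailed report; the report name is the file name without .mbsa.
    & $mbsacli /ld $r.BaseName
}

Write-Host ("{0} report(s) produced for range {1}; any host in the range that is missing here was not verified." -f @($reports).Count, $Range)
```

Run it from an elevated prompt as an account that is a local administrator on the targets, since the post notes that is what the scan requires; the script warns rather than silently succeeding when no report comes back, because an unscanned host is exactly the "unverified control" the post is about.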