Getting Familiar with MBSA 1.2.1


Dec 4, 2013 (4 years and 7 months ago)


©2004. All rights reserved.


Overall Features and Design

Tool Overview

Scanning / Performance


MBSA Details

Limitations of MBSA v1.1.1

What’s new in MBSA v1.2.1

Scripting with MBSA v1.2.1


Overall Features and Design


Tool Overview

Single executable that runs on Microsoft Windows

Windows XP, and Windows Server 2003 (/hf local scan also
works on Windows NT 4.0 SP4

Performs remote scans against Windows NT 4.0 SP4, Windows
2000, Windows XP, and Windows Server 2003 systems.

Focused on agent-less assessment, tactical deployment, being
easy to use, easy to take advantage of.

Installer package contains:

GUI (Mbsa.exe)

Command-line interface (Mbsacli.exe)

Latest version is 1.2.1, just released August 16, 2004.

Prior version is 1.1.1 and 1.2, released June 2003 and January


MBSA Console


How it works*

Bulletin IDs

Product specific

File data

Registry data

KB article

*Only covers security patch scanning capabilities, not security configuration detection issues.

Checks MBSA version,
downloads and
verifies digital

Run MBSA on admin
system, specify

Scans target systems for
OS, OS components, and

to see if updates

Checks if the necessary
updates are missing.

Generates time
report of missing updates.


Download Center



Two main engines

MBSA engine for system configuration checks (about 60 different

HFNetChk engine for security update checks

MBSA-style scan

System configuration checks and missing security updates

Offered through MBSA GUI (Mbsa.exe) or CLI (Mbsacli.exe)

Individual XML scan report created for each computer

Single threaded

/hf style scan

Only missing/installed security updates and SPs

Offered through Mbsacli.exe using /hf switch

Text output to screen or option to write text to file





Duration (seconds)

Resources (bytes)

Windows vulnerabilities


1 MB

Weak passwords


3.2 MB

IIS vulnerabilities


130 KB

SQL vulnerabilities


200 KB

Security Updates (/nosum)


6.5 MB



11 MB

Security Updates (/sum)


64 MB

Basis: Fully patched remote Windows XP SP1 on a busy 100
Mbps LAN


SUS Support

Perform security update by
pointing to local SUS Server for
approved updates.

GUI: MBSA reads registry for
SUS server info, or user types it in.

Command line.

Mbsacli.exe /sus

Mbsacli.exe /hf /sus

Scans for approved updates on
SUS server instead of all
available updates.

Reads ApprovedItems.txt file
through HTTP on SUS server.


SMS Support

Compatibility with SMS 2.0 Software Update Services Feature
Pack and SMS 2003

Pushes /hf to each client to perform local scan (Mbsacli.exe /hf)

Parses output

SMS administrators can centrally distribute security updates to clients

SMS 2003 is currently using MBSA v1.2


MBSA Details


MBSA v1.1.1 Limitations

Note messages are displayed for patches that can’t be

Products that don’t have detection

MSXML for MS02-008 (multiple KBs for multiple versions)

More than one patch for a single product targeted at a particular OS
(Mssecure.xml schema limitation)


9.0 for Windows 2000, Windows XP, Windows Server

for MS03

A version of an Internet Explorer 5.01 patch for Windows 2000 that
differs from Internet Explorer 5.01 on Windows XP

Sometimes can only check for registry key to determine if
patch is installed

Example: Common reg key for each Ntdll.dll version in MS03
whereas file version and checksums different

When a non-security update overwrites files previously
patched, MBSA flags the originally patched files as

No localized file details to use for checksum data, except for


What’s New in the MBSA v1.2 Family

UI Improvements

Tool localization (JA, DE, FR)

MSSecure.xml localization support (as available)

Upgrade support and new version notification

Revamped KB article

(September 23, 2004)

Complete list of products supported/unsupported

Updated list of notes/warnings/product names

Additional Products

Office Detection Tool integration (local scans only) for Office 2000
and later

Microsoft Data Access Components (MDAC), Microsoft XML Core
Services (MSXML), Microsoft Virtual Machine (JVM), eBiz


Alternate file versions (‘AFiles’)

Added Configuration Checks


Upgrade Notification


Event Logging


Supported Products

For Configuration Settings:

Windows NT 4.0 SP4,
Windows 2000,
Windows XP, Windows
Server 2003

Internet Information
Services (IIS) 4.0, IIS
5.0, IIS 6.0

SQL Server 7.0, SQL Server 2000

Internet Explorer 5.01+

Office 2000, Office XP,
Office 2003

For Security Updates:

Windows NT 4.0 SP4, Windows 2000,
Windows XP, Windows Server 2003

IIS 4.0, IIS 5.0, IIS 6.0

SQL Server 7.0, SQL Server 2000/
Microsoft Data Engine (MSDE)

Internet Explorer 5.01+

Exchange 5.5, Exchange 2000, Exchange

Windows Media Player 6.4+

Office 2000, Office XP, Office 2003

MSXML versions 2.5, 2.6, 3.0, 4.0

MDAC versions 2.5, 2.6, 2.7, 2.8

Microsoft Virtual Machine (JVM)

Commerce Server 2000, Commerce
Server 2002

Content Management Server 2001,
Content Management Server 2002


2000, BizTalk 2002, BizTalk

Host Integration Server 2000, Host
Integration Server 2004 (+SNA Server


Alternate File Versions

“OR” logic to consider multiple sets of file details.

Handle case of non-security overwriting security updates.

A bulletin can have multiple patches for products targeted at
different operating systems.

Handle uniproc or multiproc patches, QFE/GDR branches

KB 824994

(Quick Fix Engineering / General Distribution Release)

Detection checks the list of alternate files: if none match, the
missing patch message will reflect the file version of the first
file entry listed in MSSecure (whether it be a FileChangeID or

Alternate files are listed as “AFileChangeID”.

MBSA 1.1.1 ignores AFileChangeID entries and only recognizes
FileChangeID entries.

Maximizes backward compatibility with MBSA v1.1.1 until customers
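The "OR" logic across FileChangeID and AFileChangeID entries, as an added example that is not part of the original slides or MBSA's own code. The data layout, the exact-version match rule and the sample values are assumptions made for illustration and do not reproduce the real MSSecure.xml schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FileDetail:
    kind: str                      # "FileChangeID" (primary) or "AFileChangeID" (alternate)
    path: str
    version: str
    checksum: Optional[int] = None

def entry_matches(entry, installed, use_checksum):
    """True if the host's copy of entry.path has this exact version (and checksum)."""
    found = installed.get(entry.path.lower())
    if found is None:
        return False
    version, checksum = found
    if version != entry.version:
        return False
    if use_checksum and entry.checksum is not None:
        return checksum == entry.checksum
    return True

def evaluate_patch(entries, installed, honor_alternates=True, use_checksum=True):
    """OR across file-detail entries; returns (installed, message).

    honor_alternates=False models MBSA 1.1.1, which skips AFileChangeID entries.
    """
    usable = [e for e in entries if honor_alternates or e.kind == "FileChangeID"]
    for e in usable:
        if entry_matches(e, installed, use_checksum):
            return True, f"found via {e.kind}: {e.path} {e.version}"
    if not usable:
        return False, "no usable file details"
    first = usable[0]              # the message cites the first listed entry
    return False, f"missing: expected {first.path} version {first.version}"

# Constructed sample data (not taken from a real MSSecure.xml).
SAMPLE_ENTRIES = [
    FileDetail("FileChangeID", r"%windir%\system32\example.dll", "1.0.0.10", 0xAAAA),
    FileDetail("AFileChangeID", r"%windir%\system32\example.dll", "1.0.0.20", 0xBBBB),
]
# Host where a later non-security update replaced the file with the alternate build.
SAMPLE_HOST = {r"%windir%\system32\example.dll": ("1.0.0.20", 0xBBBB)}

if __name__ == "__main__":
    print(evaluate_patch(SAMPLE_ENTRIES, SAMPLE_HOST))
    print(evaluate_patch(SAMPLE_ENTRIES, SAMPLE_HOST, honor_alternates=False))
```

With the same host data, the 1.1.1-style evaluation reports the patch as missing and cites the primary entry's version, while the 1.2-style evaluation accepts the alternate build.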


Alternate File Versions in Detail


Other Improvements

File version checks on Multilingual User Interface (MUI)

Fixes bug where MBSA detected wrong file version numbers on
systems using MUI

Issue was known problem with GetFileVersionInfo API on Windows
2000 systems

Guest account check

Fixed bug where ForceGuest registry key wasn’t checked (Guest
account enabled is only flagged if simple file sharing isn’t used and if
ForceGuest isn’t enabled)

KB 290403

Internet Explorer custom zone interpretation

MBSA now interprets custom zone settings and compares to
recommended default zone level settings

Event logging (with a link to Help and Support)


zone check collapsed into Internet Explorer zone
check and Office macro check


Additional Checks New to v 1.2.1

Internet Connection Firewall (ICF)

Check performed on local computer scans only

List each network connection with ICF status (disabled/enabled and if
inbound ports are open)

No listing of which ports are open

Automatic Updates (AU)

Check performed on both local and remote machines

MBSA flags if AU is not enabled, or if it is enabled but not
configured to automatically download and install

Internet Explorer Enhanced Security Configuration
(Internet Explorer hardening)

Check performed on Windows Server 2003 only

Checks if IEESC is enabled for admins and non


Details on Localized Patch Scans files

MBSA tries to download .cab file that matches operating system
language of scanned computer (so patch data will match operating

If that fails, MBSA will look in the local folder for a previously
downloaded copy of this .cab file.

If that fails, MBSA will fall back to using the English file.

Language of scanned computer determines if checksum
checks are performed.

If operating system language of the scanned computer matches the
MSSecure file language being used in the scan, then checksum
checks will be performed.

Explicitly calling /sum or /nosum will force or prevent the use of
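The catalog fallback and the checksum decision described above, as an added example that is not code from the slides or from MBSA. Host names, language codes and function names are constructed, and the block assumes that /sum and /nosum force or prevent checksum checks; it models only the language rule and those two switches.

```python
def select_catalog(os_lang, try_download, cached_langs):
    """Three-step fallback: matching download, then local copy, then English."""
    if try_download(os_lang):
        return os_lang, "downloaded"
    if os_lang in cached_langs:
        return os_lang, "local copy"
    return "en", "English fallback"

def checksums_enabled(os_lang, catalog_lang, switch=None):
    """switch is "/sum", "/nosum" or None (no explicit switch given).

    Assumption: an explicit switch overrides the language-match rule.
    """
    if switch == "/sum":
        return True
    if switch == "/nosum":
        return False
    return os_lang == catalog_lang

def plan_scan(hosts, try_download, cached_langs, switch=None):
    """Map host -> (catalog language, source, checksum checks performed?)."""
    plan = {}
    for host, os_lang in hosts.items():
        lang, source = select_catalog(os_lang, try_download, cached_langs)
        plan[host] = (lang, source, checksums_enabled(os_lang, lang, switch))
    return plan

def version_only_hosts(plan):
    """Hosts whose updates are checked without checksum comparison."""
    return sorted(h for h, (_, _, sums) in plan.items() if not sums)

# Constructed inventory: host name -> OS language code.
SAMPLE_HOSTS = {"ws-en": "en", "ws-de": "de", "ws-ja": "ja", "ws-fr": "fr"}
# Constructed conditions: only en and de downloads succeed; ja is cached locally.
SAMPLE_DOWNLOAD_OK = {"en", "de"}
SAMPLE_CACHE = {"ja"}

def sample_plan(switch=None):
    """Build the scan plan for the constructed inventory above."""
    return plan_scan(SAMPLE_HOSTS, lambda lang: lang in SAMPLE_DOWNLOAD_OK,
                     SAMPLE_CACHE, switch)

if __name__ == "__main__":
    for host, decision in sample_plan().items():
        print(host, decision)
    print("no checksum checks on:", version_only_hosts(sample_plan()))
```

Listing the hosts that end up on the English fallback shows where a scan relies on weaker evidence than the operator may expect.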


Office Update Scans

Integrated Office Update Inventory Tool 2.1

Office updates checked on local computer scans only, no remote

Office tool downloads separate Office update database files (similar to
HFNetChk downloading

Offline scanning uses similar workaround for getting detection catalog
onto scanning computer

Scanning limitations described in following support article:
“MBSA Version 1.2 Support for Microsoft Office Products”

Users running mbsacli.exe /hf will not receive an Office updates

Office detection logic not in HFNetChk

Office patch data not in Mssecure.xml


Default Scan Options

MBSA scan (GUI)


baseline aligns with Windows Update (WU) critical security updates

By default, notes and warnings are still shown

Checksum checks not performed (to match WU)

MBSA scan (Mbsacli.exe)


Checksum checks performed

By default, notes and warnings are still shown

HFNetChk scan (Mbsacli.exe /hf)


Checksum checks performed

Notes and warnings still shown by default



XML Parser (MSXML version 3.0 or later with latest SP

Required Services:

Computer being scanned locally

Workstation Service

Server Service

World Wide Web Service for IIS Vulnerability Checks

Computer that is running MBSA that performs remote scans

Workstation service

Client for Microsoft Networks

Computer being remotely scanned

Server service

Remote registry service

File and Print Sharing


Requirements (2)

IIS Common Files (required on local
computer when scanning remote IIS

Firewall Ports

Port 80 (HTTP)

Outbound from scanning computer

Needed to download Mssecure.xml file

TCP 139, 445

Inbound to scanned computer(s)

Needed to scan remote computers

UDP 137, 138

To authenticate to remote computer

User must be running as Local
Administrator for scanning


Scan Connections

MBSA-style scans

MBSA will try to verify each machine account


Windows for Workgroups


Win32 API


Windows Socket Function

/hf style scans

HF engine looks for two IP ports (TCP 139, 445) required for scanning
on each computer. Scan will fail if engine cannot connect to the ports.
This does not rely on ICMP.


Scripting with MBSA v1.2.1


Scripts for leveraging MBSA into other solutions:

Enable large-scale scanning and enable low-rights end-users to check
their own compliance without calling the helpdesk

Scan an unlimited number of computers or IP addresses from an
input file

Roll up the results across many reports into a single summary based
on one or more bulletin IDs or check IDs

More info (available upon release):


Scripting with MBSA v1.2.1 (2)

Sample of rolling up the results across many reports into a
single summary:

Open the resulting XML file in Internet Explorer:


>> button to show computer list in each category

<< button to collapse the computer name list




MSSecure.xml not publicly supported

MSSecure.xml only supported for MBSA

Classic File Sharing Supported

PowerPoint, Scripts, and Notes:

Thank YOU!


MBSA Support

MBSA public newsgroup

News server:


Internet resources

Home page


Technical white paper


(main MBSA KB article)


(note messages KB article)

Scripting with the Microsoft Baseline Security Analyzer v 1.2

MBSA Version 1.2 Support for Microsoft Office Products