Check Your Windows System For Vulnerabilities With Microsoft’s Free Baseline Security Analyzer

If you’re a regular reader here, this post will serve as a reminder that scanning your system for vulnerabilities from time to time is a prudent practice.

To help you assess the overall state of security on your computer (and close any open windows in Windows), Microsoft provides a free scanning tool – Microsoft Baseline Security Analyzer (MBSA) – which scans your system and reports on missing security updates and common security misconfigurations, measured against Microsoft’s own security recommendations.

It’s important to remember that a change in system configuration calls for another MBSA run to check the new configuration for compliance. This is particularly true when installing applications or adding optional Windows components, which may bring in programs that have not been updated with the latest fixes.

For reference purposes, I’ve gathered the following statistics from the Iolo Threat Center as of October 14, 2011. This data is in line with the data obtained from more comprehensive studies we’ve seen over the last several years.

October 14, 2011.

PCs without active virus protection: 56.16%
PCs without active firewall protection: 36.11%
Average number of security flaws: 29.44

If we contrast this data with Iolo’s Global System Status Details as of March 26, 2011, it appears as if we’re on a slippery slope.

March 26, 2011.

PCs without active virus protection: 53.42%
PCs without active firewall protection: 20.88%
Average number of security flaws: 13.56

_________________________________________________________

MBSA includes both a graphical and a command-line interface (mbsacli.exe), either of which can perform local or remote scans of Windows systems. For this post I’ll focus on the graphical interface.

MBSA is capable of scanning not only a stand-alone system, but multiple systems as well.

The GUI is straightforward, and as you can see in the following screen capture – checkbox simple.

Scanning Options:

For each scan, the following options can be enabled, or disabled, as needed, in the MBSA user interface:

Check for Windows administrative vulnerabilities – scans for security issues such as Guest account status, file-system type, available file shares, and members of the Administrators group.

Check for weak passwords – checks local accounts for blank and weak passwords during a scan.

Check for Internet Information Services (IIS) administrative vulnerabilities.

Check for SQL administrative vulnerabilities – checks for the type of authentication mode, account password status, and service account memberships.

Check for security updates (missing updates) – scans for missing security updates, but only for products published to Microsoft Update; third-party software is outside MBSA’s scope.
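As an added example (not part of the original post), here is how the same checkboxes are driven from the command-line interface mentioned above, mbsacli.exe, which is how you would scan more than one machine or run MBSA on a schedule. The install path is the MBSA 2.x default and the target list is constructed for illustration; the switches are the ones printed by mbsacli.exe /?, so confirm them against your installed version before building scripts around them.

```powershell
# Added example, not from the original post or from Microsoft: drive MBSA from
# its command-line interface, mbsacli.exe, using the checks the GUI exposes as
# checkboxes. Switch names are those listed by "mbsacli.exe /?" in MBSA 2.x.
$mbsa = Join-Path ${env:ProgramFiles} 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
if (-not (Test-Path $mbsa)) { throw "mbsacli.exe not found at $mbsa (default MBSA 2.x path assumed)" }

# Hosts to scan: computer names or IP addresses. The second entry is a made-up
# address for illustration. Omit /target entirely to scan only the local machine.
$targets = @($env:COMPUTERNAME, '192.168.1.20')

foreach ($t in $targets) {
    # /n names the checks to SKIP; everything else runs. The GUI checkboxes map as:
    #   Windows administrative vulnerabilities -> OS
    #   Weak passwords                          -> Password
    #   IIS administrative vulnerabilities      -> IIS
    #   SQL administrative vulnerabilities      -> SQL
    #   Security updates                        -> Updates
    # A home PC rarely runs IIS or SQL Server, so those two are skipped here.
    # /nvc: don't check for a newer MBSA; /qp /qe /qr: suppress progress,
    # error-list and report-list output so only the scan summary is printed.
    & $mbsa /target $t /n IIS+SQL /nvc /qp /qe /qr
    Write-Host "mbsacli exit code for ${t}: $LASTEXITCODE"
}

# Reports are written as XML (.mbsa) files under %USERPROFILE%\SecurityScans.
# /ls lists the reports from the latest scan; /ld <report name> prints the
# detailed view, the CLI equivalent of the GUI's "Result details".
& $mbsa /ls
$latest = Get-ChildItem (Join-Path $env:USERPROFILE 'SecurityScans') -Filter *.mbsa |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) { & $mbsa /ld $latest.BaseName }
```

Run it from an elevated PowerShell prompt: the update check needs Internet access to fetch the current catalog, and remote targets need administrative credentials plus the usual file-and-print sharing ports open.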

The two areas of the report a home user will find most useful are:

Security misconfiguration (less secure settings and configurations).

Missing security updates and service packs (if any).

The report will provide you with specific steps to take, should the application find issues.

The following screen capture from my test machine, illustrates the partial results of a typical scan – click to expand to original size.

In this test scan, MBSA has discovered – “2 service packs or update rollups are missing”. Clicking on “Result details” brought up the following dialogue box and, as you can see, neither IE 9 nor Windows 7 Service Pack 1 is installed.

Microsoft didn’t leave me hanging though. Simply clicking “How to correct this” brought up the following Microsoft help page, which lays out an easy solution.

The following screen capture illustrates a portion of the report covering Administrative Vulnerabilities. In this area, you may find reminders that Microsoft does not necessarily agree with your personal preferences. Certainly, a number of mine rated a caution.

Should you find similar cautions following your scan, there’s no need to worry. Clicking on “How to correct this” for additional information, will help you determine if your personal preferences are safe. You may feel comfortable with your choices, despite Microsoft’s advice to the contrary.

Remember, you’re the boss.
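The administrative checks MBSA runs in this part of the report are not magic; most of them can be reproduced with WMI and ADSI. The following PowerShell is added here and is not part of the original post or of MBSA itself. It re-implements the Guest account, blank-password, file-system, file-share and Administrators-group checks so you can verify a caution yourself, or watch for the same conditions on a machine MBSA is not installed on. It assumes PowerShell 2.0 or later and administrative rights; the ComputerName parameter and the finding text are mine, and the “more than two administrators” threshold mirrors the one MBSA’s own report cautions on.

```powershell
# Added example, not from the original post or from MBSA: reproduce several of
# MBSA's "Windows administrative vulnerabilities" checks with WMI and ADSI.
# Defaults to the local machine; pass a name or IP address for a remote box
# (needs admin rights on it and the remote WMI/SMB ports open).
param([string]$ComputerName = $env:COMPUTERNAME)

$findings = @()

# 1. Guest account status (MBSA warns if Guest is enabled).
$guest = Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount `
    -Filter "LocalAccount=True AND Name='Guest'"
if ($guest -and -not $guest.Disabled) {
    $findings += "Guest account is ENABLED"
}

# 2. Enabled local accounts for which Windows does not require a password;
#    such an account may legitimately have a blank password (MBSA's blank-password check).
Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount `
    -Filter "LocalAccount=True AND Disabled=False AND PasswordRequired=False" |
    ForEach-Object { $findings += "Account '$($_.Name)' does not require a password" }

# 3. File-system type: MBSA flags any fixed volume that is not NTFS, because
#    FAT volumes carry no access-control lists at all.
Get-WmiObject -ComputerName $ComputerName -Class Win32_LogicalDisk -Filter "DriveType=3" |
    Where-Object { $_.FileSystem -ne 'NTFS' } |
    ForEach-Object { $findings += "Volume $($_.DeviceID) is $($_.FileSystem), not NTFS" }

# 4. File shares. Type 0 is an ordinary disk share created by a user or an
#    application; the hidden administrative shares (C$, ADMIN$, IPC$) have the
#    0x80000000 bit set in Type and are deliberately not reported here.
Get-WmiObject -ComputerName $ComputerName -Class Win32_Share |
    Where-Object { $_.Type -eq 0 } |
    ForEach-Object { $findings += "User-created share '$($_.Name)' -> $($_.Path)" }

# 5. Members of the local Administrators group. MBSA lists them and cautions
#    when more than two accounts hold local administrator rights.
$group  = [ADSI]"WinNT://$ComputerName/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($admins.Count -gt 2) {
    $findings += "Administrators group has $($admins.Count) members: $($admins -join ', ')"
}

# Compact report in the spirit of MBSA's "Result details".
if ($findings.Count -eq 0) {
    "No administrative findings on $ComputerName"
} else {
    $findings | ForEach-Object { "CAUTION: $_" }
}
```

Save it as a .ps1 and run it from an elevated prompt. As with MBSA’s own report, a caution is a prompt to think, not an order: a deliberately shared folder on a home network is a finding you may well choose to accept.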

To scan a machine other than the one MBSA is installed on, you will need its computer name or IP address; for the local machine MBSA fills these in itself. Running ipconfig from a command prompt on the target will show its address.

System Requirements: Windows 2000; Windows 7; Windows Server 2003; Windows Server 2008; Windows Server 2008 R2; Windows Vista; Windows XP; Windows XP Embedded. (32 bit and 64 bit).

Available languages: English, German, French, Japanese.

Download at: Microsoft

Note: Microsoft recommends viewing the readme.html file before running MBSA the first time. If you are a regular reader here, I don’t think this is necessary, but….

Filed under 64 Bit Software, Computer Audit Applications, downloads, Freeware, Microsoft, Security Rating Applications, Windows Tips and Tools

7 responses to “Check Your Windows System For Vulnerabilities With Microsoft’s Free Baseline Security Analyzer”

  1. Personally, I would use a non-Microsoft program for a security scan. Maybe this is a personal belief, but I prefer software that would provide a second opinion, not only that of Microsoft engineers (which is integrated in Windows anyway, at least partially). Yeah, they know Windows the best, but still…

  2. Mal

    Hey Bill,
    I cannot for the life of me understand how people can run without protection (in reference to the Iolo report). There is no way they can claim ignorance, not in this day and age.
    It just does not compute.
    Cheers

    • Hey Mal,

      LOL! Well said – “It just does not compute.”

      True story:

      A friend dropped in the other day so that he could log on to his Facebook page. Natural question – “So, what’s up with your own machine?”

      Answer – “I don’t know, but every time I get on the Internet it starts to act up. Guess it’s time for a new one”

      Seriously, time for a new computer because the old one is infested with malware of every description.

      My response – oh well. You’ll notice there was no offer of help from this end. Like you have – been there – done that – but, no more.

      So yeah, you’re spot on (as always 🙂 ) – “There is no way they can claim ignorance, not in this day and age.”

      Best,

      Bill

  3. pmshah

    This most probably is one more of M$’s attempts at looking for cracked OS / software!

    • Hey Pmshah,

      Really! I’d be most interested in hearing just how you came to that conclusion. Perhaps you’re aware of circumstances we should all be aware of.

      Bill

  4. Pingback: Un audit de parc informatique gratuit | Korben