The Microsoft Baseline Security Analyzer A practical look….


Transcript of The Microsoft Baseline Security Analyzer A practical look….

Page 1: The Microsoft Baseline Security Analyzer A practical look….

The Microsoft Baseline Security Analyzer

A practical look….

Page 2: The Microsoft Baseline Security Analyzer A practical look….

Overview of Network Management

Larger networks mean:
– More computers to manage.
– More computers to maintain.
– Bigger security management issues.
– More computers to check for security holes.

IT Departments Must:
– Continue to manage workstations even during growth.
– Effectively find solutions to remain efficient in network security management.

Page 3: The Microsoft Baseline Security Analyzer A practical look….

The Microsoft Baseline Security Analyzer

The Tool:
– Scans computers locally or remotely for any possible security hazards.
    Weak Passwords.
    Unnecessary services that are running.
    Firewall status.
    File Shares
– Scans Microsoft related products or technologies for any missing patches or updates.
    Microsoft Update Patches
    Microsoft Office Updates
    Microsoft Windows Vulnerabilities

Page 4: The Microsoft Baseline Security Analyzer A practical look….

The Microsoft Baseline Security Analyzer

The Tool:
– Has the ability to scan itself or multiple computers.
    Up to 10,000 computers can be scanned.

Page 5: The Microsoft Baseline Security Analyzer A practical look….

The Microsoft Baseline Security Analyzer

Installation
– Download the msi file from:
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx
– System Requirements
    Windows NT 4.x
    Windows 2000
    Windows XP or Windows Server 2003
– For Scanning:
    Locally: Must be an administrator user.
    Remotely: Must have domain administrator privileges (or administrator access to the remote computer[s]).

Page 6: The Microsoft Baseline Security Analyzer A practical look….

The MBSA User Interface

Page 7: The Microsoft Baseline Security Analyzer A practical look….

Using The MBSA

Local Scan
– Click on “Scan a Computer”
– Select your computer using the drop-down box
– Click “Start Scan”

Page 8: The Microsoft Baseline Security Analyzer A practical look….

Using The MBSA

Remote Scan
– Click on “Scan a Computer” or “Scan Multiple Computers”
– Enter the computer name or select the domain to scan or enter an IP range.
– Click “Start Scan”

Page 9: The Microsoft Baseline Security Analyzer A practical look….

Using The MBSA

The Results

Single Computer Scan
– The report of the single computer scanned is shown.

Multiple Computer Scan
– Select the report of the computer scanned.

Page 10: The Microsoft Baseline Security Analyzer A practical look….

Using The MBSA

Page 11: The Microsoft Baseline Security Analyzer A practical look….

The Security Report

Page 12: The Microsoft Baseline Security Analyzer A practical look….

The Security Report

Page 13: The Microsoft Baseline Security Analyzer A practical look….

Details of Report

Most reports include:
– Microsoft Office Updates
– Critical Updates or Patches
– Weak Password Check
– File Systems
– Guest Accounts
– Administrator Accounts
    Recommended is two.
– Windows Version
– Recommended Settings in:
    – Windows
    – Internet Explorer
    – Services
    – Firewall
    – File Sharing

Page 14: The Microsoft Baseline Security Analyzer A practical look….

Details of Report

Page 15: The Microsoft Baseline Security Analyzer A practical look….

Details of Report

Page 16: The Microsoft Baseline Security Analyzer A practical look….

Details of Report

Page 17: The Microsoft Baseline Security Analyzer A practical look….

What is the Tool Doing?!

The MBSA uses a product and update catalogue from the Microsoft web site, or a local intranet website that stores the catalogue.

The MBSA parses through the catalogue (XML file) and compares certain values in the registry, as well as scanning the OS internally.

Remote and local scans are very similar; however, to do a complete scan remotely, the remote registry service must be enabled.
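An added illustration of the catalogue comparison described on this slide, not MBSA's own code. The catalogue schema, registry key paths, product names and host snapshots are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed catalogue: element/attribute names and key paths are illustrative
# assumptions, not the schema of Microsoft's real catalogue file.
CATALOGUE_XML = r"""
<catalogue>
  <update id="EX-0001" product="ExampleOS" severity="Critical" regkey="SOFTWARE\Example\Updates\EX-0001"/>
  <update id="EX-0002" product="ExampleOS" severity="Important" regkey="SOFTWARE\Example\Updates\EX-0002"/>
  <update id="EX-0003" product="ExampleOffice" severity="Critical" regkey="SOFTWARE\Example\Updates\EX-0003"/>
</catalogue>
"""

# Constructed host snapshots. "registry" is the set of update keys present, or
# None when it could not be read (e.g. Remote Registry service not enabled).
HOSTS = [
    {"name": "WS01", "products": ["ExampleOS", "ExampleOffice"],
     "registry": {r"SOFTWARE\Example\Updates\EX-0001"}},
    {"name": "WS02", "products": ["ExampleOS"], "registry": None},
    {"name": "WS03", "products": ["ExampleOS", "OtherVendorApp"],
     "registry": {r"SOFTWARE\Example\Updates\EX-0001",
                  r"SOFTWARE\Example\Updates\EX-0002"}},
]

def load_catalogue(xml_text):
    """Parse the catalogue into {product: [(update id, severity, registry key)]}."""
    by_product = {}
    for u in ET.fromstring(xml_text).iter("update"):
        entry = (u.get("id"), u.get("severity"), u.get("regkey"))
        by_product.setdefault(u.get("product"), []).append(entry)
    return by_product

def scan_host(host, catalogue):
    """Compare one host's registry snapshot against the catalogue."""
    result = {"host": host["name"], "missing": [], "unchecked": [], "complete": True}
    if host["registry"] is None:
        result["complete"] = False  # unreadable registry: not the same as "patched"
        return result
    for product in host["products"]:
        if product not in catalogue:
            result["unchecked"].append(product)  # no catalogue coverage at all
            continue
        for uid, severity, key in catalogue[product]:
            if key not in host["registry"]:
                result["missing"].append((uid, severity))
    return result

if __name__ == "__main__":
    for h in HOSTS:
        print(scan_host(h, load_catalogue(CATALOGUE_XML)))
```

WS03 comes back with nothing missing even though one of its products is absent from the catalogue, which is the coverage limit a catalogue-driven scanner has.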

Page 18: The Microsoft Baseline Security Analyzer A practical look….

Some Opinions

Pros
– Very flexible. Command line interface allows customized output.
– Very efficient. Can scan up to 10,000 computers in one scan.
– Scans transparently. No downtime required.
– General User Interface acts like a Wizard. (Step 1, 2, 3…)

Cons
– Security scans do not take into account recently discovered vulnerabilities. Accuracy depends on Microsoft’s knowledge of vulnerabilities.
– Only scans Microsoft technologies.
– Microsoft’s control of vulnerability information.
    – Ultimately, you will only know if Microsoft makes it known. At one point, Microsoft knew of a vulnerability for six months before information was released.
    – Source: CBC News Online Article: http://www.cbc.ca/story/world/national/2004/02/10/microsoft_040210.html
– Can give false alarms if you have set your own settings.

Page 19: The Microsoft Baseline Security Analyzer A practical look….

Some Opinions

The Bottom Line
– Very useful in enterprise style networks.
– A straightforward tool that allows any user to run it.
– Free.

Page 20: The Microsoft Baseline Security Analyzer A practical look….

Thank You!

Kaleem Maxwell