Trusting Microsoft Baseline Security Analyzer 2.3

Not too long ago, Microsoft updated, or at least updated the version of the Microsoft Baseline Security Analyzer (MBSA). This tool has been around for a very long time. At first, the tool had great hope as it gave insight into settings that were not so easy to discover and other configurations that were proprietary to Microsoft.

Over the years, the tool continues to be updated without ever adding much value. And the tool is not named appropriately at all. “Baseline Security Analyzer” would indicate (to someone that had never seen it before) a tool that would give you a clear view of the security baseline for a computer you analyze. Unfortunately, this is not the case.

Before we start to dissect where the tool falls very short, let’s talk about what it does extremely well. The tool gives you one of the only views of your security updates based on the Microsoft manifest or even your own Software Update Services (WSUS) installation manifest.

The tool also gives you a good view of the local accounts (does not work for domain controllers) that are configured with blank or simple passwords. The term simple is defined by Microsoft as:

  • Password is the same as the user account name.

  • Password is the same as the computer name.

  • Password uses the word “password.”

  • Password uses the word “admin” or “administrator.”

I think we all would want it to do a much more robust check, but this is all we get in the year 2014.

The tool also checks for other security related settings, which you can see in Figure 1.

Figure 1. MBSA 2.3 security checks.

You can go through the list yourself, but let me point out a few items that are still in the product, which need to be updated or even removed.

  • File system – this checks to see if the system is running NTFS. You can’t even install a Windows operating system with anything but NTFS now.

  • Restrict Anonymous – this only checks one anonymous setting, which was updated with additional settings in Windows XP. The other anonymous settings could be set to anything and still allow anonymous connections.

  • Auditing – this only checks the basic auditing, which was improved in Windows Vista/Server 2008 with Advanced Auditing.

  • Services – this is a very basic check. It will only raise an issue if FTP, Telnet, WWW, or SMTP is installed.

There are so many security settings that are missing from this tool that it would make more sense to 1) take out everything except for the good features and then 2) create another tool that actually does look at security baselines.

We hope that Microsoft will create free, useful, complete, and updated tools like that for us moving forward. We had hopes that Microsoft Compliance Manager might be that tool, but it no longer is being updated or supported.

You Can Learn More About the ManageEngine Product Line By Going to

The original article/video can be found at Trusting Microsoft Baseline Security Analyzer 2.3

About the Author: Shannon Lewis

Leave a Reply Cancel reply