Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available

This article contains information about the Microsoft Baseline Security Analyzer tool (MBSA). This tool centrally scans Windows-based computers for common security misconfigurations and generates individual security reports for each computer that it scans. MBSA runs on computers that run Windows Server 2003, Windows 2000, and Windows XP. MBSA can scan for security vulnerabilities on computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. MBSA scans for common security misconfigurations in Windows, Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, Microsoft Data Access Components (MDAC), Microsoft XML (MSXML), Microsoft virtual machine (VM), Content Management Server, Commerce Server, BizTalk Server, Host Integration Server, and Office (local scans only). A graphical user interface (GUI) and command-line interface are available in version 1.2.1.

MBSA replaced the stand-alone HFNetChk tool and fully exposes all HFNetChk switches in the MBSA command-line interface (Mbsacli.exe). For additional information about MBSA, visit the following Microsoft Web site:

Download Information

English, French, German, and Japanese versions of MBSA are available from the Microsoft Download Center. Visit the following the MBSA Web page for direct links to download these versions: For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

How to Use MBSA

To run the GUI version of MBSA, start Mbsa.exe from the folder where the tool was installed. To run the command-line version, type the following command at a command prompt (from the folder where the tool was installed), and then press ENTER:

System and Language Applicability

You can run MBSA version 1.2.1 on computers that run Windows Server 2003, Windows 2000, or Windows XP. MBSA can scan computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. A Windows XP Home Edition computer cannot be scanned remotely. A Windows XP Professional computer can be scanned remotely if it is joined to a domain. If not joined to a domain, a Windows XP Professional computer can be scanned remotely only after the Local Security Setting is set to Classic – local users authenticate as themselves and simple file sharing is disabled.

For additional information about simple file sharing, click the following article number to view the article in the Microsoft Knowledge Base: MBSA cannot be used to scan computers that run Microsoft Windows 95, Windows 98, or Windows Millennium Edition.

MBSA 1.2.1 is localized for English, Japanese, German, and French.

System Requirements

The following list describes the system requirements to scan a local computer:

• Windows Server 2003, Windows 2000, or Windows XP.
• Internet Explorer 5.01 or later.
• An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
• The Workstation service and the Server service must be running.
• You must have the World Wide Web Service to perform local IIS administrative vulnerability checks.

The following list describes the system requirements for a computer that is running the tool and scanning remote computers:

• Windows Server 2003, Windows 2000, or Windows XP.
• Internet Explorer 5.01 or later.
• An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article for information about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
• The IIS Common Files are required on the computer where the tool is installed to perform remote scans of IIS computers.
  
  Note The IIS 6.0 Common Files are required on the local machine when you remotely scan an IIS 6.0 server.
• The Workstation service and Client for Microsoft Networks are turned on.

The following list describes the system requirements for the computer you want to scan remotely by using the tool:

• Windows NT 4.0 Service Pack 4 (SP4) and later, Windows 2000, Windows XP (local scans only on Windows XP-based computers that use simple file sharing), or Windows Server 2003.
• IIS 4.0, 5.0, 5.1 or 6.0 (to perform IIS vulnerability checks).
• Internet Explorer 5.01 or later (to perform Internet Explorer security zones checks).
• SQL 7.0, 2000 (to perform SQL vulnerability checks).
• Office 2000, Office XP, or Office 2003 (to perform Office vulnerability checks).
• The following services must be installed: Server service, Remote Registry service, File and Print Sharing.

How to obtain the MSXML parser

XML parsers have shipped in Internet Explorer 5.01 and later. However, Microsoft recommends that you use the latest version of Internet Explorer and the latest version of the MSXML parser. To download the latest version of the MSXML parser, visit the following Microsoft Web site:

MBSA Scanning Options

The following parts of a scan are optional. You can turn them off in the GUI or command-line interface before you scan a computer:

• Windows operating system checks
• IIS checks
• SQL checks
• Security update checks
• Password checks

MBSA Command-Line Options

There are two types of scans that you can perform by using the MBSA command-line interface: MBSA-style scans and HFNetChk-style scans.

MBSA-Style Scans

Like MBSA V1.1.1, the MBSA-style scan stores results, in individual XML files to later be viewed in the MBSA GUI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks.

Note To perform a scan with the same options as the MBSA GUI, users must explicitly use the /nosum switch.

To run the tool from the command line (from the MBSA installation folder), type mbsacli.exe, and use the following parameters.

• no option - Scan the local computer.
• /c domainname\computername- Scan the named computer.
• /i xxx.xxx.xxx.xxx - Scan the specified IP address.
• /r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scan the specified range of IP addresses.
• /d domainname - Scan the named domain.

Note You can concatenate these options. For example, you can use /n OS + IIS + Updates to skip IIS, Windows, and security update checks.

• /n IIS - Skip IIS checks.
• /n OS - Skip Windows operating system checks.
  
  Note When you use this switch, Internet Explorer and Outlook security zones and Office macro security checks are also skipped.
• /n Password - Skip password checks.
• /n SQL - Skip SQL checks.
• /n Updates - Skip security update checks.

• /sus SUS server | SUS filename - Check only for security updates that are approved at the specified SUS server, or at the file path of the Approveditems.txt file. Use one of the following options with the /sus switch:
  • The URL for the SUS Server. For example, http://server.
  • The URL or UNC path of the Approveditems.txt file. For example, http://server/Approveditems.txt.
  Note If a URL or path is not specified, the value stored in the registry of the client computer is used (if available). This registry value may be specified by the network administrator through Group Policy.
• /s 1 - Suppress security update check note messages.
• /s 2 - Suppress security update check note and warning messages.
• /s 3 - Suppress warnings except for service packs.
• /nosum - Security update checks will not test file checksums.

• /o filename By default, the output filename uses the format domain - computername (date).

• /e - List the errors from the latest scan.
• /l - List all the reports that are available.
• /ls - List the reports from the latest scan.
• /lr report name - Display an overview report.
• /ld report name - Display a detailed report.
• /v – Display security update reason codes.

• /? - Usage help.
• /qp - Do not display progress.
• /qe - Do not display error list.
• /qr - Do not display report list.
• /q - Do not display progress, error list, or report list.
• /f - Redirect the output to a file.
• /unicode – Generate unicode output. If you run a Japanese version of MBSA, or scan computers that run Japanese versions of Windows, it is a good idea to specify this switch.

HFNetChk-Style Scans

Like the stand-alone HFNetChk tool, the HFNetChk-style scan checks for missing security updates and displays scan results as text in the command-line window. To perform an HFNetChk-style scan with MBSA version 1.2.1, use the /hf flag with Mbsacli.exe.

Note To perform a scan with the same options as the MBSA GUI by using the /hf switch, you must explicitly use the -b, -v, and –nosum switches (description of switches below).

Note You cannot combine the MBSA-style scan parameters that are listed earlier with the /hfswitch option.

To run the tool from the command line (from the MBSA installation folder), type mbsacli.exe /hf, followed by one or more of the parameters that are listed later in this article.

Switches available with /hf flag

mbsacli /hf [-h hostname] [-fh filename] [-i ipaddress] [-fip filename] [-r ipaddressrange] [-d domainname] [-n] [-sus SUS server|SUS filename] [-fq filename] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history level] [-nvc] [-o option] [-f filename] [-unicode] [-t] [-u username] [-p password] [-x] [-?]

• -h hostname - Scans the named NetBIOS computer name. The default location is the local host. To scan multiple hosts, separate the host names with a comma (,).
• -fh filename - Scans the NetBIOS computer names that are specified in the text file that you named. Specify one computer name on each line in the .txt file, to a maximum of 128 names.
• -i xxx.xxx.xxx.xxx - Scans the named IP address. To scan multiple IP addresses, separate each IP address with a comma.
• -fip filename - Scans the IP addresses that you specified in the text file that you named. Specify one IP address on each line in the .txt file, with a maximum of 256 IP addresses.
• -r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scans a specified range of IP addresses.
  
  Note You can use the previous switches in combination. For example, you can use a command-line with the following format: mbsacli /hf –h hostname1,hostname2 -i xxx.xxx.xxx.xxx -fip ipaddresses.txt -r yyy.yyy.yyy.yyy-zzz.zzz.zzz.zzz
• -d domainname - Scans a specified domain.
• -n - Scans all the computers on the local network. All computers from all domains in Network Neighborhood (or My Network Places) are scanned

• -sus SUS Server|SUS filename or -sus SUS server - Check only for security updates approved at the specified URL of the SUS server, or at the file path of the specified Approveditems.txt file. If a URL or path is not specified, the value stored in the registry on the client computer will be used.
• -fq filename - Specifies the name of a file that contains the Qnumbers that you want to suppress on the output. Specify one Qnumber per line. This switch only prevents the specified items from appearing in the output; it does not remove the items from consideration during the course of a scan.
• -s 1 - Suppress security update check note messages.
• -s 2 - Suppress security update check note and warning messages.
• -nosum - Specifies not to perform checksum validation for the security update files. Typically, you do not require this switch.
• -sum - Forces a checksum scan when you scan a non-English language computer. Use this switch only if you have a custom XML file with language-specific checksums.
• -z - Specifies not to perform registry checks.
  
  Note When you use this switch with –history, registry checks will still be performed for those patches that only have registry key data and no file version information in the Mssecure.xml file.
• -v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered "not found" or if you receive a NOTE or WARNING message.
• -history [n] - Displays updates that have been explicitly installed, explicitly not installed, or both. Typically, you do not require this switch. However, you may require it under very specific circumstances. You have the following options with this switch:
  • 1 - Displays those updates that have been explicitly installed.
  • 2 - Displays those updates that have been explicitly not installed.
  • 3 - Displays those updates that have explicitly been installed and not installed.
  For example, use –history 1 to displays those updates that have been explicitly installed.
• -nvc – Do not look for a new version of MBSA.

• -o [option] - Specifies the output format that you want. You have the following options with this switch:
  • tab - Displays output in tab-delimited format.
  • wrap - Displays output in word-wrapped format.
• -f filename - Specifies the name of a file where you want to store the results. You can use the switch in both wrap and tab output.
• -unicode – Generate unicode output. If you run a Japanese version of MBSA, or scan computers that run Japanese versions of Windows, it is a good idea to specify this switch.

• -t - Displays the number of threads that are used to run the scan. By default, the value is 64, but possible values are 1 to 128. You can use this switch to increase or reduce the scanner speed.
• -u username - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.
• -p password - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. For security reasons, the password is not sent over the network in clear text. Instead, HFNetChk uses the challenge-response mechanism that is built into Windows NT 4.0 and later to secure the authentication process.
• -x - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a URL. The default file is the Mssecure.cab file from the Microsoft Web site. If you do not use this switch, the Mssecure.xml file downloads from the Microsoft Web site.
• -? - Displays a menu. You can also call this switch by using the /? syntax. The menu also appears every time that you type incorrect syntax at a command prompt.

Detecting Updates

Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 changes how updates are detected. Additionally, because of better detection capabilities in MBSA version 1.2.1, some updates may be reported as "Not applicable," although the updates were reported as "Applicable" in the previous release.

For additional information about the differences between MBSA 1.1.1 and MBSA 1.2.1, click the following article number to view the article in the Microsoft Knowledge Base:

Notes About Scanning

Scan Reports

Scan reports are stored on the computer where the tool is installed in the %userprofile%\SecurityScans folder. An individual security report is created for each computer that is scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans that are created by the tool in this folder.

Security Updates Scan

By default, a security update scan that you carry out from the MBSA GUI or from Mbsacli.exe scans and reports missing updates that Windows Update marks as critical security updates (also known as baseline critical security updates). When you carry out a security update scan from Mbsacli.exe by using the /hf switch, all security-related security updates are scanned and reported on. A user who runs an HFNetChk-style scan must use the -b option to scan only for Windows Update critical security updates.

Password Checks

The password checks can add a lot of time to a scan, depending on the computer role and the number of user accounts on the computer. Additionally, attempts to check individual accounts for weak passwords can add Security log entries (logon or logoff events) if auditing is enabled on the computer. MBSA resets any account lockout policies that are detected on the computer so that no individual user accounts are locked out during the password check. This check is not performed on domain controllers.

If you do not select this option before you scan a computer, both the local Windows and SQL account password checks will not be performed.

IIS Checks

The IIS 6.0 Common Files are required on the local machine that is used to remotely scan an IIS 6.0 server. The IIS 6.0 Common Files can be used to also scan earlier versions of IIS machines (for example, IIS 5.0). However, the IIS 5.0 Common Files cannot be used to remotely connect to and scan a computer that is running IIS 6.0.

SQL Server Checks

The tool checks for vulnerabilities on each instance of SQL Server that it finds on the computer. It performs all the individual SQL checks on each instance.

Localized Windows Builds

MBSA version 1.2.1 can scan English, German, French, and Japanese localized versions of the Windows operating system. This support includes the ability to download localized versions of the Mssecure.xml file from Microsoft. Checksum checks will not be performed when you scan a non-English computer for missing security updates without the associated localized Mssecure.xml file.

Support Options

An MBSA newsgroup has been created for users to post questions and obtain information about tool updates, technical questions, and upcoming versions:

• News server: Msnews.microsoft.com
• Newsgroup: Microsoft.public.security.baseline_analyzer

If you are reporting bugs to the newsgroup, include the following information:

• Operating system and service pack version on the computer that is running the tool.
• Operating system and service pack version of the computer that is being scanned.
• Internet Explorer version on the computer that is running the tool.
• Internet Explorer version on the computer that is being scanned.
• Version of MBSA. You can locate this information by clicking About Microsoft Baseline Security Analyzer in MBSA.

MBSA was developed for Microsoft by Shavlik Technologies LLC. For additional information about Shavlik Technologies LLC, see the following Shavlik Technologies LLC Web site: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Error Messages

When you use the Mbsacli /hf tool, you may receive any one of the following error messages. The following list describes the error messages and how to resolve them. This error message indicates that Mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct. You may receive this error message if a network problem prevents Mbsacli from scanning the specified computer. To resolve this error, verify that your computer (the computer that performs the scan) is correctly connected to the network and that you can remotely log on to the specified computer you want to scan. You receive this error message because a network or computer error occurred during the scan. To resolve this error, verify that your scanning computer is correctly connected to the network and that the computer you are scanning is still connected to the network. Additionally, make sure that the remote computer is running the Server service. You receive this error message because a general network error occurred. See your computer documentation for more information.You may receive this error message if no computer has the specified IP address. If there is a computer at this address, a personal firewall or port filtering device may be dropping packets that are going to TCP ports 139 and 445.You receive this error message because there is a computer at this IP address, but it is either not listening or is blocking access to TCP ports 139 and 445.You may receive this error message if the administrator has unshared the systemroot (typically C$ or similar) or has disabled the AutoShareServer(Wks) by using the registry.You receive this error message because the current or specified user account that performs the scan does not have administrative credentials for the computer that the user is scanning. To resolve this error, verify that the specified account is a member of the local administrators group on the computer you want to scan (or a member of a group that has local administrative credentials).To resolve this error, verify that the Server service is enabled on the remote computer and that you can remotely log on to that computer. Additionally, make sure that the Workstation service is running on the computer that performs the scan.To resolve this error, verify that the Remote Registry service is enabled on the computer you want to scan. You receive this error message because a general registry error occurred. See your computer documentation for more information.You receive this error message because a general registry error has occurred. There is no additional information that is available about this error message. To resolve this error message, verify that the Remote Registry service is enabled on the computer that you want to scan. The computer that you want to scan runs an operating system that the tool does not support. The computer that you want to scan may run a non-Microsoft operating system that is running SMB services, or it may emulate a Microsoft product in some other way. You may receive this error message when you scan beta or unreleased versions of Microsoft operating systems. You may receive this error message if you scan beta or unreleased versions of Microsoft service packs.You may receive this error message if the computer that is performing the scan is not connected to a network or cannot access the specified file or location.