1. Getting Familiar with MBSA 1.2.1
Alfred Barker, Gainesville College
http://www.gc.peachnet.edu/it/abarker
©2004. www.gc.peachnet.edu/it/abarker. All rights reserved.
2. Agenda
Overall Features and Design
  Tool Overview
  Scanning / Performance
  SUS / SMS
MBSA Details
  Limitations of MBSA v1.1.1
  What’s new in MBSA v1.2.1
Scripting with MBSA v1.2.1
3. Overall Features and Design
4. Tool Overview
Single executable that runs on Microsoft Windows® 2000, Windows XP, and Windows Server™ 2003 (the /hf local scan also works on Windows NT 4.0 SP4).
Performs remote scans against Windows NT 4.0 SP4, Windows 2000, Windows XP, and Windows Server 2003 systems.
Focused on agent-less assessment, tactical deployment, and being easy to use and easy to take advantage of.
Installer package contains:
  GUI (Mbsa.exe)
  Command-line interface (Mbsacli.exe)
Latest version is 1.2.1, just released August 16, 2004.
Prior versions are 1.1.1 and 1.2, released June 2003 and January 2004 respectively.
5. MBSA: How it works
6. Scanning
Two main engines
  MBSA engine for system configuration checks (about 60 different checks)
  HFNetChk engine for security update checks
MBSA-style scan
  System configuration checks and missing security updates
  Offered through MBSA GUI (Mbsa.exe) or CLI (Mbsacli.exe)
  Individual XML scan report created for each computer
  Single threaded
/hf style scan
  Only missing/installed security updates and SPs
  Offered through Mbsacli.exe using the /hf switch
  Text output to screen, or option to write text to a file
  Multithreaded
7. Scale/Performance
8. SUS Support
Perform a security update scan by pointing to a local SUS server for approved updates.
GUI: MBSA reads the registry for SUS server info, or the user types it in.
Command line:
  Mbsacli.exe /sus "http://mysusserver"
  Mbsacli.exe /hf /sus "http://mysusserver"
Scans for approved updates on the SUS server instead of all available updates.
Reads the ApprovedItems.txt file through HTTP on the SUS server.
9. SMS Support
Compatibility with SMS 2.0 Software Update Services Feature Pack and SMS 2003
  Pushes /hf to each client to perform a local scan (Mbsacli.exe /hf)
  Parses output
  SMS administrators can centrally distribute security updates to clients
SMS 2003 is currently using MBSA v1.2
10. MBSA Details
11. MBSA v1.1.1 Limitations
Note messages are displayed for patches that can’t be confirmed
Products that don’t have detection
  MSXML for MS02-008 (multiple KBs for multiple versions)
More than one patch for a single product targeted at a particular OS (Mssecure.xml schema limitation)
  DirectX® 9.0 for Windows 2000, Windows XP, Windows Server™ 2003 for MS03-030
  A version of an Internet Explorer 5.01 patch for Windows 2000 that differs from Internet Explorer 5.01 on Windows XP
Sometimes can only check for a registry key to determine if a patch is installed
  Example: common reg key for each Ntdll.dll version in MS03-007, whereas file versions and checksums differ
When a non-security update overwrites files previously patched, MBSA flags the originally patched files as vulnerable.
No localized file details to use for checksum data, except for English.
12. What’s New in the MBSA v1.2 Family
UI Improvements
  Tool localization (JA, DE, FR)
  MSSecure.xml localization support (as available)
  Upgrade support and new version notification
Revamped KB article 306460 (September 23, 2004)
  Complete list of products supported/unsupported
  Updated list of notes/warnings/product names
Additional Products
  Office Detection Tool integration (local scans only) for Office 2000 and later
  Microsoft Data Access Components (MDAC), Microsoft XML Core Services (MSXML), Microsoft Virtual Machine (JVM), eBiz
Detection
  Alternate file versions (‘AFiles’)
Added Configuration Checks
13. Upgrade Notification
14. Event Logging
15. Supported Products
For Configuration Settings:
  Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
  Internet Information Services (IIS) 4.0, IIS 5.0, IIS 6.0
  SQL Server™ 7.0, SQL Server 2000
  Internet Explorer 5.01+
  Office 2000, Office XP, Office 2003
For Security Updates:
  Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
  IIS 4.0, IIS 5.0, IIS 6.0
  SQL Server 7.0, SQL Server 2000 / Microsoft Data Engine (MSDE)
  Internet Explorer 5.01+
  Exchange 5.5, Exchange 2000, Exchange 2003
  Windows Media Player 6.4+
  Office 2000, Office XP, Office 2003
  MSXML versions 2.5, 2.6, 3.0, 4.0
  MDAC versions 2.5, 2.6, 2.7, 2.8
  Microsoft Virtual Machine (JVM)
  Commerce Server 2000, Commerce Server 2002
  Content Management Server 2001, Content Management Server 2002
  BizTalk® 2000, BizTalk 2002, BizTalk 2004
  Host Integration Server 2000, Host Integration Server 2004 (+SNA Server 4.0)
16. Alternate File Versions
“OR” logic to consider multiple sets of file details.
  Handles the case of a non-security update overwriting a security update.
  A bulletin can have multiple patches for products targeted at different operating systems.
  Handles uniprocessor or multiprocessor patches and QFE/GDR branches
    KB 824994 (Quick Fix Engineering / General Distribution Release)
Detection
  Checks the list of alternate files: if none match, the missing patch message will reflect the file version of the first file entry listed in MSSecure (whether it is a FileChangeID or an AFileChangeID).
  Alternate files are listed as “AFileChangeID”.
  MBSA 1.1.1 ignores AFileChangeID entries and only recognizes FileChangeID entries.
    Maximizes backward compatibility with MBSA v1.1.1 until customers upgrade.
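The “OR” detection logic above, as an added example that is not from the slides or from MBSA’s own code: a Python model of how a patch’s primary (FileChangeID) and alternate (AFileChangeID) file entries are evaluated, including the v1.1.1 behaviour of ignoring alternate entries. Paths, versions and checksums are constructed sample values.

```python
"""Added example (not from the slides or from MBSA itself): a model of the
MSSecure "alternate file" detection logic. Patch records, file versions and
checksums below are constructed sample data, not real MSSecure content."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEntry:
    kind: str        # "FileChangeID" (primary) or "AFileChangeID" (alternate)
    path: str
    version: tuple   # fixed file version, e.g. (5, 0, 2195, 6700)
    checksum: str    # constructed value; MSSecure carries a real checksum

def file_entry_matches(entry, installed, use_checksum):
    """An entry matches when the installed file is at least the listed
    version and, when checksum checks are on, the checksum agrees too."""
    inst = installed.get(entry.path)
    if inst is None:
        return False
    version, checksum = inst
    if version < entry.version:
        return False
    return (not use_checksum) or checksum == entry.checksum

def patch_status(entries, installed, use_checksum=True, afiles_supported=True):
    """Return ("installed", None) if ANY considered entry matches ("OR" logic),
    else ("missing", version_of_first_entry). With afiles_supported=False the
    AFileChangeID entries are ignored, which is the MBSA 1.1.1 behaviour."""
    considered = [e for e in entries if afiles_supported or e.kind == "FileChangeID"]
    if any(file_entry_matches(e, installed, use_checksum) for e in considered):
        return "installed", None
    first = entries[0]   # the message reports the first entry listed in MSSecure
    return "missing", first.version

# Constructed sample: one patch whose primary file entry was later overwritten
# by a non-security update that shipped a different build of the same DLL;
# the alternate entry describes that later build.
SAMPLE_ENTRIES = [
    FileEntry("FileChangeID", r"%windir%\system32\sample.dll", (5, 0, 2195, 6700), "c0ffee01"),
    FileEntry("AFileChangeID", r"%windir%\system32\sample.dll", (5, 0, 2195, 6800), "c0ffee02"),
]
# Installed state after the non-security update: newer build, alternate checksum.
SAMPLE_INSTALLED = {r"%windir%\system32\sample.dll": ((5, 0, 2195, 6800), "c0ffee02")}

if __name__ == "__main__":
    print("v1.2.1:", patch_status(SAMPLE_ENTRIES, SAMPLE_INSTALLED))
    print("v1.1.1:", patch_status(SAMPLE_ENTRIES, SAMPLE_INSTALLED, afiles_supported=False))
```

With checksums on, the v1.1.1 path reports the overwritten file as missing (the false positive described on slide 11), while the v1.2.1 path accepts the alternate entry.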
17. Alternate File Versions in Detail
18. Other Improvements
File version checks on Multilingual User Interface (MUI) systems
  Fixes a bug where MBSA detected wrong file version numbers on systems using MUI
  The issue was a known problem with the GetFileVersionInfo API on Windows 2000 systems
Guest account check
  Fixed a bug where the ForceGuest registry key wasn’t checked (an enabled Guest account is only flagged if simple file sharing isn’t used and ForceGuest isn’t enabled; see KB 290403)
Internet Explorer custom zone interpretation
  MBSA now interprets custom zone settings and compares them to the recommended default zone level settings
Event logging (with a link to Help and Support)
Outlook® zone check collapsed into the Internet Explorer zone check and the Office macro check
19. Additional Checks New to v1.2.1
Internet Connection Firewall (ICF)
  Check performed on local computer scans only
  Lists each network connection with its ICF status (disabled/enabled, and whether inbound ports are open)
  No listing of which ports are open
Automatic Updates (AU)
  Check performed on both local and remote machines
  MBSA flags if AU is not enabled, or if it is enabled but not configured to automatically download and install
Internet Explorer Enhanced Security Configuration (Internet Explorer hardening)
  Check performed on Windows Server™ 2003 only
  Checks if IEESC is enabled for admins and non-admins
20. Details on Localized Patch Scans
MSSecure.cab files
  MBSA tries to download the .cab file that matches the operating system language of the scanned computer (so patch data will match the operating system).
  If that fails, MBSA will look in the local folder for a previously downloaded copy of this .cab file.
  If that fails, MBSA will fall back to using the English file.
Language of the scanned computer determines if checksum checks are performed.
  If the operating system language of the scanned computer matches the MSSecure file language being used in the scan, then checksum checks will be performed.
  Explicitly calling /sum or /nosum will force or prevent the use of checksums.
21. Office Update Scans
Integrated Office Update Inventory Tool 2.1
  Office updates checked on local computer scans only, no remote checking
  Office tool downloads separate Office update database files (similar to HFNetChk downloading Mssecure.cab)
  Offline scanning uses a similar workaround for getting the detection catalog onto the scanning computer
  Scanning limitations described in the following support article: “MBSA Version 1.2 Support for Microsoft Office Products”
    http://go.microsoft.com/fwlink/?LinkId=19025
    http://www.microsoft.com/technet/security/tools.mbsaqa.mspx
Users running mbsacli.exe /hf will not receive an Office updates scan
  Office detection logic is not in HFNetChk
  Office patch data is not in Mssecure.xml
22. Default Scan Options
MBSA scan (GUI)
  Uses -baseline, -v, -nosum
  -baseline aligns with Windows Update (WU) critical security updates
  By default, notes and warnings are still shown
  Checksum checks not performed (to match WU)
MBSA scan (Mbsacli.exe)
  Uses -sum
  Checksum checks performed
  By default, notes and warnings are still shown
HFNetChk scan (Mbsacli.exe /hf)
  Uses -sum
  Checksum checks performed
  Notes and warnings still shown by default
23. Requirements
XML Parser (MSXML version 3.0 or later with the latest SP): go.microsoft.com/fwlink/?Linkid-16533
Required Services:
  Computer being scanned locally
    Workstation Service
    Server Service
    World Wide Web Service for IIS vulnerability checks
  Computer that is running MBSA and performs remote scans
    Workstation service
    Client for Microsoft Networks
  Computer being remotely scanned
    Server service
    Remote Registry service
    File and Print Sharing
24. Requirements (2)
IIS Common Files (required on the local computer when scanning remote IIS computers)
Firewall Ports
  Port 80 (HTTP)
    Outbound from scanning computer
    Needed to download the Mssecure.xml file
  TCP 139, 445
    Inbound to scanned computer(s)
    Needed to scan remote computers
  UDP 137, 138
    To authenticate to the remote computer
User must be running as Local Administrator for scanning
25. Scan Connections
MBSA-style scans
  MBSA will try to verify each machine account
    NetWkstaGetInfo() - Windows for Workgroups
    LookupAccountName - Win32 API
    Gethostbyaddr - Windows Sockets function
HFNetChk-style scans
  The HF engine looks for the two IP ports (TCP 139, 445) required for scanning on each computer. The scan will fail if the engine cannot connect to the ports. This does not rely on ICMP.
26. Scripting with MBSA v1.2.1
27. Scripting with MBSA v1.2.1
Scripts for leveraging MBSA into other solutions:
  Enable large-scale scanning, and enable low-rights end users to check their own compliance without calling the helpdesk
  Scan an unlimited number of computers or IP addresses from an input file
  Roll up the results across many reports into a single summary based on one or more bulletin IDs or check IDs
More info (available upon release):
  www.microsoft.com/technet/security/tools/mbsahome.mspx
28. Scripting with MBSA v1.2.1 (2)
Sample of rolling up the results across many reports into a single summary:
Open the resulting XML file in Internet Explorer:
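The roll-up described above, as an added example that is neither the deck’s sample nor Microsoft’s MBSA scripts: Python that parses several per-computer XML reports and summarizes which machines are still missing the named bulletins. The SecScan/Check/UpdateData element and attribute names are assumed from the MBSA 1.2 report layout, and the two reports are constructed inline.

```python
"""Added example (not from the slides or from Microsoft's MBSA scripts):
roll up several MBSA-style XML reports into one summary keyed by bulletin ID.
The SecScan/Check/UpdateData names are assumed from the MBSA 1.2 report
layout; the report contents are constructed sample data."""
import xml.etree.ElementTree as ET

# Constructed sample reports, one per scanned computer, standing in for the
# per-computer XML files MBSA writes (bulletin IDs are ones named in the deck).
SAMPLE_REPORTS = {
    "HOST-A": """<SecScan Machine="HOST-A" Date="2004/08/20">
      <Check ID="100" Name="Windows Security Updates"><Detail>
        <UpdateData BulletinID="MS03-007" KBID="815021" IsInstalled="false"/>
        <UpdateData BulletinID="MS03-030" KBID="819696" IsInstalled="true"/>
      </Detail></Check></SecScan>""",
    "HOST-B": """<SecScan Machine="HOST-B" Date="2004/08/20">
      <Check ID="100" Name="Windows Security Updates"><Detail>
        <UpdateData BulletinID="MS03-007" KBID="815021" IsInstalled="true"/>
        <UpdateData BulletinID="MS03-030" KBID="819696" IsInstalled="false"/>
      </Detail></Check></SecScan>""",
}

def missing_bulletins(report_xml):
    """Return {bulletin_id: kb_id} for updates the report marks as not installed."""
    root = ET.fromstring(report_xml)
    return {u.get("BulletinID"): u.get("KBID")
            for u in root.iter("UpdateData")
            if u.get("IsInstalled", "").lower() == "false"}

def roll_up(reports, bulletin_ids):
    """Summarize many reports: for each bulletin of interest, list the machines
    (from the SecScan Machine attribute) whose report still shows it missing."""
    summary = {b: [] for b in bulletin_ids}
    for xml_text in reports.values():
        machine = ET.fromstring(xml_text).get("Machine")
        for bulletin in missing_bulletins(xml_text):
            if bulletin in summary:
                summary[bulletin].append(machine)
    return summary

if __name__ == "__main__":
    for bulletin, machines in roll_up(SAMPLE_REPORTS, ["MS03-007", "MS03-030"]).items():
        print(f"{bulletin}: missing on {len(machines)} of {len(SAMPLE_REPORTS)} computers: {machines}")
```

Pointing the same loop at a directory of real MBSA report files only changes how the dictionary of XML strings is loaded.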
29. Questions?
Caveats
  MSSecure.xml not publicly supported
  MSSecure.xml only supported for MBSA
  Classic File Sharing supported
PowerPoint, Scripts, and Notes:
  http://www.gc.peachnet.edu/it/abarker
Thank YOU!
30. MBSA Support
MBSA public newsgroup
  News server: msnews.microsoft.com
  Newsgroup: microsoft.public.security.baseline_analyzer
Internet resources
  Home page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  FAQ: http://www.microsoft.com/technet/security/tools/mbsaqa.mspx
  Technical white paper: http://www.microsoft.com/technet/security/tools/mbsawp.mspx
  320454 (main MBSA KB article)
  306460 (note messages KB article)
  Scripting with the Microsoft Baseline Security Analyzer v1.2: http://www.microsoft.com/technet/security/tools/mbsascript.mspx
  MBSA Version 1.2 Support for Microsoft Office Products: http://www.microsoft.com/en-us/assistance/HA010884161033.aspx