Microsoft Baseline Security Analyzer

August 4, 2010


Launching the MBSA GUI

Download  Microsoft Baseline Security Analyzer from

http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-4…

To launch the MBSA GUI, perform the following:

Windows – click on the “Microsoft Baseline Security Analyzer” icon on the desktop. Alternatively, it can be found via Start -> Programs -> Microsoft Baseline Security Analyzer 2.0.1

Connection Manager

To begin scanning, click the “Scan a computer…” button at the bottom to specify the computer you want to scan. You can enter either the computer name or its IP address:

Security report name:

The report name can be built from substitution variables, a fixed string, or both. For example:

A suggested name could be MailServer-%D% – %C% (%T%)

where “%D% = domain, %C% = computer, %T% = date and time, %IP% = IP address”

The default “options” to scan are as follows:

  1. Check for Windows administrative vulnerabilities
  2. Check for weak passwords
  3. Check for IIS administrative vulnerabilities
  4. Check for SQL administrative vulnerabilities
  5. Check for security updates
    • Configure computers for Microsoft Update and scanning prerequisites
    • Advanced Update Services options:
      • Scan using assigned Update Services servers only
      • Scan using Microsoft Update only

System Requirements

This section describes the system requirements for computers running or being scanned by MBSA.

Requirements for Running MBSA to Scan the Local Computer

  • The computer must be running Microsoft Windows Server™ 2003, Windows 2000 Service Pack 3 or later, or Windows XP.
  • Internet Explorer 5.01 or later must be installed.
  • An XML parser is required in order for the tool to function correctly. It is recommended that the most recent version of the MSXML parser be installed. On Windows 2000 systems that do not have MSXML 3.0 or later installed, setup will not continue until the user installs the latest MSXML parser.
  • The World Wide Web Service is required if you want to perform local IIS administrative vulnerability checks.
  • Windows Update Agent 2.0 is required to scan for updates.
  • The following must be enabled:
    • Workstation service
    • Server service

Requirements for Running MBSA to Scan Remote Computers

  • The computer must be running Microsoft® Windows® Server 2003, Windows 2000 Service Pack 3 or later, or Windows XP.
  • Internet Explorer 5.01 or later must be installed.
  • An XML parser is required in order for the tool to function correctly. It is recommended that the most recent version of the MSXML parser be installed.  On Windows 2000 systems that do not have MSXML 3.0 or later installed, setup will not continue until the user installs the latest MSXML parser.
  • The IIS Common Files are required on the computer performing remote scans of IIS computers. The IIS 6.0 Common Files are required on the local computer when remotely scanning an IIS 6.0 server.
  • Windows Update Agent 2.0 is required to scan for updates.
  • The following must be enabled:
    • Workstation service
    • Client for Microsoft Networks.

Requirements for a Computer to Be Scanned Remotely

  • The computer must be running Windows 2000 Service Pack 3 or later, Windows XP (unless using simple file sharing), or Windows Server 2003. Itanium-based computers must be running Windows Server 2003 or Windows Server 2003 with SP1.
  • Internet Explorer 5.01 or later is required for IE zone checks.
  • IIS 5.0, 6.0 is required for IIS product and administrative vulnerability checks.
  • Microsoft SQL Server version 7.0 or 2000 or Microsoft Data Engine or Microsoft SQL Server 2000 Desktop Engine (MSDE) is required for SQL product and administrative vulnerability checks.
  • Windows Update Agent 2.0 is required to scan for updates.
  • Microsoft Office System 2003, Office 2000, or Office XP is required for Office product and administrative vulnerability checks.
  • Windows Installer 3.0 or later is required for Office product updates checks.
  • The following must be enabled:
    • Server service
    • Remote Registry service
    • File and Print Sharing
  • Distributed COM (DCOM) is required for remote security update scanning.

To run MBSA, you must be logged in with an account that has local administrative privileges on each computer being scanned either locally or remotely.

Internet access is required on the computer running MBSA in order to download the offline catalog (.cab) file from the Microsoft Web site. If a copy of the file was downloaded during a prior scan, the tool attempts to use the locally cached copy when no Internet connection is detected. Whether the .cab file or a live connection is used for a given scan depends on the target computer's connectivity to the Microsoft Update site: if the target can reach Microsoft Update, MBSA scans over that connection, which is more efficient and uses less network bandwidth than the .cab file.

Obtaining an XML Parser

XML parsers have shipped in each version of Internet Explorer since version 5.01. However, it is recommended to have the latest version of Internet Explorer and the latest version of the MSXML parser installed.

The latest version of the MSXML parser is available from the Microsoft Web site.

Additional information on the Microsoft XML parser is available from the Microsoft XML Developer Center.

Scanning Options

The following checks are optional. Before scanning a computer, you can choose whether or not to run these checks.

Check for Windows administrative vulnerabilities

Selecting this option scans for problems in the way Windows is configured on the target computer. Factors such as the number of members of the local Administrators group, the file-system type of each drive, and whether Windows Firewall is enabled are checked and reported.

Check for weak passwords

Selecting this option tests the passwords of local user accounts to determine whether any are blank or have other problems that might allow them to be guessed easily.

Check for IIS administrative vulnerabilities

Selecting this option checks for Internet Information Services (IIS) administrative vulnerabilities. When scanning servers running IIS, the computer running MBSA must have the Common Files installed for the highest version of IIS to be scanned. For example, to scan servers running IIS 6.0, the IIS 6.0 Common Files must be installed on the computer running MBSA.

Check for SQL Server administrative vulnerabilities

Selecting this option checks for administrative vulnerabilities on each instance of Microsoft SQL Server, Microsoft Data Engine, or Microsoft SQL Server 2000 Desktop Engine (MSDE) running on the target computer.

Note:

Scanning SQL Server running in a cluster configuration can produce spurious errors for the Sysadmin role members, guest account, and account password tests.

Check for security updates

Selecting this option checks the target computer for missing Microsoft Windows and Microsoft Office updates. When you select this option, you can also specify the following options:

  • Configure computers for Microsoft Update and scanning prerequisites

Selecting this option installs the current version of Microsoft Update Agent on the target computer if it is absent or out of date and configures the target computer to meet other requirements for scanning for security updates.

  • Scan using Update Services servers only

Selecting this option scans only for those security updates that are approved on the computer's Update Services server. The Microsoft Update Web site or an offline catalog is not used.

  • Scan using Microsoft Update only

Selecting this option uses only the security update catalog downloaded from the Microsoft Update Web site to determine the updates to be checked. Updates that are not approved on the computer's Update Services server are reported as though they were approved.

Security Checks

This section lists the security settings that Microsoft Baseline Security Analyzer version 2.0.1 checks during a full scan. Note that if a product is not installed on a computer being scanned, the corresponding product checks will not be performed and will not be reflected in the MBSA scan reports.

  • Security update checks

Scanning computers for security updates uses the Windows Update Agent on the target computer and, where one is assigned, the target's Windows Server Update Services server. MBSA provides integration for Update Services administrators and is a comprehensive standalone tool for the information technology professional.

  • Windows checks
    • Check for account password expiration
    • Check for file system type on hard drives
    • Check if Auto Logon feature is enabled
    • Check if Guest account is enabled
    • Check the Restrict Anonymous registry key settings
    • Check the number of local Administrator accounts
    • Check for blank or simple local user account passwords
    • Check if unnecessary services are running
    • List the shares present on the computer
    • Check if Windows auditing is enabled
    • Check the Windows version running on the scanned computer
    • Check if Internet Connection Firewall is enabled
    • Check if Automatic Updates is enabled
    • Check if incomplete updates require the computer to be restarted
  • IIS checks
    • Check if the IIS Lockdown tool (version 2.1) was run on the computer
    • Check if IIS sample applications are installed
    • Check if IIS parent paths are enabled
    • Check if the IIS Admin virtual folder is installed
    • Check if the MSADC and Scripts virtual directories are installed
    • Check if IIS logging is enabled
    • Check if IIS is running on a domain controller
  • SQL Server checks
    • Check if Administrators group belongs in Sysadmin role
    • Check if CmdExec role is restricted to Sysadmin only
    • Check if SQL Server is running on a domain controller
    • Check if sa account password is exposed
    • Check SQL Server installation folders access permissions
    • Check if Guest account has database access
    • Check if Everyone group has access to SQL Server registry keys
    • Check if SQL Server service accounts are members of the local Administrators group
    • Check if SQL Server accounts have blank or simple passwords
    • Check the SQL Server authentication mode type
    • Check the number of Sysadmin role members
  • Desktop application checks
    • List the Internet Explorer security zone settings for each local user
    • Check if Internet Explorer Enhanced Security Configuration is enabled for Administrators
    • Check if Internet Explorer Enhanced Security Configuration is enabled for non-Administrators
    • List the Office products security zone settings for each local user

Command-Line Tool

Instead of the MBSA graphical user interface (GUI) tool, you can use the MBSA command-line tool to perform local and remote security scans and to display reports from previous scans. The tool is located in the directory where MBSA 2.0.1 was installed (by default, %programfiles%\Microsoft Baseline Security Analyzer 2).

Syntax

To perform a full scan of one or more computers:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain]
        [/n option[+option...]] [/o template] [/qp] [/qr] [/qe] [/qt]
        [/q] [/listfile file] [/wa | /wi] [/catalog file] [/nvc] [/nai] [/nm]
        [/nd] [/u username /p password]

To scan the local computer for updates only, sending the results to standard output (STDOUT) in XML:

MBSACLI [/xmlout] [/unicode] [/wa | /wi] [/nd] [/catalog file]

To scan one or more computers for updates only, creating reports that can be displayed by MBSA:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain]
        [/n OS+IIS+SQL+Password] [/o template] [/qp] [/qr] [/qe] [/qt]
        [/q] [/unicode] [/listfile file] [/wa | /wi] [/catalog file]
        [/nvc] [/nai] [/nm] [/nd] [/u username /p password]

To display a report:

MBSACLI [/l] [/ls] [/lr report] [/ld report] [/nvc] 

To display usage information:

MBSACLI [/?]

Parameter

You cannot use any of these parameters more than once each time you run the command.

/target [domain\]computer | IP

Scans the specified computer. You can identify the computer by using its IP address or its name and, optionally, the domain to which it belongs.

/r IP-IP

Scans all the computers that are identified by a range of IP addresses.

/d domain

Scans all the computers in the specified domain.

/n option[+option...]

Excludes the specified scan types from the scan. You can specify the following options, separating them with a plus sign (+):

  • OS: excludes Windows administrative vulnerability checks
  • SQL: excludes SQL Server administrative vulnerability checks
  • IIS: excludes IIS administrative vulnerability checks
  • Password: excludes password vulnerability checks
  • Updates: excludes security update checks

/o template

Specifies the template that MBSA uses when naming the XML output file. You can use these symbols to represent computer-specific information:

%d%

Replaced with the name of the computer's domain

%c%

Replaced with the name of the computer

%t%

Replaced with the date and time when the scan was performed

%IP%

Replaced with the computer's IP address

The default file-name template is %d% - %c% (%t%).
You can also use the variable names that were supported by previous versions of MBSA: %domain%, %computername%, and %date%.

/qp

Does not display scan progress.

/qr

Does not display the report list.

/qe

Does not display the error list.

/qt

Does not display the text output after scanning a single computer.

/q

Does not display scan progress, the report list, the error list, or text output.

/listfile file

Scans the computers identified in a file. The file argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.

/xmlout

Checks the local computer for security updates only, displaying the results as XML text. To save the report in a file, use command redirection to redirect standard output (STDOUT) to a file, for example, mbsacli /xmlout > output.xml.

For more information about using this parameter, see Security Updates Scan.

/wa

Scans only for security updates that are approved on the computer's Update Services server. The Microsoft Update web site and the offline catalog are not used. This parameter cannot be used with the /wi parameter.

/wi

Uses only the Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. This parameter cannot be used with /wa parameter. Use this parameter to scan computers whose assigned Update Services servers are not available.

/catalog file

Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. The file argument must specify a file located on the computer performing the scan.

/nvc

Prevents MBSA from checking for a newer version of MBSA.

/nai

Prevents MBSA from installing or updating the Windows Update Agent on the computer being scanned. When this parameter is used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.

/nm

Scans computers by using an offline catalog instead of the Windows Update site. Depending on the size of the offline catalog and the network load, using this parameter may cause MBSA to take more time or use more network bandwidth.

/nd

Do not download any files from the Microsoft Web site when scanning. Use this parameter to prevent the download of Wsusscan.cab, Muauth.cab, WindowsUpdateAgent20-x86.exe and WindowsUpdateAgent20-x64.exe during the scanning process. When this parameter is selected, MBSA will use any previously downloaded copies of the files. If you want, you can download the files yourself and place them in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache. This parameter applies only to downloads from the Microsoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used.
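Because /nd makes MBSA trust whatever is already in the cache, a file you placed there by hand should be checked before the scan consumes it. The following PowerShell script is an added example for this page, not part of MBSA or its documentation. It verifies that each cached file named above carries a valid Authenticode signature and that the signer is Microsoft Corporation. It assumes PowerShell is available on the scanning computer and that Get-AuthenticodeSignature can evaluate the signed .cab and .exe files; the cache path is the one given in the text.

```powershell
# Added example; not part of MBSA or its documentation.
# Before relying on "mbsacli /nd", confirm that every file placed by hand in the MBSA 2.0
# download cache carries a valid Authenticode signature from Microsoft. The cache path is
# the one given in the text; the signature check uses Get-AuthenticodeSignature, which
# evaluates signed .cab and .exe files.

# %LOCALAPPDATA% exists on Windows Vista and later; on Windows XP / Server 2003 build the
# "Local Settings\Application Data" path from the profile directory instead.
$localAppData = $env:LOCALAPPDATA
if (-not $localAppData) { $localAppData = Join-Path $env:USERPROFILE 'Local Settings\Application Data' }
$MbsaCache = Join-Path $localAppData 'Microsoft\MBSA\2.0\Cache'

function Test-MbsaCacheFile {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ File = $Path; Trusted = $false; Reason = 'not in cache' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the signing certificate chains
    # to a trusted root. NotSigned, HashMismatch, NotTrusted and UnknownError are all rejected.
    if ($sig.Status -ne 'Valid') {
        return New-Object PSObject -Property @{ File = $Path; Trusted = $false; Reason = "signature status $($sig.Status)" }
    }
    # A valid signature from some other publisher is still the wrong file: insist on a
    # Microsoft Corporation subject as well.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return New-Object PSObject -Property @{ File = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }
    New-Object PSObject -Property @{ File = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# The files the /nd parameter expects to find cached, as named in the text above.
$expected = 'Wsusscan.cab', 'Muauth.cab', 'WindowsUpdateAgent20-x86.exe', 'WindowsUpdateAgent20-x64.exe'
$results  = $expected | ForEach-Object { Test-MbsaCacheFile -Path (Join-Path $MbsaCache $_) }
$results | Format-Table File, Trusted, Reason -AutoSize

$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) cache file(s) failed verification; do not run mbsacli /nd until they are replaced."
}
```

Run the script as the same user that will run mbsacli, since the cache lives in that user's profile. A missing file is reported as untrusted as well, because with /nd there is no fallback download for it.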

/u username /p password

Specifies the user name and password to be used when scanning a remote computer. The /u and /p parameters must be used together and cannot be used when scanning the local computer. The specified user must have administrative privileges on the computer being scanned. For security purposes, the password is not sent over the network in clear text. Instead, MBSA uses the Windows challenge-response mechanism to secure the authentication process.

/l

Lists all available reports.

/ls

Lists reports from the most recent scan.

/lr report

Displays an overview of the specified report.

/ld report

Displays the details of the specified report. When scanning a single computer, this is the default behavior unless the /qt parameter is used.

/unicode

Produces the report with Unicode characters. Users running Japanese MBSA or scanning computers running Japanese Windows should specify this parameter.

/?

Displays usage information for the command-line tool.

Selecting a computer to scan

Use the following parameters to specify the computer to be scanned. If you do not specify one of these parameters on the command line, MBSA scans the local computer, that is, the computer on which it is running.

/target [domain\]computer

Scans the named computer. The domain or workgroup name is optional.

/target nnn.nnn.nnn.nnn

Scans the computer identified by the specified IP address.

/r nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn

Scans the computers identified by a range of IP addresses.

/listfile filename

Scans each computer identified by name or IP address listed in the specified file. Place each computer name or IP address on a separate line in either an ASCII or UNICODE format text file.

/d domain

Scans all computers in the specified domain.

Excluding specific checks

To exclude a specific check from scan, use the /n parameter with the keyword for that check. The following are the keywords you can use with the /n parameter.

/n IIS

Skips IIS checks

/n OS

Skips Windows Operating System (OS) checks. This also skips the Internet Explorer and Outlook zone checks and the Office macro security checks.

/n Password

Skips password checks.

/n SQL

Skips SQL Server/MSDE checks.

/n Updates

Skips security update checks.

Specifying parameters for security update checks

The following parameters determine how a security update check is performed and reported.

/wa

Scans only using an assigned Update Services server; unapproved updates are not listed. This parameter checks for security updates using only the computer's assigned Update Services server and does not use the Microsoft Update site or the offline catalog. It cannot be used with the /wi parameter. If a scanned computer does not have an Update Services server assigned, the scan returns an error. Without /wa, unapproved updates are displayed as an informational result.

/wi

Scans only using Microsoft Update. Updates that are not approved on the target computer's assigned Update Services server are shown as though they were approved. This parameter checks for security updates using only the Microsoft Update site or the offline catalog. It does not use the target computer's assigned Update Services server when scanning. This parameter cannot be used with the /wa parameter. Default is to show unapproved updates as an informational result.

/xmlout

Checks the local computer for security updates only, displaying the results as XML text.

/catalog file

Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care.

/nai

Prevents MBSA from installing or updating the Windows Update Agent on the computer being scanned. When this parameter is used, computers that do not have the required version Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.

/nm

Scans computers by using an offline catalog instead of the Windows Update site. Depending on the size of the offline catalog and the network load, using this parameter may cause MBSA to take more time or use more network bandwidth.

Scanning only for security updates

Using /xmlout specifies that MBSA only checks for security updates and displays scan results as XML text in the command line window. Only the MBSA engine (Mbsacli.exe and Wusscan.dll) files are needed for this type of scanning, and only the parameters listed below can be used with this parameter:

  • /catalog
  • /wa
  • /wi
  • /nvc
  • /nd
  • /unicode

When using the /xmlout parameter, you must explicitly redirect the XML output into a file using standard console redirection. Also, the XML results must be processed separately from MBSA because they observe a different format than the full MBSA report files. The benefit of this parameter is to avoid the full installation package of MBSA 2.0.1 while checking for updates on a single computer. If the minimum system requirements are met, only the engine files are needed and can be easily copied from another computer having a full installation present.
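Since the /xmlout results have to be processed outside MBSA, here is one way to do that in PowerShell. This is an added example for this page, not code from MBSA or its documentation. The element and attribute names it relies on (XMLOut/Check/Detail/UpdateData with IsInstalled, Severity, BulletinID, KBID and RestartRequired attributes and a Title child) are an approximation of the MBSA 2.0.1 /xmlout layout written from memory, so compare them against a real output.xml before using the parser on production data. The sample document and its bulletin and KB numbers are constructed for the example and correspond to no real update.

```powershell
# Added example; not part of MBSA or its documentation.
# Summarize the XML that "mbsacli /xmlout > output.xml" produces: list the updates that are
# not installed, highest severity first, and call out installed updates that still need a
# restart (these show as not installed until the computer reboots, as the text explains).
# The schema below is an approximation written from memory; check it against real output.

# Constructed sample in the assumed /xmlout layout. Bulletin and KB numbers are made up.
$constructedSample = @'
<?xml version="1.0"?>
<XMLOut>
  <Check ID="500" Grade="2" Type="3" Cat="1" Rank="1" Name="Security Updates">
    <Detail>
      <UpdateData ID="1" BulletinID="MS00-001" KBID="111111" IsInstalled="false" Severity="4" RestartRequired="false">
        <Title>Sample security update A (constructed)</Title>
      </UpdateData>
      <UpdateData ID="2" BulletinID="MS00-002" KBID="222222" IsInstalled="true" Severity="3" RestartRequired="true">
        <Title>Sample security update B, installed but awaiting restart (constructed)</Title>
      </UpdateData>
      <UpdateData ID="3" BulletinID="" KBID="333333" IsInstalled="false" Severity="2" RestartRequired="false">
        <Title>Sample non-bulletin update C (constructed)</Title>
      </UpdateData>
    </Detail>
  </Check>
</XMLOut>
'@

function Get-MbsaUpdateStatus {
    param([Parameter(Mandatory=$true)][xml]$Report)
    # Severity is a small integer in the report; the names are an assumed mapping.
    $severityName = @{ 4 = 'Critical'; 3 = 'Important'; 2 = 'Moderate'; 1 = 'Low' }
    foreach ($u in $Report.SelectNodes('//UpdateData')) {
        $sev = 0
        [void][int]::TryParse($u.GetAttribute('Severity'), [ref]$sev)   # missing/garbled -> 0
        $name = $severityName[$sev]
        if (-not $name) { $name = 'Unspecified' }
        $bulletin = $u.GetAttribute('BulletinID')
        if (-not $bulletin) { $bulletin = '(none)' }                      # non-bulletin updates
        New-Object PSObject -Property @{
            KB              = 'KB' + $u.GetAttribute('KBID')
            Bulletin        = $bulletin
            Severity        = $sev
            SeverityName    = $name
            Installed       = ($u.GetAttribute('IsInstalled') -eq 'true')
            RestartRequired = ($u.GetAttribute('RestartRequired') -eq 'true')
            Title           = $u.Title
        }
    }
}

# Replace $constructedSample with (Get-Content output.xml -Raw) for a real report.
$status  = Get-MbsaUpdateStatus -Report $constructedSample
$missing = $status | Where-Object { -not $_.Installed } | Sort-Object Severity -Descending
$missing | Format-Table KB, Bulletin, SeverityName, Title -AutoSize

$status | Where-Object { $_.Installed -and $_.RestartRequired } |
    ForEach-Object { Write-Warning "$($_.KB) is installed but needs a restart before MBSA counts it as applied" }

$criticalMissing = @($missing | Where-Object { $_.Severity -eq 4 }).Count
if ($criticalMissing -gt 0) { Write-Warning "$criticalMissing critical update(s) missing" }
```

Because /xmlout writes to standard output, redirect it to a file first (mbsacli /xmlout > output.xml, with /unicode where the console is Japanese) and feed that file to Get-MbsaUpdateStatus; the function accepts anything PowerShell can cast to [xml].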

Displaying results and details

You can use the MBSA command-line interface to list or display reports produced by previous scans. These report parameters cannot be combined with scanning parameters.

/l

Lists all the reports that are available.

/ls

Lists the reports from most recent scan.

/lr report

Displays an overview of the named report.

/ld report

Displays details of the named report. Unless the /qt parameter is used, this is the default behavior whenever MBSA scans a single computer.

General Notes

Scan Reports

Scan reports are stored on the computer on which MBSA is installed, in the SecurityScans folder of the user's profile (%userprofile%\SecurityScans). MBSA creates an individual security report for each computer that it scans, either locally or remotely. Report files are named with the file extension .mbsa, which is a registered file association for MBSA, so that clicking on the file in Windows Explorer will start MBSA to view the report.

Security Updates Scan

When you perform a security update scan, all security-related updates are checked and reported. If a target computer has a registered Update Services server, the report will indicate which updates have not been approved on the Update Services server using an informational score. When you select the Scan using Update Services servers only check box or use the /wa parameter on the command line, only security updates marked as approved by the Update Services administrator are checked and reported by MBSA.

In addition, updates that are installed and not yet superseded by another update will be included in the Current Update Compliance section of the report. When an update has been superseded by another update and both are installed, the report will only reflect the more recent update and not both. When available during update publication, related IDs will be included in the report as they have been listed in the Technical Details section of the security bulletin.

Security update checks are not performed for products that are not installed on a scanned computer, and these checks are not listed in the Security Update Scan Results table in the report.

For more information, see Scanning Options; you can also access this topic while running MBSA.

Partially Installed Updates

For updates installed by using Windows Update, Microsoft Update, or Automatic Updates that required a restart of the computer that was postponed by the user, the report will indicate that the update is not installed because the required reboot has not occurred. In this case, restarting the computer and scanning again will cause the update to report the proper installation status.

For updates that were installed by directly downloading or running the update, but for which a required system restart was postponed, MBSA will provide an indication of the pending restart under the Windows Check named Incomplete Updates. This capability is available only for those updates that were built using the standard installer (update.exe) with a minimum version of 6.1.22.0.

Localized Versions

MBSA 2.0.1 has console localization support for Japanese, German, and French, but has the ability to scan localized OS versions of the target computers independently of the console language. This is because all languages supported by Microsoft Update can be scanned equally, but the results are stored in the language of the MBSA console installation.

The following examples illustrate scenarios that may be encountered when using different languages of the operating system and of the MBSA console:

  • A Japanese system with the Japanese version of MBSA installed that scans a Japanese system: results of scanning a Japanese target computer are shown in Japanese.
  • A French system with the Japanese version of MBSA installed that scans a French system: Results are shown in Japanese due to the Japanese version of MBSA installed.

Remote (Network) Scans

MBSA can be used to scan a domain or a range of IP addresses from a central computer given the system requirements listed earlier in this topic. When performing remote scans, you must run MBSA while logged on with an account that has local administrative privileges on each computer being scanned. When using the MBSA command-line tool to perform scans, you can either run the tool while logged on with an account with local administrative privileges on each computer, or you can use the /u and /p parameters to supply the user name and password of such an account. In a multidomain environment where a firewall or filtering router separates the two networks (two separate Active Directory® domains), TCP ports 139 and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote servers being scanned.
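The command-line syntax and /listfile parameter described earlier, combined with the port requirement just stated, are enough to script a central scan with a preflight check. The PowerShell script below is an added example for this page, not part of MBSA or its documentation. It probes TCP 139 and 445 on every host in a /listfile, writes the reachable hosts to a second list, and runs mbsacli against that list under a dedicated scan account that is prompted for interactively rather than passed with /u and /p on the command line. It assumes MBSA 2.0.1 in its default installation folder, PowerShell 3.0 or later on the scanning computer, and a host list at C:\Scans\targets.txt in the one-entry-per-line format /listfile expects (the path is an assumption). UDP 137 and 138 are not probed, because a UDP connect reveals nothing without a full NetBIOS name-service exchange.

```powershell
# Added example; not part of MBSA or its documentation.
# Preflight the SMB ports the text names (TCP 139 and 445) for each /listfile entry, then
# scan the reachable subset with mbsacli under a dedicated scan account.
# Assumed paths: default MBSA 2.0.1 install folder and a target list under C:\Scans.

$Mbsacli   = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$HostList  = 'C:\Scans\targets.txt'            # assumed; one host name or IP per line
$Reachable = 'C:\Scans\targets-reachable.txt'  # written below in ASCII, as /listfile accepts

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: host down or port filtered by a firewall/router.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)            # throws on an active refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ReachableTargets {
    param([string[]]$Targets)
    foreach ($entry in $Targets) {
        $name = $entry.Trim()
        if (-not $name) { continue }            # skip blank lines in the list file
        # 445 is direct-hosted SMB; 139 covers hosts still using NetBIOS over TCP.
        $open = (Test-TcpPort $name 445) -or (Test-TcpPort $name 139)
        New-Object PSObject -Property @{ Target = $name; SmbReachable = $open }
    }
}

$probe = Get-ReachableTargets -Targets (Get-Content $HostList)
$probe | Where-Object { -not $_.SmbReachable } | ForEach-Object {
    Write-Warning "$($_.Target): TCP 139/445 closed or filtered; MBSA would report a connection error"
}
$probe | Where-Object { $_.SmbReachable } | ForEach-Object { $_.Target } |
    Set-Content -Path $Reachable -Encoding ASCII

# Run the scan as a dedicated account that is a local administrator on the targets (see
# "MBSA and Administrator Accounts" below). Prompting keeps the password out of the command
# line, the shell history and process listings, which /u and /p do not.
# /nai stops MBSA from pushing Windows Update Agent to the targets, as the WUA section recommends.
$cred    = Get-Credential -Message 'MBSA scan account (local administrator on all targets)'
$cliArgs = "/listfile `"$Reachable`" /nvc /nai /qp /qe"
$proc    = Start-Process -FilePath $Mbsacli -ArgumentList $cliArgs -Credential $cred `
               -LoadUserProfile -Wait -PassThru
if ($proc.ExitCode -ne 0) { Write-Warning "mbsacli exited with code $($proc.ExitCode)" }
```

Two consequences of running under another account are worth knowing: the scan account needs read access to the reachable-hosts file, and the reports land in that account's profile (%userprofile%\SecurityScans), so list them with mbsacli /l while running as the scan account, not as the user who launched the script. Ports that are open on 139 or 445 only prove the connection can be made; the logon itself still fails if the account is not a local administrator on the target.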

Error Reporting

Microsoft Baseline Security Analyzer displays an error if any of the following occurs:

  • A user attempts to scan the computer but is not a local administrator on the computer being scanned.
  • A computer being scanned does not respond to an initial connection attempt from the computer on which the tool is running. This may be the result of an invalid host name or IP address, or it may be a network connectivity issue.
  • A remote computer being scanned does not have the proper services enabled.
  • IIS Common Files are not installed on the computer running MBSA when performing a remote scan of an IIS server.
  • The computer running MBSA does not have Internet access to download the .cab file required to perform the security update check during a scan. If a previous copy of the .cab file was downloaded in a prior scan, the tool will attempt to use this locally cached copy if an Internet connection is not detected.

Security Implications of Remote Scanning

If you use MBSA to scan remote computers, you should be aware of two aspects that might affect your network's security.
Updating Windows Update Agent on Target Computers

When scanning a target computer for security updates, MBSA relies on Windows Update Agent (WUA) running on the target computer. If the target computer does not have the current version of WUA installed, MBSA by default installs the required version of WUA. If you are a network administrator and are concerned that a hostile user on the Local Area Network (LAN) might be able to intercept the WUA installation files and corrupt them or substitute malware (such as a Trojan horse program) for the installation files while they are being transmitted to the target computers, you can prevent this default behavior. (An MBSA user who is not a network administrator, such as a user scanning only the local computer, need not be concerned about this risk.) When using the Windows-based MBSA application, clear the Configure computers for Microsoft Update and scanning prerequisites check box before performing a security update scan. When using the MBSA command-line tool, specify the /nm and /nai options on the command line.

If you prevent MBSA from installing or updating WUA on target computers, you can use one of several methods to ensure that the current version of WUA is installed on each target computer:

  • Rely on Windows Server Update Services to install WUA on the target computer
  • Register the target computer with the Microsoft Update Web site
  • Manually install WUA on each target computer
  • Deploy WUA within a system image

The following sections describe each of these methods in greater detail. In addition to these methods, you can deploy WUA using a software distribution product, such as SMS or a third-party solution.

Important

When MBSA updates WUA on a target computer, it downloads and executes two files in addition to the WUA files: Mbsa2ri.exe and Mbsa2mu.exe. If you choose to allow MBSA to automatically update WUA on target computers, and if you are concerned that these files or the WUA files could be tampered with in transit, you should consider using a secure network protocol such as IPsec to secure the network transmission. See the Microsoft Web site for information about IPsec.

Using Windows Server Update Services

Windows Server Update Services (Update Services) enables network administrators to deploy the latest Microsoft product updates to computers running Windows 2000, Windows Server 2003, and Windows XP. By using Update Services, you can fully manage the distribution of updates that are released through Microsoft Update to computers in your network. Computers that are assigned to an Update Services server automatically receive the current version of WUA, enabling them to be scanned by MBSA. To learn more about Update Services, see the Microsoft Web site.

Using the Microsoft Update Web Site

You can configure target computers to obtain the current version of WUA directly from Microsoft Update and to configure the target computer to use Microsoft Update when being scanned. To do so, log on each target computer as an administrator, connect to the Microsoft Update Web site and follow the instructions provided there.

Manually Installing WUA

If you want to maintain maximum control over how WUA is installed or updated on target computers, you can manually install WUA on each target computer. Doing so requires that you execute the appropriate WUA installation program on each target computer, either by logging on interactively and then running the installation program, or using a software distribution system such as Microsoft Systems Management Server.

You can obtain the necessary WUA installation programs from the Microsoft Web site:

  • For x86-based computers: WindowsUpdateAgent20-x86.exe
  • For x64-based computers: WindowsUpdateAgent20-x64.exe
  • For Itanium-based computers: WindowsUpdateAgent20-ia64.exe

Deploying WUA Within a System Image

If you are configuring new computers that are being built from a disk image, you can install WUA on the master computer, register the master computer with Microsoft Update, or both, before creating the master image. Be sure you are familiar with how to prepare a Windows system image. For more information, see the Microsoft Web site.

MBSA and Administrator Accounts

Scanning with MBSA requires you to run MBSA with an account that is an administrator on all scanned computers. Depending upon how your network has been secured, this can introduce significant risk should the user account be compromised, but it is necessary in order to scan for certain vulnerabilities. If you accept this risk, you should still take steps to mitigate it. For example, making this account a member of the Domain Admins group requires less administrative overhead because the account automatically has the required rights on all potential clients, but if the account is compromised, the risk to the enterprise is severe. You should consider creating a special account for this purpose and enabling the account only when it is needed to scan domain computers. Making the account a local administrator on each target computer but not a member of the Domain Admins group requires you to manage this account on every target computer, but the risk of compromise is limited to the target computers themselves, not to the domain as a whole. You can further mitigate the threat by using only Kerberos authentication, which is less vulnerable to attacks than LanMan authentication, but doing so might require an upgrade to Active Directory.


Prasanna has been an Information Security professional for the past 5 years. She works as an Identity and Access Management professional for Accenture. Prasanna is a Sun Certified Integrator for Identity Manager 7.1. Her experience includes working with Sun Identity Manager, Oracle Identity Manager, Sun Directory Server, risk assessment, auditing, vulnerability scanners and creating reports on vulnerabilities and suggested patches.
