Microsoft Baseline Security Analyzer (MBSA) is a free tool, designed for IT professionals of small and medium-sized businesses. Given its clear graphical user interface however, it also serves as a great security tool for personal use. MBSA analyzes the security setup of local and networked Windows computers and can identify common security misconfigurations or missing updates.
You can download MBSA 2.2 from the Microsoft Download Center. It is available for 64-bit (x64) and 32-bit (x86) Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Moreover, it comes in four different languages: German (DE), English (EN), French (FR), and Japanese (JA).
Getting Started
The startup interface of MBSA is very simple and basically offers only three options: scan a computer, scan multiple computers, or view existing security scan reports. The sidebar also offers links to the program documentation and the Microsoft security website.
Note that you require Administrator rights for all machines that you wish to scan. You can scan a single or multiple systems based on the computer name or IP address. If you select to scan multiple computers, you need to enter a domain name or a range of IP addresses.
For this demonstration I went with scanning a single computer.
The scanning options are straightforward, although not necessarily clear for the inexperienced user. If you don't understand what some of the options mean, click the > Scanning Options link at the bottom for detailed explanations. The information will load in a separate Internet Explorer window.
The scan merely takes a few seconds and returns an overview of issues found in different categories. Each item is scored and a summary of the result is provided, along with links to further information material.
Checks that were passed receive a green score, items that could not be checked are marked with a grey minus, room for improvements is highlighted by a blue score, a yellow score indicates a non-critical vulnerability and a red score alerts the user to a failed check and thus a critical security issue. Follow the respective links for detailed information about what was scanned or instructions on how an issue can be corrected.
All reports are saved and can be accessed at a later time for reference. You can also print or copy your report to the clipboard.
Conclusion
Microsoft Baseline Security Analyzer is a very good tool to quickly get an overview of security-related settings on your Windows machine. Instructions for correcting detected security misconfigurations are very clear and should therefore be easy to follow for the average user. Overall, the documentation is surprisingly detailed and well done, almost as if Microsoft expected non-IT folks to use this tool.
It must be said though that fixing most configurations does require some basic understanding of how Windows works. For example an issue with the file system is not necessarily security relevant and the instructions do not provide information on how to find the drive that doesn't run NTFS. Moreover, some issues require advanced knowledge and should be left to the experts to be fixed, for example setting a password expiration.
For more information, also have a look at this article from Microsoft Patterns & Practices: How To Use the Microsoft Baseline Security Analyzer.
What is your opinion? Do you think this is a useful tool? Please share your thoughts!
Image credits: beboy