Microsoft Baseline Security Analyzer (MBSA)
Software misconfiguration is one of the most common reasons for security breaches. You can use the MBSA to detect common configuration errors on Windows 2000, XP and Server 2003 computers and to determine whether critical security updates are missing. You can download MBSA 2.0 from the Microsoft Web site at http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx#EEAA. The latest MBSA update file will be downloaded automatically.
MBSA replaced the Microsoft Personal Security Advisor. It includes all MPSA functionality plus additional application scans (IIS, SQL, Office) and can be run both locally and remotely across the network. It is also a superset of the HFNetChk tool.
You can scan multiple machines simultaneously with MBSA. The Windows Update Agent must be installed on client computers (some service packs include the agent and it will be installed automatically on systems connected to the Internet). MBSA can be used with or without a WSUS server. To scan a remote computer that’s behind a firewall (or running a personal firewall), TCP ports 135, 139 and 445 and UDP ports 137 and 138, along with a dynamic or static DCOM port, must be open.
The current version is 2.0, which supports Windows 2000 SP3 and later operating systems and scans components not supported by previous versions, including DirectX, the .NET Framework, Windows Media Player 10, Outlook Express and the 64-bit editions of Windows XP and Server 2003.
There are some products scanned by MBSA 1.2.1 that are not supported by version 2.0. You should use the earlier version if you run BizTalk Server 2000, 2002 or 2004, Commerce Server 2000 or 2002, Content Management Server 2001 or 2002, Host Integration Server 2000 or 2004, SNA Server 4.0 or Office 2000. You can install version 2.0 in a separate directory and run it concurrently with version 1.2.1. When you no longer need the older version, you can uninstall it via Add/Remove Programs.
After installation, MBSA will appear in the Programs menu. The graphical interface is shown in Figure A. You can select whether to scan a single computer or a range of computers.
Figure A: MBSA graphical interface
To begin a scan, you enter the IP addresses of the computer(s) that you want to include in the scan, as shown in Figure B.
Figure B: Enter the IP address(es) of the computer(s) you want to scan
You can select what you want MBSA to check for:
- Windows administrative vulnerabilities
- Weak passwords
- IIS administrative vulnerabilities
- SQL administrative vulnerabilities
- Security updates
MBSA will return the results for each of the systems. You can also use the command line interface if you want to use a script to automate the scan.
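Driving the scan from a script rather than the GUI, as an added example that is not the article's own or Microsoft's code: it assumes mbsacli.exe sits in the default MBSA 2 install directory and accepts the switches /target, /r, /n and /xmlout as listed by `mbsacli /?`, so confirm them against your installed version. The target addresses are constructed sample values.

```python
"""Run MBSA 2.0 scans from a script instead of the GUI.

Added example, not code from the original article or from Microsoft. It
assumes mbsacli.exe is in the default MBSA 2 install directory and accepts
/target <ip or domain\\computer>, /r <ip>-<ip>, /n <checks joined with +>
and /xmlout as listed by 'mbsacli /?'; confirm them against your installed
version. The target addresses used below are constructed sample values.
"""
import os
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed default install path; pass exe= to build_command if MBSA lives elsewhere.
MBSACLI = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                       "Microsoft Baseline Security Analyzer 2", "mbsacli.exe")

# The five check categories offered in the GUI, mapped to the names the
# /n switch uses to *skip* a category (assumed from mbsacli /?).
CHECKS = {
    "windows": "OS",         # Windows administrative vulnerabilities
    "passwords": "Password",  # weak passwords
    "iis": "IIS",
    "sql": "SQL",
    "updates": "Updates",    # missing security updates
}

# An IPv4 range such as 192.0.2.20-192.0.2.30; anything else is a single target.
IP_RANGE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}$")


def build_command(target: str, skip: Iterable[str] = (), xml: bool = False,
                  exe: str = MBSACLI) -> List[str]:
    """Return the mbsacli argument list for one target or one address range."""
    skip = tuple(skip)
    unknown = sorted(set(skip) - set(CHECKS))
    if unknown:
        raise ValueError(f"unknown check categories: {unknown}")
    cmd = [exe]
    # A range uses /r; a single address or domain\computer name uses /target.
    cmd += ["/r", target] if IP_RANGE.match(target) else ["/target", target]
    if skip:
        cmd += ["/n", "+".join(CHECKS[s] for s in skip)]
    if xml:
        cmd.append("/xmlout")
    return cmd


def run_scans(targets: Iterable[str], skip: Iterable[str] = (), xml: bool = False,
              dry_run: bool = True) -> Dict[str, Tuple[List[str], Optional[int]]]:
    """Scan each target in turn; with dry_run=True only build the commands.

    Returns {target: (argv, exit_code)}; exit_code is None in dry-run mode.
    """
    results = {}
    skip = tuple(skip)
    for target in targets:
        cmd = build_command(target, skip, xml)
        code = None
        if not dry_run:
            # mbsacli writes its report to stdout; a non-zero exit usually
            # means the scan itself failed (unreachable host, bad credentials).
            proc = subprocess.run(cmd, capture_output=True, text=True)
            code = proc.returncode
        results[target] = (cmd, code)
    return results


if __name__ == "__main__":
    # Constructed targets: one host and one range. Skip the IIS and SQL
    # checks for machines running neither, and request XML for later parsing.
    for host, (argv, code) in run_scans(["192.0.2.10", "192.0.2.20-192.0.2.30"],
                                        skip=("iis", "sql"), xml=True).items():
        print(host, "->", " ".join(argv), "exit:", code)
```

Run with `dry_run=False` on a machine where MBSA 2.0 is installed; the account running the script needs the same administrative rights on the targets that the GUI scan requires, and the firewall ports listed earlier must be reachable.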
You can find detailed instructions on using MBSA under different conditions (for example, in an environment that requires proxy authentication, or to scan a computer that doesn’t have an Internet connection) in the MBSA FAQ at http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx.
Malicious Software Removal Tool
Microsoft’s Malicious Software Removal Tool scans for Sasser, Blaster, MyDoom and other common viruses, worms, Trojans and malware. If it finds them, it removes them. The tool is updated on a monthly basis. It runs on Windows 2000, XP and Server 2003.
The Malicious Software Removal Tool is not designed to be a substitute for running an anti-virus program.
You can either run the tool directly from the Web site at http://www.microsoft.com/security/malwareremove/default.mspx or you can download it and run it from your hard disk. You need to be logged on with an administrative account to run the tool. Your browser security settings may interfere with running the tool from the Web page, in which case you’ll need to either change them or download the tool to your computer.
After it runs, the tool will display a report showing the malicious software for which it checked and your computer’s infection status, as shown in Figure C.
The tool creates a log file in the \debug folder of your WINDOWS directory (or the directory in which you installed the OS, if you named it differently). The log file is named mrt.log. The log file is a text document that details the results of running the tool, as shown in Figure D.
Figure D: The mrt.log file is created by the Malicious Software Removal Tool
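Because every machine writes its own mrt.log, an administrator who collects the files centrally can triage them with a short parser. The following is an added example, not the article's own or Microsoft's code; the log layout it expects (tool banner, "Started On", a "Results Summary:" section, "Return code:" and a "Finished On" line) is an assumption modelled loosely on real mrt.log output and should be checked against a log from your own tool version, and the three sample logs are constructed.

```python
"""Triage mrt.log files gathered from several machines.

Added example, not code from the original article or from Microsoft. The
layout it parses (tool banner, 'Started On', a 'Results Summary:' section,
'Return code:' and a 'Finished On' line) is an assumption modelled loosely
on real mrt.log output; check it against a log from your own tool version.
The sample logs are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BANNER_LINE = "Microsoft Windows Malicious Software Removal Tool v1.10, October 2005\n"
SUMMARY_HEAD = "\nResults Summary:\n----------------\n"

# Constructed sample logs keyed by host name: a clean run, an infected run,
# and a run cut off before it wrote a return code (machine rebooted mid-scan).
SAMPLE_LOGS: Dict[str, str] = {
    "ws-clean": BANNER_LINE + "Started On Wed Oct 12 10:01:43 2005\n" + SUMMARY_HEAD
    + "No infection found.\n"
    + "Return code: 0 (0x0)\n"
    + "Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 12 10:03:02 2005\n",
    "ws-infected": BANNER_LINE + "Started On Wed Oct 12 10:05:10 2005\n" + SUMMARY_HEAD
    + "Found virus: Worm:Win32/Sasser.A in file://C:\\WINDOWS\\avserve.exe\n"
    + "Removed virus: Worm:Win32/Sasser.A\n"
    + "Return code: 6 (0x6)\n"
    + "Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 12 10:07:55 2005\n",
    "ws-truncated": BANNER_LINE + "Started On Wed Oct 12 10:09:00 2005\n" + SUMMARY_HEAD,
}

BANNER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v\d[\d.]*.*)$")
RETURN_CODE = re.compile(r"^Return code:\s*(\d+)")


@dataclass
class MrtResult:
    version: Optional[str] = None
    started: Optional[str] = None
    finished: Optional[str] = None
    return_code: Optional[int] = None
    findings: List[str] = field(default_factory=list)  # summary lines other than "clean"

    @property
    def infected(self) -> bool:
        return bool(self.findings)

    @property
    def complete(self) -> bool:
        return self.return_code is not None and self.finished is not None


def parse_mrt_log(text: str) -> MrtResult:
    """Extract version, timestamps, return code and summary findings from one log."""
    res = MrtResult()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            res.version = banner.group(1)
        elif line.startswith("Started On "):
            res.started = line[len("Started On "):]
        elif "Finished On " in line:
            res.finished = line.split("Finished On ", 1)[1]
            in_summary = False
        elif RETURN_CODE.match(line):
            res.return_code = int(RETURN_CODE.match(line).group(1))
            in_summary = False
        elif line == "Results Summary:":
            in_summary = True
        elif in_summary and line and set(line) != {"-"} and line != "No infection found.":
            res.findings.append(line)
    return res


def needs_attention(res: MrtResult) -> List[str]:
    """Reasons an operator should look at this machine; an empty list means clean."""
    reasons = []
    if res.infected:
        reasons.append("malware found")
    if not res.complete:
        reasons.append("run did not complete")
    elif res.return_code != 0:
        reasons.append(f"return code {res.return_code}")
    return reasons


def triage_fleet(logs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host whose log is not clean to the reasons it was flagged."""
    flagged = {}
    for host, text in logs.items():
        reasons = needs_attention(parse_mrt_log(text))
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in triage_fleet(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(reasons)}")
```

In practice you would replace SAMPLE_LOGS with the contents of each machine's WINDOWS\debug\mrt.log; a log with no return code is worth flagging on its own, since it means the monthly run never finished.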
To download the tool, go to the Microsoft Download Center at http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en. It’s a 959 KB file and comes in twenty-four different language versions.
If you have Windows Update set to automatic updates, a new version of the tool will be delivered and installed and will run each month when it’s released. This version runs in the background. If it finds malware, it will display a status message the next time you start Windows.
The tool sends information back to Microsoft by default. You can disable this function by adding a registry key and value. Navigate to the following registry key:
Create a new key named MRT. Within the new key, create a new REG_DWORD value called:
Set the value data to 1.
For more information on deploying the tool in an enterprise environment using WSUS, SMS and Group Policy-based scripts, see KB article 891716 at http://support.microsoft.com/?kbid=891716.
Microsoft purchased the Giant anti-spyware technology in December 2004 and has developed Microsoft Windows Anti-Spyware, which is currently in public beta testing. You can download it from the Microsoft Download Center at http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en. You must be an administrator to install the tool. It runs on Windows 2000, XP and Server 2003 with IE 6.0 or higher.
After you install the software, the Setup Assistant will open and you can configure the following features:
- Automatic updates to download the latest spyware database information automatically.
- Real-time protection to monitor and prevent spyware from being installed.
- SpyNet community to report potential threats back to Microsoft when they’re found on your computer.
After configuring these options, you can run a quick scan with one click. See Figure E for a look at the Settings configuration interface.
The anti-spyware beta also includes the following advanced tools:
- System Explorers for viewing and modifying such things as your browser helper objects, downloaded ActiveX programs, IE settings, startup applications, applications connected to the Internet, and more.
- Browser Restore for setting a default home page and search page that can be quickly restored if a browser hijacker changes these settings.
- Tracks Eraser to delete history logs, temporary folders and stored application information to ensure privacy.
In October, Microsoft announced an enterprise-level anti-spyware product that will also protect against rootkits, viruses and worms. It’s called Microsoft Client Protection and a beta is expected to be released by the end of the year. It will provide for centralized management and Active Directory integration. The rootkit detection feature will be based on Microsoft’s Strider technology (see http://research.microsoft.com/csm/strider/).