Does the MBSA create any vulneribilities

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Several services running and opened ports, these are the
preresiquities for successul running of MBSA.
Under the required services are those such
- Remote Registry service
- Server service
- Workstation service
- File and Printer Sharing service
- Automatic Updates service

Does the vulneribility bilance not get worse if these services are active ?
I don't need file and printer sharing for any other purposes.
The same applies to remote registry and automatic update.
Please note, I wish use the MBSA as a report generator only.
No updates shall be installed by this tool. Why the automatic update then ?
I affraid, through the suspicious services the protection of my system
will decrase.

What vulneribilities from not yet patched are these services affected with ?

Does the MBSA can work without IE being set to default browser ?
 
MBSA does not install updates but the automatic updates service needs to be
started. What can be done to minimize risk of enabling services you don't
need is to configure the Windows Firewall to only accept network traffic for
MBSA scans from the IP address of the admin workstation doing the scan and
such workstation should be clean and secured. Planning security always
involves balancing risk and convenience. Not doing the MBSA scans could also
be a security risk or take much longer to on each computer individually. --
Steve
 
Steven L Umbach said:
MBSA does not install updates but the automatic updates service needs to be
..............
Click to expand...


Thank you for your explanation.
A single workstation only connected to internet via a broadband modem is in
focus here. Therefore I don't see any application of one yours sentence in my
use case:
"...to only accept network traffic for MBSA scans from the IP address of the
admin workstation doing the scan and such workstation should be clean and
secured...".

The MBSA will connect with Microsoft servers only in my case.
 
For a single computer you do not need to have those services enabled - those
are only needed for remote scanning of computers on your network. It should
work fine and it will connect to the Microsoft server only to download the
file that contains the list of updates to check for and that will be done
via normal HTTP web traffic. --- Steve
 
Back
Top