MBSA

  • Thread starter Thread starter Sherman H.
  • Start date Start date
S

Sherman H.

I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good tool
for the purpose? Any problems have been identified on using this as an
audit tool?
 
Sherman H. said:
I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good tool
for the purpose?
Click to expand...

It's one very good tool to catch the most common basic security
misconfigurations and missing critical patches. There are other good tools
that might also be of interest for a fuller picture.
Any problems have been identified on using this as an
audit tool?
Click to expand...

None I can think of.
 
What are other "good tools"?
Karl Levinson [x y] mvp said:
Sherman H. said:
I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good tool
for the purpose?
Click to expand...

It's one very good tool to catch the most common basic security
misconfigurations and missing critical patches. There are other good tools
that might also be of interest for a fuller picture.
Any problems have been identified on using this as an
audit tool?
Click to expand...

None I can think of.
Click to expand...
 
If you want to go deep on your security, you can use something like nessus to
check out your vulnerabilities. MBSA is fine to get missed security updates,
service packs etc.. Nessus can do the rest. But it is much dificult to setup.

Sherman H. said:
What are other "good tools"?
Karl Levinson [x y] mvp said:
Sherman H. said:
I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good tool
for the purpose?
Click to expand...

It's one very good tool to catch the most common basic security
misconfigurations and missing critical patches. There are other good tools
that might also be of interest for a fuller picture.
Any problems have been identified on using this as an
audit tool?
Click to expand...

None I can think of.
Click to expand...
Click to expand...
 
This is a good baseline (emphasis on the baseline) tool for analyzing
security vulnerabilities.

It does not (anyone correct me if I'm wrong on this for newer versions) take
into account roles or jobs a computer has. This can lead the MBSA to
recommend restricting security when it could lead to less desirable
consequences in your specific environment.

An example would be raising your LMCompatibility behavior (use and allowance
of what versions of NTLM the computer will use or respond to) which is a
common recommendation it tests for. If you have downlevel clients (such as
Windows 95) this may prevent thier connection to that machine.

I would be a little cautious about posting what vulnerabilities it finds to
the newsgroups, but let us know if we can help out.

--

Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
There are other tools such as LanGuard that can scan the network for
vulnerabilities. They offer a free time limited download to try out.

http://www.gfi.com/languard/

After that you are going to have to educate your self somewhat with
documentation that recommends a baseline security and then make additional
changes based on computer role and level of security needed and the use of
security templates to do such which can be managed via Group Policy. Also
there are a lot of built in tools such as EFS file encryption, Certificate
Services, and ipsec that can be used to further protect network resources.
Fortunately Microsoft has some great documentation including the Windows
2000 Security Hardening Guide, Windows 2003 Security Guide, and the Threats
and Counter Measures guide. The links below will take you to those
resources. --- Steve

http://www.microsoft.com/technet/security/prodtech/win2000/default.mspx
http://www.microsoft.com/technet/security/prodtech/win2003/default.mspx

Sherman H. said:
What are other "good tools"?
Karl Levinson [x y] mvp said:
Sherman H. said:
I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good tool
for the purpose?
Click to expand...

It's one very good tool to catch the most common basic security
misconfigurations and missing critical patches. There are other good tools
that might also be of interest for a fuller picture.
Any problems have been identified on using this as an
audit tool?
Click to expand...

None I can think of.
Click to expand...
Click to expand...
 
When you scan using nessus, do you scan the Windows servers or you just scan
the border router, firewall, and DMZ?
Thanks.
Leonardo Camata said:
If you want to go deep on your security, you can use something like nessus to
check out your vulnerabilities. MBSA is fine to get missed security updates,
service packs etc.. Nessus can do the rest. But it is much dificult to setup.

Sherman H. said:
What are other "good tools"?
Karl Levinson [x y] mvp said:
I am thinking about running Microsoft Baseline Security Analyzer to verify
how the security settings on our DC and member servers. Is this a good
tool
for the purpose?

It's one very good tool to catch the most common basic security
misconfigurations and missing critical patches. There are other good tools
that might also be of interest for a fuller picture.

Any problems have been identified on using this as an
audit tool?

None I can think of.
Click to expand...
Click to expand...
Click to expand...
 
Back
Top