White Paper: Microsoft Baseline Security Analyzer (MBSA) V1.2
Update Date: June 29, 2004
Contents:
Summary
New features of MBSA V1.2
MBSA V1.2 functions
Scan modes
Descriptions of security vulnerability checks
Summary
The Microsoft Baseline Security Analyzer (MBSA) lets users scan one or more Windows-based computers for common security misconfigurations. MBSA scans Windows-based computers, checks the operating system and other installed components (such as Internet Information Services (IIS) and SQL Server) for security misconfigurations, and reports which recommended security updates are missing.
New features of MBSA V1.2
MBSA is a security assessment tool for Windows NT 4, Windows 2000, Windows XP and Windows Server 2003. It scans the operating system, IIS, SQL Server and desktop applications for common misconfigurations, and checks whether security updates are missing for the following products: Windows, Internet Explorer, Windows Media Player, IIS, SQL Server, Exchange, Microsoft Office, Microsoft Data Access Components, Microsoft Virtual Machine, MSXML, BizTalk Server, Commerce Server, Content Management Server and Host Integration Server. MBSA V1.2 was released in January 2004.
Since the release of V1.1.1, MBSA V1.2 adds the following features and updates:
Support for other languages
MBSA V1.2 is now available in English, German, French and Japanese versions. Users can download the MBSA component for their language. Each component downloads a localized MSSecure.xml file containing security update data when the Microsoft Download Center offers that language. If no matching localized XML file exists, every localized component falls back to the English MSSecure.xml file (and disables checksum checking when scanning non-English computers).
Additional product support
MBSA V1.2 adds security update checks for the following products:
• Exchange Server 2003
• Microsoft Office (local scans only; see the product list)
• Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7 and 2.8
• Microsoft Virtual Machine
• MSXML 2.5, 2.6, 3.0 and 4.0
• BizTalk Server 2000, 2002 and 2004
• Commerce Server 2000 and 2002
• Content Management Server (CMS) 2001 and 2002
• SNA Server 4.0, Host Integration Server (HIS) 2000 and 2004
Note: Microsoft Office support is provided by the newly integrated Office Update Inventory Tool.
Alternate file support
MBSA V1.2 adds support for alternate versions of a file. A file may legitimately have a different version number and/or checksum because:
• the security update has a QFE (Quick Fix Engineering) / LDR (Limited Distribution Release) build and a GDR (General Distribution Release) build
• the security update has a multiprocessor build and a uniprocessor build
• a non-security bulletin update was superseded by a security bulletin update
• the security bulletin was revised (updated)
Previous versions of MBSA reported such updates with a yellow "X" and a warning message ("a later version was found"). With the alternate file support in MBSA V1.2, if any of the file versions listed in MSSecure.xml matches the file found on the scanned computer, the update is verified and the warning is no longer raised.
Check for a new version
MBSA V1.2 can check whether Microsoft has released a newer version of MBSA. If a newer version has been released, the user is notified through the GUI and the CLI.
Checks for other Windows security vulnerabilities
MBSA V1.2 adds a check of the Automatic Updates configuration and a check of Internet Connection Firewall (ICF). For Automatic Updates, MBSA reports whether the feature is enabled, whether it is configured to download and install updates automatically, and whether it is enabled and controlled through Group Policy. For ICF, MBSA scans all Internet connections on the computer that support ICF and reports whether the firewall is enabled and whether inbound ports are open to external traffic.
Interpreting custom Internet Explorer zone settings
MBSA 1.2 can now interpret custom IE zone settings and compare them with the recommended default settings for the zone's security level. The scan report identifies each individual setting whose custom value differs from the default recommended for the whole zone.
New MBSA command line switches
MBSA 1.2 adds the following command line switches, usable with MBSACli.exe or MBSACli.exe /hf:
• -unicode (generate Unicode output; for users running the Japanese MBSA or a Japanese version of Windows)
• -nvc (disable the MBSA check for a newer tool version)
MBSA V1.2 functions
MBSA V1.2 can scan computers running the following systems: Windows NT 4, Windows 2000, Windows XP Professional, Windows XP Home Edition and Windows Server 2003. MBSA itself can run on any computer running Windows 2000 Professional, Windows 2000 Server, Windows XP Home, Windows XP Professional or Windows Server 2003.
Checking system configuration
Windows operating system
MBSA scans for security issues in the Windows operating system (Windows NT 4, Windows 2000, Windows XP, Windows Server 2003), such as the status of the Guest account, the file system type, available file shares and membership of the Administrators group. A description of each OS check appears in the security report, together with instructions for fixing any issue found.
Internet Information Server
This group of checks scans for security issues in IIS 4.0 and 5.0, such as the sample applications and certain virtual directories present on the computer. The tool also checks whether the IIS Lockdown tool, which helps administrators configure and protect their IIS servers, has been run on the computer. A description of each IIS check appears in the security report, together with instructions for fixing any issue found.
Microsoft SQL Server
This group of checks scans for security issues in SQL Server 7.0 and SQL Server 2000, such as the authentication mode, the status of the sa account password and the group membership of the SQL Server service account. A description of each SQL Server check appears in the security report, together with instructions for fixing any issue found.
Checking desktop applications
This group of checks examines the Internet Explorer 5.01 zone settings of each user account and the macro security settings of Office 2000, Office XP and Office System 2003.
Security updates
MBSA determines which critical security updates apply to a system by consulting an Extensible Markup Language (XML) file, MSSecure.xml, that Microsoft continually updates and publishes. This XML file records which security updates are available for specific Microsoft products. It contains the name and title of each security bulletin and detailed data on each product's security updates, including: the files in each update package with their versions and checksums, the registry keys written by the update's installation package, information about which updates supersede others, and the numbers of the related Microsoft Knowledge Base articles.
When MBSA is run for the first time, it must obtain a copy of this XML file so that it can look up the security updates for each product. The XML file is available from the Microsoft Download Center in compressed form (a digitally signed .cab file). MBSA downloads the .cab file, verifies its signature, and then extracts it on the local computer running MBSA. (A .cab file is a compressed archive, similar to a .zip file.)
After extracting the .cab file, MBSA scans your computer (or the selected computers) to determine the operating system, service packs and programs that are running. MBSA then parses the XML file and identifies the security updates applicable to the software combination installed. To decide whether a specific update is installed on a given computer, MBSA checks the registry key written by the update installer, the file versions and, when checksum checking is enabled from the command line, the file checksums. If any of these checks fails, the update is reported as missing in the scan report.
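As an added example (not code from the original paper or from MBSA), the following Python sketch shows the detection logic described above: a catalog that lists, for each bulletin, the installer's registry key and the shipped files with their versions and checksums, including the alternate QFE/GDR file versions from the "Alternate file support" section, checked against a host inventory. The XML schema, bulletin ids, key paths, file names and checksums are all constructed for the example and are not the real MSSecure.xml format; the check_sums flag stands in for the -sum/-nosum switches.

```python
import xml.etree.ElementTree as ET

# Constructed catalog in an invented schema (NOT the real MSSecure.xml schema).
# Each bulletin lists the registry key its installer writes and the files it
# ships; <alternate> records an equally valid build (QFE/GDR, uniprocessor/MP).
CATALOG_XML = """
<catalog>
  <bulletin id="MSxx-001">
    <registrykey>HKLM\\SOFTWARE\\Example\\Updates\\KB000001</registrykey>
    <file name="example.dll" version="5.1.2600.1200" checksum="ab12">
      <alternate version="5.1.2600.1210" checksum="cd34"/>
    </file>
  </bulletin>
  <bulletin id="MSxx-002">
    <registrykey>HKLM\\SOFTWARE\\Example\\Updates\\KB000002</registrykey>
    <file name="other.exe" version="6.0.100.0" checksum="ef56"/>
  </bulletin>
</catalog>
"""


def parse_version(text):
    """'5.1.2600.1200' -> (5, 1, 2600, 1200) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def load_catalog(xml_text):
    """Parse the constructed catalog into a list of bulletin dicts."""
    bulletins = []
    for b in ET.fromstring(xml_text).findall("bulletin"):
        files = []
        for f in b.findall("file"):
            # primary (version, checksum) first, then every alternate build
            accepted = [(f.get("version"), f.get("checksum"))]
            accepted += [(a.get("version"), a.get("checksum"))
                         for a in f.findall("alternate")]
            files.append((f.get("name"), accepted))
        bulletins.append({
            "id": b.get("id"),
            "regkeys": [k.text for k in b.findall("registrykey")],
            "files": files,
        })
    return bulletins


def check_update(bulletin, inventory, check_sums=True):
    """Return (status, reason) for one bulletin against a host inventory.

    inventory = {"regkeys": set of key paths,
                 "files": {file name: (version string, checksum string)}}
    check_sums=False mirrors the -nosum switch (file versions only).
    """
    for key in bulletin["regkeys"]:
        if key not in inventory["regkeys"]:
            return "missing", f"registry key {key} not present"
    for name, accepted in bulletin["files"]:
        if name not in inventory["files"]:
            return "missing", f"file {name} not found"
        have_ver, have_sum = inventory["files"][name]
        have = parse_version(have_ver)
        same_version = [chk for ver, chk in accepted if parse_version(ver) == have]
        if not same_version:
            if any(have > parse_version(ver) for ver, _ in accepted):
                # the "later version found" warning of older MBSA releases
                return "warning", f"file {name} is a later version ({have_ver}) than listed"
            return "missing", f"file {name} version {have_ver} is older than required"
        if check_sums and have_sum not in same_version:
            return "missing", f"file {name} checksum {have_sum} does not match"
    return "installed", "registry key and file checks passed"


def scan_host(catalog, inventory, check_sums=True):
    """Map bulletin id -> status for every bulletin in the catalog."""
    return {b["id"]: check_update(b, inventory, check_sums)[0] for b in catalog}


# Constructed inventory of a scanned host: it carries the alternate (GDR)
# build of example.dll and an out-of-date other.exe.
HOST = {
    "regkeys": {r"HKLM\SOFTWARE\Example\Updates\KB000001",
                r"HKLM\SOFTWARE\Example\Updates\KB000002"},
    "files": {"example.dll": ("5.1.2600.1210", "cd34"),
              "other.exe": ("6.0.99.0", "ef56")},
}

if __name__ == "__main__":
    for bulletin_id, status in scan_host(load_catalog(CATALOG_XML), HOST).items():
        print(bulletin_id, status)
```

Running the block reports MSxx-001 as installed (the alternate version matched, so no "later version" warning) and MSxx-002 as missing; re-running with check_sums=False shows how -nosum turns a checksum mismatch into a pass.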
MBSA scans not only for Windows security updates but also for updates to other products. MBSA V1.2 can scan for security updates for the following products:
• Windows NT 4.0 (unless scanning with MBSACli.exe /hf)
• Windows 2000
• Windows XP
• Windows Server 2003
• Internet Explorer 5.01 and later (including Internet Explorer 6.0 for Windows Server 2003)
• Windows Media Player 6.4 and later
• IIS 4.0, 5.0, 5.1 and 6.0
• SQL Server 7.0 and 2000 (including Microsoft Data Engine)
• Exchange Server 5.5, 2000 (including Exchange Admin Tools)
• Microsoft Office (local scans only; see the product list)
• Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7 and 2.8
• Microsoft Virtual Machine
• MSXML 2.5, 2.6, 3.0 and 4.0
• BizTalk Server 2000, 2002 and 2004
• Commerce Server 2000 and 2002
• Content Management Server (CMS) 2001 and 2002
• SNA Server 4.0, Host Integration Server (HIS) 2000 and 2004
When the MBSA GUI (MBSA.exe) is used, the -baseline and -nosum switches are applied. The -baseline option checks only for updates marked as critical security updates on Windows Update. The -nosum option skips checksum checking.
When the MBSA command line tool (MBSACli.exe) is used, the user must specify these two switches explicitly to match the MBSA GUI scan results, because they are not the defaults. When performing an HFNetChk-style scan with MBSACli.exe (using the /hf switch), the user can likewise specify the -baseline, -v and -nosum switches to match the GUI results.
Note that when MBSA runs in HFNetChk mode (MBSACli.exe /hf), Office security updates are not checked: Office updates are scanned only through the Office Update Inventory Tool code, using the MBSA GUI or MBSACli.exe.
Software Update Services (SUS) 1.0 Support
MBSA V1.2 supports security update scans against a local SUS 1.0 server. Users can select this option in the MBSA UI or on the MBSA command line. Such a scan is performed against the list of security updates approved on the local SUS server rather than the full list of available security updates in the MSSecure.xml file downloaded by the tool.
Systems Management Server
The SMS 2.0 Software Update Services Feature Pack gives enterprise customers a security hotfix management solution for Windows NT 4.0, Windows 2000 and Windows XP clients. The feature pack uses MBSA technology to scan client computers automatically for installed and available security updates. The data is converted and stored in the Systems Management Server inventory, and can also be viewed centrally through a web-based reporting feature. For distribution through Systems Management Server, system administrators can select and export the latest Windows updates directly from Microsoft. SMS 2.0 users of this feature pack can refer to Microsoft Knowledge Base article 822643 for information on updating the feature pack to use this latest version of MBSA.
Scan mode
Select the computer you want to scan
Single computer
The simplest mode of MBSA operation is scanning a single computer, often called a "self-scan". When you select "Select a computer to scan", you can enter the name or IP address of the computer to scan. By default, the computer name displayed for this option is that of the local computer running the tool.
Multiple computers
If you select "Select multiple computers", you can scan several computers at once. You can scan an entire domain by entering a domain name, or specify an IP address range and scan all Windows-based computers within that range.
Requires administrator access
Administrator access is required to scan a computer. For a self-scan, the account used to run MBSA must be an administrator or a member of the local Administrators group. To scan multiple computers, you must be an administrator of each computer or a domain administrator.
Scan type
MBSA-style scan
An MBSA-style scan performs the scan and saves the results in a separate XML file that can be viewed in the MBSA GUI (the same as in MBSA V1.1.1). MBSA-style scans can be run from the MBSA GUI (MBSA.exe) or the MBSA command line interface (MBSACli.exe). These scans include the full set of Windows, IIS, SQL and security update checks.
HFNetChk-style scan
An HFNetChk-style scan checks only for missing security updates and displays the results as text in the command line window, as previous versions of HFNetChk did. This type of scan is run with MBSACli.exe and the /hf switch (which directs the MBSA engine to perform an HFNetChk scan). Note that this type of scan can also be run locally on a Windows NT 4.0 computer.
Viewing security reports
Each MBSA-style scan generates a security report for every computer scanned and saves it on the computer running MBSA. The location of these reports is shown at the top of the screen (they are stored under the user's profile folder). Security reports are saved in XML format.
You can easily sort these reports by computer name, scan date, IP address or security assessment, which makes it easy to compare security scans over time.
Network scan
MBSA can remotely scan up to 10,000 computers simultaneously from a central computer (assuming the system requirements listed in the readme file are met). MBSA is designed to run in a domain, using an account with local administrative privileges on each scanned computer.
In a multi-domain environment where two networks (two separate Active Directory domains) are separated by a firewall or filtering router, TCP ports 139 and 445 and UDP ports 137 and 138 must be open so that MBSA can connect to and authenticate with the scanned remote network.
Scans involving localized components / different operating system languages
MBSA downloads MSSecure.cab, extracts the MSSecure.xml file (which contains the security update data for each product) and checks whether the scanned computer has the latest security updates.
MBSA V1.2 is currently available in four languages, and there are four versions of the MSSecure.xml file, one for each language, because different language versions of a product may have different file versions and/or checksums.
When running MBSACli.exe or MBSACli.exe /hf, checksum checking is performed only if the operating system language of the target computer matches the language of the MSSecure.xml file; otherwise it is skipped. Checking both the checksum and the version of each patched file on the target computer gives the highest level of assurance that exactly the files approved by Microsoft are present. Checksum checking can be enabled with the -sum switch on the command line, or disabled with the -nosum switch.
The following list describes the various situations in which the computer's operating system, MSSecure.xml and the MBSA UI use different languages:
• Japanese MBSA scanning a Japanese system: MBSA tries to download the Japanese MSSecure.cab file and displays the scan results in Japanese.
• Japanese MBSA scanning a French system: apart from information supplied by the system (for example dates and file names) or extracted from MSSecure.xml, results are displayed in Japanese (because the Japanese MBSA is installed). When scanning the French system, MBSA tries to download the French MSSecure.cab file.
• German MBSA scanning a German computer, but the German MSSecure.cab file cannot be downloaded: since MBSA cannot download the German MSSecure.cab file, it tries to find a previously downloaded CAB file in the local MBSA folder. If none is found, MBSA downloads and uses the English MSSecure.cab and MSSecure.xml files for the security update scan.
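The fallback order in the cases above, together with the rule from the checksum paragraph that checksums are compared only when the catalog language matches the target operating system's language, can be written as a small decision procedure. This is an added example, not code from the paper or from MBSA; the function name, argument names and language codes are this example's own assumptions.

```python
# Constructed decision procedure for choosing the MSSecure.cab language and
# deciding whether checksum checking applies. Names and language codes are
# assumptions of this example, not MBSA's own.
ENGLISH = "en"


def plan_catalog(mbsa_language, target_os_language, downloadable, local_cache):
    """Return a dict describing which catalog a scan will use.

    mbsa_language       language of the installed MBSA component (drives the UI)
    target_os_language  language of the computer being scanned
    downloadable        set of language codes the Download Center currently offers
    local_cache         set of language codes already present in the local MBSA folder
    """
    if target_os_language in downloadable:
        # first choice: the localized catalog matching the scanned computer
        catalog, source = target_os_language, "download"
    elif target_os_language in local_cache:
        # download failed: reuse a previously downloaded localized CAB
        catalog, source = target_os_language, "local cache"
    else:
        # no localized file available anywhere: fall back to English
        catalog, source = ENGLISH, "download"
    return {
        "display_language": mbsa_language,
        "catalog_language": catalog,
        "source": source,
        # checksums are compared only when catalog and OS languages match
        "check_sums": catalog == target_os_language,
    }


if __name__ == "__main__":
    # the three cases from the list above, with constructed availability sets
    print(plan_catalog("ja", "ja", {"ja", "en"}, set()))
    print(plan_catalog("ja", "fr", {"fr", "en"}, set()))
    print(plan_catalog("de", "de", {"en"}, set()))
```

The last case is the one to watch in practice: when the English catalog is substituted for a non-English target, the scan silently loses checksum verification and relies on file versions alone.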
Description of security vulnerabilities
Windows check
Administrators group membership
This check determines and lists the user accounts that belong to the local Administrators group. If more than two individual administrator accounts are found, the tool lists the account names and flags the check as a potential vulnerability. In general, the number of administrators should be kept to a minimum, because an administrator effectively has full control of the computer.
Auditing
This check determines whether auditing is enabled on the scanned computer. Windows has an auditing feature that tracks and logs specific events on the system, such as successful and failed logon attempts. By monitoring the system's event log you can identify potential security problems and malicious activity.
Autologon
This check determines whether the Autologon feature is enabled on the scanned computer and whether the logon password is stored in the registry in clear text. If Autologon is enabled and the password is stored in clear text, the security report flags this as a serious vulnerability. If Autologon is enabled and the password is stored in the registry in encrypted form, the report flags it as a potential vulnerability.
Note: If you see an "Error reading registry" message, the Remote Registry service may not be enabled. Autologon stores your logon name and password in the registry so that you can log on to Windows 2000 or Windows NT without entering a user name or password at the logon screen. However, Autologon also allows other users to access your files and to damage the system under your name (for example, anyone with physical access to the computer can start the operating system and be logged on automatically). If Autologon is enabled and you do not want to change that, make sure no sensitive information is stored on the computer. Because anyone with physical access to the computer can use Autologon, use this feature only in a highly trusted and secure environment.
The password used for Autologon can be stored in clear text in the registry, or encrypted as a Local Security Authority (LSA) secret.
Automatic update
This check determines whether Automatic Updates is enabled on the scanned computer and, if so, how it is configured. Automatic Updates keeps the computer synchronized with the latest Windows updates, delivering them directly to the computer from the Windows Update site (or, where available, from a local Software Update Services (SUS) server). Automatic Updates is available on Windows 2000 SP3 and later.
Automatic Updates can be configured to download and install updates automatically; to download updates and notify the user before installing them; or to notify the user before downloading and installing updates.
Check for unnecessary services
This check determines whether any of the services listed in the Services.txt file are enabled on the scanned computer. Services.txt is a configurable list of services that should not be running on a scanned computer. The file is installed in the tool's installation folder. Users should edit Services.txt to include the specific services to be checked on each scanned computer. By default, the Services.txt file installed with the tool contains the following services:
MSFTPSVC (FTP)
TLNTSVR (Telnet)
W3SVC (WWW)
SMTPSVC (SMTP)
A service is a program that runs in the background for as long as the operating system is running. Services do not require a user to be logged on; they perform tasks that do not depend on a user, such as a fax service waiting for incoming faxes.
Domain controller
This check determines whether the scanned computer is a domain controller.
In a Windows XP, Windows 2000 or Windows NT domain, a domain controller is the server that authenticates domain logons and maintains the security policy and the master security accounts database for the domain. The domain controller manages user access to the network, including logon, authentication and access to directory and shared resources. It also stores all domain user accounts, including the critical administrator accounts. For these reasons a domain controller should be treated as a critical resource that requires hardening. You should confirm that this computer really needs to be a domain controller, and that appropriate steps have been taken to restrict access to it.
File system
This check determines which file system each hard disk uses, to make sure it is NTFS. NTFS is a secure file system that lets you control or restrict access to each file or directory. For example, if you want to let a colleague view a file but not modify it, you can enforce that with the access control lists (ACLs) that NTFS provides. Note: For this check to succeed, the drive must be accessible through its administrative share.
Guest account
This check will determine if a built-in guest account is enabled on the scanned computer.
The Guest account is a built-in account used to log on to a computer running Windows 2000 or Windows NT when the user has no account on that computer, in its domain, or in any domain the computer is associated with. On a Windows XP computer that uses Simple File Sharing, all user connections over the network are mapped to the Guest account as part of the security model. An enabled Guest account is flagged as a vulnerability in the security report on Windows NT, Windows 2000 and Windows XP computers (not using Simple File Sharing). It is not flagged as a vulnerability on a Windows XP computer that uses Simple File Sharing.
Internet Connection Firewall
This check determines whether Internet Connection Firewall (ICF) is enabled on all active network connections of the scanned computer (Windows XP and Windows Server 2003), and whether any inbound ports are open on the firewall. ICF is firewall software that protects the computer by controlling the information exchanged between it and the Internet or other computers. ICF is included in Windows XP, Windows Server 2003 Standard Edition and Enterprise Edition.
Local account password
This check finds all local user accounts that use blank or simple passwords. The check is not performed on domain controllers. As a security measure, Windows XP, Windows 2000 and Windows NT all require users to authenticate with a password. However, the security of any system depends on both technology and policy (the practices used to set up and administer the system). This check enumerates all user accounts and tests whether any of them uses one of the following passwords:
• Password is blank
• Password is the same as the user account name
• Password is the same as the computer name
• Password is the word "password"
• Password is "admin" or "administrator"
The check also reports any account that is disabled or currently locked out.
MBSA tries to change each account's password on the target computer using each of the passwords above. If the attempt succeeds, the account is using that password. MBSA does not reset or permanently change the password; it only reports that the password is too simple.
Note that this check can take a long time, depending on the number of user accounts on the computer. Administrators may therefore want to disable the check before scanning a domain controller.
Note: If auditing is enabled on the computer, this check may generate events in the Security log.
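As an added example (not from the paper or from MBSA), the following Python audit builds the candidate list above for each local account and reports the same findings the check produces: a weak-password label per account, plus disabled and locked-out accounts. MBSA itself tests each candidate by attempting a password change on the target; this example instead compares candidates against a constructed verifier (a SHA-256 of the constructed password, used only for illustration and not the Windows password hash). The account data, computer name and function names are all constructed. The candidate list is a parameter, so the shorter list used by the SQL Server local account password check (blank, or equal to the account name) is the same routine with sql_candidates.

```python
import hashlib

# Weak-password audit built around the candidate list MBSA tests. Accounts,
# computer name and the verifier scheme are constructed for this example.


def weak_candidates(account, computer_name):
    """The (label, password) pairs MBSA considers too simple, for one account."""
    return [
        ("blank", ""),
        ("same as account name", account),
        ("same as computer name", computer_name),
        ("the word 'password'", "password"),
        ("the word 'admin'", "admin"),
        ("the word 'administrator'", "administrator"),
    ]


def sql_candidates(account, computer_name):
    """Shorter list used by the SQL Server local account password check."""
    return weak_candidates(account, computer_name)[:2]


def verifier(password):
    """Constructed stand-in for a stored credential verifier (illustration only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_accounts(accounts, computer_name, candidates=weak_candidates):
    """accounts: list of dicts {name, verifier, disabled, locked_out}.

    Returns a list of (account name, finding) tuples, one per issue found,
    in account order: weak password first, then disabled, then locked out.
    """
    findings = []
    for acct in accounts:
        for label, candidate in candidates(acct["name"], computer_name):
            if verifier(candidate) == acct["verifier"]:
                findings.append((acct["name"], f"weak password: {label}"))
                break  # one weak-password finding per account is enough
        if acct.get("disabled"):
            findings.append((acct["name"], "account is disabled"))
        if acct.get("locked_out"):
            findings.append((acct["name"], "account is locked out"))
    return findings


# Constructed local accounts on a computer named WORKSTATION7.
COMPUTER = "WORKSTATION7"
ACCOUNTS = [
    {"name": "Administrator", "verifier": verifier("x7!Gq92$pL"),
     "disabled": False, "locked_out": False},
    {"name": "backup", "verifier": verifier("backup"),
     "disabled": False, "locked_out": False},
    {"name": "kiosk", "verifier": verifier(""),
     "disabled": True, "locked_out": False},
    {"name": "svc_report", "verifier": verifier(COMPUTER),
     "disabled": False, "locked_out": True},
]

if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, COMPUTER):
        print(f"{name}: {finding}")
```

Because the candidates are tried in the order MBSA lists them, an account whose password is blank is reported as "blank" even though a blank password trivially also fails other tests; the per-account break keeps the report to one password finding per account, as in the tool's output.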
Operating system version
This check determines which operating system is running on the scanned computer. Windows XP and Windows 2000 offer a higher level of reliability and availability for all business activities, such as finer-grained control over file permissions.
Password expiration
This check determines whether any local user account has a password set to never expire. Passwords should be changed regularly to reduce the chance of a password attack. Every local user account with a non-expiring password is listed.
Restrict anonymous
This check determines whether the RestrictAnonymous registry key is used to limit anonymous connections on the scanned computer.
Anonymous users can enumerate certain types of system information, including user names and their details, account policies and share names. Users who need stronger security can restrict this feature so that anonymous users cannot access this information.
Shares
This check determines whether any shared folders exist on the scanned computer. The scan report lists every share found on the computer, including administrative shares, together with its share-level and NTFS-level permissions.
Unless they are needed, shares should be removed, or protected with share-level and NTFS-level permissions that grant access only to specific users.
IIS check
MSADC and Scripts virtual directories on IIS
This check determines whether the MSADC (sample data access scripts) and Scripts virtual directories are installed on the scanned Internet Information Services (IIS) computer. These directories usually contain scripts that should be removed when not needed, to reduce the computer's attack surface.
The IIS Lockdown tool disables unnecessary IIS features (such as these), reducing the system's exposure to attackers.
IISADMPWD virtual directory
This check determines whether the IISADMPWD directory is installed on the scanned computer. IIS 4.0 lets users change their Windows passwords and notifies them when a password is about to expire. The IISADMPWD virtual directory contains the files for this feature; in IIS 4.0 it is installed as part of the default web site. The feature is implemented as a set of .htr files and an ISAPI extension called ISM.DLL; the .htr files are located in the /system32/inetsrv/iisadmpwd directory.
IIS on the domain controller
This check determines whether Internet Information Services (IIS) is running on a system that is a domain controller. This is flagged as a serious vulnerability in the scan report unless the scanned computer is a Small Business Server.
We recommend not running the IIS web server on a domain controller. A domain controller holds sensitive data (such as user account information) and should not serve any other role. Running a web server on a domain controller adds complexity to securing the server and defending it against attack.
IIS Lockdown tool
This check determines whether the IIS Lockdown tool (part of the Microsoft Security Tool Kit) has been run on the scanned computer. The IIS Lockdown tool works by disabling unnecessary IIS features, reducing the attack surface available to an attacker.
On a new installation of Windows Server 2003, IIS 6.0 does not require the IIS Lockdown tool because it is locked down by default (when the IIS role is configured, features must be explicitly enabled by the IIS administrator). For upgrades from IIS 5.0 to IIS 6.0, the IIS Lockdown tool should be used to ensure that only the required services are enabled on the server.
IIS logging
This check determines whether Internet Information Services (IIS) logging is enabled and whether the W3C Extended Log File Format is used. IIS logging goes beyond the scope of Windows event logging or Performance Monitor. The log records who visited the site, what content the visitor viewed and when the information was last viewed. You can monitor access attempts, successful or not, to web sites, virtual folders or files, including events such as reading or writing a file. You can choose which events to audit for any site, virtual directory or file. By reviewing these logs regularly you can detect attacks or other security problems on the server or site. Logging is enabled per web site, with a choice of log format; once enabled it covers all folders of the site, but it can also be disabled for specific directories.
IIS parent paths
This check determines whether the AspEnableParentPaths setting is enabled on the scanned computer. Enabling parent paths in IIS allows Active Server Pages (ASP) to use paths relative to the parent directory of the current directory (the ".." syntax).
IIS sample application
This check determines whether the following IIS sample file directories are installed on the computer:
/ INETPUB / IISSAMPLES
/ WinNT / Help / Iishelp
/ Program Files / Common Files / System / MSADC
The sample applications typically installed with IIS demonstrate dynamic HTML (DHTML) and Active Server Pages (ASP) scripting and provide online documentation.
SQL check
MBSA V1.2 scans every SQL Server and MSDE instance found on the scanned computer.
Member of the sysadmin role
This check will determine the number of members of the sysadmin role and display the results in the security report.
SQL Server roles group together logins that share the same permissions. The fixed server role sysadmin grants all of its members system administrator privileges.
Note: If you see a "No permissions to access database" error message, you may not have access to the master database.
CmdExec privileges granted only to sysadmin
This check ensures that CmdExec permissions are granted only to sysadmin. Any other CmdExec privileges are listed in the security report.
SQL Server Agent is a service on Windows XP, Windows 2000 and Windows NT responsible for running jobs, monitoring SQL Server and sending alerts. With SQL Server Agent, you can automate some administrative tasks using scripted steps. A job is a specified sequence of operations that SQL Server Agent executes in order. A job can perform a wide range of activities, including running Transact-SQL scripts, command line applications and Microsoft ActiveX scripts. Users can create jobs to run repetitive or scheduled tasks, and jobs can also notify users by raising alerts.
SQL Server Local Account Password
This check determines whether any local SQL Server account uses a simple password (such as a blank password). The check enumerates all user accounts and tests whether any of them uses one of the following passwords:
• Password is blank
• Password is the same as the user account name
It also reports any account that is disabled or currently locked out.
SQL Server authentication mode
This check will determine the authentication mode used on the scanned SQL Server.
Microsoft SQL Server provides two security modes for the server: Windows Authentication mode and Mixed mode.
In Windows Authentication mode, Microsoft SQL Server relies on Windows to authenticate users; Windows users or groups are then granted access to SQL Server. In Mixed mode, users can authenticate either through Windows or through SQL Server. For users authenticated by SQL Server, the user name and password are stored in SQL Server. Microsoft strongly recommends always using Windows Authentication mode.
Windows authentication mode
In this security model SQL Server relies on Windows to authenticate users, just as other Windows applications do. A connection made to the server in this mode is called a trusted connection.
When Windows Authentication mode is used, the database administrator allows users to access the computer running SQL Server by granting them SQL Server permissions. SQL Server identifies users who authenticate through Windows by their Windows security identifier (SID). Using the Windows SID, the database administrator can grant access directly to Windows users or groups.
Mixed mode
In Mixed mode, when both the client and the server can use the NTLM or Kerberos logon authentication protocols, SQL Server still relies on Windows to authenticate the user. If either side cannot use a standard Windows logon, SQL Server requires a user name and password and compares them with the user names and passwords stored in its system tables. Connections made with a user name and password are called non-trusted connections.
Mixed mode is provided for two reasons: 1) backward compatibility with earlier versions of SQL Server; 2) compatibility when SQL Server is installed on the Windows 95 or Windows 98 operating systems (trusted connections are not supported when a Windows 95 or Windows 98 computer acts as the server).
SQL Server BUILTIN\Administrators in the sysadmin role
This check determines whether the built-in Administrators group is listed as a member of the sysadmin role.
Note: If you see a "No permissions to access database" error message, you may not have access to the master database.
A SQL Server role is a security account that contains a collection of other security accounts; when managing permissions it can be treated as a single unit. A role can contain SQL Server logins, other roles, and Windows user accounts or groups.
Fixed server roles have server-wide scope; they exist outside the individual databases. Each member of a fixed server role can add other logins to the same role. By default, all members of the Windows BUILTIN\Administrators group (the local administrators group) are members of the sysadmin role, which gives them full access to all of your databases. Any local administrator of the computer can therefore take full control of every database, which is why this membership is reported.
SQL Server Directory Access
This check verifies that only the SQL Server service accounts and local administrators are granted access to the following SQL Server directories:
• Program Files\Microsoft SQL Server\MSSQL$InstanceName\Binn
• Program Files\Microsoft SQL Server\MSSQL$InstanceName\Data
• Program Files\Microsoft SQL Server\MSSQL\Binn
• Program Files\Microsoft SQL Server\MSSQL\Data
The tool scans the access control list (ACL) on each of these folders and enumerates the users it contains. If any user other than the SQL Server service account and administrators has access to, or can modify, these folders, the tool marks this check as a security vulnerability in the security report.
SQL Server sa account password exposed
This check determines whether SQL Server 7.0 SP1, SP2 or SP3 setup wrote the sa account password in clear text to the setup.iss and sqlstp.log / sqlspX.log files in the %WINDIR% and %WINDIR%\%TEMP% directories. For SQL Server 2000, the sqlstp.log / sqlspX.log files are also checked when domain credentials are used to start the SQL Server service.
If you chose Mixed mode authentication when installing SQL Server 7.0 SP1, SP2 or SP3, the sa password is saved in clear text in the setup.iss and sqlstp.log files. If you chose Windows Authentication mode (the recommended mode) and the administrator selected domain credentials for starting the SQL Server service automatically, only those credentials are exposed. Either way, the affected files should be removed once setup is complete, since anyone who can read them obtains the credentials.
SQL Server guest account
This check determines whether the SQL Server guest account has access to any database other than master, tempdb and msdb. All databases that the guest account can access are listed in the security report.
Note: If you see a "No permissions to access database" error message, you may not have access to the master database.
In SQL Server, a login must be authorized to access a database and its objects in one of the following ways:
1. The login is mapped to a database user.
2. The login uses the guest account in the database.
3. A Windows group login is mapped to a database role; each Windows account that belongs to the group can then connect to the database.
Members of the db_owner or db_accessadmin database roles, or of the sysadmin fixed server role, can create database user accounts. An account has up to three parameters: the SQL Server login ID, a database user name (optional) and a role name (optional). The database user name can differ from the login ID; if no database user name is given, the login ID and the database user name are identical. After creating a database user you can assign it as many roles as needed. If no role name is given, the database user is a member of the public role only.
Members of the db_owner, db_accessadmin or sysadmin roles can also create a guest account. The guest account allows any valid SQL Server login to access the database even without a database user account. By default the guest account inherits all permissions granted to the public role; these permissions can be changed to make them greater or smaller than those of public.
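The following script is an added example, not MBSA's own code, that runs the SQL Server checks described above (CmdExec rights outside sysadmin, weak SQL login passwords, the authentication mode, BUILTIN\Administrators in sysadmin, and guest access to user databases) as T-SQL from PowerShell. It assumes Windows PowerShell 5.1 or PowerShell 7 with the System.Data.SqlClient provider, a SQL Server 2005 or later instance (the sys.* catalog views; SQL Server 2000 exposed the same data through master.dbo.sysxlogins and each database's sysusers table), and a Windows login with sysadmin or CONTROL SERVER rights so that password hashes are visible to PWDCOMPARE. The instance name is a placeholder.

```powershell
# Added example (not part of MBSA): MBSA-style SQL Server checks via T-SQL.
param(
    [string]$Instance = '.'   # assumption: default local instance; use 'host\name' for a named instance
)

function Invoke-SqlQuery {
    param([string]$Server, [string]$Sql)
    $cs    = "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn  = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd   = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Dispose()
    }
    return ,$table   # the leading comma keeps the DataTable from being unrolled into rows
}

# Each query returns one row per finding (the AuthMode query returns one row always).
$checks = [ordered]@{
    CmdExecOutsideSysadmin = @'
SELECT j.name AS job_name, s.step_name, s.subsystem, SUSER_SNAME(j.owner_sid) AS owner_login
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'ActiveScripting')
  AND ISNULL(IS_SRVROLEMEMBER(N'sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0;
'@
    WeakSqlPasswords = @'
SELECT name,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1 THEN N'blank' ELSE N'same as login name' END AS weakness,
       is_disabled, LOGINPROPERTY(name, N'IsLocked') AS is_locked
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1 OR PWDCOMPARE(name, password_hash) = 1;
'@
    AuthMode = @'
SELECT CAST(SERVERPROPERTY(N'IsIntegratedSecurityOnly') AS int) AS windows_auth_only;
'@
    SysadminMembers = @'
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
'@
    GuestAccess = @'
-- Build one UNION ALL query over every online user database and run it.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql + CASE WHEN @sql = N'' THEN N'' ELSE N' UNION ALL ' END
    + N'SELECT N' + QUOTENAME(name, N'''') + N' AS database_name FROM '
    + QUOTENAME(name) + N'.sys.database_permissions AS p JOIN '
    + QUOTENAME(name) + N'.sys.database_principals AS u ON u.principal_id = p.grantee_principal_id'
    + N' WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT'' AND p.state IN (N''G'', N''W'')'
FROM sys.databases
WHERE name NOT IN (N'master', N'tempdb', N'msdb') AND state_desc = N'ONLINE';
IF @sql = N'' SELECT CAST(NULL AS sysname) AS database_name WHERE 1 = 0;
ELSE EXEC sp_executesql @sql;
'@
}

$results = @{}
foreach ($name in $checks.Keys) {
    $results[$name] = Invoke-SqlQuery -Server $Instance -Sql $checks[$name]
    Write-Host "== $name =="
    if ($results[$name].Rows.Count -eq 0) { Write-Host '   (no findings)' }
    else { $results[$name] | Format-Table -AutoSize | Out-String | Write-Host }
}

# Verdicts that need interpretation rather than a plain row listing.
if ([int]$results['AuthMode'].Rows[0]['windows_auth_only'] -ne 1) {
    Write-Warning 'Mixed mode authentication is enabled; Windows Authentication mode is recommended.'
}
if ($results['SysadminMembers'] | Where-Object { $_.member_login -eq 'BUILTIN\Administrators' }) {
    Write-Warning 'BUILTIN\Administrators is a member of sysadmin: every local administrator has full control of all databases.'
}
```

Run it as `.\Check-SqlInstance.ps1 -Instance 'host\instance'` from an account that is sysadmin on the target; without CONTROL SERVER the password_hash column reads as NULL and the weak-password query silently reports nothing, so treat an empty WeakSqlPasswords result from a low-privileged login as inconclusive rather than clean.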
SQL Server on the domain controller
This check determines whether SQL Server is running on a system that serves as a domain controller. We recommend that you do not run SQL Server on a domain controller. A domain controller holds sensitive data, such as user account information, and should not be given any additional role. Running SQL Server on a domain controller also makes it harder to secure the server and defend it against attacks, and a compromise of SQL Server there is a compromise of the domain.
SQL Server registry key security
This check ensures that the Everyone group is restricted to read access on the following registry keys:
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server
HKLM\SOFTWARE\Microsoft\MSSQLServer
If Everyone has more than read access to these registry keys, the condition is marked as a critical security vulnerability in the security scan report.
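The following script is an added example, not MBSA's own code, that audits the ACLs the two checks above describe: any identity other than the service account and administrators on the SQL Server Binn and Data directories, and Everyone holding more than read access on the two SQL Server registry keys. It assumes Windows PowerShell 5.1 run elevated on the SQL Server host; $SqlRoot, $ServiceAccount and the trusted identities are placeholders to adjust for the instance being checked (on 64-bit hosts a 32-bit instance keeps its keys under HKLM:\SOFTWARE\WOW6432Node\Microsoft instead).

```powershell
# Added example (not part of MBSA): audit SQL Server directory and registry key ACLs.
$SqlRoot        = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL'   # assumption
$ServiceAccount = 'NT SERVICE\MSSQLSERVER'                                         # assumption: MSSQLServer service account
$TrustedOnDirs  = @($ServiceAccount, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-AceMask {
    # FileSystemAccessRule and RegistryAccessRule expose their rights under different
    # property names; both are bit masks that cast cleanly to [int].
    param($Ace)
    if ($Ace -is [System.Security.AccessControl.RegistryAccessRule]) { return [int]$Ace.RegistryRights }
    return [int]$Ace.FileSystemRights
}

function Get-UnexpectedAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $FullTrust = @(),   # identities that may hold any right
        [string[]] $ReadOnly  = @(),   # identities that may hold read rights only
        [switch]   $FlagUnlisted       # also report identities that appear in neither list
    )
    $isRegistry = ($Path -like 'HKLM:*') -or ($Path -like 'HKCU:*')
    if ($isRegistry) {
        $readMask = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    } else {
        $readMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                          [System.Security.AccessControl.FileSystemRights]::Synchronize)
    }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($FullTrust -contains $id) { continue }
        # any allowed bit outside the read mask means write, delete or permission changes
        $beyondRead = ((Get-AceMask $ace) -band (-bnot $readMask)) -ne 0
        if (($ReadOnly -contains $id) -and -not $beyondRead) { continue }
        if (($ReadOnly -contains $id) -or $FlagUnlisted) {
            [pscustomobject]@{
                Path       = $Path
                Identity   = $id
                Rights     = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
                BeyondRead = $beyondRead
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$findings = @()
foreach ($dir in @("$SqlRoot\Binn", "$SqlRoot\DATA")) {
    if (Test-Path -LiteralPath $dir) {
        # directories: anyone outside the trusted set is a finding, whatever the right
        $findings += Get-UnexpectedAccess -Path $dir -FullTrust $TrustedOnDirs -FlagUnlisted
    } else {
        Write-Warning "Directory not found: $dir"
    }
}
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server', 'HKLM:\SOFTWARE\Microsoft\MSSQLServer')) {
    if (Test-Path -LiteralPath $key) {
        # registry keys: only Everyone is examined, and only for more-than-read access
        $findings += Get-UnexpectedAccess -Path $key -ReadOnly 'Everyone'
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected ACEs found.' }
```

The BeyondRead column is what separates a harmless read ACE from one that lets the identity replace binaries in Binn, alter data files, or rewrite the instance's registry configuration; inherited ACEs point at a permissive parent folder or key rather than at the SQL Server object itself.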
SQL Server service account
This check determines whether the SQL Server service account is a member of the local or domain Administrators group on the scanned computer, or whether the service runs in the LocalSystem context. A service account with administrator or LocalSystem rights means that anyone who can get SQL Server to run operating-system commands (for example through xp_cmdshell or a CmdExec job step) gains those rights on the host.
On the scanned computer, the service accounts of the MSSQLServer and SQLServerAgent services are checked.
Note: If you see a "No permissions to access database" error message, you may not have access to the master database.
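The following script is an added example, not MBSA's own code, covering the three host-side checks described above: clear-text sa credentials left in setup artefacts, SQL Server running on a domain controller, and the MSSQLServer / SQLServerAgent service accounts being administrators or LocalSystem. It assumes Windows PowerShell 5.1 run elevated on the SQL Server host; the file names come from the text but the password pattern is a heuristic of this example rather than the exact strings MBSA matches, the default-instance service names are used, and only direct membership in the local Administrators group is resolved (domain group membership would need the ActiveDirectory module).

```powershell
# Added example (not part of MBSA): host-side SQL Server checks.

# 1. Clear-text password left in setup.iss / sqlstp.log / sqlspX.log.
$files = foreach ($dir in @($env:WINDIR, $env:TEMP)) {   # assumption: %WINDIR% and %TEMP%
    Get-ChildItem -Path "$dir\*" -Include 'setup.iss', 'sqlstp.log', 'sqlsp*.log' -File -ErrorAction SilentlyContinue
}
# assumption: generic "name=value" password lines; expect to review hits by hand
$passwordPattern = '(?i)(szPwd|szPassword|sapwd|password)\s*=\s*\S'
foreach ($file in $files) {
    $hits = @(Select-String -Path $file.FullName -Pattern $passwordPattern)
    if ($hits.Count -gt 0) {
        Write-Warning ('{0}: {1} line(s) that look like a stored password; review and delete the file' -f $file.FullName, $hits.Count)
    }
}

# 2. Domain controller check: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning "This computer is a domain controller (DomainRole=$role); SQL Server should not run here."
}

# 3. Service accounts: LocalSystem or a local administrator turns any SQL-level
#    command execution (xp_cmdshell, CmdExec job steps) into control of the host.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'"
foreach ($svc in $services) {
    $account = $svc.StartName
    # Win32_Service reports local accounts as ".\name"; the group listing uses "COMPUTER\name"
    $normalized = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    $issues = @()
    if ($account -eq 'LocalSystem')          { $issues += 'runs as LocalSystem' }
    if ($localAdmins -contains $normalized)  { $issues += 'member of local Administrators' }
    [pscustomobject]@{
        Service = $svc.Name
        Account = $account
        Issue   = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}
```

For a named instance replace the service names with MSSQL$Name and SQLAgent$Name; a result of "none" for a domain account still needs a check of that account's domain group memberships, which this example does not resolve.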
Security update checks
A service pack is a comprehensively tested collection of updates, used mainly to resolve problems that users have reported in Microsoft products. Typically a service pack fixes problems found since the product was released. Service packs are cumulative: each new service pack contains not only the new fixes but also all fixes from the previous service packs. They are designed to ensure compatibility with newly released software and drivers, and they include updates for problems discovered by users or through internal testing.
A hotfix is usually an interim update for a specific error or security vulnerability. All hotfixes released during a service pack's lifetime are rolled into the next service pack. Each security hotfix identified by this tool has an associated Microsoft security bulletin that gives the details of the patch. The results of this check show which hotfixes are missing and link to the Microsoft Web site so that you can read more about each security bulletin.
This check ensures that you have the latest service packs and security updates for the following products and components:
• Windows NT 4.0 (unless scanning with MBSACli.exe /HF)
• Windows 2000
• Windows XP
• Windows Server 2003
• Internet Explorer 5.01 and later (including Internet Explorer 6.0 for Windows Server 2003)
• Windows Media Player 6.4 and later
• IIS 4.0, 5.0, 5.1 and 6.0
• SQL Server 7.0 and 2000 (including Microsoft Data Engine)
• Exchange Server 5.5, 2000 and 2003 (including Exchange Admin Tools)
• Microsoft Office (local scans only; see the product list)
• Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7 and 2.8
• Microsoft Virtual Machine
• MSXML 2.5, 2.6, 3.0 and 4.0
• BizTalk Server 2000, 2002 and 2004
• Commerce Server 2000 and 2002
• Content Management Server (CMS) 2001 and 2002
• SNA Server 4.0, Host Integration Server (HIS) 2000 and 2004
Desktop application checks
Internet Explorer security zones
This check lists the Internet Explorer zone security settings currently in effect, and those recommended, on the scanned computer.
Internet Explorer Web content zones divide the Internet or intranet into zones with different security levels. This feature lets you set global default settings for the browser that allow all content from trusted sites, or restrict certain kinds of content, such as Java applets or ActiveX controls, depending on the zone the Web site belongs to.
Internet Explorer ships with four predefined Web content zones: Internet, Local intranet, Trusted sites and Restricted sites. In the Internet Options dialog box you can set the security options you want for each zone, and add sites to or remove them from any zone except Internet, according to the level of trust you place in the site. In an enterprise environment, administrators can configure the zones for users; they can also add the certificates of software publishers they trust, or remove those of publishers they do not, so that users do not have to make security decisions while using the Internet.
For each security zone you can choose the High, Medium or Low level, or custom security settings. Microsoft recommends setting security to High for any zone containing sites that cannot be determined to be trustworthy. The custom option gives advanced users and administrators finer control over all security options, including:
• Access to files, ActiveX controls and scripts
• Java applet permissions
• Site identification with Secure Sockets Layer (SSL) authentication
• Password protection with NTLM authentication (depending on the zone the server belongs to, Internet Explorer can send credentials automatically, prompt the user for a user name and password, or reject any logon request outright)
Internet Explorer Enhanced Security Configuration for administrators
This check identifies whether Internet Explorer Enhanced Security Configuration is enabled for administrators on a computer running Microsoft Windows Server 2003. It also identifies the administrator accounts that have the Enhanced Security Configuration in effect.
Internet Explorer Enhanced Security Configuration for non-administrators
This check identifies whether Internet Explorer Enhanced Security Configuration is enabled for non-administrators on a computer running Microsoft Windows Server 2003. It also identifies the non-administrator accounts that have the Enhanced Security Configuration in effect.
Office macro protection
This check determines the macro security level of Microsoft Office XP, Office 2000 and Office 97 for each user. MBSA checks PowerPoint, Word, Excel and Outlook.
Macros automate repetitive tasks, which saves time, but they can also be used to spread viruses, for example when a user opens an infected document that contains a malicious macro. Opening or sharing an infected document can spread the malicious macro to other documents on your system or to other users.
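The following script is an added example, not MBSA's own code, that reads the settings behind the three desktop application checks above from the registry: the security level of each Internet Explorer zone together with a few of the per-zone actions the custom settings list covers, the Internet Explorer Enhanced Security Configuration state for administrators and for users, and the Office macro security level per application. It assumes Windows PowerShell 5.1 and reads only the current user's HKCU hive (MBSA evaluates every user; a zone policy that applies "machine settings only" moves the zone keys under HKLM as well). The value names and their meanings are the documented Internet Explorer and Office ones, summarised in the tables inside the script.

```powershell
# Added example (not part of MBSA): IE zones, IE ESC and Office macro settings.
$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
# Per-zone action values (0 = Enable, 1 = Prompt, 3 = Disable; 1A00 uses its own codes)
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1400' = 'Active scripting'
    '1A00' = 'Logon (0 = automatic, 0x10000 = prompt, 0x20000 = automatic in intranet only, 0x30000 = anonymous)'
}
$actionValue = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneReport {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 1..4) {
        $key = Get-ItemProperty -Path "$base\$zone" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $level = [int]$key.CurrentLevel
        $row = [ordered]@{
            Zone  = $zoneNames[$zone]
            Level = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom (0x{0:X})' -f $level }
        }
        foreach ($a in $actions.Keys) {
            $v = $key.$a
            if ($null -eq $v)       { $row[$a] = 'n/a' }
            elseif ($a -eq '1A00')  { $row[$a] = '0x{0:X}' -f [int]$v }
            elseif ($actionValue.ContainsKey([int]$v)) { $row[$a] = $actionValue[[int]$v] }
            else                    { $row[$a] = $v }
        }
        [pscustomobject]$row
    }
}

function Get-IeEscState {
    # Active Setup components that record IE ESC state on Windows Server 2003 and later
    $guids = @{ Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'; Users = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' }
    foreach ($group in $guids.Keys) {
        $key = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($guids[$group])" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group                   = $group
            EnhancedSecurityEnabled = if ($key) { [bool]$key.IsInstalled } else { 'key absent (not a server OS?)' }
        }
    }
}

function Get-OfficeMacroLevels {
    # Office 2000/XP/2003 store Level (1 = Low, 2 = Medium, 3 = High, 4 = Very High);
    # Office 2007 and later store VBAWarnings (1 = enable all ... 4 = disable all without notification).
    $level = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Very High' }
    $vba   = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification'; 3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }
    $versions = Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -match '^\d+\.\d$' }
    foreach ($ver in $versions) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Outlook') {
            $sec = Get-ItemProperty -Path "$($ver.PSPath)\$app\Security" -ErrorAction SilentlyContinue
            if (-not $sec) { continue }
            if ($null -ne $sec.VBAWarnings) { $setting = $vba[[int]$sec.VBAWarnings] }
            elseif ($null -ne $sec.Level)   { $setting = $level[[int]$sec.Level] }
            else                            { $setting = 'not set (application default)' }
            [pscustomobject]@{ Office = $ver.PSChildName; Application = $app; MacroSecurity = $setting }
        }
    }
}

Get-IeZoneReport      | Format-Table -AutoSize
Get-IeEscState        | Format-Table -AutoSize
Get-OfficeMacroLevels | Format-Table -AutoSize
```

A zone whose CurrentLevel does not match any named level shows as Custom, and in that case the individual action columns are what matter: 1200 or 1400 set to Enable in the Internet zone, or a 1A00 value of 0 (automatic logon, which sends the user's NTLM credentials to any server in the zone), are the settings a reviewer would flag first.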
Additional resources
Microsoft security strategies and solutions
Microsoft Security Web site: http://www.microsoft.com/china/security/
MBSA Web site: http://www.microsoft.com/china/technet/security/tools/MBsahome.mspx
Microsoft Security Response Center security bulletin severity rating system: http://www.microsoft.com/technet/security/bulletin/Rating.MSPX [English]
Find a partner who can help deliver Microsoft security solutions
Microsoft Certified Partner directory
http://directory.microsoft.com/resourcedirectory/solutions.aspx [English]
Microsoft Consulting Services
http://www.microsoft.com/services/MicrosoftServices/cons.mspx [English]
1. Each time MBSA runs, it tries to connect to the Internet to download the CAB / XML file from Microsoft. If an Internet connection cannot be established, the tool looks for a local copy of the CAB / XML file in the tool's installation folder. Each time the file is downloaded successfully during a scan, a local copy is stored on the computer so that later scans do not have to connect to the Internet. For computers that are never connected to the Internet, users can download the file separately from the Microsoft Download Center and copy it to the computer running the tool.
2. The CAB file is digitally signed by Microsoft Corporation. The MBSA tool verifies the digital signature to ensure the file's authenticity and to make sure it has not been replaced by a forged file or corrupted.
3. When a domain or an IP address range is given, MBSA tries to identify all computers in the group. The tool lists the computers it cannot identify and continues scanning those that respond. In an HFNetChk-style scan, the HFNetChk engine probes two IP ports on every computer to be scanned; if those ports cannot be reached, the scan fails. This pre-scan check does not depend on ICMP.
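The following script is an added example, not MBSA's own code, that performs the two pre-scan steps the notes above describe by hand: verifying that a locally staged copy of the signed catalog CAB carries a valid Microsoft Authenticode signature before it is trusted for offline scans, and confirming that a target answers on the ports a remote scan needs. It assumes Windows PowerShell 5.1; the CAB path and target host are placeholders, and the two ports are taken to be the NetBIOS and SMB ports 139 and 445, which is the usual requirement for this kind of agentless Windows scan and is not stated on the page.

```powershell
# Added example (not part of MBSA): verify the catalog signature and probe scan ports.

function Test-MicrosoftSignedFile {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch (tampered or corrupted), ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # trust only a valid signature whose subject names Microsoft Corporation
        Trusted = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    }
}

function Test-ScanPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = @(139, 445),   # assumption: NetBIOS session and SMB
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # a plain TCP connect, so the result does not depend on ICMP being allowed
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)
                $open = $true
            }
        } catch {
            $open = $false   # refused or unreachable
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Computer = $ComputerName; Port = $port; Open = $open }
    }
}

Test-MicrosoftSignedFile -Path 'C:\MBSA\mssecure.cab'   # assumption: staged copy of the catalog
Test-ScanPorts -ComputerName 'server01'                 # assumption: a host in the scan range
```

A Status of HashMismatch is the case the note is about: the file is present but its contents no longer match what Microsoft signed, so it should be discarded and re-downloaded rather than used; a host where either port reports Open = False will be listed as unreachable by the scan even though it may answer ping.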