Review: Microsoft Baseline Security Analyzer

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715344

  • shendricks

    SSChasing Mays

    Points: 605

    I have found that the tool will sometimes return a false negative. After using the tool to find the missing patches, I have applied the patch and re-run the scan. It will still report that the patch I just installed is missing.

    Because of the false negatives and some of the other unalterable parameters (e.g., No more than two administrators), I don't get my servers to "pass" inspection. I use it to establish the baseline and then analyze the results to determine our acceptable levels.

    I agree with you that the security patch notification service is a life-saver. It's sometimes scary when you receive a flood of notifications, but better to know than not.


    Steve Hendricks
    MCSD, MCDBA
    Data Matrix

    shendricks@afsconsulting.com
    (949) 588-9800 x15

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715344

    Hadn't noticed that, but I didn't try to apply the patches. Still trying to get a handle on the servers here.

    Which patch failed?

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

  • imarchenko

    SSC Journeyman

    Points: 79

    I have also installed all patches and reran the tool. But I got the same warnings. In my case, the patches were: 8.00.0578, 8.00.0608, 8.00.0636, 8.00.0650, 8.00.0655

  • K. Brian Kelley

    SSC Guru

    Points: 114465

    There has been a bit of traffic off and on in the microsoft.public.security.baseline_analyzer Usenet group about false positives. I don't see any recently, but then again, traffic on that group is rather light. Most of the comments are from the early-mid June timeline.

    The report from Microsoft is they should be corrected in version 1.1. I believe there is also an issue for some users specifying the .xml file instead of the .cab file if you don't autodownload.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • zacek@improve.cz

    SSC Enthusiast

    Points: 144

    I have also found a few false negatives, and even false positives. The more you use custom security settings in the registry / filesystem / group policies, the higher the possibility of misses.

    I am very disappointed by the combination of these tools: hfnetchk, Windows Update and MBSA. Many times I found "no problems - OK" using Windows Update - well, even Microsoft says it is not suited for servers, but... And in the meantime I found that hfnetchk was alerting about some problems - I applied some fixes, but in the end I realized that the security analyzer misses 5 hotfixes. Who the hell must know what hotfixes I miss, except MS? All of the tools above have problems with localized software (Czech version of Windows, English version of SQL Server and similar combinations...)

    Plug & Play, Hotfix & Pray, Update & Hope

    JZ

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715344

    Amazing. I was just starting to use this to get a feel for my new environment and, while not perfect, it handled a number of my needs. I guess it's some custom code for me.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

  • K. Brian Kelley

    SSC Guru

    Points: 114465

    Keep in mind, MBSA is built upon a customized version of HFNetChk. So it will show similar issues to HFNetChk.

    None of these tools are intended as a catch all. They are to give a sysadmin a good idea what's going on. Hence the need for an old concept: server logs.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • danw

    SSCommitted

    Points: 1842

    It's a good start for MS but they still have a lot of work to do. We have been using this and hfnetchk for a while now... I have seen the false positive issue quite a bit, very annoying... hope they fix it soon.

    The other major dislike is the fact that you have to be sysadmin to run the tool. It's due to the fact that the tool doesn't check for any vulnerabilities, it just checks for the patches. If you want to perform a REAL security scan you need to check for the holes, not the plugs. If this tool sparks your security interest I would suggest trying out a real tool like Nessus.
