
Weighing MBSA against paid vulnerability scanners

I’ve had a love-hate relationship with Microsoft Baseline Security Analyzer (MBSA) for a while. It started out sour, but the security scanning tool has begun to grow on me. MBSA provides a high-level snapshot of Windows, SQL Server and IIS-related vulnerabilities. These are the vulnerabilities Microsoft considers most important to test for, and they are presented in a simple and concise fashion (Figure 1).

Figure 1: MBSA’s reports clearly display scan results.

MBSA also offers command-line scripting and a Visio connector, so you can overlay scan results on your network diagram. You can also run it on, and against, Windows 7 and Windows Server 2008 R2-based systems. Microsoft has formed a partnership with Shavlik Technologies LLC (the company that wrote the MBSA code) to provide support for legacy Microsoft software via the Shavlik NetChk Limited tool.
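The scripting support is what makes MBSA usable across more than a handful of machines. As an added example that is not part of the original tip and not Microsoft's code, the PowerShell below drives mbsacli.exe over a constructed host list, reads the saved XML reports back and flattens them into one table you can filter and keep between runs. The mbsacli.exe switch behaviour, the install and report paths, the report file layout and the meaning of the Grade attribute are assumptions to confirm against your own MBSA version before relying on the output.

```powershell
# Added example (not from the original tip or from Microsoft): script MBSA
# across several hosts with mbsacli.exe and summarize the saved reports.
# ASSUMPTIONS to verify against your MBSA version:
#   - mbsacli.exe is at the default MBSA 2.x install path below.
#   - "/n Updates" skips only the security-update check (the /n switch
#     selects checks NOT to run) and "/o <name>" names the saved report.
#   - Reports are saved as <name>.mbsa (XML) under %USERPROFILE%\SecurityScans
#     with a <SecScan> root whose <Check> children carry Grade, Cat and Name
#     attributes and an <Advice> element.
#   - $PassGrade is the Grade value MBSA assigns to a passed check. Confirm it
#     from a report for a known-clean host before trusting the filter.

$MbsaCli   = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$ReportDir = Join-Path $env:USERPROFILE 'SecurityScans'
$PassGrade = 1

# Constructed target list; replace with your own inventory (IPs or DOMAIN\HOST).
$Targets = @('192.0.2.10', '192.0.2.11', '192.0.2.12')

function Invoke-MbsaScan {
    param([Parameter(Mandatory)][string]$Target)
    # Name the report after the target so it can be located afterwards;
    # strip characters that are not valid in a file name.
    $ReportName = 'mbsa-' + ($Target -replace '[\\/:*?"<>|]', '_')
    & $MbsaCli /target $Target /n Updates /o $ReportName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "mbsacli.exe exited with code $LASTEXITCODE for $Target"
    }
    return (Join-Path $ReportDir "$ReportName.mbsa")
}

function Get-MbsaFindings {
    param(
        [Parameter(Mandatory)][string]$ReportPath,
        [Parameter(Mandatory)][string]$Target
    )
    if (-not (Test-Path -Path $ReportPath)) {
        Write-Warning "No report found for $Target at $ReportPath"
        return
    }
    [xml]$Report = Get-Content -Path $ReportPath -Raw
    foreach ($Check in $Report.SecScan.Check) {
        # One flat record per check so results from many hosts can be
        # sorted, filtered and exported together.
        [pscustomobject]@{
            Host   = $Target
            Grade  = [int]$Check.Grade
            Cat    = $Check.Cat
            Check  = $Check.Name
            Advice = ([string]$Check.Advice -replace '\s+', ' ').Trim()
        }
    }
}

$Findings = foreach ($T in $Targets) {
    $Path = Invoke-MbsaScan -Target $T
    Get-MbsaFindings -ReportPath $Path -Target $T
}

# Everything MBSA did not grade as passed, grouped by host.
$Findings |
    Where-Object { $_.Grade -ne $PassGrade } |
    Sort-Object Host, Grade |
    Format-Table Host, Grade, Cat, Check -AutoSize

# Keep a dated CSV so successive runs can be diffed; MBSA itself keeps no
# trend history, which is one of the gaps the rest of this tip discusses.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Findings | Export-Csv -Path (Join-Path $ReportDir "mbsa-summary-$Stamp.csv") -NoTypeInformation
```

Run it from an elevated prompt under an account that has local administrator rights on every target, since mbsacli.exe authenticates to each host over the network to read registry and service state; hosts that refuse that connection show up as missing reports rather than as clean results, so treat a warning from Get-MbsaFindings as a gap in coverage, not a pass.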

That said, I urge all of my clients to remember that Microsoft is not a security vendor and not in the business of making the best vulnerability scanning tool on the market. That’s why there’s been the growth of companies like Qualys, GFI Software and Rapid7 over the past few years. Comparing MBSA with commercial vulnerability scanners quickly reveals MBSA’s limitations.

The following are examples of what commercial vulnerability scanners offer beyond MBSA’s capabilities:

  • They can find all (or at least most) known weaknesses, including those in the CVE dictionary, rather than only the issues Microsoft deems most important.
  • They can exploit the vulnerabilities they find to show what information an attacker could actually obtain, not just that a flaw exists.
  • They can perform in-depth password cracking.
  • They can find flaws in other network hosts, such as Linux-based systems, firewalls, switches, wireless APs and third-party applications, rather than only in Microsoft-centric software.
  • They provide better reporting.
  • They let you analyze trends and support long-term vulnerability management.

Microsoft positions MBSA for small and medium-sized businesses, so it’s not really considered an enterprise tool. The reality is that SMBs have enterprise-level vulnerabilities and need enterprise-ready tools. MBSA is a good start, but a third-party tool is your best bet for long-term protection.

MBSA is not a full-fledged vulnerability scanner that you can rely on to find all the important vulnerabilities in your environment. If you choose to deploy it, know what you’re getting into and understand its limitations before you check that vulnerability scanner item off your to-do list. The last thing you need is an overlooked vulnerability that winds up being exploited.

ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in October 2010
