Weighing MBSA against paid vulnerability scanners

If you’re only looking for the vulnerabilities Microsoft deems most important, then MBSA is your tool. If you need more, you’re better off assessing other commercial vulnerability scanners.

I’ve had a love-hate relationship with Microsoft Baseline Security Analyzer (MBSA) for a while. It started out sour, but the security scanning tool has begun to grow on me. MBSA provides a snapshot of higher-level Windows, SQL Server and IIS-related vulnerabilities. These are the most important vulnerabilities that Microsoft recommends testing for, and they are presented in a simple and concise fashion (Figure 1).

Figure 1: MBSA’s reports clearly display scan results, showing which administrative vulnerabilities were found.

MBSA also offers scripting support and Visio integration, so you can view vulnerabilities overlaid on your network diagram. You can also run it on, and against, Windows 7 and Server 2008 R2-based systems. Microsoft has formed a partnership with Shavlik Technologies LLC (the company that wrote the MBSA code) to provide support for legacy Microsoft software via the Shavlik NetChk Limited tool.

That said, I urge all of my clients to remember that Microsoft is not a security vendor and is not in the business of making the best vulnerability scanning tool on the market. That’s why companies like Qualys, GFI Software and Rapid7 have grown over the past few years. Comparing MBSA with commercial vulnerability scanners quickly reveals MBSA’s limitations.

The following are examples of what commercial vulnerability scanners offer beyond MBSA’s capabilities:

  • They can find all (or at least most) known weaknesses, including those in the CVE dictionary. Commercial scanners don’t only find the issues that Microsoft deems most important.
  • They can exploit vulnerabilities to show what information can be gleaned from scans.
  • They can perform in-depth password cracking.
  • They can find flaws in other network hosts, such as Linux-based systems, firewalls, switches, wireless APs, third-party applications, etc. They don’t only locate flaws found in Microsoft-centric software.
  • They provide better reporting.
  • They allow you to analyze trends and support long-term vulnerability management.

Microsoft positions MBSA for small and medium-sized businesses, so it’s not really considered an enterprise tool. The reality is that SMBs have enterprise-level vulnerabilities and need enterprise-ready tools. MBSA is a good start, but a third-party tool is your best bet for long-term protection.

MBSA is not a full-fledged vulnerability scanner that you can rely on to find all the important vulnerabilities in your environment. If you choose to deploy it, know what you’re getting into and understand its limitations before you check that vulnerability scanner item off your to-do list. The last thing you need is an overlooked vulnerability that winds up being exploited.

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at [email protected].
