[unisog] microsoft baseline security analyzer

Anderson, Kelly kjanders at umich.edu
Fri May 16 22:42:32 GMT 2003

Unfortunately, this is what many think is the case, however, it turns
out to be marketing fluff.  The most current Hfnetchk is version 4.
>From what I hear, Microsoft will not be updating their MBSA Hfnetchk
engine to keep in step with Shavlik's release.  It had something to do
with the fact that MS didn't want to license it from Shavlik or

And we've found gross discrepancies between what MBSA tells us and what
Hfnetchk v4 tells us.  

There have been numerous postings about MBSA/Hfnetchk on both NTBugTraq
and the Windows-hied lists since its release, if anyone is interested.  


-----Original Message-----
From: Allen Chang [mailto:allen at rescomp.berkeley.edu] 
Sent: Friday, May 16, 2003 5:57 PM
To: Anderson, Kelly
Cc: nick nelson; 
Subject: RE: [unisog] microsoft baseline security analyzer

I believe MBSA is an updated version of Hfnetchk. There is a command
line option and the GUI version allows you to scan entire IP ranges. It
also scans for IIS and SQL configuration vulnerabilities.

"MBSA uses the HFNetChk tool technology to scan for missing security
updates and service packs for Windows, IE, IIS, SQL, Exchange, and
Windows Media Player. MBSA will create and store individual XML security
reports for each computer scanned and will display the reports in the
graphical user interface in HTML."

"Q: Does MBSA V1.1 replace HFNetChk?

A: MBSA V1.1 fully exposes all HFNetChk V3.81 switches through the MBSA
command line interface (mbsacli.exe). Microsoft will be removing
HFNetChk as a standalone offering since MBSA V1.1 can now be used to
perform both MBSA-style scans as well as HFNetChk-style scans. "

Allen Chang
Network Security Coordinator
Residential Computing
UC Berkeley

On Fri, 16 May 2003, Anderson, Kelly wrote:

> Hi Nick,
> MBSA is a useful tool, but you will want to use Shavlik's Hfnetchk 
> program to get the best picture of your patching needs - it simply 
> does a better job than MBSA in identifying patches needed.  Plus, you 
> can script it to scan multiple machines.  We're using it as the 
> "ultimate" authority on patching.
> Have fun!
> -Kelly
> ***********************************************
> Kelly J. Anderson, MCSE
> Windows 2000 Infrastructure
> University of Michigan
> http://www.umich.edu/~lannos/win2000
> ***********************************************
> United for Peace and Justice
> http://www.unitedforpeace.org
> ***********************************************
> -----Original Message-----
> From: nick nelson [mailto:snelson at valdosta.edu]
> Sent: Thursday, May 15, 2003 7:20 PM
> To: unisog at sans.org
> Subject: [unisog] microsoft baseline security analyzer
> 'lo folks..
> I've recently been (as of today) assigned the job of running microsoft

> baseline security analyizer on our network of 4000 or so windows PCs 
> and securing the ones that come up as critical risks, or however they 
> word it.
> I've ran the test (it's running tonight, overnight). There was about 
> 700 PCs identified as severe risks when I left, so it's obviously 
> going to be quite the task.
> Does anyone have any recommendations on what the team can do to make 
> this easier? Obviously a lot of these will be windows updates needing 
> done, is there any way to do remote windows updates? Also, does anyone

> have any kind of documents/websites/templates they give to users 
> (mostly
> faculty) helping them secure their windows 2000/xp machiens, ie,
> a good password, not having open shares, running windows updates, etc.
> etc.
> Any help would be appreciated, I'm not exactly a microsoft fan, nor 
> guru, so this should be interesting :)
> cheers,
> nick
> --
> nick at arpa.com            |     arpa.com :: the mainstream runs shallow
> snelson at valdosta.edu     |     Office of Information Technology
> A: Top posters
> Q: What's the most annoying thing about email these days?

More information about the unisog mailing list