Microsoft Baseline Security Analyzer Automation

One thing an Exchange administrator needs to care about is the security of the Exchange servers, and in particular their security update patch level.

In large IT environments, security updates are most often the responsibility of a dedicated administrator who deploys them using an application such as Microsoft Windows Server Update Services (WSUS). In some scenarios, this means that the Exchange admin depends on the WSUS admin for a global report of which fixes have or have not been applied to a set of servers. One of the main consequences is that getting this information may be delayed.

Here we propose an easy, automated way to get the information on demand from a single workstation, using command lines based on:

  • Microsoft Baseline Security Analyzer (MBSA) v.2.0.1 (available for download here)
  • MBSA 2.0 Scripting Samples (available for download here)

The purpose of the batch is to run MBSA against several identified remote servers, and then to parse all the MBSA reports produced into a single XML file that gives a global overview of the security update level of all servers.

Also, some corporate networks are protected from the Internet by a proxy and/or a firewall. The provided solution avoids scanning against the Microsoft Update website by using the offline security update cabinet file (WSUSScn2.cab) instead.

As always, some requirements need to be fulfilled...

...On the workstation and the remote computers

  • It is imperative that all remote computers to be scanned have been updated with the latest version of the Windows Update Agent (WUA) (available here).
  • In some cases, the latest Windows Installer program should also be installed (available here).

...On the workstation only

Since security updates are released on a regular basis, the offline security update cabinet file WSUSScn2.cab must be updated frequently.

This cabinet is available for direct download at the following link: http://go.microsoft.com/fwlink/?LinkId=76054.

Download the cabinet to the workstation and move it to an easily accessible directory (e.g., C:\Temp).

If you wish to include the download of the cabinet in the automation job, you will have to create the proper script. If you use proxy authentication to access the Internet, the script should include code to provide the necessary credentials.

If you are not that comfortable with scripting, there are command-line tools available on the Internet that can download a file from a URL. Some tools even include parameters to authenticate against the proxy server.
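
One way to script the cabinet refresh described above, as an added PowerShell example that is not part of the original article: it downloads through a proxy with the logged-on user's credentials and replaces the catalog only if the downloaded file carries a valid Microsoft Authenticode signature. The proxy address, the 7-day age threshold and the function name are assumptions; the path and URL are the ones given above.

```powershell
# Added example: refresh the offline catalog before a scan run.
# Assumptions (not from the article): proxy URL, 7-day threshold, function name.
function Update-OfflineCatalog {
    param(
        [string]$CabPath    = 'C:\Temp\WSUSScn2.cab',
        [string]$SourceUrl  = 'http://go.microsoft.com/fwlink/?LinkId=76054',
        [string]$ProxyUrl   = 'http://proxy.example.internal:8080',  # placeholder
        [int]   $MaxAgeDays = 7                                      # assumed policy
    )

    # Skip the download when the local copy is recent enough.
    if (Test-Path $CabPath) {
        $age = (Get-Date) - (Get-Item $CabPath).LastWriteTime
        if ($age.TotalDays -lt $MaxAgeDays) { return 'Current' }
    }

    # Download to a temporary name so a failed or altered download never
    # replaces the catalog the scans rely on. Default credentials avoid
    # storing a proxy password in the script.
    $tmp = "$CabPath.download"
    Invoke-WebRequest -Uri $SourceUrl -OutFile $tmp -UseBasicParsing `
        -Proxy $ProxyUrl -ProxyUseDefaultCredentials

    # The link is plain http and the catalog decides which updates are
    # reported as missing, so the signature is the integrity check here.
    $sig    = Get-AuthenticodeSignature -FilePath $tmp
    $signer = $sig.SignerCertificate
    if ($sig.Status -ne 'Valid' -or
        $signer.Subject -notmatch 'O=Microsoft Corporation') {
        Remove-Item $tmp -Force
        throw "Rejected download: status '$($sig.Status)', signer '$($signer.Subject)'"
    }

    Move-Item -Path $tmp -Destination $CabPath -Force
    return 'Updated'
}

Update-OfflineCatalog
```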

Microsoft Baseline Security Analyzer (MBSA) v.2.0.1

If you are already familiar with MBSA, then you know that the GUI version allows you to generate reports on remote servers from a workstation.

But did you know that MBSA also includes a command-line tool, MBSACli.exe, that lets you perform the same type of tasks and even more?

When you need to scan several computers, you can only specify an IP range using the MBSA GUI, while with MBSACli you are able to specify a list of the computers to be scanned.

For all command line parameters, type "mbsacli.exe /?" from a command prompt.
