Introduction

Microsoft Baseline Security Analyzer is one of the tools Microsoft provides to help administrators scan systems (local and remote) for missing security updates and common security misconfigurations. It can scan the server operating system and SQL Server, as well as other products such as Microsoft's web server, IIS.

This article covers the installation process and how to use the tool. The procedure was performed on Windows Server 2012 R2 Standard Edition, but it may also work on other systems, subject to the software's requirements and compatibility.

Here is what Microsoft says on its download page about the latest version of the tool at the time of writing:

To easily assess the security state of Windows machines, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.3 will scan for missing security updates, rollups and service packs using Microsoft Update technologies. To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.

Installation procedure

Downloading the installer

First off, you’ll need to get the installer executable. You can download it from its download page. You can download multiple versions at once (one per language and architecture).

Once the files have been downloaded, put them on the server you’ll use as a host for the tool, or on a network share and go to the server of your choice.

Running the installer

We can now run the installer corresponding to our language and architecture. The following window will pop up:

Just click the “Next” button.

The next panel is the license agreement, which you have to accept before clicking the “Next” button:

Now we must choose the destination directory. We can leave it at its default or change it, then click the “Next” button:

Now we just have to confirm the install and let it run by clicking on the “Install” button:

Once the installation is done, you’ll get the following popup on which you just have to click OK:

Congratulations, Microsoft Baseline Security Analyzer is now installed. Let’s now see how to use it.

Running the tool graphically

As we’ve just installed MBSA, we can see it in “Start Menu” or application screen:

Let’s run it and see what the graphical interface looks like:

As we can see directly from the image above, this tool can:

  • Scan a single computer by providing an IP or its NetBIOS name.
  • Do this scan for a group of computers
  • Have a look at existing reports (when we have some)

Let’s just click on “Scan a computer”:

This switches to another dialog, where you’ll need to provide some parameters. The parameters are a NetBIOS computer name, an IP address and the name of the final report, which can be parameterized. In addition, we can check or uncheck options. These options will change the behavior of MBSA. They are shown in the following image:

Once everything is set up appropriately, you’ll find a button at the bottom right of the screen called “Start scan”. Just click on it.

Here we go. The process can take several minutes.

In my case, for a remote server with every option checked, as shown above, it took approximately 10 minutes to complete without taking that much memory (16 MB) or CPU (0%).

Unfortunately (or fortunately), I have to go through the whole report as it’s not an all green “everything is OK” message that is given by MBSA.

One thing we can see is that the report is organized by default as “worst first”, which to me is very valuable. The next really helpful thing is that for every scan issue we can see at least what was scanned; in some cases a detailed report is also accessible, and/or a way to correct the issue:

The “What was scanned” link opens an HTML description of the scanned aspect. Here is an example:

The “Result details” link presents a detailed report of the analysis made by MBSA. For example, you will find this dialog displayed:

We can see here that there are missing updates. The action to take can be pretty straightforward, but we have a “How to solve” link. Let’s see what is displayed:

The last thing we can see in the report is the set of actions that we can perform on it, as shown at the bottom of the window:

  • Print the report
  • Copy the report to clipboard
  • Switch to another report

Other ways to run the tool: command-line

As the description stated, there is a command-line interface for the tool. Let’s introduce “mbsacli”. To run it, we have to open a command prompt or a PowerShell window and go to the installation directory of MBSA (or adapt the PATH environment variable so that this folder is included).

Here is a sample command I used to run against a remote server:

.\mbsacli.exe -target CHULG\si-s-serv236 /n os+sql+updates+password /qt /nd

I won’t go too long on this because I think that might not interest everyone, except those who would want to automate the process, plus I’ve found, on the web, a script by Ben Wilkinson that seems to be much handier, but it’s just my opinion.

I invite you to read the description of this script and test it in a non-production environment.

First impression

I’ve tested multiple (security) baseline analyzers / assessment tools: Scuba, CIS-CAT, SQL Doctor and now this tool.

Each time I ran one of them, I was a little dubious about the output because there are recommendations that are far away from practical business needs and capabilities or that are justified in most cases except the particular one which we obviously meet.

To me, those tools are not meant to be used for a strict assessment that must absolutely succeed but rather as a set of indicators. Indicators that don’t succeed can be explained or not. When they can be explained, they need to be investigated in two ways: understanding and an attempt to explain. We are humans and can’t know everything. So, when a new aspect is raised, it’s the opportunity to learn from it: its purpose, its impact, its dependencies and the problems that it can cause. Once that’s done, you have all the cards in your hands to decide whether there is an acceptable reason to stay as is or not.

Let’s illustrate this with an example. I found in the MBSA report that “Internet Explorer zones do not have secure settings for some users”. When I click on the result detail, it shows me the service account used for SQL Server (which cannot connect in any way other than as a service) and that the setting concerns ActiveX. I don’t think it’s a problem at the moment as it’s a service account, no interactive session may run and no xp_cmdshell permission is allowed in my installation. This reason seems acceptable to me and I will document it for the server on which I ran the tool. The documentation will be reviewed on a regular basis and the reason will be reviewed each time. With experience or evolution of the situation in the environment, I may realize it was not an acceptable reason and it must absolutely be changed.
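
The documentation-and-review routine described above can be kept as a small register that is checked against each new scan. The following is an added example, not part of the original article or of MBSA: the 90-day interval and every name in it are assumptions, and the findings are typed in by hand rather than parsed from an MBSA report.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the article only says "on a regular basis"; 90 days is a placeholder.
REVIEW_INTERVAL = timedelta(days=90)

@dataclass(frozen=True)
class AcceptedFinding:
    host: str          # server the reason was documented for
    check: str         # finding title as shown in the report
    reason: str        # why the finding is acceptable on this host
    reviewed_on: date  # last time the reason was re-examined

def triage(findings, register, today):
    """Sort (host, check) findings into open / accepted / review_due, and list
    register entries that no longer match any finding (stale)."""
    by_key = {(e.host.lower(), e.check): e for e in register}
    out = {"open": [], "accepted": [], "review_due": [], "stale": []}
    for host, check in findings:
        entry = by_key.get((host.lower(), check))
        if entry is None:
            out["open"].append((host, check))        # no documented reason yet
        elif today - entry.reviewed_on > REVIEW_INTERVAL:
            out["review_due"].append((host, check))  # reason must be re-examined
        else:
            out["accepted"].append((host, check))
    seen = {(h.lower(), c) for h, c in findings}
    out["stale"] = [(e.host, e.check) for e in register
                    if (e.host.lower(), e.check) not in seen]
    return out

# Constructed sample data, typed by hand; this is not MBSA's report file format.
IE_ZONES = "Internet Explorer zones do not have secure settings for some users"
SAMPLE_FINDINGS = [
    ("si-s-serv236", IE_ZONES),
    ("si-s-serv236", "Security updates are missing"),  # constructed title
]
SAMPLE_REGISTER = [
    AcceptedFinding("SI-S-SERV236", IE_ZONES,
                    "SQL Server service account: no interactive session, "
                    "no xp_cmdshell permission", date(2024, 1, 10)),
]

if __name__ == "__main__":
    for label, today in (("soon after review", date(2024, 2, 1)),
                         ("months later", date(2024, 6, 1))):
        print(label, triage(SAMPLE_FINDINGS, SAMPLE_REGISTER, today))
```

Entries under "stale" are documented reasons whose finding no longer appears in the scan, so they can be retired from the register.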

Translated from: https://www.sqlshack.com/how-to-install-and-use-microsoft-baseline-security-analyzer-mbsa/
