Technical Reference for the MBSA Management Pack
Computer Attributes in the MBSA Management Pack
The MBSA Management Pack uses the following computer attributes that are installed with the Microsoft Operations Manager 2005 Management Pack:
Microsoft Operations Manager 2005 Agent
Microsoft Operations Manager 2005 Server
Computer Groups in the MBSA Management Pack
The MBSA Management Pack uses the following computer groups that are installed with the Microsoft Operations Manager 2005 Management Pack:
Microsoft Operations Manager 2005 Agent
Microsoft Operations Manager 2005 Server
Notification Groups in the MBSA Management Pack
None
MBSA Management Pack Task Details
Table 7 Management Pack Task Details
Task |
Description |
Displays Output |
Windows 2000 |
Windows Server 2003 |
Agent-Managed |
Server-Managed |
|---|---|---|---|---|---|---|
Download mssecure.cab from File Transfer server |
Initiates a File Transfer Response on the agent to download an updated mssecure.cab file from the configured File Transfer server. |
X |
X |
X |
X |
X |
Run MBSA Scan |
Runs the MBSA patch and vulnerability scan on the target computer. |
X |
X |
X |
X |
X |
Scripts in the MBSA Management Pack
MBSA Install and Run
Description
This script determines if MBSA is installed on a monitored computer. If it is not installed, this script installs MBSA. This script also runs an MBSA scan.
Type
JScript
Run Location
Agent computer.
Rules
The MBSA Install and Run script is associated with the following event rule:
\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Run vulnerability and security patch scan
This rule is disabled by default.
Script Parameters
Table 8 Script Parameters
Script Parameter |
Description and Default Value |
|---|---|
HistoryPatchScanCommand |
Runs the MBSA patch scan with the -history[n] command-line option. The variable [n] is set to 1, which displays the updates that have been explicitly installed. The value for this parameter is the command that runs scan: Syntax"%programfiles%\Microsoft Baseline Security Analyzer\mbsacli.exe" -hf -sms -x "%programfiles%\Microsoft Baseline Security Analyzer\MSSecure.cab" -f "%userprofile%\SecurityScans\MomHPScan.xml" -unicode -nvc -history 1 |
MBSAProductGuid |
The guid for MBSA: Syntax{5FA4690C-1975-4F94-9A64-274F29BD9221} |
MBSASetupFile |
The file for installing MBSA: SyntaxMBSASetup-en.msi |
PatchScanCommand |
Runs the MBSA patch scan. The value for this parameter is the command that runs the scan: Syntax"%programfiles%\Microsot Baseline Security Analyzer\mbsacli.exe" -hf -sms -x "%programfiles%\Microsoft Baseline Security Analyzer\MSSecure.cab" -f "%userprofile%\SecurityScans\MomPScan.xml" -unicode -nvc |
VulnerabilityScanCommand |
Runs the MBSA Vulnerability Scan. The value for this parameter is the command that runs the scan: Syntax"%programfiles%\Microsoft Baseline Security Analyzer\mbsacli.exe" -n Updates -o MomVScanNew -nvc |
MBSA Patch Scan Parser
Description
This script parses the MBSA Patch Scan log and generates events. Script parameters allow you to exclude or include specific items in the patch scan.
Type
JScript
Run Location
Agent computer.
Rules
The MBSA Patch Scan Parser script is associated with the following event rules:
\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Process patch scan results
\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Respond to Win32_PatchState Modification
These rules are enabled by default.
Script Parameters
Table 9 Script Parameters
Script Parameter |
Description |
Default Value |
|---|---|---|
ExcludeList |
This list of items to exclude from the patch scan. |
None |
IncludeList |
The list of items to include in the patch scan. |
None |
MBSA Vulnerability Scan Parser
Description
This script parses the MBSA Vulnerability Scan log and generates events.
Type
JScript
Run Location
Agent computer.
Rules
The MBSA Vulnerability Scan Parser script is associated with the following event rule:
\Baseline Security Analyzer 1.2\MOM Agent\Event Rules\Process vulnerability scan results
This rule is enabled by default.
Script Parameters
None.
Rules in the MBSA Management Pack
Baseline Security Analyzer 1.2\File Transfer Server
Table 10 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
Download mssecure.cab from https://www.microsoft.com |
Event |
Yes |
None |
Disable this rule if you are manually downloading the mssecure.cab file. For more information, see "Manually Downloading the MSSecure.cab File" earlier in this guide. |
Baseline Security Analyzer 1.2\MOM Agent
The MBSA Management Pack public views depend on rules in this rule group being enabled.
Table 81 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
Service Pack not installed |
Event |
Yes |
Warning |
|
Run Vulnerability and security patch scan |
Event |
No |
None |
This rule must be enabled for the following reports to run successfully:
|
Process vulnerability scan results |
Event |
Yes |
|
No alert is generated by default. |
Security patch not installed |
Event |
Yes |
Warning |
|
Download mssecure.cab from File Transfer server |
Event |
Yes |
None |
|
Process patch scan results |
Event |
Yes |
|
No alert is generated by default. |
Download Directory Creation Warning |
Event |
Yes |
Warning |
|
Respond to Win32_PatchState Modification |
Event |
Yes |
|
No alert is generated by default |
Collect Microsoft Security Baseline Analyzer events |
Collec-tion |
Yes |
None |
|
Baseline Security Analyzer 1.2\MOM Agent\IE Vulnerabilities
The Internet Explorer Vulnerability Alerts public view depends on rules in this rule group being enabled.
Table 12 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
IE Vulnerability: IE Zones are not configured for security |
Event |
Yes |
Critical Error |
|
IE Vulnerability: IE Enhanced Security configuration not enabled for Non-Administrators |
Event |
No |
Warning |
|
IE Vulnerability: IE Enhanced Security configuration not enabled for Administrators |
Event |
Yes |
Critical Error |
|
Baseline Security Analyzer 1.2\MOM Agent\IIS Vulnerabilities
The Internet Information Services Vulnerability Alerts public view depends on rules in this rule group being enabled.
Table 13 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
IIS Vulnerability: MSADC and Scripts virtual directories are installed |
Event |
No |
Warning |
|
IIS Vulnerability: IIS parent paths are enabled |
Event |
Yes |
Critical Error |
|
IIS Vulnerability: IISADMPWD virtual directory is installed |
Event |
No |
Warning |
|
IIS Vulnerability: IIS sample applications found |
Event |
Yes |
Critical Error |
|
IIS Vulnerability: IIS Lockdown Tool has not been run on this server |
Event |
Yes |
Critical Error |
|
IIS Vulnerability: IIS logging disabled |
Event |
No |
Information |
|
IIS Vulnerability: IIS on Domain Controller |
Event |
No |
Information |
|
Baseline Security Analyzer 1.2\MOM Agent\SQL Vulnerabilities
The SQL Server Vulnerability Alerts public view depends on rules in this rule group being enabled.
Table 14 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
SQL Vulnerability: Everyone group has more than Read permission to SQL registry keys |
Event |
Yes |
Critical Error |
|
SQL Vulnerability: SQL Server/MSDE password exposed in clear text log |
Event |
Yes |
Critical Error |
|
SQL Vulnerability: SQL Server/MSDE local account password is weak |
Event |
Yes |
Critical Error |
|
SQL Vulnerability: BUILTIN\Administrators is member of SQL SysAdmin role |
Event |
No |
Warning |
|
SQL Vulnerability: SQL Server/MSDE service accounts are running as LocalSystem |
Event |
No |
Warning |
|
SQL Vulnerability: SQL Server/MSDE using Mixed Mode Authentication |
Event |
No |
Warning |
|
SQL Vulnerability: SQL Server/MSDE directory access is not secure |
Event |
Yes |
Critical Error |
|
SQL Vulnerability: Guest account has access to one or more databases |
Event |
No |
Warning |
|
SQL Vulnerability: SQL Server/MSDE on Domain Controller |
Event |
No |
Information |
|
SQL Vulnerability: Non-SysAdmin user has CmdExec privileges |
Event |
Yes |
Critical Error |
|
SQL Vulnerability: Too many users in the SQL SysAdmin role |
Event |
No |
Warning |
|
Baseline Security Analyzer 1.2\MOM Agent\Windows OS Vulnerabilities
The Operating System Vulnerability Alerts public view depends on rules in this rule group being enabled.
Table 15 Rules
Rule |
Type |
Enabled |
Severity |
Dependency notes and other notes |
|---|---|---|---|---|
OS Vulnerability: Local account password blank or weak |
Event |
No |
Warning |
|
OS Vulnerability: Internet Connection Firewall is disabled |
Event |
No |
Information |
|
OS Vulnerability: Too many users in the local administrators group |
Event |
No |
Warning |
|
OS Vulnerability: Auto logon enabled |
Event |
Yes |
Critical Error |
|
OS Vulnerability: "Password never expires" set on local account |
Event |
No |
Warning |
|
OS Vulnerability: CurrentRestrictAnonymous registry setting dangerous |
Event |
Yes |
Critical Error |
|
OS Vulnerability: Automatic Updates not enabled |
Event |
No |
Warning |
|
OS Vulnerability: Local Guest account enabled |
Event |
Yes |
Critical Error |
|
OS Vulnerability: Logon/Logoff event auditing disabled |
Event |
No |
Information |
|
OS Vulnerability: File system is not NTFS |
Event |
Yes |
Critical Error |
|