Setup and Configuration of the MBSA Management Pack

In addition to importing the Microsoft Baseline Security Analyzer Management Pack, the following additional configuration is required:

Configure a file transfer server:

  • Install the MOM agent.

  • Install Internet Information Services (IIS).

  • Create a Web Virtual Directory to point to the MSSecure.cab file.

  • Configure the Background Intelligent Transfer Service (BITS) to run either manually or automatically.

Configure the MBSA Management Pack:

  • Add the file transfer server to the MBSA File Transfer Server computer group.

  • Enable Management Pack rules.

  • Add the file transfer server address to the MOM Global settings.

Configuring a File Transfer Server

The file transfer server hosts the MSSecure.cab file and makes this file available to MOM agent computers through an IIS virtual directory. In order for the MSSecure.cab file to be automatically updated from the Microsoft.com Web site, the file transfer server must be configured with access to the Internet. Alternatively, you can manually drop the MSSecure.cab file onto this server. The file transfer server must be running either Windows 2000 Server or Windows Server 2003.

Note

The MSSecure.cab file is downloaded by the MBSA Management Pack once a day. If you do not want to wait for the Management Pack to automatically download this file when you initially set up the file transfer server, then you can either use the corresponding task from the MOM Operator console to download this file on demand or you can manually download this file. For more information, see "Manually Updating the MSSecure.cab File" later in this guide.

Installing the MOM Agent

Begin configuring the file transfer server by first installing the MOM agent on the server. For more information, see Chapter 6 "Discovering Computers and Deploying Agents" in the MOM 2005 Deployment Guide.

Installing Internet Information Services (IIS)

If IIS is not already installed on the server, use the Add/Remove Windows Components wizard to install it.

To install IIS:

  1. Point to Start, Settings, and click on Control Panel.

  2. Double-click on Add/Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Click the Components button in the top right corner of the dialog box.

  5. In the Windows Components wizard, select IIS and click Next.

  6. Complete the Add/Remove Windows Components wizard.

Creating a Web Virtual Directory to Point to the MSSecure.cab File

The agent installation process creates the following directory: \Program Files\Microsoft Operations Manager 2005\Downloaded Files\management_group. This directory hosts the MSSecure.cab file. The MSSecure.cab file is made available to MOM agent computers through an IIS virtual directory that you create.

Additionally, in order for agent computers to access the updated MSSecure.cab file through the virtual directory, the directory must allow access to the Internet Guest Account. The Internet Guest Account name is typically IUSR_<computer_name>, where <computer_name> is the name of the computer.

To create a virtual directory to host the MSSecure.cab file:

  1. In Control Panel, select Administrative Tools, and then select Internet Information Services (IIS) Manager.

  2. In the tree view under the server name, navigate to Web Sites, Default Web Site.

  3. Right-click Default Web site, click New, and then click Virtual Directory.

  4. In the Virtual Directory Creation Wizard, assign the following alias name for the virtual directory: "MBSA". Click Next.

  5. Browse to the following directory: \Program Files\Microsoft Operations Manager 2005\Downloaded Files\management_group. Click Next.

  6. On the Access Permissions page, select the Read permission and clear all other permissions.

  7. Finish the wizard.

To allow access to the Internet Guest Account:

  1. Navigate to the following directory: \Program Files\Microsoft Operations Manager 2005\Downloaded Files\management_group.

  2. Right-click on the directory and select Properties.

  3. Click the Security tab and click Add.

  4. In the Select this object type box, make sure that Users is included as an object type.

  5. Next to the From this location edit box, click Locations, select the file transfer computer, and click OK.

  6. In the Enter the object names to select box, enter IUSR_<computer_name>, where <computer_name> is the name of the file transfer server. For example, IUSR_server1.

  7. Click OK.

  8. On the Security tab, highlight the Internet Guest Account. Allow the following permissions:

    • Read & Execute

    • List Folder Contents

    • Read

Configuring the Background Intelligent Transfer Service (BITS) to Run

The MBSA Management Pack uses the BITS service to download updated versions of the MSSecure.cab file from the Microsoft.com Web site. In Windows 2000 Server, the MOM agent has the necessary privileges to automatically start this service. In Windows 2003, you must configure this service with one of the following options:

  • Configure the service to start automatically and then start the service.

  • Configure the service to start manually. MOM will then start the service when needed.

To configure the BITS service:

  1. Point to Start, Programs, Administrative Tools, and click on Component Services.

  2. In the tree pane, click Services.

  3. In the details pane, right-click Background Intelligent Transfer Service and click Properties.

  4. In the Startup type drop-down menu, select either Automatic or Manual.

  5. If you selected Automatic, then under Service status, click Start.

  6. Click Apply.
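
The checks below are an added example, not part of the original guide: a Windows PowerShell script, run on the file transfer server, that verifies the Internet Guest Account holds read-only NTFS rights on the download directory and that BITS is not disabled. The default value of $Dir and the local account name IUSR_<computer_name> are assumptions based on the typical values described above.

```powershell
# Added example (not from the original guide). Run in Windows PowerShell on the
# file transfer server. $Dir and the IUSR_<computer_name> account are assumptions.
param(
    [string]$Dir = 'C:\Program Files\Microsoft Operations Manager 2005\Downloaded Files\management_group'
)

$guest    = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # typical Internet Guest Account
$findings = @()

# Read & Execute, List Folder Contents and Read all map onto ReadAndExecute;
# Synchronize normally accompanies them in Allow entries.
$allowedMask = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

# 1. NTFS: the guest account must be able to read the directory and nothing more.
$aces = @((Get-Acl -Path $Dir).Access | Where-Object {
    $_.IdentityReference.Value -eq $guest -and $_.AccessControlType -eq 'Allow'
})
if ($aces.Count -eq 0) {
    $findings += "No Allow entry for $guest on $Dir, so agents cannot fetch MSSecure.cab."
}
foreach ($ace in $aces) {
    # Any bit outside the allowed mask (Write, Modify, Delete, ...) is a finding.
    $extra = [int]$ace.FileSystemRights -band (-bnot $allowedMask)
    if ($extra -ne 0) {
        $name = [System.Security.AccessControl.FileSystemRights]$extra
        $findings += "$guest holds rights beyond read on ${Dir}: $name"
    }
}

# 2. BITS: Automatic or Manual both work; Disabled stops the MSSecure.cab download.
$bits = Get-WmiObject -Class Win32_Service -Filter "Name='BITS'"
if (-not $bits) {
    $findings += 'BITS service is not installed.'
} elseif ($bits.StartMode -eq 'Disabled') {
    $findings += 'BITS startup type is Disabled; set it to Automatic or Manual.'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'File transfer server checks passed.'
}
```

The script inspects only access entries that name the account directly; rights the account receives through groups such as Users or Everyone are not evaluated.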

Configuring the MBSA Management Pack

Configuration for the MBSA Management Pack includes adding the file transfer server to the File Transfer Server computer group and enabling corresponding rules.

Adding the File Transfer Server to the MBSA File Transfer Server Computer Group

To add the file transfer server to the MBSA File Transfer Server Computer Group:

  1. In the MOM Administrator console, navigate to Management Packs, Computer Groups.

  2. Right-click the MBSA File Transfer Server computer group and click Properties.

  3. Click the Included Computers tab, and click Add.

  4. Navigate to and select the name of the file transfer server.

Enabling Management Pack Rules

Ensure that the following MBSA Management Pack rules are enabled. The only rule that is disabled by default is the Run vulnerability and security patch scan rule. This rule installs MBSA on agent computers, in addition to running the MBSA scans. Therefore, this rule must be enabled before you can use the MBSA tasks from the MOM Operator console.

Table 5 MBSA Management Pack Rules that must be enabled

Rule Group Location    Rule                                                   Default State
File Transfer Server   Download mssecure.cab from https://www.microsoft.com   Enabled
MOM Agent              Run vulnerability and security patch scan              Disabled
                       Security patch not installed                           Enabled
                       Process patch scan results                             Enabled
                       Process vulnerability scan results                     Enabled

Add the File Transfer Server Address in MOM Global Settings

In order for MOM agents to automatically download updated versions of the MSSecure.cab file from the File Transfer Server, the MOM Global settings must include the Web address to the virtual directory.

To add the File Transfer Server address:

  1. In the MOM Administrator console, navigate to Administration, Global Settings.

  2. In the details pane, right-click Web Addresses and click Properties.

  3. Click the Web Addresses tab.

  4. Under Custom Web Addresses, type the address in the File Transfer Server Address text box using the following format: http://servername.