Educause Security Discussion mailing list archives

Re: Use of Microsoft Baseline Security Analyzer


From: "Woodruff, Dan" <daniel.woodruff () ROCHESTER EDU>
Date: Wed, 20 Jan 2016 13:25:27 +0000

Hi Ben,

 

We briefly used MBSA in limited areas a few years ago, but have since moved
on to relying on credentialed scans with Nessus. Nessus lets you plug in
credentials for SCCM as well, so it does a credentialed check of the
individual server and compares the results of what is found on the system
with what SCCM thinks is there. And rather than just relying on what the
registry says for installed patches, Nessus also checks versions of files on
the file system to make sure the patch is really there. We've had several
occurrences over the past 3-4 years where we installed a Microsoft patch,
then some third-party software was installed that bundled a .dll or .ocx
which overwrote the patched version, leaving us vulnerable again. The
registry and SCCM were none the wiser since the file was
ripped-and-replaced, but Nessus was able to detect it and we could reinstall
the patches.

 

We've been big fans of Nessus here. Of course, MBSA is free and Nessus is
not.

 

I'd be glad to answer any questions about our specific setup off-list - just
let me know.

 

Dan Woodruff

University IT Security and Policy

University of Rochester

daniel.woodruff () rochester edu

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Benjamin Stein
Sent: Tuesday, January 19, 2016 5:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Use of Microsoft Baseline Security Analyzer

 

 

Hello all,

 

Are any of you using Microsoft Baseline Security Analyzer (MBSA) to
regularly scan servers and desktops for missing patches?

 

We are having a discussion internally about differences between the report
from Microsoft's tool and another vendor's patch management tool.  MBSA is
reporting missing patches that the other tool is not.  

 

Is MBSA broadly used and trusted?

                                         

Also wondering if anyone is successfully using mbsacli with lists of
computers reliably or if various factors (permissions, firewalls,
power-downs, etc.) make it too difficult to use broadly?

 

Thanks,

 

Ben

 

 

Benjamin Stein

Information Security Officer

California Cancer Reporting and Epidemiological Surveillance (CalCARES)
Program

Institute for Population Health Improvement

UC Davis Health System

1631 Alhambra Blvd, Ste. 200

Sacramento, CA, 95816

Phone:  916-731-2563

Email:  bstein () ccr ca gov

 

The CalCARES program partners with the California Department of Public
Health to manage the operations of the state mandated California Cancer
Registry program
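The reply at the top of this message describes patches that the registry and SCCM still recorded as installed after a third-party installer had overwritten the patched .dll or .ocx. The PowerShell below is an added example, not part of the original thread and not how Nessus or SCCM implement their checks: it compares what the hotfix inventory records with the version of the file actually on disk. The KB ids, file paths and fixed versions in `$Baseline` are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example. Every KB id, path and version below is a constructed placeholder;
# take the real values from the vendor bulletin for the patch being verified.
$Baseline = @(
    [pscustomobject]@{ KB = 'KB0000000'; Path = "$env:SystemRoot\System32\example.dll"; FixedVersion = [version]'1.2.3.4' }
    [pscustomobject]@{ KB = 'KB0000001'; Path = "$env:SystemRoot\System32\example.ocx"; FixedVersion = [version]'5.6.7.8' }
)

function Get-FileVersionOnDisk {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Use the numeric parts: the FileVersion string may contain free text.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-PatchBaseline {
    param([Parameter(Mandatory)][object[]]$Baseline)
    foreach ($entry in $Baseline) {
        # What the inventory records. Get-HotFix stands in here for the
        # registry/SCCM view (Windows PowerShell 5.1, or PowerShell 7 on Windows).
        $recorded = [bool](Get-HotFix -Id $entry.KB -ErrorAction SilentlyContinue)
        # What is really on the file system.
        $onDisk = Get-FileVersionOnDisk -Path $entry.Path

        if ($null -eq $onDisk) {
            $status = 'FileMissing'
        } elseif ($onDisk -lt $entry.FixedVersion -and $recorded) {
            # Recorded as installed, but the binary is older than the fixed
            # version: the patched file was replaced after installation.
            $status = 'Regressed'
        } elseif ($onDisk -lt $entry.FixedVersion) {
            $status = 'NotPatched'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            KB           = $entry.KB
            Path         = $entry.Path
            Recorded     = $recorded
            OnDisk       = $onDisk
            FixedVersion = $entry.FixedVersion
            Status       = $status
        }
    }
}

# Report only the entries that need attention.
Test-PatchBaseline -Baseline $Baseline | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A `Regressed` row is the case described in the reply: the inventory and the file system disagree, and reinstalling the patch is the fix.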

 

 
