Users slam Microsoft Security Analyser

[InfoSec News <isn () c4i org>]

http://www.vnunet.com/News/1130844

By James Middleton 
11-04-2002

Microsoft released the Baseline Security Analyser (MBSA), a free tool
which analyses Windows systems for common security misconfigurations,
earlier this week. But users have already slammed it as just a GUI
version of the software giant's HfNetChk.

Since the release last year of Microsoft's command line hot fix
network security checker, administrators have clamoured for a release
with more functionality.

The only alternative to date is a paid-for tool called HFNetChkPro,
developed by Microsoft and Shavlik Technologies, which costs $5,000
for a 250-desktop licence.

Users are concerned that MBSA misses an opportunity to provide a
viable free security tool, and means that users will have to keep
paying.

Damien Adams, of technical services firm ScienTech, said: "For
Microsoft to suggest that users should pay for tools to fix problems
in its software is insulting.

"Now that Microsoft is pushing security, and is even going to venture
into the security market, will we have to pay for patches? A majority
of Microsoft's security market exists because of holes in its
software."

His feelings were echoed by other Microsoft users on the company's
Security Focus mailing list who agreed that buying products which have
incredible layers of complexity built into their systems, and then
being charged for tools to identify and fix inherent problems, is
indeed insulting.

On a technical level, MBSA was compared to a GUI version of HfNetChk,
and is still seen to be lacking the more useful features offered by
commercial alternatives.

Terry Atkison, of services firm BestNetPC, confirmed that the tool
"seems to be a cleaner looking GUI version of HfNetChk. It found a
couple of missing hotfixes on one of the machines, and it also scanned
for other security vulnerabilities."

But another user, Brian Heathfield, said: "Results were quite mixed:  
on one machine it flagged nearly every fix as not knowing if they were
applied."

So far, the initial feedback on MBSA has prompted Microsoft customers
to flame the company for coming up with nothing more than a way to
"further inundate Microsoft admins with information".

Microsoft's recent forays into security have been described as a
"token effort" and the MBSA has been labelled as nothing more than a
port scanner. "How long have such things already been widely
available?" asked one user.

More information on MBSA can be found here.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.