Microsoft KB Archive/895660

= Microsoft Baseline Security Analyzer (MBSA) 2.0 is available =

Article ID: 895660

Article Last Modified on 6/28/2007

-

APPLIES TO


 * Microsoft Baseline Security Analyzer 2.0

-





INTRODUCTION
Microsoft Baseline Security Analyzer (MBSA) 2.0 is an easy-to-use tool that helps small and medium-sized businesses evaluate their security according to Microsoft security recommendations. The tool also offers specific remediation guidance. This article discusses the availability of MBSA 2.0. This article also explains how to upgrade to the new version.

MBSA 2.0 includes many improvements and new features. We recommend that most customers use MBSA 2.0. To download MBSA, visit the MBSA home page at the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA 2.0 includes the following key features:
 * Severity ratings
 * Local and remote scans for Microsoft Office XP security updates
 * Additional guidance for locating updates and taking appropriate action
 * CVE-IDs for supported updates
 * Improved help content
 * Compatibility with Windows Server Update Services
 * Automatic Microsoft Update registration and agent update
 * Detection of updates on Windows XP Embedded and on 64-bit versions of Microsoft Windows
 * Security Update Detection for newer products including Internet Explorer 7.0, Windows Media Player 10 and 11, Outlook Express and .Net Framework not supported by MBSA 1.2.1

MBSA 2.0 detects products that are currently supported by Microsoft Update, the central catalog of updates for Microsoft products. Microsoft Update replaces Windows Update. Windows Update only updates Microsoft Windows operating system products. Microsoft Update hosts the detection logic for MBSA 2.0 and other tools.

MBSA 1.2.1 and the monthly editions of the Enterprise Scan Tool (EST) support several legacy products that Microsoft Update may not support. Customers can choose to use MBSA 1.2.1 and all the monthly Enterprise Scan Tools to determine comprehensive security update compliance. For more information about how to obtain and use the Enterprise Scan Tool, click the following article number to view the article in the Microsoft Knowledge Base:

894193 How to obtain and use the Enterprise Scan Tool

The MBSA 1.2 tool will be discontinued 6 months after the release of the MBSA 2.0 gap tool (see the MBSA home page for detailed information). After this date, MBSA 1.2.1 will no longer be supported and the MSSecure.xml file that is automatically downloaded by MBSA 1.2 will no longer be updated to include new security bulletins. We encourage customers to migrate to MBSA 2.0 before this date to guarantee continued security bulletin detection.

Note Microsoft is committed to providing accurate security update detection and deployment for all MSRC security updates for supported Microsoft customers. These include all Systems Management Server (SMS) managed clients. Therefore, catalog data for Microsoft SMS 2.0 or SMS 2003 with the Software Update Services (SUS) Feature Pack will continue to be updated to guarantee continued security update detection for SMS 2.0 or SMS 2003 customers. The Extended Security Update Inventory Tool will also be updated to guarantee comprehensive detection and deployment for all Microsoft security issues that are listed on the Microsoft Security Bulletin Search Web page. To use the Microsoft Security Bulletin Search, visit the following Web site:

http://www.microsoft.com/technet/security/current.aspx

MBSA 2.0 provides comprehensive compliance detection for customers who have Microsoft products supported by Microsoft Update installed in their environments. To realize comprehensive security compliance with MBSA 2.0, an add-in tool for MBSA 2.0 will be released in 2007 to detect products that are earlier than the Microsoft Update baseline of supported products. 6 months after the release of this tool, MBSA 1.2.1 will be decommissioned.

The following table lists the security update detection tools that we provide for various Microsoft products. See the &quot;More Information&quot; section for important references and for information about how to download tools.


 * Indicates products that make up the minimum Microsoft Update baseline.


 * Indicates support for security updates only, not for update rollups or service packs. To view the specific security updates that are supported in each tool, see the &quot;More Information&quot; section.



MORE INFORMATION
We recommend that all customers use MBSA 2.0 to determine their security update compliance. However, to deploy updates, we recommend any of the Microsoft comprehensive update management solutions, such as Windows Server Update Services (WSUS) or Systems Management Server (SMS) 2003 with Service Pack 1 (SP1).

For detection-only, Microsoft provides two MBSA scanning options :
 * MBSA 2.0
 * MBSA 1.2.1

MBSA 2.0 is the recommended option as it provides a near complete security update report. MBSA 2.0 dynamically increases its supported product list as needed for new security updates as they are made available.To obtain comprehensive security update reports using MBSA 1.2.1, multiple monthly editions of the Enterprise Scan Tool are provided to augment MBSA 1.2.1 detection.

If I choose MBSA 2.0 now, will I need MBSA 1.2.1 in the future?

All customers should upgrade to MBSA 2.0. Any gaps in MBSA 2.0 detection (based on Microsoft Update) will be resolved with the release of an MBSA 2.0 gap tool to be released in 2007 (see the MBSA home page for more information). Microsoft is committed to unifying on the WSUS technologies. These technologies include Microsoft Update, WSUS Server and SMS with the Inventory Tool for Microsoft Update (ITMU). Therefore, customers should move away from MBSA 1.2.1 as soon as possible and well in advance of the 6 month timeframe after the MBSA 2.0 gap tool will be released.

Do I have to use both MBSA 1.2.1 and MBSA 2.0?

No. In environments where products supported by Microsoft Update are installed, customers should use MBSA 2.0 exclusively. For customers who have products that are earlier than the Microsoft Update baseline of support (which include Office 2000 products), the MBSA 2.0 gap tool should be used to augment MBSA 2.0 results.

To use MBSA 2.0
If your installed products meet the minimum baseline for Microsoft Update, you can obtain the greatest detection coverage by using MBSA 2.0 and the latest Enterprise Scan Tool. To do this, follow these steps:
 * 1) Review the products that are listed as the minimum baseline for the Microsoft Update catalog. These products include the following:
 * 2) * Windows 2000 with Service Pack 3 (SP3) or Service Pack 4 (SP4), Microsoft Windows XP, and Microsoft Windows Server 2003
 * 3) * Microsoft SQL Server 2000 with Service Pack 4 (SP4)
 * 4) * Microsoft Exchange 2000 with SP3
 * 5) * Microsoft Office XP
 * 6) If the products that you use match this baseline, use MBSA 2.0 to detect and to manually apply required updates. Otherwise, use MBSA 1.2.1.

To use MBSA 1.2.1
Several products that are supported by MBSA 1.2.1 are currently unavailable in Microsoft Update. Therefore, MBSA 2.0 cannot scan for them. Until the updates for these products are provided in the upcoming MBSA 2.0 gap tool, you may have to continue to use MBSA 1.2.1 and the Enterprise Scan Tools.

Note Updates to the MBSA 1.2.1 catalog will end 6 months after the release of the MBSA 2.0 gap tool. At that time no new updates will be added to the MSSecure.XML catalog for MBSA 1.2.1 customers. Althought the MBSA 1.2.1 catalog will remain available for scanning these earlier products, new updates to for supported products will be published only to Microsoft Update (which MBSA 2.0 uses). We strongly encourage all users of MBSA 1.2.1 to upgrade to MBSA 2.0 and update any command-line output to make sure that any scripts or migration issues are resolved before the MBSA 1.2.1 catalog is no longer updated.

To use MBSA 1.2.1, follow these steps:  To confirm that MBSA 1.2.1 is the correct option for your needs, review the products that are unavailable in Microsoft Update(see the table earlier in this article and refer to the WSUS Support Product list). These products include the following:  FrontPage Server Extensions 2002 Microsoft (Step-by-Step) Interactive Training Microsoft Office 2000 Microsoft Exchange 5.0 and 5.5 Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 with Service Pack 3a (SP3a) Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft SNA Server 4.0</li> Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, and Microsoft BizTalk Server 2004</li> Microsoft Commerce Server 2000 and Microsoft Commerce Server 2002</li> Microsoft Content Management Server 2001 and Microsoft Content Management Server 2002</li> Outlook 2003 with Business Contact Manager</li> SharePoint Team Services 2002 (STS)</li> Windows SharePoint Services (WSS)</li></ul> </li> If you use the products that are listed in step 1, use MBSA 1.2.1 to obtain a security compliance report.</li> To complete the compliance process, run each monthly version of the Enterprise Scan Tool that is indicated in the following table. Then, install the updates that are not yet supported by Microsoft Update. </li></ol>

Note: After the MBSA 2.0 gap tool is released in 2007, customers can obtain comprehensive security update detection by using MBSA 2.0 and the gap tool. Customers do not have to use MBSA 1.2.1 and the multiple monthly editions of the Enterprise Scan Tool after the MBSA 2.0 gap tool has been released.

<div class="references_section">