Assignment: Microsoft Baseline Security Analyzer

Introduction

The Microsoft Baseline Security Analyzer (MBSA) is a powerful tool to identify missing security updates and common security misconfigurations in a networked environment. This lab will involve researching to understand the theoretical implications of improper configuration, as well as the practical aspect of using MBSA to identify configuration issues and perform remediation.

Background Information

1. About "MBSA"

The Microsoft Baseline Security Analyzer (MBSA) is a powerful tool used by system administrators, information security professionals, and internal auditors to identify missing security updates and common security misconfigurations in a networked environment. Based on its findings, it provides security recommendations and offers specific remediation guidance. In particular, MBSA performs routine checks to ensure system integrity - missing patches, user account access, firewall settings, and running services - just to name a few. MBSA can be used to scan an individual computer or to scan multiple computers on a network. In its advanced configuration, it can be used to scan certain types of computers such as servers subscribing to Windows Server Update Services (WSUS).

2. Utility of MBSA

In general, the corporate sector does not patch all of its systems as frequently as necessary. This leaves them exposed to vulnerabilities that patching would have closed. A recent example of this was the Conficker worm, which, upon its release, would not have infected computers that had been fully patched six months prior.

One of the main purposes behind MBSA is to identify similar vulnerabilities. MBSA checks to see if patches have been installed and it reports which ones have not been installed. Tools such as MBSA can be used as a preventative control or a detective control. These tools can help save companies enormous amounts of lost revenue from potential data leaks, intrusions, and other infiltrative consequences.

Goal

The purpose of this lab is to familiarize you with proper Windows configurations, as well as identify how certain improper configurations can allow a system to become compromised. This lab will involve researching to understand the theoretical implications of improper configuration, as well as the practical aspect of using MBSA to identify configuration issues and perform remediation. At the end of this lab, you should be familiar with how malware can be used to compromise a system, the consequences of not having strong account passwords, and overall system management.

Questions (Provide a minimum 100-word, fact-based response for each question. Be quantitative, show lab results, and show in-line citations, where appropriate. Include overall reference list at the end.)

1. Focus on the overall "security assessment" risk rating that appears at the top of your report. Considering what security measures you (or the computer owner) have undertaken for your computer, does the assessment surprise you? Why or why not? What measures should you plan to undertake if the green checkmark did not appear?
2. a. What does MBSA do to check for weak local account passwords?
b. Why is it important to have a strong password on local user accounts, especially in a corporate environment?
c. Explain why it is important to have a password expiration policy set.

3. Malware can affect a computer in multiple ways. Having automatic updates turned off, not allowing Windows to update, and disabling the Windows firewall and setting exceptions in the Windows firewall are all tell-tale signs of this. Explain
a. how malware is able to accomplish this, and
b. also what type of malware could be used.
Please be as specific and fact-based as possible regarding types of malware using credible references to support your answers.

4. On local (home) computers, it is traditionally acceptable to have Windows automatically update the system with patches. In a corporate environment, system administrators will typically set domain computers to install updates manually. Through this process, the administrators decide whether a patch is necessary for their environment's standard operation expectancy (SOE). Typically they would use Windows Server Update Services (WSUS) to push out the updates to the computers, which is a highly time-consuming process.

Conficker is one of the most recent examples of an infection that leveraged a vulnerability that could have been avoided through a patch that had already been released. Yet, it spread like wildfire, infecting millions of corporate environments.

o Explain what Conficker is, which systems were vulnerable, which vulnerability it exploited, which Microsoft patch fixed the vulnerability, and the reason(s) that it is necessary to test new patches as they are released. Please be as specific and fact-based as possible regarding types of malware using credible references to support your answer.

o How would MBSA be used to detect the missing patch in a corporate environment?

5. If you were preparing the next version of MBSA, what new feature would you add? Why?
