
Initial Security Analysis - Microsoft Baseline Security Analyzer.

Microsoft Baseline Security Analyzer (MBSA) is a free security analysis tool for Windows operating systems and a number of Microsoft software products (Internet Information Services, SQL Server, Internet Explorer, etc.). The term "Baseline" in the name should be understood as a reference level at which the security of the OS can be considered satisfactory. MBSA scans computers running Windows for major vulnerabilities and for recommended security updates. It is critical to know which updates are installed and which ones should be installed on your OS. MBSA provides this check by consulting a continually updated Microsoft database in XML format that contains information about the updates released for each Microsoft product. You can work with MBSA through the graphical interface and from the command line. In this lesson, only the first option will be considered.

The MBSA interface is based on the Internet Explorer browser. The main window of the program is divided into two areas (Fig. 2). Since an MBSA session is configured using a wizard, the left pane contains the steps of the wizard, and the right pane is the main window describing the actions of each step.

Fig. 2. Main window of Microsoft Baseline Security Analyzer 2.0

At the first step "Welcome", you must select one of the actions (see Fig. 2):
- Scan this computer (Scan a computer);
- Scan more than one computer;
- View existing security reports.

When starting MBSA for the first time, you must select the first or second option. On the next step of the wizard in the main window, you need to set the scan parameters for the computer (s) running Windows (Fig. 3). You can enter the name or IP address of the computer to be scanned (by default, the computer on which MBSA was launched is selected).

The user who launched MBSA must have administrator rights for this computer or be a member of the system administrators group. In the case of scanning multiple computers, the user must have administrator rights on each of the computers, or better - domain administrator rights.

Fig. 3. Selecting Computer and Scanning Options in MBSA 2.0

After selecting the computer(s) to scan, you need to set the scan options:
- check the Windows OS;
- check passwords;
- check IIS services;
- check SQL Server;
- check for installed security updates.

More detailed information about MBSA checks can be obtained from the official Microsoft website. For example, when the "check passwords" option is set, MBSA checks the local user accounts on the computer for blank or simple passwords (this check is not performed on servers acting as domain controllers), trying the following combinations:
- the password is empty;
- the password matches the name of the user account;
- the password matches the computer name;
- the word "password" is used as the password;
- the words "admin" or "administrator" are used as the password.

This check also displays messages about blocked accounts.

After all the options are set, click the "Start scan" link at the bottom (see Fig. 3). The first time you scan with MBSA, you need an Internet connection to download from the Microsoft Download Center (http://www.microsoft.com/downloads) an XML file containing the current vulnerability reference database. MBSA first downloads this file as a compressed cab file, then, after checking its signature, unpacks it on the computer from which it is run.

MBSA can also work offline, without an Internet connection. To do this, download the above file and place it in the appropriate directory.

After the cab file is unpacked, MBSA scans the specified computer(s) to determine the operating system, installed update packages and programs in use. MBSA then parses the XML file and determines the security updates that are available for the installed software. In order for MBSA to determine whether an update is installed on the scanned computer, it needs to know three items: the registry key, the file version and the checksum for each file installed with the update.

If any data on the scanned computer does not match the corresponding items in the XML file, MBSA will determine the corresponding update as missing, which will be reflected in the final report.

After scanning a single computer, MBSA will automatically launch the "View security report" window and display the scan results. If several computers were scanned, then you should select the "Pick a security report to view" mode to see the scan results. The report generated by MBSA is divided into five sections:

ü Security Update Scan Results,

ü Windows Scan Results,

ü Internet Information Services (IIS) Scan Results,

ü SQL Server Scan Results,

ü Desktop Application Scan Results.

Some sections are further broken down into sections dedicated to specific computer security issues and provide system information for each of the checks listed in Table 1. A description of each check of the operating system is reflected in the report along with instructions on how to eliminate the detected vulnerabilities.

Exercise. Working with Microsoft Baseline Security Analyzer 2.0

In this lab, you will learn how to use the MBSA 2.0 security analysis tool. First, you will configure a computer running Windows XP Professional so that MBSA can run without an Internet connection; then you will scan it and generate a report on the results.

Exercise 1: Preparing a Windows XP Professional Computer for Offline MBSA Operation

Check whether there is an MBSA shortcut on your desktop. If the shortcut is present, go to Exercise 2.

If there is no shortcut, follow these steps:
- Launch Internet Explorer or any other browser and type the following address into the address bar: http://download.windowsupdate.com/v6/windowsupdate/redist/standalone/windowsupdateagent20-x86.exe
- Download this offline installer of the Windows Update Agent and install it on the Windows XP Professional computer.
- Save the downloaded file to the following path: C:\Documents and Settings\<user profile folder>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab. Here <user profile folder> is the name of the folder containing the profile of the user with administrator rights under which you logged on to the system.
- A shortcut to Microsoft Baseline Security Analyzer 2.0 should appear on the desktop.

Exercise 2: Checking the Local Computer with MBSA 2.0

1. On the desktop, double-click the shortcut for MBSA 2.0.

2. MBSA will start in graphical wizard mode and the first "Welcome to the Microsoft Baseline Security Analyzer" window will appear. Click on the "Scan a computer" link.

3. The next window of the MBSA wizard will load, where you need to set the scan options. By default, the Computer name field will display the name of the current computer on which you started MBSA. In the scan options, clear the Check for IIS administrative vulnerabilities check box.

5. Since there is no Internet connection, the message "Failed to download security update database" will first appear under the scan progress bar. After a few seconds, MBSA will begin the offline scan, showing "Currently scanning <computer name>".

6. After the scan is finished, a report with the results will be loaded.

7. Study the report carefully. Translate it and show it to the teacher.

Control questions:

1. What is a vulnerability?

2. List the typical vulnerabilities.

3. Explain the main approaches to detecting vulnerabilities.

4. What does the term "Baseline" mean?

5. In what modes can you work with MBSA?


© 2015-2019 site
All rights belong to their authors. This site does not claim authorship, but provides free use.
Date the page was created: 2016-04-12

The main goal of this article is to give administrators material that will allow them to run MBSA periodically, in automatic mode, and send the reports to e-mail addresses. This will greatly increase the level of security awareness on the corporate network.

Within a corporate infrastructure it is necessary to have up-to-date information about the state of security. Although there are decent products on the market that allow automatic scanning according to given templates, they have a fairly high price. Microsoft has released a product called Microsoft Baseline Security Analyzer that checks Microsoft products for vulnerabilities.


Within MBSA, a scan can be launched from the command line with mbsacli.exe. The command has a number of switches that control the scan. Below, each switch is described by the parameter it takes (where it takes one) and its purpose:

- domain\computer name: checks the named computer.
- IP address: checks the computer with that IP address.
- start IP address-end IP address: checks a range of IP addresses.
- filename.txt: checks the computers listed in a file of IP addresses.
- domain name: checks the whole domain.
- Selects which checks not to run. Options: "OS" (operating system), "SQL" (SQL Server), "IIS" (IIS web server), "Updates" (security updates), "Password" (passwords). Several options are joined with "+" without spaces, for example: OS+SQL+IIS+Updates+Password
- Show only updates approved on WSUS.
- Show all updates, even those not yet approved on WSUS.
- Do not check for a new version of MBSA.
- file name: report name template. It accepts the parameters %D% (domain name), %C% (computer name), %T% (time) and %IP% (IP address). Default: %D% - %C% (%T%).
- Do not show the scan progress.
- Do not show the report when checking a single computer.
- Do not show the error report.
- Do not show the report.
- Do not show any of the above.
- Report in Unicode.
- username: user name used for scanning.
- user password: password of the user used for scanning.
- file name: data source (catalog) containing information about available security updates.
- Check updates using the Windows Update Agent.
- Check for updates against the Microsoft Update site.
- Do not download updates from the Microsoft Update site during the check.
- Run the scan in update-only mode using only mbsacli.exe and wusscan.dll. This switch can only be used together with the switches /catalog, /wa, /wi, /nvc and /unicode.
- Show all reports.
- Show reports from the last scan.
- file name: show the summary report.
- file name: show the detailed (drill-down) report.
- directory name: directory in which scan reports are saved.

Having the switches of mbsacli.exe at our disposal, we can compose our own scan script according to our requirements. The task: check a range of IP addresses using the data of the WSUS service and save the reports in a specific directory; the report name format is "computer name - time". The command will look like this:

mbsacli.exe /r [start IP address]-[end IP address] /q /wa /o %IP%-%T% /u [domain\username] /p [user password] /rd [directory where reports will be saved]

After a while, reports for the hosts in the IP range will appear.

These reports highlight the main security issues that administrators will need to investigate in order to fix vulnerabilities.

But very often WSUS lacks some fairly critical updates. MBSA will help identify these gaps: it is enough to run the above command with the /mu switch instead of /wa. In the report files, the issue "Windows Security Updates" will show which updates are required on each computer.

Check Automation

As shown above, you need two reports that show the difference between the updates installed from WSUS and the updates available on Microsoft Update. To do this, use two different folders for storing the reports, divided by scan date.

A batch (.bat) file for checking with MBSA against WSUS would look like this:

@echo off
rem %date:~-10% is the last 10 characters of today's date; its exact format depends on the system locale
cd /d c:\(report storage folder)\WSUS
md %date:~-10%
cd /d "C:\Program Files\Microsoft Baseline Security Analyzer 2"
mbsacli.exe /r [startIP]-[endIP] /q /wa /rd c:\(report storage folder)\WSUS\%date:~-10%

A batch (.bat) file for checking with MBSA against the Microsoft Update server would look like this:

@echo off
cd /d c:\(report storage folder)\MU
md %date:~-10%
cd /d "C:\Program Files\Microsoft Baseline Security Analyzer 2"
mbsacli.exe /r [startIP]-[endIP] /q /mu /rd c:\(report storage folder)\MU\%date:~-10%

The two bat files differ by the /wa or /mu switch, which sets the scope of the update comparison, and by the folders in which the reports are saved.

The bat files do not contain the /u and /p switches with the user name and password. This is deliberate: there is no need to store passwords in clear text in bat files. Instead, use the Task Scheduler, where you configure on behalf of which user the bat file is executed.

Microsoft Windows includes a "Task Scheduler" that runs the required actions at a set time. It also allows you to add the required arguments; in our case these are the two switches /u and /p with the user name and password as parameters.

To do this, create a new task by choosing "Create a simple task" and give it a description (Fig. 1).

In the "Task trigger" window, set the frequency of the scan (once a week is enough) (Fig. 2).

In the "Weekly" window, set the time of the check (it must be during working hours, since the scanned computers must be switched on) (Fig. 3).

In the "Action" window, select the action "Run the program" (Fig. 4).

In the "Run the program" window, use the "Browse" button to select the bat file intended for scanning against WSUS (Fig. 5).

After creating the task, open its properties and on the "General" tab select "Run regardless of whether the user is logged on", which allows the task to run without a logged-on session, for example on a server (Fig. 6).

We perform the above steps to create a second scan task using updates from the Microsoft Update server and specifying the appropriate bat file.
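The two batch files and the two scheduled tasks above can be driven from one script. Here is an added example in Python (not the article's own code): it builds the mbsacli.exe argument lists for the WSUS (/wa) and Microsoft Update (/mu) scans with the switches used in the article, writes each report set into a dated folder, and builds the schtasks command that registers the weekly task under a service account without putting the password in the script. The install path, report root, IP range, task name and account are hypothetical.

```python
"""Scheduled mbsacli.exe scans: added example, not the article's own code.

Runs the WSUS-scoped (/wa) and Microsoft Update-scoped (/mu) scans described in
the article, each into its own dated report folder, and builds the schtasks
command for the weekly task. Paths, names and addresses are hypothetical.
"""
import ipaddress
import subprocess
from datetime import date
from pathlib import Path, PureWindowsPath

# Default MBSA 2.x install folder (assumed; the two batch files cd into it)
MBSA_DIR = PureWindowsPath(r"C:\Program Files\Microsoft Baseline Security Analyzer 2")

# mbsacli switch -> report sub-folder, as in the WSUS and MU batch files
MODES = {"wa": "WSUS", "mu": "MU"}


def report_dir(root, mode, day):
    """Dated report folder such as C:\\Reports\\WSUS\\2016-04-12.

    An ISO date replaces the batch files' %date:~-10%, whose format depends on
    the locale: ISO folders sort chronologically and never contain slashes."""
    day_str = day if isinstance(day, str) else day.isoformat()
    return PureWindowsPath(root) / MODES[mode] / day_str


def build_mbsacli_args(mode, start_ip, end_ip, root, day):
    """Argument list for one scan, with the switches used in the article.

    /u and /p are deliberately absent: the scan runs under the account the
    Task Scheduler task is registered with, so no password lives in a script."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if start > end:
        raise ValueError(f"range start {start} is after range end {end}")
    return [
        "mbsacli.exe",
        "/r", f"{start}-{end}",   # scan the IP range
        "/q",                     # quiet mode, as in the article's command
        f"/{mode}",               # /wa = WSUS-approved updates, /mu = Microsoft Update
        "/o", "%IP%-%T%",         # report name template: IP address - time
        "/rd", str(report_dir(root, mode, day)),
    ]


def build_schtasks_args(task_name, script, run_as, day_of_week="MON", start_time="10:00"):
    """schtasks command registering a weekly task that runs the given batch file.

    Supplying /RU makes the task run whether the user is logged on or not;
    /RP * makes schtasks prompt for the password instead of reading it from here."""
    return [
        "schtasks", "/Create",
        "/SC", "WEEKLY", "/D", day_of_week, "/ST", start_time,
        "/TN", task_name,
        "/TR", str(script),
        "/RU", run_as, "/RP", "*",
    ]


def run_scan(mode, start_ip, end_ip, root, day=None):
    """Create the dated folder and run mbsacli.exe from its install directory."""
    day = day or date.today()
    Path(str(report_dir(root, mode, day))).mkdir(parents=True, exist_ok=True)
    args = build_mbsacli_args(mode, start_ip, end_ip, root, day)
    return subprocess.run(args, cwd=str(MBSA_DIR), check=False).returncode


if __name__ == "__main__":
    # Hypothetical range; needs MBSA installed and rights on the scanned hosts.
    for mode in MODES:
        print(mode, run_scan(mode, "192.168.10.1", "192.168.10.50", r"C:\Reports"))
```

Registering the task once with the output of build_schtasks_args (run from an elevated prompt, which then asks for the service account's password) gives the same result as the "Create a simple task" steps above, and the credentials are stored by the Task Scheduler rather than in the batch file.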

Conclusion. Being free, Microsoft Baseline Security Analyzer does not have rich functionality, but thanks to the command-line switches and their parameters it can raise the level of information about the security state and provide what is needed to eliminate vulnerabilities in a corporate environment.

Command line management also allows administrators to automate the process of obtaining the required security status reports.

Checking that all required updates are present is a familiar task on Windows; owners of other systems have to look for other solutions. There are many programs that analyze a system for vulnerabilities. But what about the situation when you need to find out whether updates for the system have been missed, and whether the system complies with the security guidelines of the developers themselves? In that case I would not count on them. And it is hard to believe that the corporation from Redmond has nothing to offer for such a case.

Microsoft Baseline Security Analyzer

Today I will talk about a program released by Microsoft itself for the analysis of Windows systems, designed for system administrators (for IT Professionals), but quite suitable for use in an environment of ordinary / home users.

The program is called Microsoft Baseline Security Analyzer (MBSA). It is free to use and available for both 32-bit and 64-bit systems. It supports all Windows versions starting from Windows 2000.

MBSA is offered in 4 languages: English, French, German, Japanese. Unfortunately, there is no Russian language.

Among the shortcomings, I note the need for an Internet connection for the program to work normally and, again, the absence of a Russian version (is anyone willing to make a translation?!).

Step 1. Download and install

So, go to: https://www.microsoft.com/en-us/download/details.aspx?id=55319 and click the big red Download button.

In the pop-up window, select the type of our OS, 32-bit or 64-bit, and click the blue "Next" button, after which the download will start.

The size of the program is only 1.7 MB.

We launch the installer, which, after clicking "Next" everywhere and accepting the license agreement, displays a message about successful completion.

MBSA installation completed successfully.

Step 2. Settings and start of analysis

In the main window of the program, select "Scan a computer". In the next window, mark the necessary items for setting up our analysis.

Leave the "Computer name" "IP address" "Security report name" items "as is".

I'll tell you about the items that will be needed:

  • Check for Windows administrative vulnerabilities: checks for Windows administrative vulnerabilities such as the status of the Guest account, shared folders, the file system type, etc.
  • Check for weak passwords: checks for vulnerable, i.e. "weak", passwords.
  • Check for security updates: checks for missing security updates.
  • Scan using Microsoft Update only: scans using only Microsoft Update (select this item).
  • Scan using offline catalog only: scans using only the local catalog (select this if there is no Internet connection).

More detailed descriptions of the items are given in the section "Learn more about Scanning Options". Scanning starts after clicking "Start scan".

Step 3. Analysis and elimination of vulnerabilities

The report after scanning will reflect the security status of the computer according to the manufacturer's version.

My XP has security holes.

In Windows 7, the analysis revealed problems with the Guest and user passwords.

To eliminate the found vulnerabilities, we find a line with a red shield. For example "Windows Security Updates". We select the item "Result details", and we see a detailed list with missing updates.

XP support has ended and some updates are hard to find.

Instead of a conclusion

I tried to describe a simple and accessible way of analyzing a system. Many users hardly think about the security of their computer, naively believing that these problems will not affect them.

National Open University "INTUIT": www.intuit.ru. Pavel Lozhnikov, Evgeny Mikhailov. Lecture 7. Systems for analyzing the security of a corporate network (vulnerability detection) using the example of the products Microsoft Baseline Security Analyzer and XSpider

One of the main elements of the information security of the network infrastructure are the operating systems of computers, since they accumulate the overwhelming majority of the used protection mechanisms: means of differentiating access to resources, user authentication, audit of events, etc. The security level of the organization's network infrastructure directly depends on the effectiveness of protection of operating systems generally.

This lesson will cover software for analyzing the security of Microsoft operating systems, namely:
- Microsoft Baseline Security Analyzer (MBSA);
- the XSpider 7.0 security scanner (produced by Positive Technologies LLC, Russia).

Before you begin

To complete the labs in this lesson, you need two computers (virtual machines are acceptable). The following software products must be installed on one computer running Windows XP Professional:
- Microsoft Baseline Security Analyzer (MBSA);
- XSpider 7.0;
- Microsoft SQL Server 2000;
- Magnum v. 1.0.4, consisting of the following programs: MySQL Server, Apache Web Server and the PHP web application development environment.

The last two software products are installed so that vulnerabilities can be detected in them, and they are optional. On the second computer (server) running Windows Server 2003, the File Server and WINS Server roles must be added.

6.1. Principles of operation of security analysis systems

To understand the principles of operation of security analysis systems, some terms and definitions must be established. The key concept for this lesson is vulnerability. An OS security vulnerability is a property (flaw) of the OS that an attacker can use to gain unauthorized access to information. Security analysis systems can detect vulnerabilities in the network infrastructure, analyze them and issue recommendations for their elimination, and create various kinds of reports. Typical vulnerabilities include:
- missing OS security updates;
- incorrect settings of the OS security subsystems;
- passwords that do not meet requirements;
- susceptibility to penetration from external systems;
- software backdoors (implants);
- incorrect settings of the system and application software installed on the OS.

Most security analysis systems (XSpider, Internet Scanner, LanGuard, Nessus) detect vulnerabilities not only in operating systems but also in the most common application software. There are two main approaches by which security analysis systems detect vulnerabilities: scanning and probing [[6.4]]. Because of the first approach, security analysis systems are also called "security scanners" or simply "scanners".

When scanning, the security analysis system tries to determine the presence of a vulnerability by indirect signs, i.e. without actually confirming it; this is passive analysis. This approach is the fastest and easiest to implement. When probing, the security analysis system simulates the attack that exploits the vulnerability being tested, i.e. it performs active analysis. This approach is slower than scanning, but it allows you to verify whether or not the analyzed computer actually has the vulnerability.

10/10/2014 Systems for analyzing the security of a corporate network (vulnerability detection) on the example of products: Microsoft Baseline Securit ...

In practice, these two approaches are implemented in security scanners through the following verification methods [[6.4]]:

1. Banner check;

2. Active probing check;

3. Simulated attacks (Exploit check).

The first method is based on the "scanning" approach and infers vulnerabilities from information in the header of the response to a security scanner's request. An example of such a check is parsing the banner of the Sendmail mail server, from which you can find out its version and draw a conclusion about the presence of a vulnerability in it.
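To make the banner-check idea concrete, here is an added example (not from the lecture, and not the code of any scanner) that parses a constructed SMTP greeting and compares the advertised version with a constructed minimum-version baseline. The host names, banners and baseline versions are made up for illustration and claim nothing about real releases; the result is only an inference from the banner, which is exactly the limitation of passive analysis described above.

```python
"""Passive banner check: added example, not from the lecture or any scanner.

Parses the 220 greeting an SMTP server sends and compares the advertised
version with the minimum the administrator has approved.  The answer is only
an inference from the banner (a wrong or deliberately altered banner gives a
wrong answer), which is the limitation of passive analysis described above.
Banners, host names and the baseline are constructed."""
import re

# First dotted number in the part of the banner after the host name
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_banner(banner):
    """Return (product, version-or-None) from '220 host [ESMTP] Product version ...',
    or None when the line is not a 220 greeting that names a product."""
    parts = banner.strip().split()
    if len(parts) < 3 or not parts[0].startswith("220"):
        return None
    rest = parts[2:]                                   # everything after the host name
    words = [w for w in rest if w.upper() != "ESMTP"]
    if not words:
        return None
    product = words[0].split("/")[0].rstrip(",;")
    match = VERSION_RE.search(" ".join(rest))
    return product, (match.group(1) if match else None)


def version_key(version):
    """'8.14.4' -> (8, 14, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def assess(banner, baseline):
    """baseline: {product: minimum acceptable version} (constructed policy).
    'unknown'         - banner names no product or no version
    'not-in-baseline' - product not covered by the baseline
    'below-baseline'  - advertised version older than the approved minimum
    'ok'              - advertised version at or above the minimum"""
    parsed = parse_banner(banner)
    if parsed is None or parsed[1] is None:
        return "unknown"
    product, version = parsed
    minimum = baseline.get(product)
    if minimum is None:
        return "not-in-baseline"
    return "below-baseline" if version_key(version) < version_key(minimum) else "ok"


# Constructed baseline and greetings (no claim about real releases)
BASELINE = {"Sendmail": "8.14.4", "Postfix": "2.10.0"}
SAMPLE_BANNERS = [
    "220 smtp.example.test ESMTP Sendmail 8.13.8/8.13.8; Tue, 12 Apr 2016 10:00:00 +0300",
    "220 relay.example.test ESMTP Sendmail 8.14.4/8.14.4; Tue, 12 Apr 2016 10:00:01 +0300",
    "220 mx.example.test ESMTP Postfix",
    "220 mail.example.test Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess(b, BASELINE), "<-", b)
```

The third banner shows why banner checks produce "unknown" results: a server that advertises no version cannot be classified passively, and only an active check would settle it.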

Active probing checks are also based on the "scanning" approach. This method compares fragments of the scanned software with the signature of a known vulnerability stored in the security analysis database. Variants of this method compare, for example, checksums or dates of the scanned software.

The attack simulation method uses various defects in software and implements the probing approach. Some vulnerabilities cannot be detected without blocking or disrupting the operation of operating system services during the scan. When scanning critical servers on a corporate network, it is undesirable to use this method because it can disable them, in which case the security scanner successfully carries out a "denial of service" attack. Therefore, in most security analysis systems, checks based on attack simulation are disabled by default. When they are included in the scanning process, a warning message is usually displayed (Fig. 6.1).

Fig. 6.1. XSpider 7.0 security scanner warning message about including dangerous checks in the scanning process

6.2. Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a free security analysis tool for Windows operating systems and a number of Microsoft software products (Internet Information Services, SQL Server, Internet Explorer, etc.). The term "Baseline" in the name MBSA should be understood as a certain reference level at which the security of the OS can be considered satisfactory. MBSA allows you to scan computers running Windows operating systems for major vulnerabilities and for recommended security updates. It is critical to know which updates are installed and which ones should be installed on your OS. The MBSA provides this verification by accessing Microsoft's continually updated XML database of updates released for each Microsoft software [[6.8]]. You can work with the MBSA program through the graphical interface and the command line. In this lesson, only the first option will be considered.

The MBSA interface is based on the Internet Explorer browser. The main window of the program is divided into two areas (Fig. 6.2). Since the MBSA session is configured using the wizard, the left pane contains the steps of the wizard, and the right pane contains the main window describing the actions of each step.

http://www.intuit.ru/studies/courses/1003/203/print_lecture/5271

Fig. 6.2. Main window of Microsoft Baseline Security Analyzer 2.0

At the first step "Welcome", you must select one of the actions (see Fig. 6.2):
- Scan this computer (Scan a computer);
- Scan more than one computer;
- View existing security reports.

When starting MBSA for the first time, you must select the first or second option. At the next step of the wizard, in the main window, you need to set the scan parameters for the computer (s) running Windows (Fig. 6.3). You can enter the name or IP address of the computer to be scanned (by default, the computer on which MBSA was launched is selected).

The user who launched MBSA must have administrator rights for this computer or be a member of the system administrators group. In the case of scanning multiple computers, the user must have administrator rights on each of the computers, or better - domain administrator rights.

Fig. 6.3. Selecting Computer and Scanning Options in MBSA 2.0

Having selected the computer(s) for scanning, it is necessary to set the scanning options:
- check the Windows OS;
- check passwords;
- check IIS services;
- check SQL Server;
- check for installed security updates.

More information about MBSA checks can be found on the official Microsoft website [[6.1]]. For example, when the check passwords option is specified, MBSA checks the computer for local user accounts that use blank or simple passwords (this check is not performed on servers acting as domain controllers), trying the following combinations:
- the password is empty;
- the password is the same as the user account name;
- the password is the same as the computer name;
- the password is the word "password";
- the password is the word "admin" or "administrator".

This check also displays messages about blocked accounts.
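The five combinations listed here (and in the earlier description of the same check) can be applied before a password is accepted, so that an account provisioning script refuses what MBSA would later flag. The following is an added example, not MBSA's own code: the account list and computer name are constructed, and case-insensitive comparison is an assumption of this example.

```python
"""Simple-password rules from MBSA's "check passwords" option: added example,
not MBSA's code. Meant as a pre-acceptance check in an account provisioning
script, so it refuses the same combinations MBSA would later flag. Sample
accounts are constructed; case-insensitive comparison is an assumption."""

# Dictionary words the text lists as tried passwords
DICTIONARY_WORDS = ("password", "admin", "administrator")


def simple_password_reason(password, account_name, computer_name):
    """Return why the password counts as simple, or None if none of the five rules fires."""
    pw = password.casefold()
    if pw == "":
        return "blank password"
    if pw == account_name.casefold():
        return "password equals the account name"
    if pw == computer_name.casefold():
        return "password equals the computer name"
    if pw in DICTIONARY_WORDS:
        return f'password is the word "{password}"'
    return None


def audit_accounts(accounts, computer_name):
    """accounts: iterable of dicts with name, password and locked_out.

    Returns (findings, locked): findings are (account, reason) pairs for simple
    passwords; locked lists locked-out accounts, which the MBSA check reports too."""
    findings, locked = [], []
    for acct in accounts:
        reason = simple_password_reason(acct["password"], acct["name"], computer_name)
        if reason:
            findings.append((acct["name"], reason))
        if acct.get("locked_out"):
            locked.append(acct["name"])
    return findings, locked


# Constructed sample: local accounts of a lab workstation named WS-LAB-07
SAMPLE_COMPUTER = "WS-LAB-07"
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "password": "administrator", "locked_out": False},
    {"name": "backup", "password": "", "locked_out": False},
    {"name": "jsmith", "password": "ws-lab-07", "locked_out": True},
    {"name": "svc_print", "password": "v5#Tq9!lm", "locked_out": False},
]

if __name__ == "__main__":
    found, locked = audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_COMPUTER)
    for name, reason in found:
        print(f"{name}: {reason}")
    print("locked out:", ", ".join(locked) or "none")
```

The rules are checked in the order the text lists them, so a built-in Administrator account whose password is "administrator" is reported under the account-name rule rather than the dictionary-word rule; both are conditions MBSA flags.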

After all the options are set, click the "Start scan" link at the bottom (see Fig. 6.3). When you scan with MBSA for the first time, you need an Internet connection to download from the Microsoft Download Center (http://www.microsoft.com/downloads) an XML file containing the current vulnerability reference database. MBSA first downloads this file as a compressed cab file, then, after checking its signature, unpacks it on the computer from which it is run.

It is also possible for MBSA to work offline without an Internet connection. To do this, you need to download the above file and place it in the appropriate directory. For more information on this procedure, see Exercise 1 in Lab # 1.

After the cab file is unpacked, MBSA scans the specified computer(s) for the operating system, update packages and programs in use. Then MBSA parses the XML file and determines the security updates that are available for the installed software [[6.9]]. In order for MBSA to determine whether an update is installed on the scanned computer, it needs to know three items: the registry key, the file version and the checksum for each file installed with the update.

If any data on the scanned computer does not match the corresponding items in the XML file, MBSA will determine the corresponding update as missing, which will be reflected in the final report.
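The three items named here (registry key, file version, file checksum) are enough to write down the decision rule that the lecture describes twice (here and in the earlier description of the scan). The following is an added example, not MBSA's code: the catalog entry, the KB-EXAMPLE-0001 identifier, the registry key and the file contents are constructed; SHA-256 as the checksum and treating a newer file version as installed (superseded) are assumptions of this example.

```python
"""Decision rule for "update installed?": added example, not MBSA's own code.

The lecture states that MBSA needs a registry key, a file version and a file
checksum for each file shipped with an update, and reports the update missing
when any item on the host disagrees with the catalog.  Everything below is
constructed: the catalog entry, the KB-EXAMPLE-0001 identifier, the registry
key and the file contents.  SHA-256 as the checksum and "a newer file version
counts as installed (superseded)" are assumptions of this example."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def version_key(version):
    """'5.1.2600.5512' -> (5, 1, 2600, 5512) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def update_status(entry, host):
    """entry: catalog record {"id", "registry_key", "files": {path: {"version", "sha256"}}}
    host:  observed state  {"registry_keys": set, "files": {path: {"version", "content"}}}
    Returns ("installed", []) or ("missing", [reasons])."""
    reasons = []
    if entry["registry_key"] not in host["registry_keys"]:
        reasons.append(f'registry key {entry["registry_key"]} absent')
    for path, want in entry["files"].items():
        got = host["files"].get(path)
        if got is None:
            reasons.append(f"{path} absent")
            continue
        got_v, want_v = version_key(got["version"]), version_key(want["version"])
        if got_v < want_v:
            reasons.append(f'{path} version {got["version"]} older than {want["version"]}')
        elif got_v == want_v and sha256_hex(got["content"]) != want["sha256"]:
            # same version string but different bytes: not the file the update shipped
            reasons.append(f"{path} checksum mismatch")
        # a newer version is accepted: a later update superseded this one (assumption)
    return ("installed", []) if not reasons else ("missing", reasons)


# Constructed catalog entry for one hypothetical update shipping one file
PATCHED_CONTENT = b"example.dll build 5.1.2600.5512 (constructed)"
EXAMPLE_FILE = r"C:\Windows\System32\example.dll"
CATALOG_ENTRY = {
    "id": "KB-EXAMPLE-0001",
    "registry_key": r"HKLM\SOFTWARE\Example\Updates\KB-EXAMPLE-0001",
    "files": {EXAMPLE_FILE: {"version": "5.1.2600.5512", "sha256": sha256_hex(PATCHED_CONTENT)}},
}


def host_state(registry_present=True, version="5.1.2600.5512", content=PATCHED_CONTENT):
    """Constructed view of a scanned host; the defaults describe a correctly patched host."""
    return {
        "registry_keys": {CATALOG_ENTRY["registry_key"]} if registry_present else set(),
        "files": {EXAMPLE_FILE: {"version": version, "content": content}},
    }


if __name__ == "__main__":
    for label, host in [("patched", host_state()),
                        ("key missing", host_state(registry_present=False)),
                        ("old file", host_state(version="5.1.2600.2180", content=b"old")),
                        ("tampered", host_state(content=b"same version, other bytes"))]:
        print(label, update_status(CATALOG_ENTRY, host))
```

The "tampered" case is the reason the checksum is part of the rule: a file can carry the expected version string and still not be the file the update shipped, and only the hash distinguishes the two.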

After scanning a single computer, MBSA automatically opens the "View security report" window and displays the scan results. If several computers were scanned, select the "Pick a security report to view" mode to see the results. The report generated by MBSA is divided into five sections:
- Security Update Scan Results,
- Windows Scan Results,
- Internet Information Services (IIS) Scan Results,
- SQL Server Scan Results,
- Desktop Application Scan Results.

Some sections are further broken down into sections dedicated to specific computer security issues and provide system information for each of the checks listed in Table 6.1. A description of each check of the operating system is reflected in the report along with instructions on how to eliminate the detected vulnerabilities.

Table 6.1. Description of checks performed by MBSA (check: description)

- Lists the local accounts that are computer administrators
- Lists audit settings on the local computer
- Checks whether Autologon is enabled
- Domain Controller: checks whether the IIS service is running on a domain controller (DC)
- Exchange Server Security Updates: Exchange Server security updates
- Checks the type of file system (e.g. NTFS)
- Checks whether the Guest account is enabled
- Lists IE security zones for each user
- IIS Admin Virtual: looks at the IISADMPWD virtual directory
- IIS Lockdown Tool: checks whether IIS Lockdown has been run
- IIS Security Updates: checks for missing IIS security fixes
- Local Account Password Test: checks for empty or weak passwords of local accounts
- Macro Security: lists Office macro security settings by user
- Msadc and Scripts Virtual Directories: checks the MSADC and Scripts virtual directories
- Outlook Zones: lists Outlook security zones for each user
- Displays information about the presence of links to top-level directories from Web sites or virtual directories
- Password expiration: displays accounts whose passwords never expire and that are not listed in NoExpireOk.txt
- Restrict anonymous: lists the registry settings that prohibit anonymous users from viewing the list of accounts
- Sample Applications: lists installed IIS sample applications (e.g. Default Web Site, IISHelp)
- Lists non-essential services (e.g. FTP, SMTP, Telnet, WWW) that can weaken security
- Checks and lists the shared resources and their ACLs
- SQL Server Security Updates: checks for missing SQL Server security fixes
- SQL: CmdExec role: checks the limit on running CmdExec only for
- Checks whether SQL Server is running on a DC
- SQL: Exposed SQL: checks whether the administrator (SA) password is present in a text file (e.g. setup.iss or sqlstp.log)
- Checks file permissions in the SQL installation directory
- SQL: Guest Account: lists databases with an active guest account
- Checks registry permissions on SQL Server keys
- Checks group membership of the SQL Server and SQL Server Agent accounts
- SQL: SQL Account: checks for empty or weak passwords of local SQL accounts
- Checks whether SQL Server is running in Windows Only mode or
- SQL: SysAdmin Role: lists members of the SysAdmin role
- Displays the number of SysAdmins
- WMP Security: checks for missing WMP security fixes
- Windows Security: checks for missing Windows security fixes
- Displays the Windows version

6.3. XSpider Security Scanner

Lately, the XSpider security scanner version 7.0, produced by the Russian company Positive Technologies, has been gaining more and more popularity among information security specialists in Russia.

There are a number of features that give XSpider advantages as a security analysis system over other products of this class. As the developers themselves emphasize, the main feature of XSpider 7 is its scanning engine, which is able to simulate the behaviour of a potential attacker. Also worth noting is the powerful intelligent core of XSpider 7, implemented as built-in heuristic algorithms that reliably identify new vulnerabilities that have not yet been published.

The robust and comprehensive XSpider 7 validation is based, in part, on the following smart approaches [[6.5]]:

complete identification of services on random ports;

heuristic method for determining types and names of servers (HTTP, FTP, SMTP, POP3, DNS, SSH) regardless of their response to standard requests;

processing RPC services with their full identification; conducting checks for non-standard DoS attacks.

More than 6 years have passed since the release of the first version of the XSpider scanner. Version 7.0, which we will meet in this lesson, is commercial, unlike the previous free versions (6.5 and earlier). Positive Technologies has a flexible licensing system for the XSider 7 scanner. The license price depends on the number of checked IP addresses, the number of workstations from which the scan is performed, and the validity period of the update subscription. More detailed information on purchasing a product can be obtained on the company page: http://www.ptsecurity.ru/xs7rates.asp.

To explore the capabilities of the XSider 7 scanner, just purchase the XSpider 7 version Professional Edition with the number of scanned IP addresses from 4 to 16. XSpider 7 is installed on any Microsoft Windows operating system in wizard mode.

When XSpider 7 is launched, the main program window will be displayed (Fig. 6.4), which will display information about the current version of the scanner and license.

enlarge image

Rice. 6.4. XSpider 7.0 main scanner window that appears when it starts

At the bottom of the main window, in the "Documentation" section, there are links to the built-in tutorial and

http://www.intuit.ru/studies/courses/1003/203/print_lecture/5271

10/10/2014 Systems for analyzing the security of a corporate network (vulnerability detection) on the example of products: Microsoft Baseline Securit ...

XSpider product reference. These sections of the documentation can also be attributed to important advantages XSpider. Firstly, the textbook and reference book are written in Russian, which is not available in all similar systems... Secondly, the author of the textbook, Evgeny Kireev, Development Director of Positive Technologies, presented all the material in an interesting and understandable way, with the expectation of ordinary non-professional users in the field of information security.

XSpider 7 has a multi-window interface. It is important to note that each window serves as an interface to a specific XSpider task. The notion "task" is the central concept of the XSpider 7 security scanner, it allows you to organize and organize the process of scanning a network. Any host scan always occurs within a specific task, even if nothing was done specifically for this: an empty task is always created when the XSpider is initially run.

Any task in XSpider is defined by the following attributes:

list of checked hosts (hosts that are planned to be checked in a similar way are combined into a task);

history log of scans of this task; scan profile.

A task can be saved as a file (by default, the Program Files \ Positive Technologies \ XSpider 7.0 \ Tasks directory), and the first two attributes - the list of hosts and the scan history log - will be written to its data structure.

Scan profile is another XSpider scanner concept, which is a set of settings that define parameters for scanning hosts. A profile can be assigned to a task as soon as it is formed. If this is not done, the default profile (Default) will be used. After installing the XSpider 7 security scanner, 14 basic profiles are available to the user (Fig. 6.5). It is important to understand that you can work with profiles independently of tasks, you can edit them, create new ones and save them in separate files(by default, the Program Files \ Positive Technologies \ XSpider 7.0 \ Profiles directory). The task stores a link only to the profile from which it needs to take scanning parameters.

http://www.intuit.ru/studies/courses/1003/203/print_lecture/5271

10/10/2014 Systems for analyzing the security of a corporate network (vulnerability detection) on the example of products: Microsoft Baseline Securit ...

Rice. 6.5. Base Profiles Available in XSPider 7.0

6.4. Lab 1. Working with Microsoft Baseline Security Analyzer 2.0

In this lab, you will learn how to use the MBSA 2.0 security analysis tool. First, you will configure a computer running Windows XP Professional so that MBSA can run without an Internet connection, and then scan it and examine the resulting report.

6.4.1. Exercise 1: Preparing a Windows XP Professional Computer for Offline MBSA Operation

This exercise is performed in a Windows XP Professional virtual machine. Its purpose is to ensure that the later MBSA 2.0 tasks can be performed offline, so the preparation itself requires an Internet connection. For more information on configuring MBSA for offline use, see source [[6.2]].

3. Launch Internet Explorer and type the following address in the address bar: http://download.windowsupdate.com/v6/windowsupdate/redist/standalone/windowsupdateagent20-x86.exe.

4. Download the offline installer for the updated Windows Update Agent and install it on your Windows XP Professional computer.

6. Save the downloaded file as C:\Documents and Settings\<user profile>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab, where <user profile> stands for the name of the folder containing the profile of the administrator account under which you logged on to the system.

7. Install MBSA 2.0. Links to current versions of MBSA can be found on the page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

8. A shortcut to Microsoft Baseline Security Analyzer 2.0 should appear on the desktop.

6.4.2. Exercise 2: Checking the Local Computer with MBSA 2.0

This exercise is performed in a Windows XP Professional virtual machine.

1. Log in to the system as a user with administrator rights.

2. Double-click the MBSA 2.0 shortcut on your desktop.

3. MBSA will start in graphical wizard mode and the first "Welcome to the Microsoft Baseline Security Analyzer" window will appear. Click on the "Scan a computer" link.

4. The next window of the MBSA wizard will load, where you need to set scan options. By default, the Computer name field will display the name of the current computer on which you started MBSA. In the scan options, clear the Check for IIS administrative vulnerabilities check box.

6. Since there is no Internet connection, the message "Failed to download security update database" will first appear under the scan progress bar. After a few seconds MBSA will start the offline scan, showing the text "Currently scanning <computer name>".

7. After the scan is finished, a report with the results will be loaded.

8. Study the report carefully.

6.5. Lab 2. Working with the security analysis system

In this lab, you will learn how to work with XSpider 7.0. You will first create a profile for scanning Windows XP Professional for vulnerabilities, then run the scan and produce a report on its results. Before performing this work, be sure to update the vulnerability database.

6.5.1. Exercise 1: Creating a Profile for Scanning OS Vulnerabilities

Windows XP Professional

The exercise is performed on a virtual machine running Windows XP Professional with the pre-installed software (see the introductory section).

1. Start the Windows XP Professional virtual machine.

2. Log in to the system as a user with administrator rights.

3. Run XSpider 7.0.

4. From the "Profile" menu, select "Edit Current". The window for configuring the Default profile (base profile) will open.

5. On the left in the settings tree, select the "Port Scanner" item, and the corresponding settings will appear in the right pane of the window. The default.prt ports file is selected by default.

6. Click the button next to the port file field. A window with the list of port files will open.

7. On the toolbar at the top of the window that opens, click the "New" button.

8. In the window that appears, leave the "Empty file" option selected and click the "Select" button.

9. The "New port file" window will open. In the comment field, enter "LabWork ports".

10. In the lower part of the window, in the line for entering "Add port (s)", enter the following port values: 80, 123, 135, 137, 139, 3306. After entering each port number, click the "Add" button on the right.

12. In the ports file list box, select the ports file you just created.


Server 2008. A number of other Microsoft applications are also checked. This tool can be classified as a system-level security analysis tool. It is distributed free of charge and is available for download from the Microsoft web server (at the time this description was prepared, the page address of the utility was: http://technet.microsoft.com/ru-ru/security/cc184924(en-us).aspx).

During operation, BSA checks for missing security updates for the operating system, for the Microsoft Office suite (versions XP and later), and for server applications such as MS SQL Server, MS Exchange Server, Internet Information Server, etc. In addition, a number of security settings are checked, such as the current password policy.

Let us now get acquainted with the product itself. Note that BSA version 2.1 was used when preparing this description of the laboratory work. Unfortunately, the product is not localized, so the English version was used.

When launched, a window opens that allows you to select the object to scan: a single computer (selected by name or IP address), several computers (specified by an IP address range or a domain name), or previously generated scan reports to view. When scanning a single computer, the name of the local station is substituted by default, but you can specify the name or IP address of another computer.

You can set the list of parameters to be checked. Fig. 3.2 shows the selection of check options:

  • check for Windows vulnerabilities caused by incorrect administration;
  • checking for "weak" passwords (empty passwords, no restrictions on the validity of passwords, etc.);
  • check for vulnerabilities in the IIS web server caused by incorrect administration;
  • a similar check in relation to the MS SQL Server DBMS;
  • checking for security updates.

Before starting work, the program contacts a Microsoft server to obtain the list of updates for the OS and of known vulnerabilities. If the computer is not connected to the Internet at the time of the scan, the vulnerability database will not be updated; the program will notify you of this and will not perform the remaining checks. In such cases, you need to disable the security update check (by clearing the corresponding check box on the screen shown in Fig. 3.2, or with the corresponding switch when using the command-line utility, which is discussed below).

For a successful check of the local system, the program must run under an account with local administrator rights. Otherwise, the check cannot be performed and the following message is displayed: "You do not have sufficient permissions to perform this command. Make sure that you are running as the local administrator or have opened the command prompt using the 'Run as administrator' option".

Based on the scan results, a report is generated, at the beginning of which an overall assessment of the security level of the scanned computer's configuration is given. In the example shown in Fig. 3.3, the risk level is assessed as "Severe risk".

Next comes the list of detected problems, divided into groups: results of the update installation check, results of the Windows checks, etc. Note that the updates released by Microsoft come in different types:

Security updates: security updates proper, as a rule dedicated to fixing a single vulnerability in a software product;

Update rollups: a set of security fixes that lets you fix several vulnerabilities at once, which simplifies maintenance of the software update process;

Service packs: a set of fixes, both security-related and not. Installing a service pack, as a rule, fixes all vulnerabilities discovered since the release of the previous service pack, so there is no need to install the intermediate updates.

In the description of the considered verification result (Fig. 3.4), you can select the link Result details and get more detailed description problems found in this group. If you have an Internet connection, you can follow the link provided in the report to obtain information about the missing security update and download it from the network.

Note that installing updates on systems with high business-continuity requirements calls for a preliminary thorough check of the compatibility of the updates with the applications in use. This check is usually done on test systems with a similar software configuration. For small organizations and home users, such verification is often not feasible, so you need to be prepared to restore the system after an unsuccessful update. For modern Windows operating systems this can be done, for example, using the special boot modes: Safe Mode or Last Known Good Configuration.

One more feature should be noted. At the moment, Baseline Security Analyzer does not exist in a localized Russian version, and the links to service packs contained in its reports may point to other language versions, which can create problems when updating localized products.

Analysis of the other groups of problems proceeds in the same way (Fig. 3.5). Each finding is described, its severity level is indicated, and recommendations for fixing it are given. Fig. 3.6 shows the detailed results (Result details link) of the password check. It indicates that 3 accounts have passwords that never expire.

In addition to the version of the program with a graphical interface, there is also a command-line utility. It is called mbsacli.exe and is located in the directory where Baseline Security Analyzer was installed, for example "C:\Program Files\Microsoft Baseline Security Analyzer 2". The utility has many switches; information about them can be obtained by running it with the "/?" switch.

Launching it without switches scans the local computer and prints the results to the console. To save the scan results, you can redirect the output to a file, for example: mbsacli > mylog.txt. I would like once again to draw your attention to the fact that when setting
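The following script is an added example, not part of this page or of MBSA itself. It drives mbsacli.exe from PowerShell to scan several hosts offline against the wsusscn2.cab catalog that the lab placed in the MBSA cache, keeping one console log per host (the "mbsacli > mylog.txt" redirection above, generalized to a list of targets). The switch names (/target, /catalog, /nd, /nvc, /l, /ld) are those printed by "mbsacli /?" in MBSA 2.x; confirm them on your installed version. The host names, the log directory and the text patterns matched in the log are assumptions.

```powershell
# Added example (not MBSA's code): offline scan of several hosts with mbsacli.exe.
# Requires local administrator rights on every target, as the text notes.

$mbsacli = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
# Same cache location the lab used: %LOCALAPPDATA% is "Local Settings\Application Data" on XP.
$catalog = Join-Path $env:LOCALAPPDATA 'Microsoft\MBSA\2.0\Cache\wsusscn2.cab'
$logDir  = Join-Path $env:TEMP 'mbsa-logs'
$targets = @('WS01', 'WS02', '192.0.2.10')   # placeholder targets (assumption)

if (-not (Test-Path -LiteralPath $mbsacli)) { throw "mbsacli.exe not found: $mbsacli" }
if (-not (Test-Path -LiteralPath $catalog)) { throw "offline catalog missing: $catalog (download wsusscn2.cab first)" }
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$summary = foreach ($target in $targets) {
    $log = Join-Path $logDir ('{0}-{1:yyyyMMdd-HHmmss}.txt' -f $target, (Get-Date))
    # /target  host to scan      /catalog  use the local wsusscn2.cab for the update check
    # /nd      never download    /nvc      skip the check for a newer MBSA version
    & $mbsacli /target $target /catalog $catalog /nd /nvc 2>&1 |
        Tee-Object -FilePath $log | Out-Null
    $text = Get-Content -LiteralPath $log -Raw
    [pscustomobject]@{
        Target           = $target
        ExitCode         = $LASTEXITCODE
        # The message the lab saw without a network; with /catalog it should not appear.
        TriedToDownload  = [bool]($text -match 'Failed to download security update database')
        # The message quoted above for a non-administrator account.
        PermissionDenied = [bool]($text -match 'sufficient permissions')
        Log              = $log
    }
}

$summary | Format-Table -AutoSize
# Full reports are stored by MBSA itself; list and display them with:
#   & $mbsacli /l          (list saved reports)
#   & $mbsacli /ld <name>  (display one report)
```

The two boolean columns are the cheap sanity checks a practitioner wants before trusting a batch of results: a scan that tried to download the catalog was not really offline, and a scan refused for lack of administrator rights produced no findings at all.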
