To help users and administrators determine whether their systems are vulnerable and which patches need to be applied to secure them, Microsoft created the Microsoft Baseline Security Analyzer, or MBSA for short.
In June of 2003, version 1.1.1 of MBSA was released. MBSA version 1.1.1 can be run from Windows 2000 Server, Windows 2000 Professional, Windows XP Home, Windows XP Professional and now Windows 2003 Server systems. While it can't be installed on or run from other versions of Windows, it can be used to scan a variety of other systems remotely, including Windows NT Server, Windows NT Workstation, Internet Information Server (4.0 and 5.0), SQL Server (7.0 and 2000), Internet Explorer, Exchange Server and Windows Media Player.
The tool does not work flawlessly. Some Microsoft Security Bulletins contain workarounds or manual fixes rather than patches to install. Because MBSA checks the Windows registry for keys to validate whether a certain patch has been installed, these workarounds are not detected. For these items, MBSA will report yellow Xs to signify that it cannot tell whether or not you have applied the patch.
There are also discrepancies at times between what MBSA finds and what Windows Update detects. According to the MBSA FAQ, this is because "MBSA will always ensure that you have the latest version of the update installed on your system. If you have the original version of the MS02-008 or MS02-009 update, MBSA will indicate that the update is not installed, since a newer release is available. However, Windows Update may not indicate that a newer version is available since it may be looking for different elements on the system to identify if this update is present or not."
MBSA is based on HFNetChk, a security scanning tool created by Shavlik. MBSA does the same scan as HFNetChk and then some.
The report will supply a checklist of problems found, whether configuration errors or missing patches and updates. More importantly, the report contains instructions for how to repair each problem, complete with links to the relevant information and downloads.
MBSA is not perfect, but neither is Microsoft Windows security. As long as there are vulnerabilities and patches, a tool like MBSA can come in quite handy. While some commercial products such as HFNetChk Pro or UpdateEXPERT may perform more comprehensive scans and also allow you to deploy and manage your patches, the fact that MBSA is free makes a compelling case for giving this tool a try.

