Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) checks computers running Microsoft Windows Server 2008 R2 for common security misconfigurations.
The following are the scanning options selected for Cisco Unified ICM Real-Time Distributor running one or more web applications (for example, Internet Script Editor or Agent-Reskilling).
• Windows operating system (OS) checks
• IIS checks
• SQL checks
• Security update checks
• Password checks
The report in this chapter shows example results of running the MBSA tool against a Cisco Unified ICM server that runs most Microsoft Server Applications that the tool supports.
• Security Update Scan Results
• Windows Scan Results
• Internet Information Services (IIS) Scan Results
• SQL Server Scan Results
• Desktop Application Scan Results
Security Update Scan Results
The following table provides an example of security update scan results:
| Issue | Result |
| --- | --- |
| IIS Security Updates | No critical security updates are missing. |
| SQL Server/MSDE Security Updates | Instance (default): No critical security updates are missing. |
| MDAC Security Updates | No critical security updates are missing. |
| MSXML Security Updates | No critical security updates are missing. |
| Office Security Updates | No Microsoft Office products are installed. |
Windows Scan Results
The following table shows Windows scan results:
Table 2: Vulnerabilities
| Issue | Result |
| --- | --- |
| Automatic Updates | Automatic Updates are managed through Group Policy on this computer. |
| Administrators | More than 2 Administrators were found on this computer. Note: You can ignore this event because the Cisco Unified ICM application requires the addition of certain groups to the Local Administrators group, which triggers this event. Review the Result Details and remove any known unnecessary accounts. |
| Password Expiration | Some user accounts (1 of 7) have nonexpiring passwords. Note: When the server is properly configured to require expiring passwords, this warning typically finds the Guest account to have a nonexpiring password even though the account is disabled. This warning can be ignored. |
| Windows Firewall | Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections. |
| Local Account Password Test | Some user accounts (1 of 7) have blank or simple passwords, or could not be analyzed. |
| File System | All hard drives (1) are using the NTFS file system. |
| Autologon | Autologon is not configured on this computer. |
| Guest Account | The Guest account is disabled on this computer. |
| Restrict Anonymous | Computer is properly restricting anonymous access. |
The following table provides more scan information:
Table 3: More System Information
| Issue | Result |
| --- | --- |
| Auditing | Logon Success and Logon Failure auditing are both enabled. |
| Windows Version | Computer is running Windows Server 2008 R2 or greater. |
Internet Information Services (IIS) Scan Results
The following table shows IIS scan results:
Table 4: Vulnerabilities
| Issue | Result |
| --- | --- |
| IIS Lockdown Tool | The IIS Lockdown tool was developed for IIS 4.0, 5.0, and 5.1, and is not needed for new Windows Server 2008 R2 installations running higher versions of IIS. |
| Sample Applications | IIS sample applications are not installed. |
| IISAdmin Virtual Directory | IISADMPWD virtual directory is not present. |
| Parent Paths | Parent paths are not enabled. |
| MSADC and Scripts Virtual Directories | The MSADC and Scripts virtual directories are not present. |
Table 5: Other System Information
| Issue | Result |
| --- | --- |
| Domain Controller Test | IIS is not running on a domain controller. |
| IIS Logging Enabled | All web and FTP sites are using the default logging options. |
SQL Server Scan Results
The following table shows SQL Server scan results:
Instance (default)
Table 6: Vulnerabilities
| Issue | Result |
| --- | --- |
| Sysadmin role members | BUILTIN\Administrators group is part of sysadmin role. Note: This is acceptable because the Cisco Unified ICM application adds certain groups to the local Administrators account on the server which require dbo access to the database. |
| Sysadmins | No more than 2 members of sysadmin role are present. |
| Service Accounts | SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts are not members of the local Administrators group and do not run as LocalSystem. |
| Exposed SQL Server/MSDE Password | The "sa" password and SQL service account password are not exposed in text files. |
| Domain Controller Test | SQL Server and/or MSDE is not running on a domain controller. |
| SQL Server/MSDE Security Mode | SQL Server and/or MSDE authentication mode is set to Windows Only. |
| Registry Permissions | The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys. |
| CmdExec role | CmdExec is restricted to sysadmin |
| Guest Account | The Guest account is not enabled in any of the databases. |
| SQL Server/MSDE Account Password Test | The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode. |
Desktop Application Scan Results
The following table shows desktop application scan results:
Table 7: Vulnerabilities
| Issue | Result |
| --- | --- |
| IE Zones | Internet Explorer zones have secure settings for all users. |
| IE Enhanced Security Configuration for Administrators | The use of Internet Explorer is restricted for administrators on this server. |
| IE Enhanced Security Configuration for Non-Administrators | The use of Internet Explorer is restricted for nonadministrators on this server. |
| Macro Security | No Microsoft Office products are installed. |