Microsoft Baseline Security Analyzer

Akash Bansal

I am using Microsoft Baseline Security Analyzer version 2.2 (2.2.2170.0) on an MS Windows SBS 2011 domain controller.

I am unable to scan domain clients running Windows 7, but I can scan Windows XP clients.

I am getting the following error:

Security assessment: Incomplete Scan
Computer name: domain\laptop7
IP address: 192.168.0.102
Security report name: domain - laptop7 (5-13-2011 9-29 PM)
Scan date: 5/13/2011 9:29 PM
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:


Security Updates Scan Results

    Issue:  Security Updates
    Score:  Unable to scan
    Result: Windows Update Agent is not supported on this operating system.
Cris Hanna, Sr IT Support Engineer
Commented:
From TECHNET http://technet.microsoft.com/en-us/security/cc184923

Also, automatic distribution of the latest Windows Update Agent (WUA) client to client computers scanned by MBSA has been disabled by default in MBSA. This may prevent MBSA from successfully scanning computers that do not have the latest WUA client installed. Administrators and security auditors will want to select the option to "Configure computers for Microsoft Update and scanning prerequisites" in order to improve security scan success which will allow MBSA to automatically distribute an updated Windows Update Agent if needed.

Akash Bansal, IT Professional (Author)
Commented:
@CrisHanna Thanks for the support. :)

I had already tried this option. After selecting this option, MBSA downloaded a few updates, but the result was the same. :(
btan, Exec Consultant, Distinguished Expert 2018
Commented:
Some useful pointers (the prerequisites, which the newer OS may have disabled by default for a higher-security configuration):

MBSA and the Windows Update Agent require Windows 2000 Service Pack 3 or later. The version check performed by MBSA uses the system registry, so if a remote computer being scanned has the Remote Registry Service disabled, this error will appear. To correct this, ensure the Remote Registry Service is running on the target computer.

Windows Server 2003 Service Pack 1 provides an added level of security that prevents multiple connections to the same remote computer from using alternate credentials when the scanning computer is joined to a domain. When scanning a remote target computer and you want to use different credentials than your logged-in credentials, use the following command instead of the mbsacli /u and /p (user name and password) command-line options to specify the account to be used in the remote connection:

C:\> runas /netonly /user:<domain\username> "cmd.exe" (followed by one or more MBSA commands after the new command prompt window opens).

Or

C:\> runas /netonly /user:<domain\username> "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe <add any MBSA command-line options here>"


@ http://technet.microsoft.com/en-us/security/cc184922#EIHAE

I also understand that MBSA does not run on Windows XP Embedded and Windows IA64 platforms, but remote scans against these platforms are fully supported. Hope it is not the hardware platform causing this issue.


==========More info ====================
What are the services and ports required to run MBSA?

The required services are listed in the MBSA Help file (linked to in the left-hand pane of MBSA user interface). These requirements include Remote Registry service, Server service, Workstation service, File and Printer Sharing service, and Automatic Updates service. The wsusscn2.cab file is downloaded from the Microsoft Web site over HTTP based on your Internet Explorer settings. Remote computer scans are performed by using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned.

MBSA cannot scan a remote computer protected by a firewall unless the firewall is configured to open the ports that MBSA uses to communicate with the computer. The Windows Update Agent implements a remote scanning interface based on DCOM. The account being used to scan must possess local administrator rights. The computer must also be configured to meet the following conditions:

    The Server service, Remote Registry service, and File and Print Sharing service must be running on the remote computer.
    The required ports must be open on the firewall.
    The Windows Update Agent must be installed and the Automatic Updates service must not be disabled.

Remote computer scans are performed using TCP port 135, a dynamic or static DCOM port, and ports 139 and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. You must allow these ports to be open on the remote firewall if a personal firewall is being used.
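The prerequisites listed above (Remote Registry, Server, Workstation and Automatic Updates services; TCP 135, 139 and 445 reachable; DCOM access with local administrator rights) can be checked from the scanning machine before running MBSA. The following script is an added example, not code from the thread or from Microsoft; it assumes PowerShell 2.0 or later on the scanning computer (so it uses a raw TcpClient rather than Test-NetConnection, which SBS 2011 / Server 2008 R2 does not have), that the running account is a local administrator on the target, and that the service names map as shown in the `$requiredServices` table. The UDP 137/138 NetBIOS ports named in the text are not probed, since a UDP probe gives no reliable answer.

```powershell
# Added example (not from the thread): check MBSA remote-scan prerequisites on one target.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName
)

# Services MBSA needs on the target: display label -> Windows service name.
# Automatic Updates (wuauserv) must not be Disabled, but it may legitimately be stopped.
$requiredServices = @{
    'Remote Registry'   = 'RemoteRegistry'
    'Server'            = 'LanmanServer'
    'Workstation'       = 'LanmanWorkstation'
    'Automatic Updates' = 'wuauserv'
}

# TCP ports MBSA uses for the remote connection (the DCOM dynamic port is negotiated via 135).
$requiredPorts = 135, 139, 445

# Connect with a timeout so a host with a silent firewall does not hang the check.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Write-Host "Checking MBSA prerequisites on $ComputerName"

foreach ($port in $requiredPorts) {
    $open = Test-TcpPort -Target $ComputerName -Port $port
    Write-Host ("  TCP {0,-4} {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED or closed' }))
}

# Service state is read over WMI, which rides on DCOM (TCP 135 plus a dynamic port),
# the same transport the Windows Update Agent's remote scanning interface uses, so a
# failure here usually means MBSA's own scan will fail the same way.
foreach ($label in $requiredServices.Keys) {
    $svcName = $requiredServices[$label]
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                         -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        Write-Host "  $label : service not found, or WMI/DCOM access to $ComputerName failed"
        continue
    }
    $problem = ''
    if ($svc.StartMode -eq 'Disabled') {
        $problem = ' <-- disabled'
    } elseif ($svcName -ne 'wuauserv' -and $svc.State -ne 'Running') {
        $problem = ' <-- not running'
    }
    Write-Host ("  {0,-18} StartMode={1,-9} State={2}{3}" -f $label, $svc.StartMode, $svc.State, $problem)
}
```

Run it as `.\Check-MbsaPrereqs.ps1 -ComputerName laptop7` from the SBS box. A port that shows open while the WMI lookup still fails points at DCOM or the account's rights rather than at the firewall; a "not running" Remote Registry is exactly the condition the author later found on the Windows 7 clients.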

Akash Bansal, IT Professional (Author)
Commented:
@breadtan Thanks for such a descriptive text.

I would check the firewall settings in the GPO.
I would like you to know the configuration at our side.

The server has the standard Group Policy (including the firewall policy) created by itself while running the SBS configuration wizard.
Server: Windows SBS 2011 Standard (built on the Server 2008 R2 platform).
Desktops which cannot be scanned: Windows 7 Ultimate edition, 32-bit.
Desktops which can be scanned as expected with the same scan: Windows XP SP3, 32-bit.


btan, Exec Consultant, Distinguished Expert 2018
Commented:
Noted, thanks. I do not think it is the platform then, so probably it is some service not enabled, since Win 7 is supposed to be more secure even than Vista and XP SP3. You can probably check the event viewer for any application error logged during the scanning. Typically remote access is disabled, and that is commonly the failure for MBSA since it needs those services...
Akash Bansal, IT Professional (Author)
Commented:
OK, I would check and let you know.
Akash Bansal, IT Professional (Author)
Commented:
Yes, I found the Remote Registry service was not enabled on any of the systems.

I issued this command on one test system:
sc \\computername start remoteregistry

This way, my scan was successful on this test system.

Now the issue is how to enable the Remote Registry service on all the systems using GPO so that I can scan all of them.
btan, Exec Consultant, Distinguished Expert 2018
Commented:
You may want to check out the GPO global setting for domain-joined machines.

http://www.arstechnica.com/civis/viewtopic.php?f=17&t=445092

See it as simply setting the mode to Automatic: Computer > Windows Settings > System Services, and set the "Remote Registry" service to Automatic.
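The author's `sc \\computername start remoteregistry` only starts the service once and does not survive a reboot, and the GPO setting described above takes effect only at the next policy refresh. The script below is an added example, not code from the thread, that bridges the two: it applies the same `sc.exe` fix to every Windows 7 computer in the domain, but also sets the start type to Automatic (which is what the GPO will later enforce) and verifies the result over WMI. It assumes it runs on the SBS 2011 domain controller (Server 2008 R2, which ships the ActiveDirectory PowerShell module) as a domain administrator, that TCP 135 and 445 to the clients are open, and that filtering on the AD `OperatingSystem` attribute with `Windows 7*` selects the right machines.

```powershell
# Added example (not from the thread): enable Remote Registry on all Windows 7 domain
# computers so MBSA can reach them, and persist the change until the GPO takes over.
Import-Module ActiveDirectory

# Pick the workstations the thread could not scan. Adjust the filter for your domain.
$targets = Get-ADComputer -Filter { OperatingSystem -like 'Windows 7*' } -Properties OperatingSystem |
           Select-Object -ExpandProperty Name

foreach ($pc in $targets) {
    $unc = "\\$pc"

    # Set the start type first so the fix persists across reboots.
    # sc.exe requires the space after 'start=' ; PowerShell passes 'start=' and 'auto' as two tokens.
    $cfg = & sc.exe $unc config RemoteRegistry start= auto 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Typical causes: RPC server unavailable (TCP 135/445 blocked) or access denied.
        Write-Host ("{0,-16} config failed: {1}" -f $pc, ($cfg -join ' '))
        continue
    }

    # Now start it, exactly as the author did by hand on the test system.
    $null = & sc.exe $unc start RemoteRegistry 2>&1
    # 1056 = ERROR_SERVICE_ALREADY_RUNNING, which is fine for our purpose.
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1056) {
        Write-Host ("{0,-16} start failed with exit code {1}" -f $pc, $LASTEXITCODE)
        continue
    }

    # Verify over WMI, the DCOM channel MBSA's Windows Update Agent scan also depends on.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $pc `
                         -Filter "Name='RemoteRegistry'" -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Host ("{0,-16} RemoteRegistry StartMode={1} State={2}" -f $pc, $svc.StartMode, $svc.State)
    } else {
        Write-Host ("{0,-16} changed, but could not verify (WMI/DCOM blocked?)" -f $pc)
    }
}
```

For the durable fix, the matching Group Policy setting lives under Computer Configuration > Policies > Windows Settings > Security Settings > System Services, "Remote Registry" set to Automatic; once that policy applies, this script becomes unnecessary, and the firewall policy for the clients still has to allow the TCP 135, 139 and 445 traffic listed earlier in the thread.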
Tolomir, Administrator, Top Expert 2005
Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
