The SMS 2003 R2 Scan Tool for Vulnerability Assessment can check for four major types of vulnerabilities. During Setup, you have the option to select which vulnerabilities you want to scan for. SMS does not remediate any of these vulnerabilities, but it does collect the vulnerability scan information in hardware inventory and make it available in SMS reports.
Windows Administrative Vulnerability Checks
This group of checks scans for security issues in the Windows operating systems (Windows 2000, Windows XP, and Windows Server 2003), such as Guest account status, file system type, available file shares, and members of the Administrators group.
Weak Passwords Check
Microsoft Baseline Security Analyzer checks machines for blank and weak passwords during a scan. This check can take a long time, depending on the number of user accounts on the machine. Users may want to disable this check before scanning domain controllers on their network. Note that this check may produce event log entries in the Security log, if auditing is enabled on the machine for Logon/Logoff events. If this option is not selected, the Windows and Microsoft SQL Server account password checks are not performed.
IIS Administrative Vulnerability Checks
This group of checks scans for security issues in Internet Information Services (IIS) 4.0, IIS 5.0, and IIS 6.0, such as sample applications and certain virtual directories present on the machine. The tool also checks whether the IIS Lockdown tool has been run on the machine, which can help an administrator configure and secure servers running IIS.
SQL Server Administrative Vulnerability Checks
This group of checks scans for administrative vulnerabilities on each instance of SQL Server and Microsoft Data Engine (MSDE) found on the computer, such as the type of authentication mode, sa account password status, and service account memberships. All individual checks will be performed on each instance of SQL Server and MSDE.
For more information about the vulnerability checks, see the MBSA help.
Note: Although MBSA does have the ability to scan for missing software updates, the SMS 2003 R2 Scan Tool for Vulnerability Assessment does not scan clients for missing software updates or create packages to distribute software updates to clients. If you want to manage software updates for your SMS clients, you should also install the SMS 2003 Inventory Tool for Microsoft Updates, available on the SMS 2003 Inventory Tool for Microsoft Updates Web site (http://go.microsoft.com/fwlink/?LinkID=50169), or the SMS 2003 R2 Inventory Tool for Custom Updates and supporting software updates catalogs. For more information, see Inventory Tool for Custom Updates.