The Microsoft Baseline Security Analyzer (MBSA) is Microsoft's user-friendly vulnerability assessment tool, intended for IT security professionals in small and medium-sized organizations, that scans one or more computers and produces a detailed security assessment report with specific recommendations and guidance for correcting any deficiencies it finds (Vacca 2013). The version used for this assignment was MBSA 2.3, which scans for missing security updates and for missing or weak passwords, and assesses the computer's overall security configuration to identify potential risks. MBSA consulted the Microsoft Update catalog to determine which security updates were missing, reported specific system information, and performed the Windows Security and Desktop Application scans to report any further administrative vulnerabilities.
The resulting security assessment report indicated that the scanned computer was at potential risk because one or more non-critical checks had failed. The results proved surprising, as the scanned computer was purchased a little over a month ago. The failures in the report were a) a missing update (the Windows Malicious Software Removal Tool, March 2014 release) and b) non-expiring and weak passwords on the user accounts. Fortunately, MBSA found no other issues with the scanned computer's firewall or desktop applications. These results were informative and gave guidance on how to improve the scanned computer's security measures. Following the report's recommendations for mitigating the potential risks, I installed the Malicious Software Removal Tool, created new, more complex passwords, and adjusted the user accounts by clearing the "password never expires" setting.
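The account finding above can be reproduced and corrected without MBSA. The following script is an added example for this assignment, not code from MBSA or from the original report; it assumes a Windows 10 / Server 2016 or later system whose PowerShell includes the Microsoft.PowerShell.LocalAccounts module, an elevated prompt when -Fix is used, and a site maximum password age of 90 days (an assumed value). On the older Windows versions MBSA 2.3 targets, `net user <name>` shows the same "Password expires" information.

```powershell
# Added example (not from the original assignment or from MBSA): audit local
# accounts for "password never expires" and stale passwords, and optionally fix them.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts; run
# elevated for -Fix.
# Usage:  .\Audit-LocalPasswordPolicy.ps1          # report only
#         .\Audit-LocalPasswordPolicy.ps1 -Fix     # clear the flag, set max age
[CmdletBinding()]
param(
    [switch]$Fix,
    # Maximum password age the site policy allows; 90 days is an assumed value.
    [int]$MaxPasswordAgeDays = 90
)

$now = Get-Date
$findings = foreach ($u in Get-LocalUser) {
    # PasswordExpires is $null when "password never expires" is set
    # (it is also $null for accounts that have no password at all).
    $neverExpires = ($null -eq $u.PasswordExpires)
    $ageDays = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        Name             = $u.Name
        Enabled          = $u.Enabled
        PasswordRequired = $u.PasswordRequired
        NeverExpires     = $neverExpires
        PasswordAgeDays  = $ageDays
        Finding          = if (-not $u.PasswordRequired) { 'No password required' }
                           elseif ($neverExpires) { 'Password never expires' }
                           elseif ($ageDays -gt $MaxPasswordAgeDays) { "Password older than $MaxPasswordAgeDays days" }
                           else { $null }
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    # Touch only enabled accounts that actually have a password and the flag set;
    # disabled built-in accounts (Guest, DefaultAccount) are left alone.
    foreach ($f in $findings | Where-Object { $_.Enabled -and $_.PasswordRequired -and $_.NeverExpires }) {
        Set-LocalUser -Name $f.Name -PasswordNeverExpires $false
        Write-Host "Cleared 'password never expires' on $($f.Name)"
    }
    # Clearing the per-account flag only matters if a maximum age is enforced
    # system-wide; net accounts sets it for local accounts.
    net accounts /maxpwage:$MaxPasswordAgeDays
}
```

Run it once without -Fix to review the table, since clearing the flag on a service account whose password nobody rotates will break that service when the age limit is reached.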
MBSA actively scans and analyzes the computer to determine whether the Windows user, guest, and administrator accounts have weak or missing passwords. The SANS Institute's password policy lists the characteristics of a weak password: it has fewer than 15 characters, it is a word found in a dictionary (English or foreign) or another common-usage word, and it uses no mix of numbers or special characters (SANS Password Policy, http://www.sans.org/security-resources/policies/Password_Policy.pdf). The Defense in Depth strategy for information assurance, originally developed by the National Security Agency and modeled on military doctrine, uses multiple security mechanisms and controls arrayed in several layers throughout an IT system to protect valuable assets, as shown in Figure 1. The layers act as redundant control measures: if one of the outer defense layers fails, an inner layer should still prevent intrusion and protect the system. These security layers and controls should include policies, physical controls, authentication controls, and access controls.
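The SANS characteristics above can be turned into a check that is applied to a candidate password before it is set on an account. The script below is an added example for this assignment, not code from SANS or from MBSA. It assumes a small constructed word list standing in for a real dictionary, and its stripping of leading and trailing digits or punctuation before the dictionary lookup (so that "Summer2014" is still treated as the word "summer") is this example's own reading of the "common-usage word" rule.

```powershell
# Added example (not from the original assignment, SANS, or MBSA): apply the
# SANS weak-password characteristics to a candidate password.
# The dictionary is a constructed sample; a real check would load a full
# English/foreign word list (an assumption of this example).
$Dictionary = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('password', 'welcome', 'letmein', 'summer', 'company', 'admin', 'secret', 'monkey'),
    [System.StringComparer]::OrdinalIgnoreCase)

function Test-WeakPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 15   # SANS threshold: fewer than 15 characters is weak
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    # A dictionary word with digits or punctuation tacked on either end is still
    # a common-usage word; strip that decoration before the lookup.
    $core = $Password -replace '^[^A-Za-z]+', '' -replace '[^A-Za-z]+$', ''
    if ($Dictionary.Contains($Password) -or ($core.Length -gt 0 -and $Dictionary.Contains($core))) {
        $reasons += 'dictionary word'
    }
    if ($Password -notmatch '\d' -and $Password -notmatch '[^A-Za-z0-9]') {
        $reasons += 'no digits or special characters'
    }
    [pscustomobject]@{
        Weak    = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed candidates: the first three are flagged, the passphrase passes.
foreach ($p in 'Summer2014', 'welcome', 'P@ssw0rd', 'correct horse battery 9 staples!') {
    $r = Test-WeakPassword -Password $p
    '{0,-35} weak={1} {2}' -f $p, $r.Weak, $r.Reasons
}
```

Note the limitation the third candidate exposes: "P@ssw0rd" is flagged only for length, because the SANS criteria as written do not cover letter substitutions. A practical check also runs candidates against the word lists password-cracking tools use, which include such substitutions.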
Strong passwords are one of the first layers in this strategy. In a corporate environment, where the value of protected systems and data is high, strong...