Security is a major concern of most network and system administrators. It is quite understandable considering today’s threat scene. Cyber attacks are more and more common and they have ill-effects that are so huge they can be hard to fathom.
Cybercriminals are constantly looking for vulnerabilities in systems and software to gain access to the most important asset of many organizations, their data. Preventing that requires the use of vulnerability assessment tools such as the Microsoft Baseline Security Analyzer or MBSA. However, this tool is starting to show some signs of age. For starters, it won’t directly work with modern versions of Windows and it is also somewhat limited in functionality.
To be totally honest, if you’re still using MBSA, it’s about time you switch to something else. Today, we’re reviewing four of the best alternatives to the Microsoft Baseline Security Analyzer.
We’ll start off our discussion by having a look at MBSA. After all, it helps to know what we’re trying to replace. We’ll then discuss the vulnerability in general. Next, we’ll talk about vulnerability scanning tools, what they are, who needs them and what their essential features are. This will bring us to the big reveal: the four best alternatives to the Microsoft Baseline Security Analyzer. We’ll briefly review each of the tools to give you an idea of their features and capabilities.
Microsoft Baseline Security Analyzer: Explained
The Microsoft Baseline Security Analyzer, or MBSA, is a rather old tool from Microsoft. While it certainly is not an ideal option for large organizations, the tool could be of use to smaller businesses, those with only a handful of servers. Other than its age, one of the tool’s main drawback is that coming from Microsoft, you can’t expect it to scan anything but Microsoft products. It will, however, scan the Windows operating system as well as some services such as the Windows Firewall, SQL server, IIS and Microsoft Office applications.
Contrary to most other vulnerability scanning tools, this one doesn’t scan for specific vulnerabilities. Instead, it looks for things such as missing patches, service packs and security updates and it scans systems for administrative issues. Its reporting engine can generate a list of missing updates and misconfigurations.
Another major drawback of MBSA is that, due to its age, it is not really compatible with Windows 10. Version 2.3 of MBSA will work with the latest version of Windows but it will likely require some tweaking to clean up false positives and to fix checks that can’t be completed. As an example, MBSA will falsely report that Windows Update is not enabled on Windows 10, even when it is. Consequently, you can’t use this product to check whether or not Windows Update is enabled on Windows 10 computers.
This is a simple tool to use and it does what it does well. However, it doesn’t do much and it actually doesn’t even do it that well on modern computers, prompting many users to seek a replacement.
Before we go any further, let’s pause and briefly discuss vulnerability. The complexity of modern computer systems and networks has reached an unprecedented level of complexity. An average server could often be running hundreds of processes. Each of these processes is a computer program. Some of them are big programs that are made of thousands of lines of source code. Within this code, there could be—and there probably are—unexpected things. A developer may, at one point, have added some backdoor feature to ease his debugging efforts. Later on, as the developer started working on something else, this dangerous feature might have mistakenly made it to the final release. There could also be some errors in the input validation code that could cause unexpected–and often undesirable–results under some specific circumstance.
These are what we’re referring to as vulnerabilities and any one of these can be used to try to gain access to systems and data. There is a huge community of cybercriminals out there who have nothing better to do than to find these holes and exploit them to penetrate your systems and steal your data. When ignored or left unattended, vulnerabilities can be used by malicious users to gain access to your systems and data or, possibly worse, your client’s data or to otherwise cause some major damage such as rendering your systems unusable.
Vulnerabilities can be found everywhere. They often creep in software running on your servers or in their operating systems. They also exist in networking equipment such as switches, routers and even security appliances such as firewalls. To be on the safe side—if there is such as thing as being on the safe side—you really need to look for them everywhere.
Vulnerability Scanning Tools
Vulnerability scanning or assessment tools have one primary function: identifying vulnerabilities in your systems, devices, equipment, and software. They are often called scanners because they will usually scan your equipment to look for known vulnerabilities.
But how do vulnerability scanning tools find vulnerabilities? After all, they are usually not there in plain sight. If they were that obvious, developers would have addressed them before releasing the software. The tools actually are not much different from virus protection software which use virus definitions databases to recognize computer virus signatures. Similarly, most vulnerability scanners rely on vulnerability databases and scan systems for specific vulnerabilities. Such vulnerability databases are often available from well-known independent security testing labs dedicated to finding vulnerabilities in software and hardware or they can be proprietary databases from the vulnerability scanning tool’s vendor. As a chain is only as strong as its weakest link, the level of detection you get is only as good as the vulnerability database your tool uses.
Who Needs Them?
The one-word answer to that question is pretty obvious: Everyone! Just like no one in his right mind would think of running a computer without some virus protection these days, no network administrator should be without at least some form of vulnerability protection. Attacks could be coming from anywhere and hit you where and when you least expect them. You need to be aware of your risk of exposure.
While scanning for vulnerabilities is possibly something that could be done manually, this is an almost impossible job. Just finding information about vulnerabilities, let alone scanning your systems for their presence, could take an enormous amount of resources. Some organizations are dedicated to finding vulnerabilities and they often employ hundreds if not thousands of people. Why not take advantage of them?
Anyone managing a number of computer systems or devices would benefit greatly from using a vulnerability scanning tool. Complying with regulatory standards such as SOX or PCI-DSS, just to name a few, will often mandate that you do. And even if they don’t specifically require it, compliance will often be easier to demonstrate if you can show that you have vulnerability scanning tools in place.
Essential Features of Vulnerability Scanning Tools
There are many factors to consider when selecting a vulnerability scanning tool. On top of the list of things to consider is the range of devices that can be scanned. You need a tool that will be able to scan all the equipment you need to scan. If you have many Linux servers, for example, you’ll want to choose a tool that can scan them, not one that only handles Windows machines. You also want to choose a scanner which is as accurate as possible in your environment. You wouldn’t want to drown in useless notifications and false positives.
Another differentiating element between products is their respective vulnerability database. Is it maintained by the vendor or is it from an independent organization? How regularly is it updated? Is it stored locally or in the cloud? Do you have to pay additional fees to use the vulnerability database or to get updates? You might want to get answers to these questions before you pick your tool.
Some vulnerability scanners use intrusive scanning methods. They could potentially affect system performance. In fact, the most intrusive are often the best scanners. However, if they affect system performance, you’ll want to know about it beforehand in order to schedule your scans accordingly. Talking about scheduling, this is another important aspect of network vulnerability scanning tools. Some tools don’t even have scheduled scans and need to be launched manually.
Alerting and reporting are also important features of vulnerability scanning tools. Alerting pertains to what happens when a vulnerability is found. Is there a clear and easy to understand notification? How is it transmitted? Via an on-screen popup, an email, a text message? More importantly, does the tool provide some insight on how to fix the vulnerabilities it finds? Some tools even have automated remediation of certain types of vulnerabilities. Other tools integrate with patch management software as patching is often the best way to fix vulnerabilities.
As for reporting, while it is often a matter of personal preference, you must ensure that the information you expect and need to find in the reports will actually be there. Some tools only have predefined reports, others will let you modify the built-in reports. As for the best ones—at least from a reporting standpoint—they will let you create custom reports from scratch.
Four Great Alternatives To MBSA
Now that we know what vulnerabilities are, how they are scanned and what the main features of vulnerability scanning tools are, we’re ready to review some of the best or most interesting packages we could find. We have included some paid and some free tools. Some are even available in both a free and a paid version. All would be a good fit to replace MBSA. Let’s see what their main features are.
SolarWinds is a well-known name among network and system administrators. The company has been making some of the best network administration tools for about 20 years. One of its top tools, the SolarWinds Network Performance Monitor is consistently receiving high praise and rave reviews as one of the best SNMP network bandwidth monitoring tool. The company is also quite famous for its free tools. They are smaller tools designed to address specific tasks of network management. Among the best-known of these free tools are the Advanced Subnet Calculator and the Kiwi Syslog server.
Our first tool, the SolarWinds Network Configuration Manager is not really a vulnerability scanning tool. But for two specific reasons, we thought it was an interesting alternative to MBSA and chose to include it on our list. For starters, the product has a vulnerability assessment feature and also, it addresses a specific type of vulnerability, one that is important but that not that many other tools address, the misconfiguration of networking equipment. The product is also packed with non-vulnerability-related features.
- FREE TRIAL: SolarWinds Network Configuration Manager
- Official Download Link: https://www.solarwinds.com/network-configuration-manager/registration
The SolarWinds Network Configuration Manager’s main usage as a vulnerability scanning tool is in the validation of network equipment configurations for errors and omissions. The tool can also periodically check device configurations for changes. This is useful as some attacks are started by modifying a networking device’s configuration—which are often not as secure as servers’—in a way that can facilitate access to other systems. The tool can also help with standards or regulatory compliance through the use of its automated network configuration tools which can deploy standardized configurations, detect out-of-process changes, audit configurations, and even correct violations.
The software does integrate with the National Vulnerability Database which earned it its spot on this list of MBSA alternatives. It also has access to the most current CVE’s to identify vulnerabilities in your Cisco devices. It will work with any Cisco device running ASA, IOS, or Nexus OS. In fact, two other useful tools, Network Insights for ASA and Network Insights for Nexus are built right into the product.
Price for the SolarWinds Network Configuration Manager starts at $2,895 for up to 50 managed nodes and goes up with the number of managed nodes. If you’d like to give this tool a try, a free 30-day trial version can be downloaded directly from SolarWinds.
The Open Vulnerability Assessment System, or OpenVAS, is a framework of several services and tools. They combine to create a comprehensive yet powerful vulnerability scanning tool. The framework behind OpenVAS is part of Greenbone Networks’ vulnerability management solution from which elements have been contributed to the community for about ten years. The system is entirely free and many of its key components are open-source although some are not. The OpenVAS scanner is supplied with over fifty thousand Network Vulnerability Tests which are updated on a regular basis.
OpenVAS is comprised of two primary components. The first one is the OpenVAS scanner. This is the component responsible for the actual scanning of target computers. The second component is the OpenVAS manager which handles everything else such as controlling the scanner, consolidating results, and storing them in a central SQL database. The software has both browser-based and command-line user interfaces. Another component of the system is the Network Vulnerability Tests database. This database can get its updates from either the free Greenborne Community Feed or the paid Greenborne Security Feed for a more comprehensive protection.
3. Retina Network Community
Retina Network Community is the free version of the Retina Network Security Scanner from AboveTrust, which is one of the best-known vulnerability scanners. Despite being free, it is a comprehensive vulnerability scanner which is packed with features. It can perform a thorough vulnerability assessment of missing patches, zero-day vulnerabilities, and non-secure configurations. It also boasts user profiles aligned with job functions, thereby simplifying system operation. This product features a metro style intuitive GUI which allows for a streamlined operation of the system.
One great thing about Retina Network Community is that it uses the same vulnerability database as its paid sibling. It is an extensive database of network vulnerabilities, configuration issues, and missing patches which is automatically updated and covers a wide range of operating systems, devices, applications, and virtual environments. Talking about virtual environments, the product fully supports VMware and it includes online and offline virtual image scanning, virtual application scanning, and integration with vCenter.
The main drawback of Retina Network Community is that it is limited to scanning 256 IP addresses. Although this might not be much if you’re managing a large network, it could be more than enough for many smaller organizations. If your environment has more than 256 devices, everything we just said about this product is also true in its big brother, the Retina Network Security Scanner which is available in Standard and Unlimited editions. Either edition has an extended feature set as compared to the Retina Network Community scanner.
4. Nexpose Community Edition
Perhaps not quite as popular as Retina, Nexpose from Rapid7 is another well-known vulnerability scanner. As for the Nexpose Community Edition, it is a slightly scaled down version of Rapid7’s comprehensive vulnerability scanner. The product has some important limitations, though. For instance, it is limited to scanning a maximum of 32 IP addresses. This severely limits the tool’s usefulness to only the smallest networks. Another limitation is that the product can only be used for one year. If you can live with these limitations, it is an excellent product. If not, you can always have a look at the paid offering from Rapid7.
Nexpose Community Edition will run on physical machines under either Windows or Linux. It is also available as a virtual appliance. It’s got extensive scanning capabilities that will handle networks, operating systems, web applications, databases, and virtual environments. This tool uses adaptive security which can automatically detect and assess new devices and new vulnerabilities the moment they access your network. This feature works in conjunction with dynamic connections to VMware and AWS. The software also integrates with the Sonar research project to provide true live monitoring. Nexpose Community Edition provides integrated policy scanning to assist in complying with popular standards like CIS and NIST. And last but not least, the tool’s intuitive remediation reports give you step-by-step instructions on remediation actions.