How to run a Microsoft Baseline Security Scan on remote computers

Scanning network computers with MBSA (Microsoft Baseline Security Analyzer) tool has never been easy. As long as you have administrator access to the computer, you can scan virtually any computer on the network. This tool can help in building a security baseline as well as ad-hoc random checks of computers on your network to ensure that they are all updated and patched.

Well, all that is quite easy, however the challenge comes when you want to scan computers / servers that are not a part of your domain. Some might ask the question that why would you care for something not in your domain. It just so happens that for business reasons some of the servers / computers might not be in your domain and may be in workgroup or even another domain. I am sure you must have some computers / servers like that.

Scanning those computers using the GUI (shown on the left hand side) is not possible (at least I did not find any way to scan those using the GUI). All is not lost yet. Anticipating such scenarios, thankfully, Microsoft has provided a command line interface for this tool. It gets installed at the time you install the MBSA tool. The syntax for the command is:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n option[+option...]] 
[/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/listfile file]  [/wa | /wi] [/catalog file] [/nvc]
[/nai] [/nm] [/nd] [/u username /p password]

A quick glance through the MBSA help will give you detailed description of the command and all the parameters. Also the FAQs on the Microsoft Technet site are quite a good resource for this.

To use the MBSA in a command line mode, I recommend that you download the latest offline scan file from Microsoft website. MBSA downloads the file automatically when used in a GUI mode, but it fails to do so when using in command line mode. To enable MBSACLI to use this file without additional parameters save the file to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab. Where wsusscn2.cab is the name of the file you just downloaded. You could also save it to your favourite location and then manually specify the location by using the /catalog file option in the command above.

To run the command line tool, navigate to the MBSA program folder which typically is in C:\Program Files\Microsoft Baseline Security Analyzer 2.  Once you are there run the actual command as follows:

C:\Program Files\Microsoft Baseline Security Analyzer 2>mbsacli /target 192.168.23.23 /catalog c:\wsusscn2.cab /u administrator /p password

Here you can use either the IP address or the computer name after the /target switch. I had saved the offline scan file to C: drive so I explicitly defined that by using the /catalog switch.

Once you run the command it displays the report in the command window itself though it is not very user friendly. You can then fire up the GUI tool and view the report by clicking on the View a security report link in the left hand side pane of the tool.