With Microsoft’s Security Analyzer showing its age, it’s time for an alternative. Security these days is a constant battle between rapid patching and malicious individuals attempting to find exploits and vulnerabilities in software.
It’s not hyperbole to say that as soon as the last security hole is patched, the next one is found by hackers who produce new malware almost immediately after. These security risks have become the primary threat towards companies both large and small.
Here is our list of the best alternatives to Microsoft Baseline Security Analyzer:
- Paessler PRTG Network Monitor (EDITOR’S CHOICE): A bundle of network, server, and application monitoring tools that includes system security scanning features. Detect intruders and spot vulnerabilities with real-time system scanning. Download a 30-day free trial.
- SolarWinds Network Security Tools with Engineer’s Toolset (FREE TRIAL): The SolarWinds Engineer’s Toolset includes a Security Event Manager, a Patch Manager, and a User Device Tracker to help you tighten system security.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL): A vulnerability scanner bundled together with a patch manager and system hardening guides. Runs on Windows and Windows Server.
- OpenVAS: An open-source, free vulnerability detection system.
- Nessus: The original version of OpenVAS, this vulnerability scanner is available online or for installation on-premises.
- Nexpose: This tool integrates with Metasploit to give you a comprehensive vulnerability sweep.
- Retina CS: This vulnerability analyzer includes customized asset configuration and risk potential trackers.
Over the course of the last year, countless exploits have been uncovered at both the software and hardware levels. Some of these breaches are so severe they could result in the complete loss of all secure data from infected hosts. This isn’t just a concern for small or medium-sized businesses that may have lighter security than large enterprises.
Anyone can be targeted regardless of size. Macy’s had customers’ online data hacked in 2018. A breach at a third-party support partner resulted in Sears, Kmart, and Delta Airlines customers’ credit card information being stolen, an incident that affected an undisclosed number of individuals. Panera Bread, Adidas, Under Armour: the long list of breaches taking place just in 2018 covers every sector of business across the globe.
Some estimates attribute as many as 80% of all InfoSec breaches to poor security patching and a lack of routine vulnerability checks. On paper, patching vulnerabilities sounds like a simple task, but when the individual patch count for any given business can reach high into the thousands, the problem becomes readily apparent. Manually managing software, hardware, and configuration vulnerabilities is a nigh impossible task that will inevitably fail.
Enter the MBSA
Even the most bare-bones security setup will include this simple tool developed by Microsoft to ensure Microsoft products are brought up-to-date and provide strong security against the most recent software exploits. Available for over a decade on a range of Microsoft products, Microsoft Baseline Security Analyzer can quickly scan Microsoft hosts on a network and help patch a range of Microsoft products with the latest security releases to mitigate the chance of a breach.
Unfortunately, this tool is extremely limited, and will only assess the status of Microsoft software. Most organizations will be running tools developed by various developers, and relying solely on MBSA for vulnerability assessment is akin to laying out the red carpet for would-be hackers.
Everything from SQL databases to improperly configured switches can be the preferred method of entry for those seeking to steal sensitive data or negatively impact a given network. The limited scope of MBSA’s tool kit provides zero protection from far too many potential entry points.
The need for a more robust vulnerability solution
As a network grows in size, it quickly becomes apparent that manual solutions are going to fall flat at scale. While there’s no replacement for skilled, knowledgeable staff, supplementing personnel with additional tools to help spot potential vulnerabilities goes a long way towards more secure premises.
Vulnerability scanners come in a wide range of functions, specifications, and design goals. Some may feature detailed system configuration scans aimed at spotting weaknesses in networking equipment configurations that can be exploited to gain access to a network. Others may take a focused look at known software vulnerabilities, spot potential SQL injection sequences, or identify software versions that have known security windows. Real-time threat intelligence is becoming increasingly important as a tool for intrusion detection and prevention.
What your organization needs will vary from business to business. Certain sectors will require the absolute maximum amount of information security. Every switch, router, and endpoint in the network will need every possible door closed, even at the expense of potential usability. A good example of this is any organization that deals with financial information, or research and design firms that demand the utmost secrecy and security.
Anytime “the absolute maximum” amount of security is needed, there is going to be something of a trade-off in network usability. The easier it is for people within the organization to access information, the higher the potential for intrusion is going to be.
Many vulnerability scanners will rate identified vulnerabilities on a scale. While this differs from software to software, the idea is the same. Each vulnerability check is given a rank to help administrators determine which flaws must be closed and which flaws can potentially be left open. Closing every single hole in a network is almost impossible, and even if it were possible the severely hampered usability of the network is likely not worth “perfect security.”
The best alternatives to Microsoft Baseline Security Analyzer
When selecting the tools that we feature in this article, we considered some of the following criteria:
- Ease of installation, integration, and use
- Vendor reputation in the industry
- The software is continuously maintained and kept up to date
- Extensive installation and support literature, help and staff availability
A leading network management solution with security feature options, Paessler PRTG has a unique take on both pricing and deployment. PRTG monitors networks on a “per-sensor” basis, with each component of a given asset representing a single sensor. Monitoring the port on a switch for traffic, for example, would be a single sensor. Pricing for PRTG is based on the total number of sensors deployed, giving a flexible amount of scalability to those who use PRTG.
These sensors can provide a range of functions, and when deployed in the right locations can give administrators a solution for many different networking areas. Sensors can be deployed on a given asset that track application updates, for example, to ensure up-to-date patch status on the asset.
These sensors can also be deployed on network ports to monitor traffic. The software can actively track for unusual traffic or system behavior and report this back to the system’s administrator, helping to stop intrusions in their tracks.
This impressive flexibility makes PRTG a good solution for small or medium-sized businesses that want a versatile network vulnerability service that does more than just look for holes in the network. PRTG Network Monitor is available on a 30-day free trial.
Paessler PRTG Network Monitor is our #1 choice for replacing the Microsoft Baseline Analyzer because it offers a more comprehensive approach to infrastructure monitoring. The combined capabilities of PRTG with its 3-in-1 application, server, and network monitoring features help identify system security weaknesses. A complete system monitoring solution!
Start 30-day Free Trial: paessler.com/download/prtg-download
OS: Windows Server 2012 or later
A combination of tools designed by SolarWinds to provide a comprehensive networking solution, SolarWinds products each have a specific focus and, when used in conjunction with other SolarWinds tools, give an overarching and cohesive approach to network management as a whole.
Security Event Manager provides compliance reporting and helps ensure networks receive fast remediation and real-time event correlation. A one-stop shop for detailed event monitoring that excels at identifying potential security threats, Security Event Manager offers an advanced search and forensic analysis to assess the impact of security incidents.
Patch Manager is designed specifically to be a comprehensive patch management solution for connected network devices, shoring up potential vulnerabilities caused by out-of-date software. Used in conjunction with Network Configuration Manager, these two programs can provide the function of a traditional vulnerability scanner, spotting assets that need security updates and identifying configuration errors that could lead to an intrusion.
Lastly, SolarWinds User Device Tracker provides an additional layer of security via careful asset tracking and identification.
When used together, these products make for a powerful computer network management and security solution. Even when taken individually they excel at their prescribed functions. You can download the Engineer’s Toolset on a 14-day free trial.
SolarWinds Network Security Tools, which are part of the Engineer’s Toolset, are also ideal for replacing the Microsoft Baseline Analyzer, offering Router Password Decryption for decrypting any Cisco type-7 passwords, as well as tools for attacking an IP address with SNMP queries and simulating dictionary attacks to expose vulnerabilities. Hard to beat!
Start 14-day Free Trial: solarwinds.com/engineers-toolset
OS: Windows 7 or later, Windows Server 2012 or later
ManageEngine Vulnerability Manager Plus combines a patch manager and a vulnerability scanner. This package enables you to prevent vulnerabilities from occurring, spot those that exist, close off exploits, and harden your system.
The Vulnerability Manager Plus system is a software package that includes a collection of modules. The central server installs on Windows and Windows Server, and then each endpoint needs an agent installed on it. The agent program is available on Windows, macOS, and Linux.
The server of the package coordinates activities and reports from each distributed module operated through the device agents. This combination of services ensures that endpoints can be protected in the event of the network being damaged.
Scans occur every 90 minutes. The system includes a live threat intelligence feed, and any newly discovered exploits trigger an extra search. Scans extend to network appliances, such as firewalls, and also cover web services.
Vulnerability Manager Plus is offered in three editions: Free, Professional, and Enterprise. The free version is limited to monitoring 25 computers. The Professional edition operates on one site and the Enterprise edition caters to WANs. Both paid systems are offered on a 30-day free trial.
One of the premier open-source vulnerability scanning applications currently available, OpenVAS has a strong track record for vulnerability detection and goes through constant improvement and community testing. As an open-source project, the source code is freely available and can be tweaked by ambitious administrators to fit their needs.
As is common with other open-source software, the free nature of the product means that official product support is lacking. There is something of a learning curve when using OpenVAS, and getting the most from the software will require some time to learn how it works. There’s an extensive knowledgebase and significant community support that can help new users tailor scanning profiles to fit their needs, ensure a high degree of vulnerability identification, and reduce the number of false positives. Even with this community support, the lack of any official training or product support can be a frustrating downside for some users.
That being said, OpenVAS does have a good track record as a vulnerability scanner, and is used by many organizations as their primary means of securing their networks.
Developed by Tenable and the original code base for OpenVAS, Nessus is another software with a long track record of vulnerability identification. It offers strong product support and many of the strengths of its cousin OpenVAS.
Nessus features both active and passive network scanning and can be used to scan both cloud and local assets. It has a long list of standard scanning profiles while still offering a breadth of customization in security scanning rules. Vulnerability prioritization gives administrators the information they need to quickly assess security risks and take the appropriate steps to fix them.
The Nessus licensing model is flexible and allows for deployment based on assets instead of individual IPs. Tenable offers both a cloud-based SaaS scanning solution and an on-premises software deployment, giving administrators welcome deployment options. Further customization in the software’s dashboard gives Nessus the flexibility to fit wherever it needs to.
For those who like the features found in OpenVAS, but are seeking a more professionally supplemented solution with full product support, Tenable’s Nessus provides an attractive choice.
Nexpose is a vulnerability scanner developed by Rapid7, the makers of the Metasploit framework. The software’s main selling point is its ability to easily integrate with Metasploit for real, live vulnerability testing within a closed framework. This gives Nexpose users a powerful way to accurately test their systems for risk exposure and helps identify rapid solutions to potential exploits.
Nexpose features its own contextualized risk scoring system aimed at giving administrators a fast way to assess risk levels of identified vulnerabilities. These contextualized scores provide risk priorities for identified problems and help users address the deficiencies that need immediate attention.
Live and active monitoring combined with detailed remediation reporting gives a short list of actionable steps for shoring up network security. Unlike some software that simply lists vulnerabilities and their associated risk, Nexpose smartly provides a list of actual steps administrators can take to secure their systems.
Nexpose’s unique take on remediation reporting and easy integration with Metasploit make Nexpose a flexible option for both new and experienced security professionals.
Designed by BeyondTrust, Retina CS claims to be the only vulnerability management software engineered “from the ground up” with contextual vulnerability analysis in mind. Retina’s easy network discovery tool can identify everything from traditional network assets to IoT devices and cloud infrastructure.
Customized asset configuration and risk potential let users help Retina CS determine their own context sensitive security priorities. Threat analysis on these assets provides real remediation steps and potential return. Integrated patch management and vulnerability scanning gives Retina CS the toolkit it needs to protect networks.
Intended to scale all the way up to the enterprise level, Retina CS features both cloud-based SaaS and on-site deployments. It also features configuration compliance to help ensure large organizations meet compliance standards.
A powerful tool designed with the enterprise business in mind, Retina CS is a good option for large organizations that need contextualized security analysis.
Making your tools work
The most important, and far too often neglected, step in good security auditing is the proper configuration of scanning profiles and focused vulnerability testing. It’s enough to warrant its own dedicated section in this article as a reminder to administrators. Vulnerability scanners and security software will often come with their own default or preset scanning profiles designed as generic scanning solutions that can be used “out-of-the-box.” Customizing these scanning rules is critical to proper auditing of any network or platform. Likewise, doing your own closed tests on vulnerabilities themselves can help you gain insight into determining which vulnerabilities need immediate attention.
Picking the right MBSA alternative
Deciding which vulnerability scanner to use can depend on a range of factors:
Type of Business: As stated above, security needs will vary from business to business. Evaluate what your security goals are based on your organization’s structure, sector(s), and size. Also, address if any specific branches of the organization need heightened security over other branches.
Identify Assets: Take note of how many assets need to be monitored and evaluated for vulnerabilities, their locations, their individual functions, and their importance to overall operation. Certain applications are more geared towards specific assets. It’s important to take note of both hardware and software assets, as each may have its own specific security concerns or risks. Public-facing assets, such as a web server, are more vulnerable to exploit attacks than well-protected office systems.
Identify Existing Security: Understanding the security practices and implementations already in place is obviously a critical step in adding a new layer of security checks. If you already have a robust security solution from a certain vendor, for example, it may be prudent to use solutions that integrate well with your existing security.
Assess Security Risk and Desired Level of Security: Some organizations will inherently need a higher level of security than others. They may be more likely to be targeted by malicious intrusions, or may naturally have a much more public-facing presence. Assessing both the potential risk of being targeted and the desired level of security needed will determine what kind of vulnerability management software to implement.
Once you’ve taken stock of what your organization will need in a security solution, it’s time to start researching the potential options. The list presented here will give a brief overview of trusted solutions in the information security industry, but doing your own in-depth research is critical when selecting the right solution. Even a well-reviewed piece of software with critical acclaim from multiple sources may not be the right fit for your organization. Using the above checklist combined with a careful look at each potential software choice will give you the tools you need to pick the right software.
Microsoft Baseline Security Analyzer (MBSA) FAQs
Can patches and updates be excluded from a scan?
Yes. If you use Microsoft Software Update Services (SUS) you can manage which updates and patches will be skipped in that environment. When running an MBSA scan check the Use SUS Server box and enter the address of that server. When the scan runs, it will only look for patches and updates that are approved in SUS.
Does version 2.3 of MBSA work with Windows 10?
Version 2.3 of MBSA does not work with Windows 10 or Windows Server 2016.
How do I remove Microsoft Baseline Security Analyzer (MBSA)?
To remove Microsoft Baseline Security Analyzer (MBSA), use the Add/Remove Programs feature in the Windows Settings system:
- Go to the Search programs and files box in the Start menu (Windows 7) or on the Taskbar (Windows 8 and 10) and type uninstall a program. In Windows 7, you will see an Uninstall a program option, and in Windows 8 and 10, select Apps and Features.
- Scroll through the list of presented programs to find MBSA. Click on that entry.
- Click on the Uninstall button.