Best Alternatives to Microsoft Baseline Security Analyzer (MBSA)

With Microsoft’s Security Analyzer showing its age, it’s time for an alternative. Security these days is a constant battle between rapid patching and malicious individuals attempting to find exploits and vulnerabilities in software.

It’s not hyperbole to say that as soon as the last security hole is patched, the next one is found by hackers who produce new malware almost immediately after. These security risks have become the primary threat towards companies both large and small.

Here is our list of the best alternatives to Microsoft Baseline Security Analyzer:

  1. SolarWinds Network Security Tools with Engineer’s Toolset EDITOR’S CHOICE The SolarWinds Engineer’s Toolset includes a Security Event Manager, a Patch Manager, and a User Device Tracker to help you to tighten system security.
  2. ManageEngine Vulnerability Manager Plus (FREE TRIAL) A vulnerability scanner bundled together with a patch manager and system hardening guides. Runs on Windows and Windows Server.
  3. Paessler PRTG Network Monitor A bundle of network, server, and application monitoring tools that includes system security scanning features. Detect intruders and spot vulnerabilities with real-time system scanning.
  4. OpenVAS An open-source, free vulnerability detection system.
  5. Nessus The original version of OpenVAS, this vulnerability scanner is available online or for installation on-premises.
  6. Nexpose This tool integrates with Metasploit to give you a comprehensive vulnerability sweep.

Over the course of the last year, countless exploits have been uncovered at both the software and hardware levels. Some of these breaches are so severe they could result in the complete loss of all secure data from infected hosts. This isn’t just a concern for small or medium-sized businesses that may have lighter security than large enterprises.

Anyone can be targeted regardless of size. Macy’s had customers’ online data hacked in 2018. A breach at a third-party support partner resulted in Sears, Kmart, and Delta Airlines customers’ credit card information being stolen, affecting an undisclosed number of individuals. Panera Bread, Adidas, Under Armour: the long list of breaches taking place just in 2018 covers every sector of business across the globe.

Some estimates attribute as many as 80% of all InfoSec breaches to poor security patching and poor routine vulnerability checking. On paper, patching vulnerabilities sounds like a simple task, but when the individual patch count for any given business can reach high into the thousands, the problem becomes readily apparent. Manually managing software, hardware, and configuration vulnerabilities is a nigh-impossible task that will inevitably fail.

Enter the MBSA

Even the most bare-bones security setup will include this simple tool developed by Microsoft to ensure Microsoft products are brought up-to-date and provide strong security against the most recent software exploits. Available for over a decade on a range of Microsoft products, Microsoft Baseline Security Analyzer can quickly scan Microsoft hosts on a network and help patch a range of Microsoft products with the latest security releases to mitigate the chance of a breach.

Unfortunately, this tool is extremely limited, and will only assess the status of Microsoft software. Most organizations will be running tools developed by various developers, and relying solely on MBSA for vulnerability assessment is akin to laying out the red carpet for would-be hackers.

Everything from SQL databases to improperly configured switches can be the preferred method of entry for those seeking to steal sensitive data or negatively impact a given network. The limited scope of MBSA’s tool kit provides zero protection from far too many potential entry points.

The need for a more robust vulnerability solution

As a network grows in size, it quickly becomes apparent that manual solutions are going to fall flat at scale. While there’s no replacement for skilled, knowledgeable staff, supplementing personnel with additional tools to help spot potential vulnerabilities goes a long way towards a more secure premise.

Vulnerability scanners come in a wide range of functions, specifications, and design goals. Some may feature detailed system configuration scans aimed at spotting weaknesses in networking equipment configurations that can be exploited to gain access to a network. Others may take a focused look at known software vulnerabilities, spot potential SQL injection sequences, or identify software versions that have known security windows. Real-time threat intelligence is becoming increasingly important as a tool for intrusion detection and prevention.

What your organization needs will vary from business to business. Certain sectors will require the absolute maximum amount of information security. Every switch, router, and endpoint in the network will need every possible door closed, even at the expense of potential usability. A good example of this is any organization that deals with financial information, or research and design firms that demand the utmost secrecy and security.

Anytime “the absolute maximum” amount of security is needed, there is going to be something of a trade-off in network usability. The easier it is for people within the organization to access information, the higher the potential for intrusion.

Many vulnerability scanners will rate identified vulnerabilities on a scale. While this differs from software to software, the idea is the same. Each vulnerability check is given a rank to help administrators determine which flaws must be closed and which flaws can potentially be left open. Closing every single hole in a network is almost impossible, and even if it were possible the severely hampered usability of the network is likely not worth “perfect security.”

The best alternatives to Microsoft Baseline Security Analyzer

Our methodology for selecting alternatives to Microsoft Baseline Security Analyzer

We reviewed the market for vulnerability scanners like Microsoft Baseline Security Analyzer and assessed the options based on the following criteria:

  • A service that is able to check on third-party software, not just Microsoft products
  • A patch manager linked to a vulnerability scanner
  • Process automation that gets vulnerabilities patched quickly
  • Nice to have a network configuration manager bundled in
  • Every action logged for compliance auditing
  • A free trial for a no-cost assessment period or a free tool
  • A system that is worth the money because it will cost less than the damage it will prevent

1. SolarWinds Network Security Tools with Engineer’s Toolset (FREE TRIAL)

The SolarWinds tools are designed to combine into a comprehensive networking solution. Each SolarWinds product has a specific focus and, when used in conjunction with other SolarWinds tools, contributes to an overarching and cohesive approach to network management as a whole.

Key Features:

  • A package of 60 network tools
  • A combination of system management services
  • A common platform, Orion
  • Interaction between tools
  • Security management

Why do we recommend it?

SolarWinds network security tools offer a different network monitoring strategy from that offered by MBSA. The software provider has a number of systems that you can use to track activity on the network, shut down unauthorized actions, and fortify the network. The Engineer’s Toolset is a package of 60 tools.

Security Event Manager provides compliance reporting and helps ensure networks receive fast remediation and real-time event correlation. A one-stop shop for detailed event monitoring that excels at identifying potential security threats, Security Event Manager offers an advanced search and forensic analysis to assess the impact of security incidents.

Patch Manager is designed specifically to be a comprehensive patch management solution for connected network devices, shoring up potential vulnerabilities caused by out-of-date software. Used in conjunction with Network Configuration Manager, these two programs can provide the function of a traditional vulnerability scanner, spotting assets that need security updates and identifying configuration errors that could lead to an intrusion.

Lastly, SolarWinds User Device Tracker provides an additional layer of security via careful asset tracking and identification.

Who is it recommended for?

SolarWinds created a common platform for its monitoring and management systems, so if you buy the Network Performance Monitor, the Patch Manager, the Network Configuration Manager, and the User Device Tracker, the tools will automatically slot together to provide system hardening and live security tracking services. The Security Event Manager is a SIEM system that spots suspicious activity.

Pros:

  • Offers patching, security, and inventory management tools to completely replace Microsoft Baseline Security Analyzer
  • Aids in automatic device discovery, testing and management
  • Can help verify device settings, network status, and decrease troubleshooting time
  • Can easily export or import results configurations – highly customizable

Cons:

  • Would like to see a longer 30-day trial time

When used together, these products make for a powerful computer network management and security solution. Even when taken individually they excel at their prescribed functions. You can download the Engineer’s Toolset on a 14-day free trial.

EDITOR'S CHOICE

SolarWinds Network Security Tools, which are part of the Engineer’s Toolset, are also ideal for replacing the Microsoft Baseline Analyzer. They offer Router Password Decryption for decrypting any Cisco type-7 passwords, and are great for attacking an IP address with SNMP queries and simulating dictionary attacks to expose vulnerabilities. Hard to beat!

Start 30-day Free Trial: solarwinds.com/engineers-toolset

OS: Windows 7 or later, Windows Server 2012 or later

2. ManageEngine Vulnerability Manager Plus (FREE TRIAL)

ManageEngine Vulnerability Manager Plus combines a patch manager and a vulnerability scanner. This package enables you to prevent vulnerabilities from occurring, spot those that exist, close off exploits, and harden your system.

Key Features:

  • An onsite vulnerability manager
  • A patch manager
  • Scan cycle runs every 90 minutes
  • Threat intelligence
  • Free version available

Why do we recommend it?

ManageEngine Vulnerability Manager Plus sweeps your network, endpoints, and software to identify configuration errors and out-of-date software. The configuration analysis module recommends changes that you can make to tighten security and the software manager automatically launches a patch manager to update operating systems and software.

The Vulnerability Manager Plus system is a software package that includes a collection of modules. The central server installs on Windows and Windows Server, then each endpoint needs an agent installed on it. The agent program is available on Windows, macOS, and Linux.

The server of the package coordinates activities and reports from each distributed module operated through the device agents. This combination of services ensures that endpoints can be protected in the event of the network being damaged.

Scans occur every 90 minutes. The system includes a live threat intelligence feed and any newly discovered exploits trigger an extra search. Scans extend to network appliances, such as firewalls, and also cover web services.

Who is it recommended for?

This is an on-premises package for Windows Server that reaches across the network to scan devices running Windows, macOS, and Linux. This is a good option for businesses of any size because it automates the actions required to fix discovered problems, such as patching. The Free edition is suitable for small businesses with up to 25 endpoints.

Pros:

  • Great for continuous scanning and patching throughout the lifecycle of any device
  • Robust reporting can help show improvements after remediation
  • Flexible – can run on Windows, Linux, and Mac
  • Backend threat intelligence is constantly updated with the latest threats and vulnerabilities
  • Supports a free version, great for small businesses

Cons:

  • The ManageEngine ecosystem is very detailed, requiring time to learn all of its features

Vulnerability Manager Plus is offered in three editions: Free, Professional, and Enterprise. The free version is limited to monitoring 25 computers. The Professional edition operates on one site and the Enterprise edition caters to WANs. Both paid systems are offered on a 30-day free trial.

ManageEngine Vulnerability Manager Plus Download a 30-day FREE Trial

3. Paessler PRTG Network Monitor (FREE TRIAL)

A leading network management solution with security feature options, Paessler PRTG has a unique take on both pricing and deployment. PRTG monitors networks on a “per-sensor” basis, with each component of a given asset representing a single sensor. Monitoring the port on a switch for traffic, for example, would be a single sensor. Pricing for PRTG is based on the total number of sensors deployed, giving a flexible amount of scalability to those who use PRTG.

Key Features:

  • Monitor for networks, servers, and applications
  • Autodiscovery
  • Port scanner

Why do we recommend it?

Paessler PRTG Network Monitor supervises endpoints and software as well as networks. The tool can be used to identify rogue devices because of its continuous device polling processes. This enables you to tighten up network breaches. You can use the port scanner in the tool to list open ports on all devices.

These sensors can provide a range of functions, and when deployed in the right locations can give administrators a solution for many different networking areas. For example, sensors that track application updates can be deployed on a given asset to ensure up-to-date patch status on the asset.

These sensors can also be deployed on network ports to monitor traffic. The software can actively track for unusual traffic or system behavior and report this back to the system’s administrator, helping to stop intrusions in their tracks.

Who is it recommended for?

PRTG is a good package for general system monitoring. It provides automated processes to track system performance through a series of thresholds that trip when responses dip or resources run short. The package contains many sensors and if you only activate 100, the system is completely free to use.

Pros:

  • Uses a combination of packet sniffing, WMI, and SNMP to report device status and patching insights
  • Autodiscovery reflects the latest inventory changes in real-time
  • Drag and drop editor makes it easy to build custom views and reports
  • Supports a wide range of alert mediums such as SMS, email, and third-party integration
  • Supports a powerful freeware version

Cons:

  • Is a very comprehensive platform with many features and moving parts that require time to learn

This impressive flexibility makes PRTG a good solution for small or medium-sized businesses that want a versatile network vulnerability service that does more than just look for holes in the network. PRTG Network Monitor is available on a 30-day free trial.

Start 14-day Free Trial: Paessler.com/PRTG-download

Paessler PRTG Network Monitor is our #1 choice for replacing the Microsoft Baseline Analyzer because it offers a more comprehensive approach to infrastructure monitoring. The combined capabilities of PRTG with its 3-in-1 application, server, and network monitoring features help identify system security weaknesses. A complete system monitoring solution!

OS: Windows Server 2012 or later

4. OpenVAS

One of the premier open-source vulnerability scanning applications currently available, OpenVAS has a strong track record for vulnerability detection that goes through constant improvement and community testing. As an open-source project, the source code is freely available and can be tweaked by ambitious administrators to fit their needs.

Key Features:

  • Free to use
  • Threat intelligence
  • Community supported

Why do we recommend it?

OpenVAS is a highly-respected vulnerability scanner – VAS stands for Vulnerability Assessment Scanner. This tool is free to use and there is a paid alternative. The package was created as a fork of Nessus (see below) and it runs through a list of about 50,000 Network Vulnerability Tests (NVTs).

As is common with other open-source software, the free nature of the product means that official product support is lacking. There is something of a learning curve when using OpenVAS, and getting the most from the software will require some time to learn how it works. There’s an extensive knowledgebase and significant community support that can help new users tailor scanning profiles to fit their needs, ensure a high degree of vulnerability identification, and reduce the number of false positives. Even with this community support, the lack of any official training or product support can be a frustrating downside for some users.

That being said, OpenVAS does have a good track record as a vulnerability scanner, and is used by many organizations as their primary means of securing their networks.

Who is it recommended for?

OpenVAS is a mainstay of penetration testing. So, it is used by professional security consultants. The tool doesn’t have a very good interface, so it isn’t the type of system that infrequent users or untrained technicians would use. A paid alternative offered by the company that manages OpenVAS is called Greenbone Enterprise.

Pros:

  • Open source transparent tool
  • Has a large dedicated community
  • Completely free

Cons:

  • No paid support option
  • The interface is bare-bones and lacks many default quality-of-life features
  • Enterprises will likely need experienced staff to fully extract value from the platform

5. Nessus

Developed by Tenable and the original code base for OpenVAS, Nessus is another software with a long track record of vulnerability identification. It offers strong product support and many of the strengths of its cousin OpenVAS.

Key Features:

  • Based on OpenVAS
  • On-premises or SaaS
  • Professional support

Why do we recommend it?

Nessus is a network vulnerability scanner and it dates back to 1998. While originally a free tool, the system is now a paid package. There is a free version for home use, called Nessus Essentials. Two paid versions are Nessus Professional and Nessus Expert, which are very expensive. The producer of Nessus is called Tenable.

Nessus features both active and passive network scanning and can be used to scan both cloud and local assets. It has a long list of standard scanning profiles while still offering a breadth of customization in security scanning rules. Vulnerability prioritization gives administrators the information they need to quickly assess security risks and take the appropriate steps to fix them.

The Nessus licensing model is flexible and allows for deployment based on assets instead of individual IPs. Tenable offers both a cloud-based SaaS scanning solution and an on-premise software deployment, giving administrators welcome deployment options. Further customization in the software’s dashboard gives Nessus the flexibility to fit wherever it needs to.

For those who like the features found in OpenVAS, but are seeking a more professionally supplemented solution with full product support, Tenable’s Nessus provides an attractive choice.

Who is it recommended for?

Tenable tends to push its higher plan for vulnerability management, which is called Tenable and is available in on-premises and cloud SaaS versions. The Nessus system is priced beyond the budgets of small businesses, and universities tend to use OpenVAS on cybersecurity courses, so qualified penetration testers tend to use that system instead of Nessus.

Pros:

  • Offers a free vulnerability assessment tool
  • Simple, easy-to-learn interface
  • Little configuration needed, 450+ templates that support a range of devices and network types
  • Prioritization is easy to tweak for different events

Cons:

  • The paid version is a more expensive enterprise solution, not the best fit for smaller networks
  • Limited integration options

6. Nexpose

Nexpose is a vulnerability scanner developed by Rapid7, the makers of the Metasploit framework. The software’s main selling point is its ability to easily integrate with Metasploit for real, live vulnerability testing within a closed framework. This gives Nexpose users a powerful way to accurately test their systems for risk exposure and helps identify rapid solutions to potential exploits.

Key Features:

  • Based on Metasploit
  • Easy-to-understand results
  • Suggests fixes

Why do we recommend it?

Nexpose is an on-premises vulnerability scanner. It is produced by Rapid7, the creators of Metasploit, which is a penetration testing tool. Nexpose was designed as an automated version of the manual tools contained in Metasploit. Rapid7 also produces a SaaS vulnerability scanner, called InsightVM. Nexpose is fully automated and has an attractive user interface.

Nexpose features its own contextualized risk scoring system aimed at giving administrators a fast way to assess risk levels of identified vulnerabilities. These contextualized scores provide risk priorities for identified problems and help users address the deficiencies that need immediate attention.

Live and active monitoring combined with detailed remediation reporting gives a short list of actionable steps for shoring up network security. Unlike some software that simply lists vulnerabilities and their associated risk, Nexpose smartly provides a list of actual steps administrators can take to secure their systems.

Nexpose’s unique take on remediation reporting and easy integration with Metasploit make Nexpose a flexible option for both new and experienced security professionals.

Who is it recommended for?

While penetration testers favor Metasploit, network managers would be better off opting for Nexpose. This system is an on-premises package for Windows Server and Linux. The cloud alternative, InsightVM, is a very similar service but you don’t have to host it. So, any business interested in a Rapid7 vulnerability manager should assess both options.

Pros:

  • Offers a wide range of integration into frameworks like Metasploit
  • Has highly intuitive and customizable dashboards
  • Supports the entire vulnerability lifecycle

Cons:

  • Designed for research professionals – has a steep learning curve
  • More focused on vulnerability discovery – not the best option for users looking strictly for patch management

Making your tools work

The most important, and far too often neglected, step in good security auditing is the proper configuration of scanning profiles and focused vulnerability testing. It’s enough to warrant its own dedicated section in this article as a reminder to administrators. Vulnerability scanners and security software will often come with their own default or preset scanning profiles designed as generic scanning solutions that can be used “out-of-the-box.” Customizing these scanning rules is critical to proper auditing of any network or platform. Likewise, doing your own closed tests on vulnerabilities themselves can help you gain insight into determining which vulnerabilities need immediate attention.

Picking the right MBSA Alternative

Deciding which vulnerability scanner to use can depend on a range of factors:

Type of Business: As stated above, security needs will vary from business to business. Evaluate what your security goals are based on your organization’s structure, sector(s), and size. Also, address if any specific branches of the organization need heightened security over other branches.

Identify Assets: Take note of how many assets need to be monitored and evaluated for vulnerabilities, their locations, their individual functions, and importance to overall operation. Certain applications are more geared towards specific assets. It’s important to take note of both hardware and software assets, as each may have its own specific security concerns or risks. Public-facing assets, such as a web server, are more vulnerable to exploit attacks than well-protected office systems.

Identify Existing Security: Understanding the security practices and implementations already in place is obviously a critical step in adding a new layer of security checks. If you already have a robust security solution from a certain vendor, for example, it may be prudent to use solutions that integrate well with your existing security.

Assess Security Risk and Desired Level of Security: Some organizations will inherently need a higher level of security than others. They may be more likely to be targeted by malicious intrusions, or may naturally have a much more public-facing presence. Assessing both the potential risk of being targeted and the desired level of security needed will determine what kind of vulnerability management software to implement.

Once you’ve taken stock of what your organization will need in a security solution, it’s time to start researching the potential options. The list presented here will give a brief overview of trusted solutions in the information security industry, but doing your own in-depth research is critical when selecting the right solution. Even a well-reviewed piece of software with critical acclaim from multiple sources may not be the right fit for your organization. Using the above checklist combined with a careful look at each potential software choice will give you the tools you need to pick the right software.

Microsoft Baseline Security Analyzer (MBSA) FAQs

Can patches and updates be excluded from a scan?

Yes. If you use Microsoft Software Update Services (SUS), you can manage which updates and patches will be skipped in that environment. When running an MBSA scan, check the Use SUS Server box and enter the address of that server. When the scan runs, it will only look for patches and updates that are approved in SUS.

Does version 2.3 of MBSA work with Windows 10?

Version 2.3 of MBSA does not work with Windows 10 or Windows Server 2016.

How do I remove Microsoft Baseline Security Analyzer (MBSA)?

To remove Microsoft Baseline Security Analyzer (MBSA), use the Add/Remove Programs feature in the Windows Settings system.

  1. Go to the Search programs and files box in the Start menu (Windows 7) or on the Taskbar (Windows 8 and 10) and type uninstall a program. In Windows 7, you will see an Uninstall a program option, and in Windows 8 and 10, select Apps and Features.
  2. Scroll through the list of presented programs to find MBSA. Click on that entry.
  3. Click on the Uninstall button.