MBSA does not check sa for weak passwords?
mbsacli.exe /target mydomain\mycomputer /n OS+IIS+Updates

When I run this command, it enumerates the local Windows user accounts, but it does not seem to enumerate the SQL Server accounts such as 'sa' or 'dbtest2', my other account set up with SQL Server authentication. For the purposes of testing MBSA, I've given these two accounts weak passwords, but they are not being detected by MBSA. Am I doing something wrong, or is this by design? Here's the report:

Scan Complete.
Security assessment: Incomplete Scan
Computer name: mydoamin\mycomputer
IP address: xxx.xxx.xxx.xxx
Security report name: 2010Q2-mycomputer (3)
Scan date: 6/18/2010 10:38 AM
Scanned with MBSA version: 2.1.2112.0
Catalog synchronization date: Security updates scan not performed

Operating System Scan Results

Administrative Vulnerabilities

Issue: Local Account Password Test
Score: Check failed (critical)
Result: Some user accounts (2 of 9) have blank or simple passwords, or could not be analyzed.
Detail:
| User | Weak Password | Locked Out | Disabled |
| Guest | Weak | - | Disabled |
| HelpAssistant | - | - | Disabled |
| SUPPORT_388945a0 | - | - | Disabled |
| test | Weak | - | - |
| ASPNET | - | - | - |
| IUSR_mycomputer | - | - | - |
| IWAM_mycomputer | - | - | - |
| SQLDebugger | - | - | - |
| Administrator | - | - | - |

SQL Server Scan Results

Instance SQLEXPRESS

Administrative Vulnerabilities

Issue: SQL Server/MSDE Security Mode
Score: Check passed
Result: SQL Server and/or MSDE authentication mode is set to Windows Only.

Issue: CmdExec role
Score: Check passed
Result: CmdExec is restricted to sysadmin only.

Issue: Registry Permissions
Score: Check passed
Result: The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.

Issue: Folder Permissions
Score: Check failed (critical)
Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
Detail:
| Instance | Folder | User |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |

Issue: Sysadmin role members
Score: Best practice
Result: BUILTIN\Administrators group should not be part of sysadmin role.

Issue: Guest Account
Score: Check passed
Result: The Guest account is not enabled in any of the databases.

Issue: Sysadmins
Score: Check failed (non-critical)
Result: More than 2 members of sysadmin role are present.

Issue: Service Accounts
Score: Unable to scan
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| SQLEXPRESS | MSSQL$SQLEXPRESS | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error: 1212 The format of the specified domain name is invalid. . |

Issue: Password Policy
Score: Check failed (critical)
Result: Enable password policy and expiration for the SQL server accounts.

Issue: SSIS Roles
Score: Check passed
Result: The BUILTIN Admin does not belong to the SSIS roles.

Issue: Sysdtslog
Score: Best practice
Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.
By the way, I changed to mixed-mode authentication and got the same results, that is, it did not detect that sa and dbtest2 had weak passwords. I typically would not care about the lack of this feature, but it would now be a nice feature to have for my quarterly compliance test. =) I do the test with osql right now, but I'd rather use MBSA.
June 19th, 2010 1:14am

Hi, there is a public newsgroup available for MBSA discussion at: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.security.baseline_analyzer The public newsgroup is a better support pool to assist you. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 23rd, 2010 9:18am

Issue: SQL Server/MSDE Security Mode
Score: Check passed
Result: SQL Server and/or MSDE authentication mode is set to Windows Only.

Looks to me like even with the SQL users present, the SQL Server instance is set to only Windows logins, so probably no test, therefore.
June 24th, 2010 12:51pm
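Since the asker already runs the weak-password test with osql, and the reply above points at the Windows-only authentication mode as the reason MBSA skipped the SQL logins, here is an added example of that osql-side check written as a single T-SQL script. This is not code from the thread or from MBSA; it assumes you run it as a sysadmin against the SQLEXPRESS instance, that the instance is SQL Server 2005 or later (sys.sql_logins and PWDCOMPARE exist there), and the file name check_sql_logins.sql is my own choice. The weak-password candidates are limited to the blank password and the login name itself, which is what a quarterly compliance test normally needs to prove; the policy columns map to the "Password Policy" finding in the report.

```sql
-- Added example, not from the thread or from MBSA.
-- Run as sysadmin:  osql -E -S .\SQLEXPRESS -i check_sql_logins.sql

-- 1. Authentication mode. With "Windows Only" the stored SQL-login hashes are
--    never used for authentication, which is why MBSA reported "Check passed"
--    for the security mode and did not test 'sa' or 'dbtest2' at all.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN 'Windows Authentication only - SQL logins cannot authenticate'
            ELSE        'Mixed mode - SQL logins can authenticate by password'
       END AS auth_mode;

-- 2. Weak-password and policy check for every SQL-authenticated login.
--    PWDCOMPARE() hashes the candidate with the salt stored in password_hash
--    and returns 1 on a match, so no plaintext password is ever read back.
SELECT l.name,
       CASE WHEN PWDCOMPARE('',     l.password_hash) = 1 THEN 'BLANK'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'SAME AS LOGIN NAME'
            ELSE '-'
       END                    AS weak_password,
       l.is_disabled,
       l.is_policy_checked,    -- 0 here is the "Password Policy" finding in the MBSA report
       l.is_expiration_checked -- 0 here means the password never expires
FROM sys.sql_logins AS l
ORDER BY l.name;
```

Run it before and after flipping the authentication mode: the first result set tells you whether the logins are reachable at all, the second lists the ones a compliance report should flag (blank or name-equals-password, or policy/expiration not enforced). Remediation for a flagged login is `ALTER LOGIN ... WITH PASSWORD = ..., CHECK_POLICY = ON, CHECK_EXPIRATION = ON`, or disabling the login if it is not needed.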

