MBSA does not check sa for weak passwords?
mbsacli.exe /target mydomain\mycomputer /n OS+IIS+Updates
When I run this command, it enumerates the local Windows user accounts, but
it does not seem to enumerate the SQL Server accounts such as 'sa' or
'dbtest2' my other account set up with SQL Server authentication. For the
purposes of testing MBSA, I've given these two accounts weak passwords, but
they are not being detected by MBSA. Am I doing something wrong or is this
by design? Here's the report:
Scan Complete.
Security assessment: Incomplete Scan
Computer name: mydoamin\mycomputer
IP address: xxx.xxx.xxx.xxx
Security report name: 2010Q2-mycomputer (3)
Scan date: 6/18/2010 10:38 AM
Scanned with MBSA version: 2.1.2112.0
Catalog synchronization date: Security updates scan not performed
Operating System Scan Results
Administrative Vulnerabilities
Issue: Local Account Password Test
Score: Check failed (critical)
Result: Some user accounts (2 of 9) have blank or simple passwords,
or could not be analyzed.
Detail:
| User | Weak Password | Locked Out | Disabled |
| Guest | Weak | - | Disabled |
| HelpAssistant | - | - | Disabled |
| SUPPORT_388945a0 | - | - | Disabled |
| test | Weak | - | - |
| ASPNET | - | - | - |
| IUSR_mycomputer | - | - | - |
| IWAM_mycomputer | - | - | - |
| SQLDebugger | - | - | - |
| Administrator | - | - | - |
SQL Server Scan Results
Instance SQLEXPRESS
Administrative Vulnerabilities
Issue: SQL Server/MSDE Security Mode
Score: Check passed
Result: SQL Server and/or MSDE authentication mode is set to
Windows Only.
Issue: CmdExec role
Score: Check passed
Result: CmdExec is restricted to sysadmin only.
Issue: Registry Permissions
Score: Check passed
Result: The Everyone group does not have more than Read access to
the SQL Server and/or MSDE registry keys.
Issue: Folder Permissions
Score: Check failed (critical)
Result: Permissions on the SQL Server and/or MSDE installation
folders are not set properly.
Detail:
| Instance | Folder | User |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | mycomputer\SQLServer2005MSSQLUser$mycomputer$SQLEXPRESS |
| SQLEXPRESS | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |
Issue: Sysadmin role members
Score: Best practice
Result: BUILTIN\Administrators group should not be part of
sysadmin role.
Issue: Guest Account
Score: Check passed
Result: The Guest account is not enabled in any of the databases.
Issue: Sysadmins
Score: Check failed (non-critical)
Result: More than 2 members of sysadmin role are present.
Issue: Service Accounts
Score: Unable to scan
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent
service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| SQLEXPRESS | MSSQL$SQLEXPRESS | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error: 1212 The format of the specified domain name is invalid. |
Issue: Password Policy
Score: Check failed (critical)
Result: Enable password policy and expiration for the SQL server
accounts.
Issue: SSIS Roles
Score: Check passed
Result: The BUILTIN Admin does not belong to the SSIS roles.
Issue: Sysdtslog
Score: Best practice
Result: Do not create sysdtslogs90 in the Master or MSDB
database. It is recommended to create a seperate logging database.
By the way, I changed to mixed-mode authentication and got the same results, that is, it did not detect that sa and dbtest2 had weak passwords.
I typically would not care about the lack of this feature, but it would now be a nice feature to have for my quarterly compliance test. =) I do the test with osql right now, but I'd rather use MBSA.
June 19th, 2010 1:14am
Hi,
There is a public newsgroup available for MBSA discussion at:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.security.baseline_analyzer
The public newsgroup is a better support pool to assist you.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 23rd, 2010 9:18am
Issue: SQL Server/MSDE Security Mode
Score: Check passed
Result: SQL Server and/or MSDE authentication mode is set to
Windows Only.
Looks to me like even with the SQL users present, the SQL Server instance is set to only Windows logins, so probably no test, therefore.
June 24th, 2010 12:51pm
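As an added example (not from the thread, not MBSA's own logic), this T-SQL script does what the original poster currently does with osql: it first reports the authentication mode the last reply points at, then lists SQL-authenticated logins whose password is blank, equals the login name, or matches a short constructed wordlist, together with the policy/expiration flags behind MBSA's "Password Policy" finding. It assumes SQL Server 2005 or later (sys.sql_logins and PWDCOMPARE), sysadmin rights on the instance, and an instance name of mycomputer\SQLEXPRESS taken from the report.

```sql
-- Added example, not MBSA code. Run as sysadmin on your own instance, e.g.:
--   sqlcmd -S mycomputer\SQLEXPRESS -E -i weak_sql_logins.sql
-- Requires SQL Server 2005+ (sys.sql_logins, PWDCOMPARE).

-- 1. Authentication mode. A value of 1 means Windows Authentication only:
--    SQL logins such as sa cannot connect at all, so their password
--    strength is moot and MBSA has nothing to test.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN 'Windows Authentication only'
            ELSE 'Mixed mode (SQL logins usable)'
       END AS auth_mode;

-- 2. Constructed candidate list of weak passwords; extend with your own
--    wordlist. The blank password is deliberately included.
DECLARE @candidates TABLE (pwd NVARCHAR(128) NOT NULL);
INSERT INTO @candidates (pwd)
VALUES (N''), (N'sa'), (N'password'), (N'Password1'), (N'sql'), (N'admin');

-- 3. Test every SQL-authenticated login. PWDCOMPARE hashes the candidate
--    with the stored salt and returns 1 on a match, so no hash ever
--    leaves the server and no plaintext is recovered.
SELECT l.name,
       CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1    THEN 'BLANK'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'SAME AS LOGIN NAME'
            ELSE 'matches wordlist: ' + c.pwd
       END AS weakness,
       l.is_disabled,
       l.is_policy_checked,     -- 0 = Windows password policy not enforced
       l.is_expiration_checked  -- 0 = no expiration (MBSA "Password Policy")
FROM sys.sql_logins AS l
LEFT JOIN @candidates AS c
       ON PWDCOMPARE(c.pwd, l.password_hash) = 1
WHERE PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
   OR c.pwd IS NOT NULL
ORDER BY l.name;
```

Any login listed should be fixed with ALTER LOGIN ... WITH PASSWORD = '...', CHECK_POLICY = ON, CHECK_EXPIRATION = ON, and sa should be disabled or renamed if mixed mode is not required.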