http://www.vnunet.com/News/1130844 By James Middleton 11-04-2002 Microsoft released the Baseline Security Analyser (MBSA), a free tool which analyses Windows systems for common security misconfigurations, earlier this week. But users have already slammed it as just a GUI version of the software giant's HfNetChk. Since the release last year of Microsoft's command line hot fix network security checker, administrators have clamoured for a release with more functionality. The only alternative to date is a paid-for tool called HFNetChkPro, developed by Microsoft and Shavlik Technologies, which costs $5,000 for a 250-desktop licence. Users are concerned that MBSA misses an opportunity to provide a viable free security tool, and means that users will have to keep paying. Damien Adams, of technical services firm ScienTech, said: "For Microsoft to suggest that users should pay for tools to fix problems in its software is insulting. "Now that Microsoft is pushing security, and is even going to venture into the security market, will we have to pay for patches? A majority of Microsoft's security market exists because of holes in its software." His feelings were echoed by other Microsoft users on the company's Security Focus mailing list who agreed that buying products which have incredible layers of complexity built into their systems, and then being charged for tools to identify and fix inherent problems, is indeed insulting. On a technical level, MBSA was compared to a GUI version of HfNetChk, and is still seen to be lacking the more useful features offered by commercial alternatives. Terry Atkison, of services firm BestNetPC, confirmed that the tool "seems to be a cleaner looking GUI version of HfNetChk. It found a couple of missing hotfixes on one of the machines, and it also scanned for other security vulnerabilities." But another user, Brian Heathfield, said: "Results were quite mixed: on one machine it flagged nearly every fix as not knowing if they were applied." So far, the initial feedback on MBSA has prompted Microsoft customers to flame the company for coming up with nothing more than a way to "further inundate Microsoft admins with information". Microsoft's recent forays into security have been described as a "token effort" and the MBSA has been labelled as nothing more than a port scanner. "How long have such things already been widely available?" asked one user. More information on MBSA can be found here. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 03:24:37 PDT