Microsoft’s Security Analyzer was once a decent tool that administrators could use to scan their systems and check for basic best practice settings. Since being discontinued, there’s been a hole that some admins are still looking to fill with a reliable security tool.
If you’re looking for a replacement, check our list of the top six alternatives to the Microsoft Baseline Security Analyzer (MBSA).
- SolarWinds Network Security Tools with Engineer’s Toolset (FREE TRIAL) An excellent set of tools designed specifically for network administrators and MSPs. The security tools in this bundle cover patching, network security, and real-time monitoring. Start a 14-day free trial.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL) This package provides vulnerability scanning and then helps fix discord problems with tools that include a patch manager. Available for Windows Server. Start a 30-day free trial.
- Paessler PRTG Network Monitor (FREE TRIAL) Provides flexibility with sensors designed to scan any port or protocol. Start a 30-day free trial.
- Intruder A cloud-based network scanner whose goal is to make security simple and hands-off.
- OpenVAS. A powerful open-source scanner that’s backed by a large, active community.
- Nexpose. Offers quality network scanning, with full integration for the Metasploit framework.
The Engineer’s Toolset is an administrator’s best friend and contains an entire suite of tools that can help you monitor your network, manage devices, and implement security measures. With that being said we’ll focus on just how useful the network security tools are for replacing Microsoft Baseline Security Analyzer.
Patch Manager is your one-stop-shop for managing Microsoft Windows updates, as well as keeping your third-party programs up to date. If you’ve used WSUS for patch management, you’ve likely experienced its shortcomings and run into plenty of limitations. Patch Manager was designed to fill that void by providing an intuitive patching dashboard, compliance reporting, and an array of pretested patching packages.
For real-time monitoring, Security Event Manager keeps sysadmins up to speed with all security-related events across the network. Security Event Manager features an easy to read dashboard that gives you a top-down view of outstanding issues at a glance. One of my favorite parts of this tool is its automated threat detection and response.
During configuration, you can set specific events or thresholds to trigger actions such as disabling a user account, removing permissions, or executing a custom script. This, of course, requires a bit of time to set up and test but eliminates the last minute panic when a security breach occurs.
Security Event Manager goes above and beyond what MBSA could ever do by providing a forensic breakdown of file monitoring and added elements of intrusion detection. Also, the tool kit comes with a tool you might not expect, an SNMP dictionary attack tool. Use this tool to simulate attacks on network devices to find flaws in your own security or weak passwords set by end-users. SolarWinds has compiled some of the most commonly used dictionaries for you to use out of the box but also allows for you to import your own, or even customize an existing dictionary.
All of these security tools plus more are conveniently bundled in the Engineer’s Toolset. You can test out any of these tools completely free for 14 days.
ManageEngine Vulnerability Manager Plus is an on-premises package that will watch over devices running Windows, Linux, and macOS. The tool starts off by tracking all of the endpoints connected to your network and logging them in an inventory. That inventory discovery cycle continues repeatedly so all new devices get included in the list automatically. The service then scans each device for vulnerabilities.
- Vulnerability scanning
- Asset discovery
- Patch management
- Compliance reporting
- Spots misconfigurations
As well as detecting security issues, ManageEngine Vulnerability Manager Plus helps you update your system to shut down the weaknesses that it discovers. The main causes of security loopholes lie with device settings that provide opportunities for hackers to get into your system and move around undetected and also out-of-date software.
The vulnerability scans identify high-risk software and also encourage you to create a manifest of authorized software. With that series of profiles in place, you can better manage onboarding and the vulnerability scanner will keep a lookout for unauthorized software packages installed by users or infiltrated by malware.
System hardening strategies include recommendations for configuration changes and tips on how to block types of activities that could present a threat. The package also includes a patch manager that will automatically seek out the current updates for all of the software that your endpoints are running.
The patch manager should be set up with a calendar that provides maintenance windows. With that in place, the tool will start applying patches automatically at the next available window. This service is able to identify patch dependencies, which enables it to launch patches in the right order. The system is also able to reboot each device after updates where necessary.
All of the discoveries of the Vulnerability Manager Plus system are documented and so are the actions that the system implements to remediate threats. This body of logs is important for compliance reporting and the reporting engine in the package will order, summarize, and format that data in a suitable layout for whichever standard you are complying with.
- A high degree of automation in discovering hardware and software
- Recommendations for procedural standardization
- Manages devices running Linux, macOS, and Windows
- Can patch more than 500 third-party applications
- Not a SaaS package
ManageEngine Vulnerability Manager Plus installs on Windows Server. It is a very comprehensive package that you might think is only suitable for large organizations. However, ManageEngine produces a free edition that includes all of the utilities of the paid system but is limited to working with 25 endpoints. That free system is very appealing for small businesses. The paid plans are the Professional Edition for a single network and the Enterprise Edition for multi-site systems. You can get the Professional Edition on a 30-day free trial.
If you’re looking for more flexibility with pricing and deployment, PRTG Network Monitor offers to monitor on a per sensor basis. For example, setting a monitor to listen for port traffic would count as one sensor. With PRTG you only pay for the sensors you use, giving you more granular control over what features you use, versus what you pay for.
Paessler takes a holistic approach by giving you the freedom to monitor many different types of protocols and traffic. If it exists, you can monitor it with PRTG. If you have very specific areas of security you’re looking to monitor, this makes PRTG an ideal solution.
In addition to monitoring, there are plenty of built-in mechanisms for notifications such as HTTP requests, push notifications, and email to keep you or your team in the loop on network and security events. Dependency settings help you dial down alerts to avoid flooding your ticketing system, while the scheduling section allows you to only let through critical alerts after hours.
If you’re looking to replace Microsoft Baseline Security Analyzer and also have some areas of your network that still need to be monitored, PRTGs broad scope of capabilities make it a great choice for any sized network. You can test out all of PRTG’s features with a free 30-day trial.
Intruder is an entirely cloud-based scanner that is designed to find weaknesses and vulnerabilities in your network before the hackers do. Intruder utilizes similar external scanning that financial institutions use to ensure PCI compliance, and that best practices are being met. While Intruder isn’t reinventing the wheel, it does a good job delivering you actionable reports on areas of weakness prioritized by the level of impact it could have on your network.
When a threat or missing patch is found, you can receive an alert to be notified as soon as it’s found. Alerts are also integrated into Slack and Jira, making this an ideal tool if your team works with one of those apps.
Intruder is definitely marketed towards those who aren’t tech-savvy and lacks the ability for you to customize attack vectors, ports, or any of the fine details most tools allow for. If you’re looking for the most hands-off approach to threat prevention and monitoring, Intruder is a solid option. Of course, all of this convenience comes at a price. The base monthly fee starts at $101 when billed annually.
OpenVAS is an open-source and completely free vulnerability scanner that was first published in 2009. Much of the power behind OpenVAS comes from the community where you’ll find more than 50,000 different types of vulnerability tests you can run through the software.
The flexibility and power of OpenVAS are only limited to your imagination and skillset. With that being said, as with most open-source products your support will be limited to the community forums, and what you can piece together across Google searches.
While not much about OpenVAS is plug and play, you’ll find yourself with a rudimentary dashboard displaying the number of tasks you have running. Also, your CVEs that are created over time, and a pie chart view of the number of current threats found based on severity.
Once a scan is finished, you’ll have the chance to view what was found under the results tab. Here you’ll see a list of the type of vulnerabilities that were found, what their severity rating is, and the corresponding port number and service that encompasses it.
Drilling down into the results you’ll be given a fairly technical summary of how the attack was carried out and how your system reacted to that attack. Below this, the scan provides the next steps to mitigate this type of attack. Sometimes this is as easy as changing a password, other times it can involve numerous steps. I was pleasantly surprised by the level of detail provided in this section.
Although there are a vast amount of documentation and use case examples in the Knowledge Base, I found there is still a fairly steep learning curve for utilizing OpenVAS to its full potential.
The level of customization you apply to OpenVAS is extremely high given the fact the entire tool itself is open source. You might find this ideal if you’re looking to scan very specific ports and protocols on custom applications or other non-conventional programs.
For most corporate environments, OpenVAS will likely be too much to learn and take too long to be worth the effort. But for those who are on a budget and have the time and dedication to really learn OpenVAS, this could be the alternative to Microsoft Baseline Security Analyzer you’ve been looking for.
Nexpose is an on-premises security scanner developed by Rapid7, the same company that developed the popular offensive security tool Metasploit. One feature that sets Nexpose apart from the other tools is its Real Risk Score system.
Nexpose finds and scores threats on a 1-10 scale taking into account the vulnerability’s age, number of public exploits that are available, and the chance that an attack would actually be successful. This level of insight gives you a quantitative look at just how you should prioritize your patching and threat mitigation.
On the active side of your network, Nexpose can be configured to immediately detect new devices on your network and scan them. Rather than relying on infrequent data dumps and definition updates, Nexpose’s ‘Adaptive Security” taps into its Sonar Project to find and compare your results to some of those latest threat discoveries.
In addition to basic network scanning, you can also configure Nexpose on a policy level to help your network stay compliant with standards like PCI, NIST, and CIS. These policy templates come preconfigured and only need to be launched to run. When the scan is complete, a report gives you step by step instructions on what needs to be done starting with the actions that will make the biggest difference in terms of compliance.
Since this tool was created by the same team that worked on Metasploit, you can expect a full-on integration with the Metasploit framework. While this integration may be more than what most companies need, it makes a perfect pair for admins who are looking to simulate a breach and play on the offensive side to test their network.
Lastly, all of this data is compiled in a remediation report that’s pre-designed to be ready to hand off to executives and other individuals that just need a high-level overview of the results. The report does a great job of staying simple, yet informative. A large letter grade is marked in the top left-hand corner to give an immediate indication of your network’s standing.
You can test out all of the features Nexpose has to offer free for a full 30-days.
Choosing a MBSA Alternative
It’s clear that Microsoft Baseline Security Analyzer is outdated and doesn’t fit most organizations’ needs anymore. While we’ve listed the best alternatives to MBSA, we’ve found a few tools that work especially well depending on your company’s size and requirements.
Managed service providers and most medium-sized businesses will greatly benefit from SolarWinds Engineer’s Toolset and ManageEngine Vulnerability Manager Plus. Not only will these tools replace the functionality of MBSA, but they’ll also provide even further protection through streamlined automation and solutions you can implement right out of the box.
For businesses that have more time than money, OpenVAS is a free and open-source scanner that can be configured in almost an unlimited number of ways. Just make sure you have the time to invest in mastering it, as there is little to no support beyond the community.
So what’s your favorite alternative to MBSA? Be sure to let us know your favorite tool in the comments below.