Here is a new treat from Microsoft: a "pro" version of their baseline security analyzer. I haven't had time to play with it, but here is the description and link for those who are daring.

As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). Version 1.1.1 of MBSA includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA also scans for missing security updates for Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL, Exchange, IE, and Windows Media Player.


The following features have been added in Version 1.1.1:

Windows Server 2003 detection and scan support:
  Security update detection for all Windows Server 2003 SKUs (Standard, Advanced, Datacenter, Web, and Small Business Server)
  Local and remote scanning

The following features were added in Version 1.1:

Security update detection for the following products:
  Exchange 5.5 and 2000 (including Exchange Admin Tools)
  Windows Media Player 6.4 and above
Full support of HFNetChk v3.81 switches in MBSA CLI interface
Support for Software Update Services (SUS) 1.0
Compatibility with SMS 2.0 Software Update Services Feature Pack
New default mode for security update checks:
  MBSA GUI scan (mbsa.exe) uses -baseline, -v, and -nosum by default. (-baseline scans for updates marked as critical security updates on Windows Update, -v provides additional details on each missing update, and -nosum does not perform checksum checks)
  MBSA command-line scan (mbsacli.exe) uses -sum by default to perform checksum checks.
  HFNetChk-style scan (via mbsacli.exe /hf) uses -sum by default to perform checksum checks.
Support for scanning multiple SQL Server instances
Version checking (If a newer version of the XML file is available than what was used to generate a report, the user will be notified of this in the report header. If a newer major version of the MBSA tool is available, the scan will not proceed and the user will get an appropriate message on the errors screen)