IMHO "Microsoft Baseline Security Analyzer" has some potential, but a manual security check is to be preferred since the tool ain't that good (yet?). The only thing I liked with it was the report of missing patches; that's a nice feature, except that MBSA reported a missing patch in my system, and the patch reported missing for my system did not exist on M$ web. And MBSA could not verify if my custom policies were secure and reported them as a potential risk. This tool will not today (if ever) replace good knowledge and good sources of information.