A lot of junior Windows admins think that the Microsoft Baseline Security Analyzer (MBSA) is sufficient to test the security of IIS websites. MBSA is a stock pack in Microsoft Operations Manager, and apparently will be unavailable for System Center Operations Manager 2007, which is fine by me.

Use nikto instead. Really. Windows guy? Download nikto (it's a Perl script plus some requisite modules), and run it against one of your sites. I would imagine most of the McLinux distros available have a package for it. UNIX guy? Download nikto and run it.