21 Check Servers for Applied Patches





Check Servers for Applied Patches

figs/moderate.gif figs/hack21.gif

Make sure your Windows servers have the latest patches installed.

Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult on Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. Nevertheless, before you even attempt to update your systems, you need to know which updates have been applied to each system; otherwise, you might waste time and effort updating systems that don't need it. Clearly, this problem gets more difficult as the number of systems that need to be managed increases. We can avoid much of the extra work of manually updating systems by using the HFNetChk tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft's Baseline Security Analyzer (http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi) and is available through its command-line interface, mbsacli.exe.

Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won't actually bring the system up-to-date), it is still an invaluable timesaving tool.

HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the registry keys modified by each update. Additional dependency information is also included. When scanning a system, HFNetChk will first scan the registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these registry keys are missing or do not match what is contained in the XML file, it will flag the update as not having been installed. If the registry key for an update is present and matches the information in the XML file, HFNetChk will then attempt to verify whether the files specified in the update information are present on the system and whether their version and checksum matches. If any of the checks fail, the update will be flagged. All flagged updates are then displayed in a report, along with a reference to the Microsoft Knowledge Base article with more information on the specific update.

To get HFNetChk installed on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer is the default).

To check the update status of the local system, run this command:

C:\> Program Files\Microsoft Baseline Security Analyzer> mbsacli /hf

Microsoft Baseline Security Analyzer

Version 1.1.1

Powered by HFNetChk Technology - Version 3.82.0.1

Copyright (C) Shavlik Technologies, 2001-2003

Developed for Microsoft by Shavlik Technologies, LLC

[email protected] (www.shavlik.com)





Please use the -v switch to view details for

Patch NOT Found, Warning and Note messages





Attempting to get cab from http://go.microsoft.com/fwlink/?LinkId=16932





XML successfully loaded.





Scanning PLUNDER

.............................

Done scanning PLUNDER

----------------------------

PLUNDER(192.168.0.65)

----------------------------



        * WINDOWS XP SP1



        Note            MS02-008        317244

        Warning         MS02-055        323255

        Note            MS03-008        814078

        Note            MS03-030        819696

        Patch NOT Found MS03-041        823182

        Patch NOT Found MS03-044        825119

        Patch NOT Found MS03-045        824141

        Patch NOT Found MS03-049        828035

        Note            MS03-051        813360



        * INTERNET EXPLORER 6 SP1



        Patch NOT Found MS03-048        824145



        * WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1



        Information

        All necessary hotfixes have been applied.

The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.

If you want more information on why a particular check failed, you can run the command with the -v (verbose) switch. Here are the results of the previous command, but this time with the verbose switch:

Scanning PLUNDER

.............................

Done scanning PLUNDER

----------------------------

PLUNDER(192.168.0.65)

----------------------------



        * WINDOWS XP SP1



        Note            MS02-008        317244

        Please refer to Q306460 for a detailed explanation.



        Warning         MS02-055        323255

        File C:\WINDOWS\system32\hhctrl.ocx has a file

        version [5.2.3735.0] greater than what is expected [5.2.3669.0].



        Note            MS03-008        814078

        Please refer to Q306460 for a detailed explanation.



        Note            MS03-030        819696

        Please refer to Q306460 for a detailed explanation.



        Patch NOT Found MS03-041        823182

        File C:\WINDOWS\system32\cryptui.dll has a file

        version [5.131.2600.1106] that is less than what is expected

        [5.131.2600.1243].



        Patch NOT Found MS03-044        825119

        File C:\WINDOWS\system32\itircl.dll has a file

        version [5.2.3644.0] that is less than what is expected

        [5.2.3790.80].



        Patch NOT Found MS03-045        824141

        File C:\WINDOWS\system32\user32.dll has a file

        version [5.1.2600.1134] that is less than what is expected

        [5.1.2600.1255].



        Patch NOT Found MS03-049        828035

        File C:\WINDOWS\system32\msgsvc.dll has a file

        version [5.1.2600.0] that is less than what is expected

        [5.1.2600.1309].

    

        Note            MS03-051        813360

        Please refer to Q306460 for a detailed explanation.





        * INTERNET EXPLORER 6 SP1



        Patch NOT Found MS03-048        824145

        The registry key **SOFTWARE\Microsoft\Internet Explorer\ActiveX

        Compatibility\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}** does not

        exist.  It is required for this patch to be considered installed.







        * WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1



        Information

        All necessary hotfixes have been applied.

After applying the listed updates, you should see something like this:

Scanning PLUNDER

.............................

Done scanning PLUNDER

----------------------------

PLUNDER(192.168.0.65)

----------------------------



        * WINDOWS XP SP1



        Information

        All necessary hotfixes have been applied.



        * INTERNET EXPLORER 6 SP1



        Information

        All necessary hotfixes have been applied.



        * WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1



        Information

        All necessary hotfixes have been applied.

When scanning the local system, Administrator privileges are needed. If you wish to scan a remote machine, you will need Administrator privileges on it. There are several ways to scan remote machines. To scan a single remote system, a NetBIOS name can be specified with the -h switch. Likewise, an IP address can be specified with the -i switch.

For example, to scan the machine PLUNDER from another machine, either of these two commands can be used:

mbsacli /hf -h PLUNDER

mbsacli /hf -i 192.168.0.65

You can also scan a handful of additional systems by listing them on the command line with commas separating each NetBIOS name or IP address.

Note that, in addition to having Administrator privileges on the remote machine, you must also ensure that you have not disabled the default shares [Hack #27] . If the default administrative shares have been disabled, then HFNetChk will not be able to check for the proper files on the remote system and, consequently, will not be able to determine whether an update was applied.

If you wish to scan a group of systems, there are several options for this as well. Using the -fh option, you can specify a file containing up to 256 NetBIOS hostnames (one on each line) that will be scanned. You can do the same thing with IP addresses, using the -fip option. Ranges of IP addresses may also be specified by using the -r option.

For example, you could run a command like this to scan from 192.168.1.23 to 192.168.1.172:

mbsacli /hf -r 192.168.1.123 - 192.168.1.172

All of these options are very flexible, and you can use them in any combination to specify which remote systems will be scanned.

In addition to specifying remote systems by NetBIOS name and IP address, you can also scan systems by domain name by using the -d option, or you can scan your entire local network segment by using the -n command-line option.

When scanning systems from a personal workstation, the -u and -p options can prove useful. These allow you to specify a username and password to use when accessing the remote systems. These switches are particularly handy if you don't normally log in using the Administrator account. The account that is specified with the -u option will of course need to have Administrator privileges on the remote machines being scanned.

Also, if you're scanning a large number of systems, you might want to use the -t option. This allows you to specify the number of threads used by the scanner, and increasing this value generally will speed up scanning. Valid values are from 1 to 128; the default value is 64.

If you are scanning more than one machine, a huge amount of data will simply be dumped to the screen. Use the -f option to specify a file to store the results of the scan in, and view it at your leisure using a text editor.

HFNetChk is a very flexible tool and can be used to check the update status of a large number of machines in a very short amount of time. It is especially useful when a new worm has come onto the scene and you need to know if all of your systems are up-to-date on their patches.

See Also


     Python   SQL   Java   php   Perl 
     game development   web development   internet   *nix   graphics   hardware 
     telecommunications   C++ 
     Flash   Active Directory   Windows