April 25, 2011, 4:24 p.m.
posted by unixgeek
Check Servers for Applied Patches
Make sure your Windows servers have the latest patches installed.
Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult with Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. In any case, before you even attempt to update your systems, you need to know which updates have been applied to each one; otherwise, you might waste time and effort updating systems that don't need it.
Clearly, this problem gets more difficult as the number of systems that need to be managed increases. You can avoid much of the extra work of manually updating systems by using the HFNetChk tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft's Baseline Security Analyzer (http://www.microsoft.com/technet/security/tools/mbsa1/default.mspx) and is available through its command-line interface, mbsacli.exe.
Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won't actually bring the system up-to-date), it is still an invaluable timesaving tool.
HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the Registry keys modified by each update. Additional dependency information is also included.
When scanning a system, HFNetChk first scans the Registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these Registry keys are missing or do not match what is contained in the XML file, it flags the update as not having been installed. If the Registry key for an update is present and matches the information in the XML file, HFNetChk then attempts to verify whether the files specified in the update information are present on the system and whether their versions and checksums match.
If any of these checks fail, HFNetChk flags the update. All flagged updates are then listed in a report, along with a reference to the Microsoft Knowledge Base article that gives more information on the specific update.
To install HFNetChk on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer is the default).
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)
(C) Copyright 2002-2004 Microsoft Corporation. All rights reserved.
HFNetChk developed for Microsoft Corporation by Shavlik Technologies, LLC.
(C) Copyright 2002-2004 Shavlik Technologies, LLC. www.shavlik.com

Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages

Scanning BLACKBIRD
Attempting to get CAB from http://go.microsoft.com/fwlink/?LinkId=18922
XML successfully loaded.

Done scanning BLACKBIRD

----------------------------
BLACKBIRD (192.168.0.67)
----------------------------

* WINDOWS XP PROFESSIONAL SP2

Note             MS05-009   887472
Patch NOT Found  MS06-021   916281
Patch NOT Found  MS06-022   918439
Patch NOT Found  MS06-025   911280
Patch NOT Found  MS06-032   917953
The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.
If you want more information on why a particular check failed, you can run the command with the -v (verbose) switch. Here are the results of the previous command, this time with the verbose switch:
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /hf -v
Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)
(C) Copyright 2002-2004 Microsoft Corporation. All rights reserved.
HFNetChk developed for Microsoft Corporation by Shavlik Technologies, LLC.
(C) Copyright 2002-2004 Shavlik Technologies, LLC. www.shavlik.com

Scanning BLACKBIRD
Attempting to get CAB from http://go.microsoft.com/fwlink/?LinkId=18922
XML successfully loaded.

Done scanning BLACKBIRD

----------------------------
BLACKBIRD (192.168.0.67)
----------------------------

* WINDOWS XP PROFESSIONAL SP2

Note             MS05-009   887472
Please refer to 306460 for a detailed explanation.

Patch NOT Found  MS06-021   916281
File version is less than expected.
[C:\WINDOWS\system32\browseui.dll, 6.0.2900.2861 < 6.0.2900.2904]

Patch NOT Found  MS06-022   918439
File version is less than expected.
[C:\WINDOWS\system32\jgdw400.dll, 220.127.116.11 < 18.104.22.168]

Patch NOT Found  MS06-025   911280
File version is less than expected.
[C:\WINDOWS\system32\rasmans.dll, 5.1.2600.2180 < 5.1.2600.2908]

Patch NOT Found  MS06-032   917953
File version is less than expected.
[C:\WINDOWS\system32\drivers\tcpip.sys, 5.1.2600.2827 < 5.1.2600.2892]
After applying the listed updates, you should see something like this:
Scanning BLACKBIRD
.............................
Done scanning BLACKBIRD

----------------------------
PLUNDER (192.168.0.67)
----------------------------

* WINDOWS XP PROFESSIONAL SP2

Information
All necessary hotfixes have been applied.
You need Administrator privileges to scan the local system. Likewise, to scan a remote machine, you will need Administrator privileges on that machine. There are several ways to scan remote machines. To scan a single remote system, you can specify a NetBIOS name with the -h switch or an IP address with the -i switch.
For example, to scan the machine PLUNDER from another machine, use either of these two commands:
mbsacli /hf -h PLUNDER
mbsacli /hf -i 192.168.0.65
You can also scan a handful of additional systems by listing them on the command line, with commas separating each NetBIOS name or IP address.
Note that, in addition to having Administrator privileges on the remote machine, you must also ensure that you have not disabled the default shares [Hack #32]. If the default administrative shares have been disabled, HFNetChk will not be able to check for the proper files on the remote system and, consequently, will not be able to determine whether an update was applied.
If you want to scan a large group of systems, you have several options. Using the -fh option, you can specify a file containing up to 256 NetBIOS hostnames (one on each line) to be scanned. You can do the same thing with IP addresses, using the -fip option. You can also specify ranges of IP addresses by using the -r option.
For example, you could run a command like this to scan systems with IP addresses in the range 192.168.1.23 to 192.168.1.172:
mbsacli /hf -r 192.168.1.123 - 192.168.1.172
All of these options are very flexible, and you can use them in any combination to specify which remote systems will be scanned.
In addition to specifying remote systems by NetBIOS name and IP address, you can scan systems by domain name by using the -d option, or you can scan your entire local network segment by using the -n command-line option.
When scanning systems from a personal workstation, the -u and -p options can prove useful. These allow you to specify a username and password to use when accessing the remote systems. These switches are particularly handy if you don't normally log in using the Administrator account. (The account that is specified with the -u option will, of course, need to have Administrator privileges on the remote machines being scanned.)
Also, if you're scanning a large number of systems, you might want to use the -t option. This allows you to specify the number of threads used by the scanner, and increasing this value generally speeds up scanning. Valid values are from 1 to 128; the default value is 64.
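Because -fh and -fip each accept a file of at most 256 entries, a larger inventory has to be split into several files, and NetBIOS names must not be mixed into an -fip file or addresses into an -fh file. The following Python script is an added example, not part of the original hack and not something MBSA ships: it sorts a mixed inventory into the two kinds, drops blanks and duplicates, splits each kind into files of at most 256 lines, and produces the mbsacli /hf command line for each file. Switches such as -u, -p and -t are passed through unchanged; the file naming scheme and the function names are this example's own.

```python
import ipaddress
from pathlib import Path

MAX_ENTRIES = 256   # the per-file limit the text gives for -fh and -fip


def is_ip(entry):
    """True for a dotted IPv4 address (belongs in a -fip file); anything else
    is treated as a NetBIOS name (belongs in a -fh file)."""
    try:
        ipaddress.IPv4Address(entry)
        return True
    except ValueError:
        return False


def plan_batches(entries, prefix="scan", limit=MAX_ENTRIES):
    """Split an inventory into (filename, option, entries) triples, each file
    holding at most `limit` lines. Blank lines and duplicates are dropped, and
    names and addresses go to separate files because -fh and -fip expect
    different contents. The file naming scheme is this example's own."""
    seen, names, ips = set(), [], []
    for entry in (e.strip() for e in entries):
        if entry and entry not in seen:
            seen.add(entry)
            (ips if is_ip(entry) else names).append(entry)
    plan = []
    for option, items in (("-fh", names), ("-fip", ips)):
        for start in range(0, len(items), limit):
            fname = f"{prefix}-{option[1:]}-{start // limit + 1:02d}.txt"
            plan.append((fname, option, items[start:start + limit]))
    return plan


def commands(plan, extra=""):
    """One mbsacli /hf command line per batch file; further switches such as
    "-u user -p password -t 128" are appended verbatim from `extra`."""
    return [f"mbsacli /hf {option} {fname} {extra}".strip() for fname, option, _ in plan]


def write_plan(plan, directory):
    """Write each batch file, one entry per line, and return the paths written."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    paths = []
    for fname, _, items in plan:
        path = directory / fname
        path.write_text("\n".join(items) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Constructed inventory: 300 workstation names and a few addresses,
    # including one duplicate and one blank entry.
    inventory = [f"WS{i:03d}" for i in range(300)] + ["192.168.0.65", "192.168.0.67", "192.168.0.65", ""]
    for line in commands(plan_batches(inventory), "-t 128"):
        print(line)
```

Run as shown, the constructed inventory yields two -fh files (256 and 44 names) and one -fip file (2 addresses), each with its own command line; call write_plan() to materialize the files before running them.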
If you are scanning more than one machine, a huge amount of data will simply be dumped to the screen. Use the -f option to specify a file to store the results of the scan in, and view it at your leisure using a text editor.
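A report saved with -f is plain text in the per-host layout shown earlier, so it can be post-processed instead of read by eye. The following Python script is an added example, not part of the original hack and not part of MBSA: it parses each host block (status, bulletin, Knowledge Base number, and with -v the file path, found version and expected version), compares versions component-wise as integers, which is what the file check described above requires, and answers the two questions an administrator asks of a large scan: what is each host missing, and which hosts are missing a given bulletin. The line layout of the embedded sample is reconstructed from the output shown on this page; PLUNDER's fully patched block and all function and field names are this example's own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^(\S+)\s*\((\d{1,3}(?:\.\d{1,3}){3})\)$")      # "BLACKBIRD (192.168.0.67)"
STATUS_RE = re.compile(r"^(Patch NOT Found|Warning|Note|Information)\s+(MS\d{2}-\d{3})\s+(\d+)$")
FILEVER_RE = re.compile(r"^\[(.+?),\s*([\d.]+)\s*<\s*([\d.]+)\]$")   # "[path, found < expected]"


@dataclass
class Finding:          # one row of a host's table, plus its -v detail if present
    status: str         # "Patch NOT Found", "Note" or "Warning"
    bulletin: str       # security bulletin id, e.g. MS06-021
    kb: str             # Knowledge Base article number
    reason: str = ""    # verbose explanation
    path: str = ""      # file that failed the version check
    found: str = ""     # version present on the host
    expected: str = ""  # version the update installs


@dataclass
class Host:
    name: str
    ip: str
    os: str = ""
    findings: list = field(default_factory=list)
    notes: list = field(default_factory=list)   # "Information" messages


def parse_report(text):
    """Turn the text of an mbsacli /hf [-v] run into a list of Host records."""
    hosts, host, finding, info_pending = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if (m := HOST_RE.match(line)):
            host = Host(m.group(1), m.group(2))
            hosts.append(host)
            finding, info_pending = None, False
        elif host is None:              # banner and progress text before the first host block
            continue
        elif line.startswith("* "):
            host.os = line[2:].strip()
        elif (m := STATUS_RE.match(line)):
            finding = Finding(*m.groups())
            host.findings.append(finding)
        elif line.startswith("Information"):
            rest = line[len("Information"):].strip()
            info_pending, finding = not rest, None
            if rest:
                host.notes.append(rest)
        elif info_pending:              # message on the line after a bare "Information"
            host.notes.append(line)
            info_pending = False
        elif (m := FILEVER_RE.match(line)) and finding is not None:
            finding.path, finding.found, finding.expected = m.groups()
        elif finding is not None:       # any other text is the verbose reason
            finding.reason = (finding.reason + " " + line).strip()
    return hosts


def version_is_older(found, expected):
    """Numeric, component-wise comparison; as strings "5.1.2600.999" would sort above "5.1.2600.2180"."""
    a, b = ([int(p) for p in v.split(".")] for v in (found, expected))
    width = max(len(a), len(b))         # pad shorter versions with zeros
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def missing_per_host(hosts):
    """{host name: [bulletins reported as Patch NOT Found]}"""
    return {h.name: [f.bulletin for f in h.findings if f.status == "Patch NOT Found"]
            for h in hosts}


def hosts_per_bulletin(hosts):
    """Invert the report: {bulletin: [hosts on which it was not found]}."""
    out = defaultdict(list)
    for name, bulletins in missing_per_host(hosts).items():
        for b in bulletins:
            out[b].append(name)
    return dict(out)


# Constructed sample in the layout of a saved -v report: BLACKBIRD's rows come
# from the output shown above; PLUNDER's fully patched block is made up.
SAMPLE_REPORT = r"""
Scanning BLACKBIRD
----------------------------
  BLACKBIRD (192.168.0.67)
----------------------------
      * WINDOWS XP PROFESSIONAL SP2
Note            MS05-009        887472
Please refer to 306460 for a detailed explanation.
Patch NOT Found MS06-021        916281
File version is less than expected.
[C:\WINDOWS\system32\browseui.dll, 6.0.2900.2861 < 6.0.2900.2904]
Patch NOT Found MS06-025        911280
File version is less than expected.
[C:\WINDOWS\system32\rasmans.dll, 5.1.2600.2180 < 5.1.2600.2908]
----------------------------
  PLUNDER (192.168.0.65)
----------------------------
      * WINDOWS XP PROFESSIONAL SP2
Information
All necessary hotfixes have been applied.
"""
```

To use it on a real scan, read the file written with -f and pass its contents to parse_report(); hosts_per_bulletin() then gives the list of machines to visit for each bulletin. The parser keys on the dashed host header, the status rows and the bracketed file detail, so incidental banner lines are ignored; version_is_older() exists because a string comparison of version numbers gives the wrong answer as soon as a component has a different number of digits.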
HFNetChk is a flexible tool and can be used to check the update statuses of a large number of machines in a very short amount of time. It is especially useful when a new worm has come onto the scene and you need to know if all of your systems are up-to-date on their patches.