Network Security Hacks [Electronic resources] - text version


Andrew Lockhart

Hack 21 Check Servers for Applied Patches



Make sure your Windows servers have the latest
patches installed.


Keeping a network
of systems patched and up-to-date is hard enough in Unix, but it can
be even more difficult on Windows systems. A lack of robust built-in
scripting and remote access capabilities makes Windows unsuitable for
automation. Nevertheless, before you even attempt to update your
systems, you need to know which updates have been applied to each
system; otherwise, you might waste time and effort updating systems
that don't need it. Clearly, this problem gets more
difficult as the number of systems that need to be managed increases.
We can avoid much of the extra work of manually updating systems by
using the HFNetChk tool, which was originally a
standalone program from Shavlik Technologies. It is now a part of
Microsoft's Baseline
Security Analyzer (http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi)
and is available through its command-line interface,
mbsacli.exe.


Not only can HFNetChk remotely check the status
of Windows Server 2003 and Windows XP/2000/NT, but it can also check
whether critical updates for IIS, SQL Server, Exchange Server, Media
Player, and Internet Explorer have been applied. Although it can only
check the update status of a system (and won't
actually bring the system up-to-date), it is still an invaluable
timesaving tool.


HFNetChk works by downloading a signed and
compressed XML file from Microsoft that contains information on all
currently available updates. This information includes checksums and
versions of files covered by each update, as well as the registry
keys modified by each update. Additional dependency information is
also included. When scanning a system, HFNetChk
will first scan the registry for the keys that are
associated with the most current set of updates available for the
current system configuration. If any of these registry keys are
missing or do not match what is contained in the XML file, it will
flag the update as not having been installed. If the registry key for
an update is present and matches the information in the XML file,
HFNetChk will then attempt to verify whether the
files specified in the update information are present on the system
and whether their version and checksum match. If any of the checks
fail, the update will be flagged. All flagged updates are then
displayed in a report, along with a reference to the Microsoft
Knowledge Base article with more information on the specific update.
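
The check order described above can be modeled in a few lines. This is an added example, not HFNetChk's own code: the dictionary layout standing in for the XML file, the function names, and the "Installed" label are assumptions, the checksum comparison is left out, and the file versions and registry key are the ones shown in the verbose output later in this hack.

```python
# Model of the check order described in the text; not HFNetChk's actual code.
def parse_version(text):
    """'5.131.2600.1106' -> (5, 131, 2600, 1106) so fields compare numerically."""
    return tuple(int(part) for part in text.split("."))

def check_update(update, registry_keys, file_versions):
    """Return (status, reason) for one update against one system's state."""
    # Step 1: every registry key listed for the update must exist.
    for key in update.get("registry_keys", []):
        if key not in registry_keys:
            return "Patch NOT Found", f"registry key {key} does not exist"
    # Step 2: every listed file must be present at the expected version.
    for path, expected in update.get("files", {}).items():
        found = file_versions.get(path)
        if found is None:
            return "Patch NOT Found", f"{path} is missing"
        if parse_version(found) < parse_version(expected):
            return "Patch NOT Found", f"{path} [{found}] is less than [{expected}]"
        if parse_version(found) > parse_version(expected):
            return "Warning", f"{path} [{found}] is greater than [{expected}]"
    return "Installed", "registry and files match"  # label chosen for this example

# Expected values come from the verbose output on this page; the dict layout
# is a constructed stand-in for the contents of the XML file.
UPDATES = {
    "MS02-055": {"files": {r"C:\WINDOWS\system32\hhctrl.ocx": "5.2.3669.0"}},
    "MS03-041": {"files": {r"C:\WINDOWS\system32\cryptui.dll": "5.131.2600.1243"}},
    "MS03-048": {"registry_keys": [
        r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
        r"\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}"]},
}
# File versions found on the scanned host, as reported in the verbose output.
FILE_VERSIONS = {
    r"C:\WINDOWS\system32\hhctrl.ocx": "5.2.3735.0",
    r"C:\WINDOWS\system32\cryptui.dll": "5.131.2600.1106",
}

def scan(updates, registry_keys, file_versions):
    """Map each update name to its status for one system."""
    return {name: check_update(u, registry_keys, file_versions)[0]
            for name, u in updates.items()}
```

Versions are compared field by field as integers because a plain string comparison would rank 5.2.900.0 above 5.2.3644.0.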


To get HFNetChk installed on your system, you
first need to download and install the Microsoft Baseline Security
Analyzer. To run HFNetChk, open a command prompt
and change to the directory that was created during the install
(C:\Program Files\Microsoft Baseline Security
Analyzer is the default).


To check the update status of the local system, run this command:


C:\Program Files\Microsoft Baseline Security Analyzer> mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.1.1
Powered by HFNetChk Technology - Version 3.82.0.1
Copyright (C) Shavlik Technologies, 2001-2003
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)
Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages
Attempting to get cab from http://go.microsoft.com/fwlink/?LinkId=16932
XML successfully loaded.
Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Warning MS02-055 323255
Note MS03-008 814078
Note MS03-030 819696
Patch NOT Found MS03-041 823182
Patch NOT Found MS03-044 825119
Patch NOT Found MS03-045 824141
Patch NOT Found MS03-049 828035
Note MS03-051 813360
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.


The first column tells why the check for a particular update failed.
The second column shows which update failed the check, and the third
column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number
that you can refer to for more information on the issue fixed by that
particular update.


If you want more information on why a particular check failed, you
can run the command with the -v (verbose) switch.
Here are the results of the previous command, but this time with the
verbose switch:


Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Please refer to Q306460 for a detailed explanation.
Warning MS02-055 323255
File C:\WINDOWS\system32\hhctrl.ocx has a file
version [5.2.3735.0] greater than what is expected [5.2.3669.0].
Note MS03-008 814078
Please refer to Q306460 for a detailed explanation.
Note MS03-030 819696
Please refer to Q306460 for a detailed explanation.
Patch NOT Found MS03-041 823182
File C:\WINDOWS\system32\cryptui.dll has a file
version [5.131.2600.1106] that is less than what is expected
[5.131.2600.1243].
Patch NOT Found MS03-044 825119
File C:\WINDOWS\system32\itircl.dll has a file
version [5.2.3644.0] that is less than what is expected
[5.2.3790.80].
Patch NOT Found MS03-045 824141
File C:\WINDOWS\system32\user32.dll has a file
version [5.1.2600.1134] that is less than what is expected
[5.1.2600.1255].
Patch NOT Found MS03-049 828035
File C:\WINDOWS\system32\msgsvc.dll has a file
version [5.1.2600.0] that is less than what is expected
[5.1.2600.1309].
Note MS03-051 813360
Please refer to Q306460 for a detailed explanation.
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
The registry key **SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}** does not
exist. It is required for this patch to be considered installed.
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.


After applying the listed updates, you should see something like this:


Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
* INTERNET EXPLORER 6 SP1
Information
All necessary hotfixes have been applied.
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.


When scanning the local system, Administrator privileges are needed.
If you wish to scan a remote machine, you will need Administrator
privileges on it. There are several ways to scan
remote machines. To scan a single remote
system, a NetBIOS name can be specified with the
-h switch. Likewise, an IP address can be
specified with the -i switch.


For example, to scan the machine PLUNDER from
another machine, either of these two commands can be used:


mbsacli /hf -h PLUNDER
mbsacli /hf -i 192.168.0.65


You can also scan a handful of additional systems by listing them on
the command line with commas separating each NetBIOS name or IP
address.


Note that, in addition to having Administrator privileges on the
remote machine, you must also ensure that you have not disabled the
default shares [Hack #27].
If the default administrative shares have been disabled, then
HFNetChk will not be able to check for the
proper files on the remote system and, consequently, will not be able
to determine whether an update was applied.


If you wish to scan a group of systems, there are several options for
this as well. Using the -fh option, you can
specify a file containing up to 256 NetBIOS hostnames (one on each
line) that will be scanned. You can do the same thing with IP
addresses, using the -fip option. Ranges of IP
addresses may also be specified by using the -r
option.


For example, you could run a command like this to scan from
192.168.1.23 to 192.168.1.172:


mbsacli /hf -r 192.168.1.23-192.168.1.172


All of these options are very flexible, and you can use them in any
combination to specify which remote systems will be scanned.


In addition to specifying remote systems by NetBIOS name and IP
address, you can also scan systems by domain
name by using the -d option, or you can scan your
entire local network segment by using the
-n command-line option.


When scanning systems from a personal workstation, the
-u and -p options can prove
useful. These allow you to specify a username and password to use
when accessing the remote systems. These switches are particularly
handy if you don't normally log in using the
Administrator account. The account that is specified with the
-u option will of course need to have
Administrator privileges on the remote machines being scanned.


Also, if you're scanning a large number of systems,
you might want to use the -t option. This allows
you to specify the number of threads used by the scanner, and
increasing this value generally will speed up scanning. Valid values
are from 1 to 128; the default value is 64.


If you are scanning more than one machine, a huge amount of data will
simply be dumped to the screen. Use the -f option
to specify a file to store the results of the scan in, and view it at
your leisure using a text editor.


HFNetChk is a very flexible tool and can be used
to check the update status of a large number of machines in a very
short amount of time. It is especially useful when a new worm has
come onto the scene and you need to know if all of your systems are
up-to-date on their patches.
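
For the new-worm case, a saved report can be reduced to the list of hosts still missing one bulletin. The following is an added example, not part of the original hack or of MBSA: it assumes the file written with -f uses the same layout as the screen output shown earlier, the function names are hypothetical, and the host GALLEON is invented for the sample.

```python
import re

# Constructed sample: the PLUNDER lines are taken from the output shown
# earlier in this hack; the GALLEON host is invented for illustration.
SAMPLE_REPORT = """\
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Warning MS02-055 323255
Patch NOT Found MS03-049 828035
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
----------------------------
GALLEON(192.168.0.66)
----------------------------
* WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
"""

HOST_RE = re.compile(r"^(?P<name>[^\s()]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$")
FINDING_RE = re.compile(
    r"^(?P<status>Patch NOT Found|Warning|Note)\s+"
    r"(?P<bulletin>MS\d{2}-\d{3})\s+(?P<kb>\d+)$")

def parse_report(text):
    """Return {host: [(product, status, bulletin, kb), ...]}."""
    hosts, host, product = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:                                  # "NAME(ip)" starts a host section
            host, product = m.group("name"), None
            hosts[host] = []
        elif line.startswith("* "):            # "* PRODUCT" starts a product group
            product = line[2:]
        elif host and (f := FINDING_RE.match(line)):
            hosts[host].append((product, f["status"], f["bulletin"], f["kb"]))
        # Anything else (verbose detail, "Information", rules) is skipped.
    return hosts

def hosts_missing(hosts, bulletin):
    """Hosts where the bulletin is reported as 'Patch NOT Found'."""
    return sorted(h for h, rows in hosts.items()
                  if any(s == "Patch NOT Found" and b == bulletin
                         for _, s, b, _ in rows))
```

A host that does not appear in the parsed result was never reported on, so treat it as unknown rather than patched.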



See Also


Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool: Knowledge Base Article 305385, at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;




