Detecting


Use MBSA to detect missing security patches for Windows NT 4.0, Windows 2000, and Windows XP. You can use MBSA in two modes: GUI and command line. Both modes are used to scan single or multiple computers. The command line can be scripted to run on a schedule.

Note  

The login used to run MBSA must be a member of the Administrators group on the target computer(s). To verify adequate access and privilege, use the command net use \\computername\c$ where computername is the network name of a machine which you are going to scan for missing patches. Resolve any issues accessing the administrative share before using MBSA to scan the remote computer.

 Task   To manually detect missing updates using the MBSA graphical interface

  1. Run MBSA by double-clicking the desktop icon or by selecting it from the Programs menu.

  2. Click Scan a computer. MBSA defaults to the local computer. To scan multiple computers, select Scan more than one computer and select either a range of computers to scan or an IP address range.

  3. Clear all check boxes except Check for security updates. This option detects uninstalled patches and updates.

  4. Click Start scan. Your server is now analyzed. When the scan is complete, MBSA displays a security report and also writes the report to the %userprofile%\SecurityScans directory.

  5. Download and install the missing updates.

    Click the Result details link next to each failed check to view the list of uninstalled security updates. A dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.

 Task   To detect missing updates using the MBSA command line interface

  • From a command window, change directory to the MBSA installation directory, and type the following command:

     mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD 

    You can also specify a computer name. For example:

     mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD 

    You can also specify a range of computers by using the /r option. For example:

     mbsacli /r 192.168.0.1-192.168.0.254 /n OS+IIS+SQL+PASSWORD 

    Finally, you can scan a domain by using the /d option. For example:

     mbsacli /d NameOfMyDomain /n OS+IIS+SQL+PASSWORD 

 Task     To analyze the generated report

  1. Run MBSA by double-clicking the desktop icon or by selecting it from the Programs menu.

  2. Click Pick a security report to view and open the report or reports, if you scanned multiple computers.

  3. To view the results of a scan against the target machine, mouse over the computer name listed. Individual reports are sorted by the timestamp of the report.

As previously described, the advantage of the command line method is that it may be scripted and scheduled to execute. This schedule is determined by the exposure of your systems to hostile networks, and by your security policy.
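
The batch file below is an added example, not part of the original text. It combines the net use access check from the Note with the mbsacli command shown above so that the scan can run unattended from a scheduled task. The installation path, the hosts.txt and scan.log file names, and the one-IP-address-per-line host list format are assumptions.

```batch
@echo off
rem Added example: scripted MBSA security update scan with an access pre-check.
rem Assumptions (not from the original page): MBSA_DIR, hosts.txt, scan.log,
rem and a host list holding one IP address per line (# starts a comment line).
setlocal

set "MBSA_DIR=C:\Program Files\Microsoft Baseline Security Analyzer"
set "HOSTS=%~dp0hosts.txt"
set "LOG=%~dp0scan.log"

if not exist "%MBSA_DIR%\mbsacli.exe" (
    echo mbsacli.exe not found in "%MBSA_DIR%"
    exit /b 1
)
if not exist "%HOSTS%" (
    echo Host list "%HOSTS%" not found
    exit /b 1
)

echo ==== Scan started %DATE% %TIME% ==== >> "%LOG%"
rem The page says to run mbsacli from the MBSA installation directory.
pushd "%MBSA_DIR%"
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTS%") do call :scan %%H
popd
echo ==== Scan finished %DATE% %TIME% ==== >> "%LOG%"
endlocal
exit /b 0

:scan
rem Verify access to the administrative share before scanning, as the Note
rem requires. A failure here means the account lacks rights or the host is down.
net use \\%1\c$ >nul 2>&1
if errorlevel 1 (
    echo [SKIPPED] %1 - cannot access \\%1\c$ with the current account >> "%LOG%"
    goto :eof
)
echo [SCANNING] %1 >> "%LOG%"
rem /n OS+IIS+SQL+PASSWORD skips those checks, leaving the security update scan.
mbsacli /i %1 /n OS+IIS+SQL+PASSWORD >> "%LOG%" 2>&1
rem Drop the connection that the pre-check opened.
net use \\%1\c$ /delete >nul 2>&1
goto :eof
```

Run the scheduled task under an account that is a member of the Administrators group on every target, and review the [SKIPPED] entries in the log, because a host that was never scanned is otherwise indistinguishable from one with no missing patches.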

MBSA Output Explained

The following example was taken using MBSA version 1.1.

Figure 2: Screenshot of the report details for a scanned machine

The top portion of the MBSA screenshot shown in Figure 2 is self-explanatory.

Red crosses indicate that a critical issue has been found. To view the list of missing patches, click the associated Result details link.

The results of a security update scan might show two types of issues:

  • Missing patches

  • Patch cannot be confirmed

Both types include links to the relevant Hotfix and security bulletin pages that provide details about the patch together with download instructions.

Missing patches are indicated by a red cross. An example is shown in Figure 3.


Figure 3: Missing patch indication

When a patch cannot be confirmed, it is indicated by a blue asterisk. This occurs when your system has a file that is newer than the file provided with a security bulletin. This might occur if you install a new version of a product that updates a common file.


Figure 4: Patch cannot be confirmed indication

For updates that cannot be confirmed, review the information in the bulletin and follow the instructions. This may include installing a patch or making configuration changes. For more information on patches that cannot be verified by MBSA, see Microsoft Knowledge Base article 306460, "HFNetChk Returns Note Messages for Installed Patches."




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
