Recipe 10.1. Scanning Exchange Servers for Security Patches

Problem

You want to ensure that your Exchange servers have the most up-to-date set of security patches.

Solution

Download the current version of the Microsoft Baseline Security Analyzer (MBSA) tool from http://www.microsoft.com/mbsa. Follow the included instructions to install it on a Windows 2000, Windows XP, or Windows Server 2003 machine that belongs to a domain in the same forest as the servers you want to scan. The account you scan with needs local administrator rights on each target, and the targets must accept remote registry and administrative file-share connections from the scanning machine; otherwise MBSA cannot inspect the file versions and registry keys it bases its verdicts on.

Using a graphical user interface

  1. Open MBSA (c:\program files\Microsoft Baseline Security Analyzer\mbsa.exe).

  2. From the initial MBSA page, choose whether you want to scan a single computer or more than one by clicking the appropriate link:

    • If you want to scan a single computer, you can specify it by computer name or IP address.

    • If you need to scan multiple computers, you can choose to scan by domain (in which case, MBSA will scan all computers it can see in that domain) or by IP address range.

    You can optionally specify a format for the names of the reports produced in either mode; by default, the report name will include the domain name, computer name, and date and time of the scan. To speed up the scans as much as possible, you should uncheck the Check for weak passwords and Check for SQL vulnerabilities boxes (provided, of course, that you're only scanning your Exchange servers!).

  3. Click Start scan. MBSA will attempt to fetch the latest version of the security updates list from Microsoft's web site, then it will begin scanning the selected computers.

  4. Wait for the scan to complete; when it does, MBSA will display a detailed report of the scan results (we'll decipher the report format in the Discussion).

Using a command-line interface

Use the mbsacli.exe tool to scan the computers you're interested in. With no arguments, mbsacli will scan the local computer. To scan a machine named batman, skipping the SQL and password checks, you'd run the following command:

> mbsacli.exe /c batman /nSQL+Password

The scan will proceed as it does in the GUI version, but the output is different. Instead of a detailed on-screen report, you'll get a summary that shows which computers and IP addresses were scanned, along with an assessment of each computer's risk level and the name of the report. The report name is based on the domain and computer name and date/time of the scan (you can override this format with the /o option).

Discussion

We've had the ability to check an individual machine for Windows updates since Windows 98 or so, but the built-in Windows Update functionality leaves quite a bit to be desired from an enterprise security standpoint. Instead of allowing individual users, or administrators, to apply ad hoc patch combinations to individual machines, most companies want a standardized way of determining which patches are necessary, then loading them automatically. MBSA provides the measurement tool; other tools, like Systems Management Server (SMS), Microsoft Software Update Services (SUS), or its forthcoming successor Windows Update Services (WUS, which shipped under the name Windows Server Update Services, WSUS), can be used to get the actual patches onto the machine. WUS extends the functionality of Windows Update to include patches for other Microsoft applications, such as Office and Exchange. There are also a number of third-party patch management applications that offer support for monitoring and managing Exchange servers.

MBSA added support for Exchange in Version 1.2. When you launch MBSA, the first thing it does is attempt to download the current version of the MSSecure.xml file (which is actually available as either raw XML or as a .CAB file). This file enumerates all the available security patches for various versions of Windows and key applications like Exchange. By checking for file versions, modification dates, and the presence of registry keys added when hotfixes are applied, MBSA can usually determine which patches are installed on a given machine. We say "usually" because there have been several well-known cases of patches for which MBSA either falsely reported a fix as being present or baselessly complained that a critical fix was missing. The latest version of MBSA, 1.2.1, has fixed most of these cases, but be forewarned that an MBSA report listing one or more security updates that "could not be confirmed" doesn't necessarily spell impending doom.

For scanning Exchange servers, you'll probably want to use the command-line version of MBSA in HFNetChk compatibility mode. This mode makes MBSA work like the HFNetChk tool from which it was partially derived; it's useful because it allows you to feed it a text file containing a list of NetBIOS computer names (-fh) or IP addresses (-fip), one per line, with a maximum of 255 lines per file. This makes it easy to script periodic checks of your Exchange servers, using a command line like one of these:

> mbsacli.exe -hf -fh HostsToScan.txt
> mbsacli.exe -hf -fip IPAddressesToScan.txt

One drawback of HFNetChk mode is that you can't use the MBSA-mode options like /n, so you trade off some flexibility in scanning behavior for flexibility in specifying which hosts should actually be scanned. MBSA supports a broad range of command-line options, which are well described in its documentation.
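The periodic check described above, as an added example written for this page (it is not code from the cookbook or from Microsoft): a Python wrapper that splits a server list into host files that respect the 255-line limit, builds the mbsacli.exe -hf -fh invocation from the recipe, and sorts the text output into "Patch NOT Found" items versus the "Note"/"Warning" items that MBSA could not confirm, so the unconfirmed ones don't trip an alarm on their own. The install path of mbsacli.exe and the exact shape of the output lines (a "NAME (a.b.c.d)" banner per host, then one line per update) are assumptions about HFNetChk-style output; the sample output embedded at the bottom is constructed for offline use, not captured from a real scan.

```python
"""Scheduled MBSA check of Exchange servers via mbsacli.exe in HFNetChk mode.

Added example for this page; not cookbook or Microsoft code.
"""
import re
import subprocess
from pathlib import Path

# Assumed default install path; adjust for the scanning workstation.
MBSACLI = r"C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe"

# The recipe states a 255-line limit per host file in HFNetChk mode.
MAX_HOSTS_PER_FILE = 255

# Line shapes assumed from HFNetChk-style text output: a host banner
# "NAME (a.b.c.d)", "Patch NOT Found <bulletin> <Q article>" for a missing
# update, and "Note"/"Warning" lines for updates that could not be confirmed.
HOST_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
MISSING_RE = re.compile(r"Patch NOT Found\s+(MS\d{2}-\d{3})\s+(Q\d+)", re.IGNORECASE)
UNCONFIRMED_RE = re.compile(r"^\s*(?:Note|Warning)\s+(MS\d{2}-\d{3})\s+(Q\d+)", re.IGNORECASE)


def chunk_hosts(hosts, max_per_file=MAX_HOSTS_PER_FILE):
    """Split the host list into groups no larger than the per-file limit."""
    hosts = [h.strip() for h in hosts if h.strip()]
    return [hosts[i:i + max_per_file] for i in range(0, len(hosts), max_per_file)]


def write_hosts_files(hosts, outdir):
    """Write one NetBIOS name per line, one file per chunk; return the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, chunk in enumerate(chunk_hosts(hosts), start=1):
        path = outdir / f"HostsToScan-{n}.txt"
        path.write_text("\n".join(chunk) + "\n")
        paths.append(path)
    return paths


def build_command(hosts_file):
    """The mbsacli invocation from the recipe: HFNetChk mode, hosts from a file."""
    return [MBSACLI, "-hf", "-fh", str(hosts_file)]


def parse_hfnetchk_output(text):
    """Group missing and unconfirmed updates by scanned host."""
    results = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).upper()
            results.setdefault(current, {"ip": m.group(2), "missing": [], "unconfirmed": []})
            continue
        if current is None:
            continue  # preamble before the first host banner
        m = MISSING_RE.search(line)
        if m:
            results[current]["missing"].append((m.group(1), m.group(2)))
            continue
        m = UNCONFIRMED_RE.match(line)
        if m:
            results[current]["unconfirmed"].append((m.group(1), m.group(2)))
    return results


def hosts_needing_patches(results):
    """Only confirmed 'Patch NOT Found' entries count; unconfirmed ones are listed, not alarmed on."""
    return sorted(host for host, r in results.items() if r["missing"])


def run_scan(hosts_file):
    """Run mbsacli and return its text output (needs MBSA on a domain-member machine)."""
    proc = subprocess.run(build_command(hosts_file), capture_output=True, text=True)
    return proc.stdout


# Constructed sample output for offline use; not captured from a real scan.
SAMPLE_OUTPUT = """\
Scanning BATMAN
Scanning ROBIN

----------------------------
BATMAN (10.1.2.10)
----------------------------

* WINDOWS SERVER 2003 GOLD
Patch NOT Found MS04-011 Q835732
Patch NOT Found MS04-012 Q828741

* EXCHANGE SERVER 2003 GOLD
Note MS04-035 Q883935

----------------------------
ROBIN (10.1.2.11)
----------------------------

* WINDOWS SERVER 2003 GOLD
* EXCHANGE SERVER 2003 SP1
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_scan(path)
    # for each path from write_hosts_files(...) on a real scanning machine.
    parsed = parse_hfnetchk_output(SAMPLE_OUTPUT)
    for host, r in parsed.items():
        print(host, r["ip"], "missing:", r["missing"], "unconfirmed:", r["unconfirmed"])
    print("hosts needing patches:", hosts_needing_patches(parsed))
```

On a real scanning machine, schedule the script with the Task Scheduler under an account that is a local administrator on the Exchange servers, and treat the "unconfirmed" list as something to review by hand rather than as a failed check, for the reason given in the Discussion above.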

See Also

MBSA documentation (http://www.microsoft.com/technet/security/tools/mbsahome.mspx), Chapter 6 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press), and the Scripting with the Microsoft Baseline Security Analyzer V1.2 web site (http://www.microsoft.com/technet/security/tools/mbsascript.mspx)



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
