Patch and Update | Improving Web Application Security: Threats and Countermeasures

Ensure that your workstation has the latest service packs and patches. Check the operating system, IIS, SQL Server, MSDE, Microsoft Data Access Components (MDAC), and the .NET Framework. Microsoft offers several tools and methods to help you scan and update your system. These include the Windows Update site, the Microsoft Baseline Security Analyzer (MBSA) tool, and the Automatic Updates feature.

Using Windows Update

You can use Windows Update (available from the Start menu) to scan for updates and patches for Windows. Alternatively, you can directly scan for updates at http://windowsupdate.microsoft.com .

Note	After you update your system using the Windows Update site, use MBSA to detect missing updates for SQL Server, MSDE, and MDAC.

Using MBSA

You can use MBSA to assess security and to verify patches. If you used automatic updates or Windows Update to update your operating system and components, MBSA verifies those updates and additionally checks the status of updates for SQL Server and Microsoft Exchange Server. MBSA lets you create a script to check multiple computers.

Task To detect and install patches and updates

Download MBSA from the MBSA home page at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp .

If you do not have Internet access when you run MBSA, MBSA cannot retrieve the XML file that contains the latest security settings from Microsoft. You can use another computer to download the XML file, however. Then you can copy it into the MBSA program directory. The XML file is available at http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab .
Run MBSA by double-clicking the desktop icon or selecting it from the Programs menu.
Click Scan a computer . MBSA defaults to the local computer.
Clear all check boxes except for Check for security updates . This option detects which patches and updates are missing.
Click Start scan . Your server is now analyzed . When the scan completes, MBSA displays a security report, which it also writes to the %Userprofile%\SecurityScans directory.
Download and install the missing updates. Click Result details next to each failed check to view the list of missing security updates.

The resulting dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.

For more information about using MBSA, see "How To: Use Microsoft Baseline Security Analyzer (MBSA)," in the How To section of this guide.

Note	MBSA will not indicate required .NET Framework updates and patches. Browse the .NET Framework downloads page at http://msdn.microsoft.com/netframework/downloads/default.asp .

Using Automatic Updates

The Automatic Updates feature offers the easiest method to update your operating system with the latest critical security patches. The feature is built into Windows XP and is installed with Windows 2000 Service Pack 3.

To configure Automatic Updates with Windows 2000, click Automatic Updates in the Control Panel. For more information about Automatic Updates and Windows 2000, see Microsoft Knowledge Base article 327850, "How To: Configure and Use Automatic Updates in Windows 2000."

Task To configure Automatic Updates with Windows XP

Right-click the My Computer icon on the desktop or the System icon in Control Panel.
Click System Properties .

For more information about Automatic Updates and Windows XP, see Microsoft Knowledge Base article, 306525, "How To: Configure and Use Automatic Updates in Windows XP."

Automatic Updates scans and installs updates for the following operating systems (including the .NET Framework and IIS where applicable ):

Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional

In addition to using Automatic Updates, use MBSA to detect missing updates for SQL Server, MSDE and MDAC.