Planning a Security Update Infrastructure


EXAM 70-293 OBJECTIVE 5, 5.4, 6, 6.3, 6.4

Even the best security practices can prove ineffective if you do not perform routine security updates on your servers and client computers. Windows Server 2003 has valuable add-on tools that enable administrators to analyze security flaws, as well as to update servers and client machines from a single location. This can save time for administrators and provide a more secure environment. Continuous monitoring and updating of your network infrastructure will allow you to maintain continuity and strong security on your network and client machines. Some of the add-on tools available include Subinacl.exe and Permcopy.exe.

Subinacl.exe allows administrators to gather information pertaining to files, Registry keys, and services. This information can then be transferred from user to user, local to local group, global to global group, and domain to domain. For example, you could use this tool to adjust the files for a user share after the user has been moved from the TEST1 domain to the TEST2 domain. The domains TEST1 and TEST2 have a trust relationship already established. The two domains must be trusted for this command to work properly. The server name is SERVER1 with the user share name USER1. To perform this task, you would click Start | Run, type cmd, and click OK to open a command prompt window. In the command prompt window, issue the following command:

subinacl /subdirectories \\server1\user1\*.* /replace=TEST1\USER1=TEST2\USER1

Permcopy.exe allows administrators to copy share-level permissions from one share to another. For example, you could use this tool to copy from a share named david on testserver1 to the testserver2 share called tom. To perform this task, open a command prompt window and issue the following command:

permcopy \\testserver1 david \\testserver2 tom

This will copy the share-level permissions from the testserver1 david share to the testserver2 tom share.

Understanding the Importance of Regular Security Updates

The machines on your network are always at risk, and no operating system is totally secure. New exploits are discovered every day, and hackers quickly spread the news. Hackers even create scripts and programs that allow others, who are less technically skilled, to exploit protocol, operating system, and application vulnerabilities.

Not maintaining updates on your client and server machines could be compared to purchasing a new car and never having routine maintenance done. On the other hand, it is important to note that not all security updates should necessarily be applied to your computers. This is because, unfortunately, in the rush to fix problems that are brought to their attention, Microsoft and application vendors sometimes release patches that are buggy and can cause more problems than they solve. Even when updates work as intended, you should ensure that the intentions are what you want. Not long ago, for example, a Microsoft Outlook update was issued that did not allow any attachments to be delivered via e-mail. This did indeed address security concerns about macros and other malicious code embedded in attachments, but it also created a big problem for businesses in which employees relied on e-mailed attachments to perform their work.

It is wise for administrators to closely monitor updates that are released and to choose the ones that will patch machines without causing work stoppages. You should thoroughly test any patches, fixes, and updates in a safe (nonproduction) environment before deploying them on your working network.

To make security updating easier, Microsoft has implemented two useful tools for the Windows Server 2003 family: MBSA and SUS. These two utilities make it much easier to find security holes in your Microsoft software and help you to effectively roll out the patches to client machines from a Windows Server 2003 machine.

Using Microsoft Baseline Security Analyzer (MBSA)

MBSA 1.1.1 is available via download from the Microsoft Web site. This version replaces the stand-alone HFNetChk tool. This tool scans for security vulnerabilities in the operating system software. It also will scan Internet Information Server (IIS), SQL Server, Exchange Server, Windows Media Player, and Internet Explorer for improperly configured security settings. After a scan has completed, a report will be available for each machine that is scanned. To run this utility, you must have local administrative rights.

Installing the Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer can be downloaded and installed by following these steps:

  1. Download the Microsoft Baseline Security Analyzer from the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=9a88e63b-92e3-4f97-80e7-8bc9ff836742&DisplayLang=en

  2. Double click the Download button to the right and either Open or Save the program to your hard drive.

  3. If you choose to download the program instead of using the Open command, double-click the saved file and the installation will begin.

  4. The Welcome Screen wizard will appear and you need to click Next.

  5. The End User License Agreement will appear. Read the agreement, click the I Accept the License Agreement option, and then select Next.

  6. Enter the User Information in the Full Name and Organization boxes. You can also choose if you wish for the settings to be installed for the current user only or for Anyone who uses this computer by selecting either the Anyone who uses this computer option or the Only for Me option.

  7. Select Next and then you have the option to change the destination folder by selecting the Browse option or select Next to leave as the default install folder.

  8. You can also uncheck the check boxes listed if you do not want the following performed:

    • Place a Shortcut on the desktop

    • Show Readme file after installation

    • Launch the application after installation

  9. Select Next after this has been done.

  10. Now you can choose which features to install on your local hard drive, or install all features on the local hard drive by clicking the Microsoft Baseline Security Analyzer down arrow. Then select Next.

  11. Choose Next once this has been done and the install will begin. Once it is complete the Microsoft Baseline Security Analyzer will open (if you did not de-select the option in step 8).

If you wish, you can use this tool as a command-line utility. To do so, open a command prompt window (click Start | Run, type cmd, and click OK), and then type mbsacli.exe at the command prompt. Running this command will show the tool’s syntax and switches. If you run the command without any switches, it will scan the local computer. Some of the switches include the following:

  • /d domainname Scan a domain.

  • /c domainname\computername Scan the computer that is named.

  • /i 10.10.1.1 Scan a particular IP address.

  • /r 10.10.1.1-10.10.1.10 Scan an IP address range.

  • /n OS Skip operating system checks.

  • /n SQL Skip SQL Server checks.

  • /n IIS Skip IIS checks.

  • /n Updates Skip checking for security updates.

  • /n Password Skip checking passwords. This option will substantially increase the amount of time it takes for MBSA to run.

  • /e List errors from the latest scan.

  • /l List all available reports.

Exercise 11.02: Setting Up a Windows XP Client for Wireless Networking


Previous versions of MBSA were command-line tools only. Version 1.1.1 provides a graphical interface as well. To use the MBSA GUI after you’ve installed the program, follow these steps:

  1. Select Start | All Programs | Administrative Tools | Microsoft Baseline Security Analyzer. You will see the opening window, as shown in Figure 11.5.

    Figure 11.5: Starting MBSA

  2. You can choose to scan a single computer, or you can scan a group of computers. (When you choose Scan more than one computer, you next enter the domain name or IP addresses of a beginning and ending address range.) For this example, we will scan the local computer. Click the Scan a Computer button, and you will see the window shown in Figure 11.6.

    Figure 11.6: Select a Computer to Scan Using MBSA

  3. Enter the Computer name or the IP address of the machine you wish to check and select which options you wish to scan. Then click the Start scan button, and the scan will begin.

  4. When the scan has completed, you will see the window shown in Figure 11.7. As you can see in the figure, the computer name, IP address, security report name, scan date and time, MBSA version, MBSA database version, security assessment, and security update scan results are listed. You can change the sort order of the security report by clicking the Sort Order box and selecting Issue name, Score (worst first), or Score (best first). Score (worst first) is the default setting.

    Figure 11.7: The MBSA Output Report on a Local Computer

  5. You can scroll down the right side of the page inside the report using the scroll bar to view all of the information. For this example, select the Password Expiration result and double-click. The Password Expiration problem (some user accounts have passwords that are set to never expire) is shown in Figure 11.8.

    Figure 11.8: A Portion of an MBSA Report Showing the Password Expiration Result

  6. When you open the item by clicking on the report, you will see details giving you a better understanding of why the problem it captured is a security risk. It will also list a solution to the problem to instruct you on how to correct the risk. Figure 11.9 shows the security issues and action to take to correct the vulnerabilities that were discovered.

    Figure 11.9: Security Issues and How to Correct Vulnerabilities

    Note

    As always, be careful when you begin to apply security fixes. It is always a good idea to perform these types of administrative functions on a test machine in a nonproduction environment.

  7. Scroll down the window to see a step-by-step guide for correcting your security issues, as shown in Figure 11.10.

    Figure 11.10: The MBSA Step-by-Step Solution


Note

MBSA 1.1.1 cannot be used on Windows 9x or Windows ME machines. You can use it on Windows 2000 and Windows XP machines, in addition to Windows Server 2003. However, if a Windows XP machine is using simple file sharing, you can run only local scans. You must have Internet Explorer 5.01 or later installed, and the Workstation and Server services must be enabled. You can remotely scan computers running Windows NT 4.0 Service Pack 4 or above.

Using Microsoft Software Update Services (SUS)

Microsoft SUS is a great add-on product that administrators can use to install software updates from a central location to manage up to 15,000 clients on a single server.

Note

SUS with Service Pack 1 can be installed on an AD domain controller or a server running Microsoft Small Business Server. The original version of SUS 1.0 could not be installed on these machines.

Microsoft recommends that you use the following guidelines and hardware as a minimum when installing SUS on a machine:

  • Pentium III 700 MHz CPU

  • 512MB of RAM

  • NTFS partition with a minimum of 100MB available for the SUS installation folder

  • A minimum of 6GB of disk space available for holding the SUS updates

  • NIC and Internet connection

  • Windows Server 2003, Windows 2000 Server, Windows 2000 Server Advanced, or Microsoft Windows 2000 Datacenter Server with Service Pack 2 or above

  • IIS 5.0

  • Internet Explorer 5.5 or newer

SUS works by retrieving updates from Microsoft and storing these updates on a server that has the SUS tool installed. Clients then can be configured to connect to SUS and retrieve approved hotfixes and patches from the SUS server. Administrators have flexibility over the retrieval of the hotfixes and updates because they can choose which languages can be downloaded. Administrators also can approve the hotfixes.

There are two parts required to implement the service:

  • Software Update Service (SUS) server component: Installed on a Windows 2000 or Windows Server 2003 server.

  • Automatic Updates client: Installed on Windows XP Professional, Windows 2000 Professional and Server with Service Pack 2 or above, and Windows Server 2003 servers; allows them to receive updates from the server running SUS.

The SUS service on the server connects to the Microsoft Windows Update site to download the latest updates. Then the clients connect to the server and receive the updates from it. This prevents numerous clients from needing to use Internet bandwidth to download critical updates, and allows them to receive the update programs faster because they get them over the fast LAN connection instead of a relatively slower Internet connection. The updates need to be downloaded from the Internet only once by the SUS server. Both components are available on the Microsoft Web site.

The updates that are managed through SUS include Windows critical updates, critical security updates, and security rollups. Administrators can sign up for e-mail notification of critical updates on the Microsoft SUS Web site.

If you have a server that meets the hardware and software requirements, you can install the SUS software. It is imperative that you make sure you have a virus-free machine, because you must turn off the antivirus software during the installation of SUS. If you leave your antivirus software running, it might mistake the SUS software installation for a virus. After the installation has completed, you can run SUS as follows:

  1. Type http://computername/susadmin/default.asp in the address box on your Web browser. This will display the Welcome window, as shown in Figure 11.11.

    Figure 11.11: The SUS Welcome Window

  2. To get started, you can synchronize your SUS server with the Microsoft Windows Update site by clicking the Synchronize server option in the left pane.

  3. You can choose to synchronize the server now or you can schedule the server to synchronize at a later time, as shown in Figure 11.12. When you choose to synchronize later (by clicking the Synchronization Schedule button), you see the Schedule Synchronization dialog box, as shown in Figure 11.13. For this example, click the Synchronize Now button.

    Figure 11.12: The Options for Synchronizing the SUS Server

    Figure 11.13: Schedule Synchronization for the SUS Server

  4. After you click Synchronize Now, the catalog progress bar will appear, and the download of updates will begin as shown in Figure 11.14. Note that this process can take a great deal of time to complete, since all of the updates are being downloaded onto the server for the first time.

    Figure 11.14: Catalog Download Progress Bar

  5. After the download has completed, the Synchronization Log will appear as shown in Figure 11.15. You can scroll down the Synchronization Log window and view all of the downloaded updates.

    Figure 11.15: The Synchronization Log

  6. To approve the updates, click the Approve Updates option in the left pane. Using the Sort by: drop-down box, you can sort the updates by status, date, title, or platform. Before approving the updates, ensure that you understand the risk involved with implementing each security fix. Sometimes a fix can cause other problems. As always, make certain that you have a current emergency repair disk (ERD), as well as a backup, before you make changes on any machine. You can individually approve the update items you wish to distribute to the clients, as shown in Figure 11.16.

    Figure 11.16: Approving SUS Available Updates

  7. For this example, we will approve the Internet Explorer 6 Service Pack 1 update. Just place a check mark beside the patch or hotfix and click the Approve button. A dialog box will appear, asking if you wish to continue, as shown in Figure 11.17. Click the Yes button to continue, and the process of replacing previous updates will begin.

    Figure 11.17: SUS Approval Confirmation

  8. Figure 11.18 shows the End User License Agreement (EULA) that appears before the fix is applied. Click the Accept button if you agree to the License Agreement (you must accept the agreement if you wish to distribute the update).

    Figure 11.18: SUS License Agreement

  9. This dialog box shown in Figure 11.19 informs you that your updates have been successfully approved and that they are now available to client machines. Click the OK button to close the dialog box.

    Figure 11.19: Successful Updates Ready for Client Distribution

In order to set up your clients to use SUS, you need to install the Automatic Updates software, available at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp. This software replaces the Critical Updates feature. When the installation of the client software has been completed, you can distribute the updates to client machines as necessary. Clients using Windows XP Professional Service Pack 1, servers running Windows Server 2003, and computers running Windows 2000 Service Pack 3 can be set to automatically receive their SUS updates.

You have three ways to configure clients to retrieve updates from the SUS Server: use the Local Security Policy on a computer, use Group Policy in AD, or edit Registry settings. To use the Local Security Policy on a computer that is not a member of an AD domain, follow these steps:

  1. Select Start | Run, type gpedit.msc, and click OK.

  2. In the left pane of the GPO Editor, expand Computer Configuration, then Administrative Templates.

  3. Right-click Administrative Templates and choose Add/Remove Templates.

  4. Choose Add and select Wuau.adm in the folder.

  5. You might be prompted to confirm and replace your existing Wuau.adm file; select Yes to overwrite this file.

  6. Choose Close to complete the process.

  7. Under Computer Configuration, expand Administrative Templates, then Windows Components, then Windows Update.

  8. Double-click Configure Automatic Updates, and the Configure Automatic Updates Properties dialog box will open.

  9. Choose Enabled from the list of options, and then select any of the following three options:

    • Notify for download and install: This will provide clients with an icon in the taskbar that will notify users that updates are ready to be installed. To begin the installation, select the icon and the option used to install updates will appear.

    • Auto download and notify for install: This is the default method for installing updates. The user will not be notified during the download process. The client machine will automatically find the updates and install them.

    • Auto download and schedule the install: If this option is chosen and no time is selected, the updates will be automatically installed by the clients at 3:00 a.m. If a reboot is necessary after the installation, the client machine will be rebooted. If a user is working on the machine at 3:00 a.m., the user will be prompted to reboot the machine so the updates can be applied.

    You can also choose whether Automatic Updates should reschedule a missed scheduled installation for a specific time, and whether the computer may be restarted while any user is logged on to that specific computer.
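The third method listed above, editing the Registry directly, writes the same policy values that the Wuau.adm template sets. The following PowerShell script is an added example, not from the book; it sets those values for a client and then reads them back to verify. The server name sus01 is a placeholder; the value names (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers) are the documented Automatic Updates policy values.

```powershell
# Added example (not from the book): configure the Automatic Updates client to pull
# approved updates from an SUS server by writing the policy values behind Wuau.adm,
# then verify them. Run as a local administrator. 'sus01' is a placeholder name.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# AUOptions maps to the three choices in the Configure Automatic Updates dialog:
#   2 = Notify for download and install
#   3 = Auto download and notify for install
#   4 = Auto download and schedule the install
function Set-SusClient {
    param(
        [Parameter(Mandatory)][string]$SusServer,     # placeholder: your SUS server name
        [ValidateSet(2,3,4)][int]$AuOption = 4,
        [ValidateRange(0,7)][int]$InstallDay = 0,     # 0 = every day
        [ValidateRange(0,23)][int]$InstallHour = 3    # 3 = 3:00 a.m., the default described above
    )
    $url = "http://$SusServer"
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Where clients download updates and where they report status (normally the same SUS server)
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $url -Type String
    # Use the intranet SUS server instead of the public Windows Update site
    Set-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value $AuOption -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # Prompt a logged-on user to reboot rather than rebooting underneath them
    Set-ItemProperty -Path $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

# Read the values back and report anything that would leave the client unmanaged
function Test-SusClient {
    param([Parameter(Mandatory)][string]$SusServer)
    $expected = "http://$SusServer"
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $problems = @()
    if ($wu.WUServer -ne $expected)  { $problems += "WUServer is '$($wu.WUServer)', expected '$expected'" }
    if ($au.UseWUServer -ne 1)       { $problems += 'UseWUServer is not 1; client still uses Windows Update' }
    if ($au.AUOptions -notin 2,3,4)  { $problems += "AUOptions '$($au.AUOptions)' is not a valid choice" }
    if ($au.NoAutoUpdate -eq 1)      { $problems += 'NoAutoUpdate=1 disables Automatic Updates entirely' }
    if ($problems.Count -eq 0) { Write-Output "OK: client will use $expected"; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Set-SusClient -SusServer 'sus01' -AuOption 4 -InstallDay 0 -InstallHour 3
Test-SusClient -SusServer 'sus01'
```

The Automatic Updates service reads these values when it starts, so restart it (net stop wuauserv, then net start wuauserv) after running the script.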

To configure automatic updates for computers belonging to AD by using Group Policy, follow these steps:

  1. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers.

  2. Right-click the domain or OU to which you wish to apply this setting and select Properties.

  3. Click the Group Policy tab, and then click New.

  4. Enter a name for the new policy and click the Edit button.

  5. Under Computer Settings or User Settings, right-click Administrative Templates and choose Add/Remove Templates, and then select Add.

  6. Enter the name of the automatic update file, wuau.adm, and click Open.

Figure 11.20 shows the Approval Log that can be accessed via the View approval log option in the left pane of the SUS administration page. You can choose to clear the log or print the log.

Figure 11.20: Viewing the SUS Approval Log

Figure 11.21 shows the Set options page, which can be accessed by choosing Set options in the left pane of the SUS administration page.

Figure 11.21: Setting SUS Options

This screen will allow you to set the following options on your SUS server:

  • Proxy configuration

  • Name of SUS Web server that you wish to have clients locate

  • Server used to synchronize content

  • Whether the content should come from Microsoft Windows Update servers or the local SUS server

  • How to handle previously approved updates

  • Where the updates should be stored

  • Language preferences for the downloaded patches

    Note

    You might wish to change the language option if you use only one language on your network, because you do not need all of the other languages to be downloaded. This can greatly reduce your synchronization time.

The SUS Monitor server option allows you to view the available SUS updates that are loaded into memory caches of the server each time a synchronization event occurs.

Figure 11.22 shows the Monitor server page. You can refresh this page if the cached information is not loading from memory correctly.

Figure 11.22: Monitoring Server Updates




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173