A Guide to Remote Patching
by Shawn C Lander on October 16, 2003
INTRODUCTION
The rise of Internet worms that exploit vulnerabilities in the Windows operating system
has necessitated the ability to quickly apply hotfixes and updates on workstations associated
with an organization. It is laborious, to say the least, to personally visit each workstation
to use Windows Update to apply them.
There are a variety of tools available to make the patching process easier to manage by allowing
remote administration of patch application. Most of these tools are client / server based and
have substantial costs and implementation overhead. As part of its recent security initiatives,
Microsoft even offers a tool for remote scanning of security vulnerabilities within
your organization.
At first glance, this Microsoft tool, the Microsoft Security Baseline Analyzer (MBSA), may not
seem like the solution you need. However, in conjunction with an open-source project, mbsaFU,
and very few changes to the way you administer your network, you have a solution for remote
application of critical hotfixes and updates. With just a little creative thinking, these tools
can be used for even bigger things.
In Microsoft's own words:
The Microsoft Security Baseline Analyzer (MBSA) provides a streamlined method of
identifying common security misconfigurations. Version 1.1.1 of MBSA includes a graphical and
command line interface that can perform local and remote scans of Windows systems. MBSA runs
on Windows Server 2003, Windows 2000 and Windows XP and will scan for common security
misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows
XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000,
Internet Explorer 5.01 and later, and Office 2000 and 2002. MBSA also scans for missing security
updates for Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL, Exchange,
IE, and Windows Media Player.
REQUIREMENTS
Based upon the requirements of MBSA, this solution will only work if the workstations you
need to remotely patch are Windows NT, Windows 2000, or Windows XP. It is important to note that
the workstations do not need to be part of an NT domain or an Active Directory. It
is sufficient to have a common administrator account and password within your environment.
The following list describes the requirements for the computer that is running MBSA and
scanning remote computers:
Windows 2000, Windows XP or Windows Server 2003.
Internet Explorer 5.01 or later.
An XML parser (included with IE 5.01 or later).
The Workstation and Server services must be turned on.
The IIS Common Files are required on the computer on which MBSA is installed if you
want to run remote scans of IIS-based computers.
The following list describes the requirements for the computer you want to scan
remotely using the MBSA tool:
Windows NT 4.0 (service pack 4 or later), Windows 2000, Windows XP, or Windows Server 2003.
Internet Explorer 5.01 or later.
IIS 4.0 or 5.0 (required for IIS vulnerability checks).
SQL Server 7.0 or 2000 (required for SQL vulnerability checks).
Office 2000 or 2002 (required for Office vulnerability checks).
The Server and Remote Registry services must be installed and turned on.
File and Print Sharing must be enabled.
Not using simple file sharing (on Windows XP).
Access to a Windows share on a remote server.
An administrator account that shares a common username and password with the scanning computer.
File and print sharing and the common administrator account are required because access to the
ADMIN$ and IPC$ shares is required by MBSA and mbsaFU to scan and patch a remote computer.
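The target-side requirements above can be verified from the scanning workstation before any scan is attempted. The command file below is an added example written for this guide; it is not part of MBSA or mbsaFU. It exercises the same access MBSA and mbsaFU need (the IPC$ and ADMIN$ shares with the common administrator account, and the Remote Registry service) and reports which requirement a failing host is most likely missing. The host names, [username] and [password] are placeholders, and the script assumes reg.exe is available on the scanning workstation (it is included with Windows XP and Windows Server 2003).

```batch
@echo off
setlocal enabledelayedexpansion

rem ---- Placeholders: none of these values come from the guide ----
set ADMINUSER=[username]
set ADMINPASS=[password]
rem Constructed sample target list: hostnames or IP addresses, space separated.
set HOSTS=WORKSTATION1 WORKSTATION2

set OK=0
set BAD=0
for %%H in (%HOSTS%) do (
    set FAIL=
    rem Check 1: IPC$ with the common administrator account. Fails when the Server
    rem service is off, File and Print Sharing is disabled, the Windows XP firewall
    rem is on, or the account or password differs from the scanning workstation's.
    net use \\%%H\IPC$ %ADMINPASS% /user:%ADMINUSER% >nul 2>&1
    if errorlevel 1 set FAIL=IPC$ connection failed: Server service, File and Print Sharing, firewall or credentials
    if not defined FAIL (
        rem Check 2: ADMIN$ needs real administrative rights. Simple File Sharing on
        rem Windows XP authenticates network logons as Guest, and a local security
        rem policy that keeps Administrators out of "Access this computer from the
        rem network" fails here as well.
        dir \\%%H\ADMIN$ >nul 2>&1
        if errorlevel 1 set FAIL=ADMIN$ not accessible: Simple File Sharing or local security policy
    )
    if not defined FAIL (
        rem Check 3: the Remote Registry service, read the same way MBSA reads a target.
        reg query "\\%%H\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName >nul 2>&1
        if errorlevel 1 set FAIL=remote registry query failed: Remote Registry service
    )
    rem Drop the IPC$ session so nothing is left connected after the check.
    net use \\%%H\IPC$ /delete >nul 2>&1
    if defined FAIL (
        set /a BAD+=1
        echo FAIL  %%H: !FAIL!
    ) else (
        set /a OK+=1
        echo ok    %%H
    )
)
echo.
echo %OK% ready for scanning, %BAD% need attention.
endlocal
```

Run it from a command prompt on the scanning workstation while logged in as the common administrator account. A host reported as failing the IPC$ check may also simply have an existing connection from this workstation under different credentials; disconnect it with net use /delete and re-run before treating the host as misconfigured.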
INITIAL SETUP
The default install of the supported operating systems includes the necessary services and
configurations to make using the MBSA and mbsaFU utilities for remote patching possible. If
you have a common administrator account and password on all workstations then there is very
little you need to do to begin using these tools.
If, on the other hand, you do perform security hardening of your operating systems after
an install it is possible that you have explicitly turned off one or more of the required
services or otherwise firewalled access to the administrative shares. If this is the case,
verify that your environment meets the requirements mentioned above.
Once you have verified that your environment meets the requirements you are ready to
begin installing and using the MBSA tools.
Since this process is performed entirely at the command prompt, it would be beneficial to
set up your scanning workstation in a manner that is conducive to working at that level.
Additionally, you must be working from within the mbsaFU install directory in order to
use some of the mbsaFU tools. We recommend that you set up your scanning workstation in
the following manner:
Log in to the workstation using the common administrator account.
Install the MBSA tool.
Insert the MBSA install directory into the PATH environment variable.
Create a network share for the mbsaFU tool to use (\\SERVER\SHARE for instance).
Install the mbsaFU tool on the network share (\\SERVER\SHARE\mbsaFU).
Create a shortcut that starts the command prompt in the mbsaFU install directory.
All workstations that you want to remotely patch must have access to the network share
where the mbsaFU tool will store the patches and administrative tools (\\SERVER\SHARE). That
network share should at least be accessible by the common administrative account.
HOW THIS WORKS
Perform the scan and save the results.
The command line tool of MBSA is mbsacli, and it has a variety of scanning options which
are documented using the /? command line argument. Using these options you can scan a
computer or network by hostname, domain name, single IP address, or
IP address range. The mbsaFU tool only works with HOTFIX output and requires the output
to be in a specific format. The command to use to scan the entire 152 subnet would be:
Parse the scan results to determine needed hotfixes.
The mbsaFU utilities include a program that will parse the results of the scan and create
the necessary files required by the rest of the mbsaFU utilities to operate. Use this
utility with the following command:
type scanresults.txt | mbsaparse \\SERVER\SHARE
Help for mbsaparse is available by typing mbsaparse without
any command arguments or other input. Optional command line arguments allow a forced
restart of remote workstations after patch application and allow for patching of a
specific hotfix q-number.
mbsaparse will create the following directories at the root of the
\\SERVER\SHARE share:
bin
A directory used by a later mbsaFU utility.
Hotfixes
Contains a directory for each product needing patches (i.e. Windows 2000 SP3, Windows
2000 SP4, Internet Explorer 6 SP1, etc) which will be used to store the necessary patches.
Logs
A directory to store log files of the mbsaFU utilities' attempts to remotely patch workstations.
There will be one file for each workstation named after the machine name of the workstation.
PatchList
Contains one file for each workstation requiring patches. The contents of each file will
be the patches needing to be applied with any command line arguments added.
Download the required patches.
Browse to the \\SERVER\SHARE\HotFixes\[PRODUCT] directory. You should see files
named [q-number].exe.needed (meaning the patch for this hotfix q-number for this
product needs to be downloaded). Download the [q-number] patch that relates to the product
folder from the Microsoft web site (and name the patch [q-number].exe in this directory):
http://support.microsoft.com?kbid=[q-number]
When downloading a patch, read the Knowledge Base article to determine whether any command
line arguments are needed to install the patch in the manner you want. For instance, many
patches accept the /q /u options for quiet mode and unattended installation (no
user interaction for a completed install) and the /z option to not reboot the computer
immediately (avoiding interruptions to the current user).
You can also find out about any required command line arguments by running the patch with
the /? argument.
The mbsaFU tools contain a utility called mbsafetch that is supposed to
automate this process. However, in our testing we were unable to get this utility to work
properly.
Edit patchlist files to include the required command line arguments.
Once all the patches are downloaded and it is known what arguments are required for
proper installation of the hotfixes, the patchlist files need to be edited to include
the required command line arguments. Instead of doing it by hand, you can use the included
mbsaswitch tool to add/change startup switches for a specific product
hotfix, or all of them at once, as in the following examples:
Run mbsaexec on each target machine as an account with administrative
privileges and with write permission to \\SERVER\SHARE. You can do this
remotely using the included tool mbsaremote as below:
mbsaremote \\SERVER\SHARE [username] [password]
This will execute mbsaexec on all target machines, which will then
execute every line in \\SERVER\SHARE\PatchList\[TARGETNAME].patchlist
text file, one at a time. The output of this command is a result of the execution
of mbsaexec and not of the patch/hotfix installations.
The help file of mbsaexec is available by running the utility
without any command line arguments.
Check the results.
Review the results of mbsaremote. For each machine that is
patched a comma separated file will be generated that lists the exit information
from each hotfix's execution. These log files will be generated in
\\SERVER\SHARE\Logs\[TARGETNAME].csv. Reviewing the log files
will let you know if patches were successfully installed.
OTHER TASKS
The mbsaFU tool can be used to install updates, hotfixes and patches based upon the scans performed
by MBSA. However, given a bit of creative thinking (and the psexec utility), anything
can be installed using these tools. We have successfully used these utilities for remotely installing
Windows 2000 service packs, new versions of Internet Explorer, McAfee VirusScan DAT file updates, and
much more. We've even prototyped a method for remotely changing account passwords.
Using mbsaFU to accomplish these tasks, however, requires manually creating the patchlist
files and uploading the installation file into the Hotfix directory. Additionally,
these tasks are more successful if installation can be done with an unattended or silent
mode.
AUTOMATION
After becoming familiar with these tools it is possible to create command files (.CMD
or .BAT) to execute MBSA and use the mbsaFU utilities to perform the patching. Examples
of what can be done are contained in the readme and usage files of the
mbsaFU utility.
Because we are familiar with our environment (we know that the workstations on our network are
a specific operating system and patch level), we've been able to create script files that use these
utilities to force installation of newly released hotfixes. By creating and using these scripts we
avoid having to perform scans with MBSA and avoid having to use the mbsaparse
utility. If you are interested in our scripts, contact us.
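The steps under HOW THIS WORKS and the command files described in this section can be combined into a single script. The one below is an added example for this guide, not a script from mbsaFU or from the author's environment. It uses the mbsaparse and mbsaremote commands exactly as given above, together with the mbsacli /hf hotfix-scan options that mbsacli /? documents (-r for an IP address range, -u and -p for the common account, -o for the output format, -f for the results file). \\SERVER\SHARE, [first-ip]-[last-ip], [username] and [password] are placeholders; the -o tab output format is an assumption and must match the format the mbsaFU readme says mbsaparse expects. The manual step, downloading each [q-number].exe, is left to the administrator: the script stops and lists every outstanding download with its Knowledge Base URL, and only runs mbsaremote once every .exe.needed marker has its patch beside it.

```batch
@echo off
setlocal enabledelayedexpansion

rem ---- Placeholders: none of these values come from the guide ----
set SHARE=\\SERVER\SHARE
set RANGE=[first-ip]-[last-ip]
set ADMINUSER=[username]
set ADMINPASS=[password]
set RESULTS=%SHARE%\scanresults.txt

rem The mbsaFU tools must be started from their install directory; pushd maps the UNC
rem path to a temporary drive letter so that this works for a network share.
pushd "%SHARE%\mbsaFU"
if errorlevel 1 (
    echo Cannot open %SHARE%\mbsaFU
    exit /b 1
)

rem Pass /skipscan after the patches have been downloaded to go straight to the
rem download check, so the scan and parse are not repeated.
if /i "%~1"=="/skipscan" goto inventory

rem 1. Hotfix scan of the address range, saved to a file. ASSUMPTION: tab-delimited
rem    output is the format mbsaparse expects; confirm this against the mbsaFU readme.
mbsacli /hf -r %RANGE% -u %ADMINUSER% -p %ADMINPASS% -o tab -f "%RESULTS%"
if not exist "%RESULTS%" (
    echo No scan results were written to %RESULTS%
    popd
    exit /b 1
)

rem 2. Parse the scan results into the bin, HotFixes, Logs and PatchList directories.
type "%RESULTS%" | mbsaparse %SHARE%

:inventory
rem 3. Every [q-number].exe.needed marker without a matching [q-number].exe still has
rem    to be downloaded by hand from the Knowledge Base; list them and stop if any remain.
set MISSING=0
for /d %%P in ("%SHARE%\HotFixes\*") do (
    for %%F in ("%%P\*.exe.needed") do (
        rem the marker name minus its .needed suffix is the patch file name
        if not exist "%%P\%%~nF" (
            set /a MISSING+=1
            for %%Q in ("%%~nF") do echo Missing %%~nQ.exe for %%~nxP: http://support.microsoft.com?kbid=%%~nQ
        )
    )
)
if %MISSING% GTR 0 (
    echo %MISSING% patches still need to be downloaded into %SHARE%\HotFixes.
    echo Re-run this script with /skipscan once they are in place.
    popd
    exit /b 2
)

rem 4. Run mbsaexec on every target through mbsaremote.
mbsaremote %SHARE% %ADMINUSER% %ADMINPASS%

rem 5. Each patched machine writes Logs\[TARGETNAME].csv with the exit information of
rem    every hotfix it ran; show them so that failed installs can be spotted.
for %%L in ("%SHARE%\Logs\*.csv") do (
    echo ==== %%~nL ====
    type "%%L"
)
popd
endlocal
```

Run it once to scan, parse and list the downloads; add the required switches to the patchlist files (with mbsaswitch or by hand, as described above); then run it again with /skipscan to push the patches and display the per-machine logs. Because the exit codes in the Logs directory come from mbsaexec rather than from the hotfix installers, a clean run of this script still calls for a follow-up MBSA scan to confirm that the hotfixes are actually in place.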
PROBLEMS
Through the process of working with these utilities we have discovered several instances where
MBSA is unable to scan a remote workstation (and consequently mbsaFU is unable to remotely
patch it). Some of the issues are described below:
WinXP Firewall
Open the Properties window for the Local Area Connection from the Network
Connections control panel. On the Advanced tab, make sure that the Protect
my computer and... box is unchecked.
WinXP Simple File Sharing
Within Windows Explorer choose Folder Options from the Tools menu. On
the View tab, scroll to the bottom of the various properties and make sure that the
Use simple file sharing property is unchecked.
Invalid Local Security Settings (NT, 2000, XP)
From the Local Security Settings control panel within Administrative Tools
choose Local Policies -> User Rights Assignments. Ensure that the Access
this computer from the network policy has Administrators in its Security
Settings.
If you discover any additional problems or solutions, we would like to add them to this list in order
to help others use these techniques. Please email any additional information to
mis@eng.ufl.edu.