
The HFNetChk Tool and MBSA

MBSA uses a command-line tool to expose all of the options previously available through HFNetChk for scanning the target computer(s). You now use the mbsacli.exe command-line utility to obtain the information that used to be acquired through HFNetChk. The mbsacli.exe utility has a large list of options that make it extremely flexible. The reason you'll probably want to run MBSA rather than mbsacli.exe from the command line is that MBSA has a GUI front end that makes it easier to manage and navigate. The command-line interface of mbsacli.exe allows it to be used in scheduled tasks and as part of many different scripts.

To view the syntax for mbsacli.exe, type mbsacli.exe /? at a command prompt. Table 3.1 describes each of the switches.

TABLE 3.1  The HFNetChk Switches

/hf Switch  Description

/c          Scan a single computer by computer name.
/i          Scan a single computer by IP address.
/r          Scan multiple computers by scanning a range of IP addresses.
/d          Scan all computers in a domain.
/n          Select which scans not to perform. By default, all checks are run, including OS, SQL, IIS, Updates, and Password. Multiple selections can be made by using the + symbol (no spaces).
/o          Output is in XML file format.
/f          Redirect output to a file.
/qp         Do not display the progress of the scan.
/qe         Do not display the error list.
/s 0        Do not display the report list.
/s 1        Do not suppress the security update check notes.
/s 2        Suppress security update check notes and warnings.
/nosum      Security update checks will not test file checksums.
/sus        Check only security updates approved at the specified Software Update Services (SUS) server. The /sus switch includes the /nosum switch. Include /sum to override the /nosum that is implied.
/e          List errors from the latest scan.
/l          List all reports available.
/ls         List reports from the latest scan.
/lr         Display the overview report.
/ld         Display a detailed report.
/v          Display the security update reason codes.
/hf         Run mbsacli in HFNetChk mode.
-h          Specify the NetBIOS computer name to scan. The default is the local host. You can scan multiple host names if you separate each host name entry with a comma, as follows: hfnetchk -h computer1,computer2,server1,server2.
-fh         Specify the name of a file that contains NetBIOS computer names to scan. There is one computer name on every line, with a maximum of 256 in every file.
-i          Specify the IP address of the computer to scan. As with NetBIOS names, you can scan multiple IP addresses if you separate each IP address entry with a comma.
-fip        Specify the name of a file that contains IP addresses to scan. There is one IP address on every line, with a maximum of 256 in each file.
-r          Specify the IP address range to be scanned, beginning with ipaddress1 and ending with ipaddress2 inclusive, for example: hfnetchk -r 172.16.1.1-172.16.1.35.
-d          Specify the domain name to scan. All computers in the domain are scanned.
-n          Specify that all computers on the local network are to be scanned. This switch is similar to the -d switch for a domain, but all computers from all domains in My Network Places are scanned.
-history    Display hotfixes that have been explicitly installed. Explicitly installed hotfixes are individually installed, as opposed to being installed in a group via a rollup package.
-b          Scan your computer for hotfixes that are marked as baseline critical by the Microsoft Security Response Center (MSRC). To perform a baseline scan, your computer must be running the latest service pack that is available for your operating system.
-t          Display the number of threads that are used to run the scan. Possible values are from 1 through 128. The default value is 64. You can use this switch to throttle down (or up) the speed of the scanner.
-o          Specify the desired output format. The (tab) value outputs in tab-delimited format; the (wrap) value outputs in a word-wrapped format. Use the tab output when scanning more than 255 hosts. The default is wrap.
-x          Specify the XML data source for the hotfix information. The default is the Mssecure.cab file from Microsoft's website.
-s          Eliminate the NOTE and WARNING messages in the output of the tool. The number 1 = NOTE messages only. The number 2 = both NOTE and WARNING messages. The default is no suppression.
-nosum      Prevent the tool from performing checksum validation for the hotfix files. The checksum information for all hotfixes is found in the Mssecure.xml file.
-z          Prevent the tool from performing Registry checks.
-v          Display the reason that a scan did not work in wrap mode.
-f          Specify the name of a file to output the results to.
-u          Specify the username to use when scanning local or remote computer(s). You must use this switch with the -p (password) switch.
-p          Specify the password to use to help create the security context under which the tool will run. This switch must be used with the -u switch.
-about      Display information about HFNetChk.
-?          Display a help menu.

You can find a public newsgroup dedicated to the HFNetChk tool at microsoft.public.security.hfnetchk on the news.microsoft.com website.

HFNetChk is a good tool to use for scanning individual computers or a range of computers. However, it can be used only to scan for security updates and service packs. MBSA not only provides a graphical user interface (GUI), it also provides much greater functionality. MBSA can scan Windows computers for security practices such as identifying weak passwords and missing passwords. MBSA can also be used to scan IIS and SQL servers for common configuration problems.

Microsoft Office, Outlook, and Internet Explorer can also be scanned for security configuration problems using MBSA. The current release of MBSA, V1.2, combines the functionality of earlier versions of MBSA with HFNetChk in a single product.


A new feature of MBSA is that it will use your current SUS server to identify the hotfixes and service packs that have been approved for the company. The results of the MBSA scan will identify only approved fixes that have not been implemented.

If you want a quick and clean report on which updates are installed on a single computer or a range of computers, HFNetChk is a great tool to use. The differentiating factor between using HFNetChk vs. MBSA is not the number of computers scanned, but the desired information. If you want just a report listing the updates that are not installed, HFNetChk is the tool to use.

If you want to check for other items, such as IIS and SQL vulnerabilities, use MBSA.
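As an added example (not from the book), the following batch file shows how mbsacli.exe can be driven from a scheduled task using only switches from Table 3.1: one pass in HFNetChk mode against a host list and one pass in native MBSA mode against the local domain. The paths (mbsacli.exe on the PATH, C:\MBSA\hosts.txt, C:\MBSA\Reports) and the US-format %DATE% layout are assumptions.

```batch
@echo off
REM Added example, not from the book: a scheduled-task wrapper around mbsacli.exe.
REM Assumed (hypothetical) paths: mbsacli.exe on the PATH, one NetBIOS name per
REM line in C:\MBSA\hosts.txt (the -fh file format), reports under C:\MBSA\Reports.
setlocal
set HOSTFILE=C:\MBSA\hosts.txt
set REPORTDIR=C:\MBSA\Reports

REM Date stamp (YYYYMMDD) so each run keeps its own report. %DATE% is locale
REM dependent; this assumes the US "Ddd MM/DD/YYYY" layout.
set STAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

if not exist "%HOSTFILE%" (
    echo Host list %HOSTFILE% not found.
    exit /b 1
)
if not exist "%REPORTDIR%" mkdir "%REPORTDIR%"

REM No -u/-p here: run the scheduled task under an account that already has
REM administrative rights on the targets, so no password is stored in the script.

REM Scan 1: HFNetChk mode. Missing updates only, tab-delimited output (-o tab)
REM for easy parsing, NOTE messages suppressed (-s 1), 16 scan threads (-t 16).
REM Checksum validation stays on; /nosum and -nosum are deliberately not used.
mbsacli.exe /hf -fh "%HOSTFILE%" -o tab -s 1 -t 16 -f "%REPORTDIR%\hotfix_%STAMP%.txt"
if errorlevel 1 echo HFNetChk-mode scan exited with code %ERRORLEVEL%.

REM Scan 2: native MBSA mode against the local domain. /n IIS+SQL skips the IIS
REM and SQL checks (note the + separator with no spaces); the OS, Updates and
REM Password checks still run. /qp keeps the progress display out of the file.
mbsacli.exe /d %USERDOMAIN% /n IIS+SQL /qp /f "%REPORTDIR%\mbsa_%STAMP%.txt"
if errorlevel 1 echo MBSA-mode scan exited with code %ERRORLEVEL%.

REM /ls lists the reports produced by the latest scan; /ld displays one in detail.
mbsacli.exe /ls
endlocal
```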

Slipstreaming

Slipstreaming is a method for incorporating a service pack into the base install files on an installation point so that when a new installation occurs, the service pack is automatically installed. Slipstreaming removes the need to install the service pack separately.

To slipstream a service pack into a distribution share point, take these steps:

1. Create a distribution folder where you want the installation files to be held.

2. Copy the I386 folder contents from the Windows 2000 CD-ROM. Be sure to copy all of the subfolders too.

3. Run the service pack with the following syntax:

Update.exe -s:c:\<folder_name>

This command copies all the service pack files over the original installation files. Then, whenever a new installation is performed using these files, the service pack that was slipstreamed into the installation point is automatically installed.
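The three steps above as an added batch script (not from the book) that checks each step before moving on to the next. It assumes the Windows 2000 CD is in drive D:, the service pack has already been extracted to C:\SP (so Update.exe sits in C:\SP\i386\update), and the new distribution folder is C:\W2K_SP; all three paths are hypothetical.

```batch
@echo off
REM Added example, not from the book: slipstream a service pack into a Windows 2000
REM distribution share. Hypothetical paths: CD in D:, service pack extracted to
REM C:\SP (Update.exe in C:\SP\i386\update), distribution folder C:\W2K_SP.
setlocal
set CDROM=D:
set DIST=C:\W2K_SP
set SPUPDATE=C:\SP\i386\update\Update.exe

REM Step 1: create the distribution folder.
if not exist "%DIST%\i386" mkdir "%DIST%\i386"

REM Step 2: copy the I386 folder and all its subfolders (/E), including hidden
REM and system files (/H); /I treats the destination as a folder, /K keeps
REM attributes. ntoskrnl.ex_ is used as a quick check that the CD is present.
if not exist "%CDROM%\i386\ntoskrnl.ex_" (
    echo Windows 2000 CD not found in %CDROM%.
    exit /b 1
)
xcopy "%CDROM%\i386" "%DIST%\i386" /E /H /I /K
if errorlevel 1 (
    echo Copy failed with error %ERRORLEVEL%.
    exit /b 1
)

REM Step 3: apply the service pack to the share. -s: integrates the files into
REM the distribution folder (the one that contains i386) instead of installing.
if not exist "%SPUPDATE%" (
    echo %SPUPDATE% not found; extract the service pack package first.
    exit /b 1
)
"%SPUPDATE%" -s:%DIST%
if errorlevel 1 (
    echo Update.exe failed with error %ERRORLEVEL%.
    exit /b 1
)
echo Slipstream into %DIST% complete.
endlocal
```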

In Exercise 3.3, you will slipstream Service Pack 3 into a Windows 2000 installation share point. The process is similar for Windows Server 2003.