Windows Host Security: Network Security Hacks
(Page 1 of 8 )
This chapter shows you some ways to keep your Windows system up-to-date and secure. Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort. (
Network Security Hacks by Andrew Lockhart, O'Reilly Media, ISBN: 0596006438, 2004.)
This chapter shows you some ways to keep your Windows system up-to-date and secure, thereby making your network a safer place to work (and have fun). Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort.
One of the main reasons that Windows gets a bad rap is the poorly administered state in which Windows machines seem to be kept. The recent deluge of worm and virus attacks that have brought down many a network shows this to hold true. Alot of this can be traced back to the “ease” of administration that Windows seems to provide by effectively keeping the Windows administrator out of the loop about the inner workings of her environment—effectively wresting control from the system administrator’s hands.
This chapter seeks to remedy that to some degree by showing you ways to see exactly what your server is really doing. While this may seem old hat to a Unix sysadmin, getting details on open ports and running services is often a new concept to the average Windows administrator. In addition, this chapter shows you how to disable some Windows “features,” such as sharing out all your files automatically and truncating log files. You’ll also learn how to enable some of the auditing and logging features of Windows, to give you early warning of possible security incidents (rather than waiting for the angry phone call from someone at the wrong end of a denial-of-service attack originating from your network).
Hack 21: Check Servers for Applied Patches
Make sure your Windows servers have the latest patches installed.
Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult on Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. Nevertheless, before you even attempt to update your systems, you need to know which updates have been applied to each system; otherwise, you might waste time and effort updating systems that don’t need it. Clearly, this problem gets more difficult as the number of systems that need to be managed increases. We can avoid much of the extra work of manually updating systems by using the tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft’s Baseline Security Analyzer (search http://download.microsoft.com) and is available through its command-line interface, mbsacli.exe.
Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won’t actually bring the system up-to-date), it is still an invaluable timesaving tool. HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the registry keys modified by each update. Additional dependency information is also included. When scanning a system, HFNetChk will first scan the registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these registry keys are missing or do not match what is contained in the XML file, it will flag the update as not having been installed. If the registry key for an update is present and matches the information in the XML file, HFNetChk will then attempt to verify whether the files specified in the update information are present on the system and whether their version and checksum matches. If any of the checks fail, the update will be flagged. All flagged updates are then displayed in a report, along with a reference to the Microsoft Knowledge Base article with more information on the specific update.
To get HFNetChk installed on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer) is the default).
To check the update status of the local system, run this command:
C:\> Program Files\Microsoft Baseline Security Analyzer> mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.1.1
Powered by HFNetChk Technology - Version 3.82.0.1
Copyright (C) Shavlik Technologies, 2001-2003
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)
Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages
Attempting to get cab from http://go.microsoft.com/fwlink/?LinkId=16932
XML successfully loaded.
Scanning PLUNDER
.............................
Done scanning PLUNDER
----------------------------
PLUNDER(192.168.0.65)
----------------------------
* WINDOWS XP SP1
Note MS02-008 317244
Warning MS02-055 323255
Note MS03-008 814078
Note MS03-030 819696
Patch NOT Found MS03-041 823182
Patch NOT Found MS03-044 825119
Patch NOT Found MS03-045 824141
Patch NOT Found MS03-049 828035
Note MS03-051 813360
* INTERNET EXPLORER 6 SP1
Patch NOT Found MS03-048 824145
* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1
Information
All necessary hotfixes have been applied.
The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.
 | If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!
Visit the O'Reilly Network http://www.oreillynet.com for more online content. |
Next: Run the Verbose Switch >>
More Windows Security Articles
More By O'Reilly Media
