Windows XP Security - Microsoft Baseline Security Analyzer Patch Check and Security Tests
(Page 4 of 6 )
Windows Update is a good way to update a few computers on your network, but it’s a bad strategy for a large network because it requires user intervention and isn’t easily automated. As you’ll discover in Chapter 9, Microsoft has a better way to automate patch rollout on more than a handful of computers using their Software Update Services package. However, neither option offers a good, sweeping way of determining the update level of your machines.
To fill this need, Microsoft has issued the Baseline Security Analyzer (MBSA) tool, which will query each machine on your network and detect which available patches haven’t been installed. The tool is simple to use, easy to automate, and is more suited to a mass analysis than Windows Update. However, it lacks the intelligence and logic of its web-based counterpart. You’ll probably see a lot of updates that don’t pertain to your machines, even though they aren’t installed. It’s up to you to verify that the specific patch listed in the results from the MBSA session doesn’t apply to specific machines on your network. You’ll also need to reboot after each patch application.
Installing Microsoft Baseline Security Analyzer To install MBSA, follow this procedure:
- Go to http://www.microsoft.com and search for hfnetchk. (I would include a link, but Microsoft has a tendency to change their website around quite often.)
- Download, execute, and install the program to c:\hfnetchk.
- At the command prompt, enter hfnetchk –z –v.
The –z and –v switches tell the MBSA tool to go out and download a database of all available patches. It will then scan a computer or set of computers for patches that haven’t been installed, and indicate which haven’t been installed along with the Microsoft Knowledge Base article number. You can look up the appropriate patch using the number provided by the MBSA at http://www.microsoft.com/support.
Penetration Tests Many security vendors provide free or low-cost online tools that evaluate the security of your system, of course with the underlying motive of persuading you to buy their product. These tools are most often a “penetration test” that can indicate how effectively you’ve hardened your system.
Symantec offers their security check, as well as other tools, at http://security.symantec.com. Here you can scan for holes in your computer’s external interfaces—a very basic penetration test—or scan for viruses that might be present on your system, and track a cracker’s location if you have his source IP. If you’ve followed the steps in this chapter so far, I highly recommend taking advantage of the Scan for Security Risks option to ensure that you haven’t missed anything. In addition to probing your open ports, the option can also detect some Trojan horse viruses that can invade your computer and open a back door.
There’s one thing you should be aware of: Each of these Symantec tools download to your system Active X content, which of course should at least give a competent, astute administrator pause. It’s up to you to trust a particular vendor. Generally, the more popular security-testing sites will have the most robust scanning tools.
Steve Gibson, of the venerable Gibson Research Corporation, has also made available the popular ShieldsUp! test, which is available at http://www.grc.com. It performs much the same function as the Symantec tools.
Next: File System Security >>
More Windows Security Articles
More By Apress Publishing
|
 This article is taken from chapter four of the book Hardening Windows, written by Jonathan Hassell (Apress, 2004; ISBN: 1590592662). Check it out at your favorite bookstore. Buy this book now.
|
|
