Getting Familiar with MBSA 1.2.1

Uploaded by bubblesradiographer (category: Servers), 4 Dec 2013

©2004. www.gc.peachnet.edu/it/abarker. All rights reserved.

Agenda

Overall Features and Design
  Tool Overview
  Scanning / Performance
  SUS / SMS
MBSA Details
  Limitations of MBSA v1.1.1
  What's new in MBSA v1.2.1
Scripting with MBSA v1.2.1


Overall Features and Design


Tool Overview

Single executable that runs on Microsoft Windows® 2000, Windows XP, and Windows Server 2003 (/hf local scan also works on Windows NT® 4.0 SP4).

Performs remote scans against Windows NT 4.0 SP4, Windows 2000, Windows XP, and Windows Server 2003 systems.

Focused on agent-less assessment, tactical deployment, being easy to use and easy to take advantage of.

Installer package contains:
  GUI (Mbsa.exe)
  Command-line interface (Mbsacli.exe)

Latest version is 1.2.1, just released August 16, 2004.

Prior versions are 1.1.1 and 1.2, released June 2003 and January 2004.


MBSA Console: How it works*

[Diagram: the MBSA console downloads MSSecure.cab from the Microsoft Download Center. MSSecure.cab carries bulletin IDs, product-specific updates, file data, registry data and KB article numbers.]

1. Run MBSA on admin system, specify targets.
2. Checks MBSA version, downloads MSSecure.cab and verifies digital signature.
3. Scans target systems for OS, OS components, and applications.
4. Parses MSSecure.cab to see if updates available.
5. Checks if the necessary updates are missing.
6. Generates time-stamped report of missing updates.

*Only covers security patch scanning capabilities, not security configuration detection issues.


Scanning

Two main engines
  MBSA engine for system configuration checks (about 60 different checks)
  HFNetChk engine for security update checks

MBSA-style scan
  System configuration checks and missing security updates
  Offered through MBSA GUI (Mbsa.exe) or CLI (Mbsacli.exe)
  Individual XML scan report created for each computer
  Single threaded

/hf style scan
  Only missing/installed security updates and SPs
  Offered through Mbsacli.exe using /hf switch
  Text output to screen or option to write text to file
  Multithreaded


Scale/Performance

Check                        Duration (seconds)   Network resources (bytes)
Windows vulnerabilities      9                    1 MB
Weak passwords               16                   3.2 MB
IIS vulnerabilities          2                    130 KB
SQL vulnerabilities          5                    200 KB
Security Updates (/nosum)    4                    6.5 MB
Total                        37                   11 MB
Security Updates (/sum)      10                   64 MB

Basis: Fully patched remote Windows XP SP1 on a busy 100-Mbps LAN


SUS Support

Perform security update scan by pointing to local SUS Server for approved updates.
  GUI: MBSA reads registry for SUS server info, or user types it in.
  Command line:
    Mbsacli.exe /sus "http://mysusserver"
    Mbsacli.exe /hf /sus "http://mysusserver"

Scans for approved updates on SUS server instead of all available updates.
  Reads ApprovedItems.txt file through HTTP on SUS server.


SMS Support

Compatibility with SMS 2.0 Software Update Services Feature Pack and SMS 2003
  Pushes /hf to each client to perform local scan (Mbsacli.exe /hf)
  Parses output
  SMS administrators can centrally distribute security updates to clients

SMS 2003 is currently using MBSA v1.2


MBSA Details


MBSA v1.1.1 Limitations

Note messages are displayed for patches that can't be confirmed
  Products that don't have detection
    MSXML for MS02-008 (multiple KBs for multiple versions)
  More than one patch for a single product targeted at a particular OS (Mssecure.xml schema limitation)
    DirectX® 9.0 for Windows 2000, Windows XP, Windows Server 2003 for MS03-030
    A version of an Internet Explorer 5.01 patch for Windows 2000 that differs from Internet Explorer 5.01 on Windows XP
  Sometimes can only check for registry key to determine if patch is installed
    Example: Common reg key for each Ntdll.dll version in MS03-007, whereas file version and checksums differ

When a non-security update overwrites files previously patched, MBSA flags the originally patched files as vulnerable.

No localized file details to use for checksum data, except for English.


What's New in the MBSA v1.2 Family

UI Improvements
  Tool localization (JA, DE, FR)
  MSSecure.xml localization support (as available)
  Upgrade support and new version notification

Revamped KB article 306460 (September 23, 2004)
  Complete list of products supported/unsupported
  Updated list of notes/warnings/product names

Additional Products
  Office Detection Tool integration (local scans only) for Office 2000 and later
  Microsoft Data Access Components (MDAC), Microsoft XML Core Services (MSXML), Microsoft Virtual Machine (JVM), eBiz

Detection
  Alternate file versions ('AFiles')
  Added Configuration Checks


Upgrade Notification


Event Logging


Supported Products

For Configuration Settings:
  Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
  Internet Information Services (IIS) 4.0, IIS 5.0, IIS 6.0
  SQL Server 7.0, SQL Server 2000
  Internet Explorer 5.01+
  Office 2000, Office XP, Office 2003

For Security Updates:
  Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
  IIS 4.0, IIS 5.0, IIS 6.0
  SQL Server 7.0, SQL Server 2000/Microsoft Data Engine (MSDE)
  Internet Explorer 5.01+
  Exchange 5.5, Exchange 2000, Exchange 2003
  Windows Media Player 6.4+
  Office 2000, Office XP, Office 2003
  MSXML versions 2.5, 2.6, 3.0, 4.0
  MDAC versions 2.5, 2.6, 2.7, 2.8
  Microsoft Virtual Machine (JVM)
  Commerce Server 2000, Commerce Server 2002
  Content Management Server 2001, Content Management Server 2002
  BizTalk® 2000, BizTalk 2002, BizTalk 2004
  Host Integration Server 2000, Host Integration Server 2004 (+SNA Server 4.0)


Alternate File Versions

"OR" logic to consider multiple sets of file details.
  Handle case of non-security updates overwriting security updates.
  A bulletin can have multiple patches for products targeted at different operating systems.
  Handle uniproc or multiproc patches, QFE/GDR branches: KB 824994 (Quick Fix Engineering / General Distribution Release)

Detection checks the list of alternate files: if none match, the missing patch message will reflect the file version of the first file entry listed in MSSecure (whether it be a FileChangeID or AFileChangeID).

Alternate files are listed as "AFileChangeID".
  MBSA 1.1.1 ignores AFileChangeID entries and only recognizes FileChangeID entries.
  Maximizes backward compatibility with MBSA v1.1.1 until customers upgrade.
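The "OR" logic described above, together with the v1.1.1 limitation noted earlier (a non-security update that overwrites patched files gets flagged as vulnerable), as an added Python illustration; this is not MBSA's or Microsoft's code. The data model is a constructed simplification of MSSecure: only the names FileChangeID and AFileChangeID come from the slides, while the bulletin/KB numbers, file versions, the per-entry ">=" version comparison and the dropping of checksum handling are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(text: str) -> tuple:
    """'5.0.2195.6824' -> (5, 0, 2195, 6824) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class FileEntry:
    """One set of file details for a patch, kept in the order MSSecure lists them."""
    kind: str       # "FileChangeID" (primary) or "AFileChangeID" (alternate)
    path: str       # file the patch replaces
    version: str    # version the patched file is expected to have (at least)


@dataclass(frozen=True)
class PatchEntry:
    bulletin: str
    kb: str
    files: List[FileEntry]


@dataclass(frozen=True)
class CheckResult:
    installed: bool
    matched_kind: Optional[str]   # entry kind that satisfied the check, if any
    expected_path: str            # file quoted in the report message
    expected_version: str         # version quoted in the report message


def check_patch(patch: PatchEntry, installed: Dict[str, str],
                honour_afiles: bool = True) -> CheckResult:
    """Decide whether `patch` is present, given {path: version} found on the target.

    honour_afiles=True  mimics MBSA 1.2: FileChangeID and AFileChangeID entries are
                        OR-ed, so a match on any one of them counts as installed.
    honour_afiles=False mimics MBSA 1.1.1, which ignores AFileChangeID entries.
    When nothing matches, the message quotes the first entry the engine considered,
    whether it was a FileChangeID or an AFileChangeID.
    """
    candidates = [f for f in patch.files
                  if honour_afiles or f.kind == "FileChangeID"]
    for entry in candidates:
        have = installed.get(entry.path)
        if have is not None and parse_version(have) >= parse_version(entry.version):
            return CheckResult(True, entry.kind, entry.path, entry.version)
    first = candidates[0] if candidates else patch.files[0]
    return CheckResult(False, None, first.path, first.version)


def describe(patch: PatchEntry, result: CheckResult) -> str:
    """Render a one-line report entry in the spirit of an MBSA installed/missing message."""
    if result.installed:
        return (f"{patch.bulletin} ({patch.kb}): installed, matched via "
                f"{result.matched_kind} {result.expected_path} {result.expected_version}")
    return (f"{patch.bulletin} ({patch.kb}): MISSING, expected "
            f"{result.expected_path} >= {result.expected_version}")


# Constructed sample data: bulletin id, KB number and file versions are made up.
# The two entries stand for builds from different servicing branches (QFE/GDR)
# that both contain the fix; branch version numbers are not ordered against each
# other, which is why MSSecure lists them as alternatives rather than as a range.
SAMPLE_PATCH = PatchEntry(
    bulletin="MSYY-NNN", kb="KB000000",
    files=[
        FileEntry("FileChangeID", "ntdll.dll", "5.0.2195.6824"),
        FileEntry("AFileChangeID", "ntdll.dll", "5.0.2195.6700"),
    ],
)
# Same patch with the alternate entry listed first, to show which version the
# "missing" message quotes.
ALT_FIRST_PATCH = PatchEntry(SAMPLE_PATCH.bulletin, SAMPLE_PATCH.kb,
                             list(reversed(SAMPLE_PATCH.files)))


if __name__ == "__main__":
    # Target whose ntdll.dll was overwritten by a non-security update from the
    # other branch: v1.2 recognises the fix via the AFileChangeID, v1.1.1 flags it.
    overwritten = {"ntdll.dll": "5.0.2195.6700"}
    print("v1.2  :", describe(SAMPLE_PATCH, check_patch(SAMPLE_PATCH, overwritten)))
    print("v1.1.1:", describe(SAMPLE_PATCH,
                              check_patch(SAMPLE_PATCH, overwritten, honour_afiles=False)))
```

Running the script shows the same target judged "installed" by the v1.2 logic and "MISSING" by the v1.1.1 logic, which is the false positive the limitations slide describes. Real MBSA additionally compares checksums when /sum is in effect; that step is left out here to keep the OR logic visible.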


Alternate File Versions in Detail


Other Improvements

File version checks on Multilingual User Interface (MUI) systems
  Fixes bug where MBSA detected wrong file version numbers on systems using MUI
  Issue was known problem with GetFileVersionInfo API on Windows 2000 systems

Guest account check
  Fixed bug where ForceGuest registry key wasn't checked (Guest account enabled is only flagged if simple file sharing isn't used and if ForceGuest isn't enabled; KB 290403)

Internet Explorer custom zone interpretation
  MBSA now interprets custom zone settings and compares to recommended default zone level settings

Event logging (with a link to Help and Support)

Outlook® zone check collapsed into Internet Explorer zone check and Office macro check


Additional Checks New to v1.2.1

Internet Connection Firewall (ICF)
  Check performed on local computer scans only
  Lists each network connection with ICF status (disabled/enabled and whether inbound ports are open)
  No listing of which ports are open

Automatic Updates (AU)
  Check performed on both local and remote machines
  MBSA flags if AU is not enabled, or if it is enabled but not configured to automatically download and install

Internet Explorer Enhanced Security Configuration (Internet Explorer hardening)
  Check performed on Windows Server® 2003 only
  Checks if IEESC is enabled for admins and non-admins


Details on Localized Patch Scans

MSSecure.cab files
  MBSA tries to download the .cab file that matches the operating system language of the scanned computer (so patch data will match the operating system).
  If that fails, MBSA will look in the local folder for a previously downloaded copy of this .cab file.
  If that fails, MBSA will fall back to using the English file.

Language of scanned computer determines if checksum checks are performed.
  If the operating system language of the scanned computer matches the MSSecure file language being used in the scan, then checksum checks will be performed.
  Explicitly calling /sum or /nosum will force or prevent the use of checksums.


Office Update Scans

Integrated Office Update Inventory Tool 2.1
  Office updates checked on local computer scans only, no remote checking
  Office tool downloads separate Office update database files (similar to HFNetChk downloading Mssecure.cab)
  Offline scanning uses a similar workaround for getting the detection catalog onto the scanning computer

Scanning limitations described in the following support article: "MBSA Version 1.2 Support for Microsoft Office Products"
  http://go.microsoft.com/fwlink/?LinkId=19025
  http://www.microsoft.com/technet/security/tools/mbsaqa.mspx

Users running mbsacli.exe /hf will not receive an Office updates scan
  Office detection logic not in HFNetChk
  Office patch data not in Mssecure.xml


Default Scan Options

MBSA scan (GUI)
  Uses -baseline, -v, -nosum
  -baseline aligns with Windows Update (WU) critical security updates
  By default, notes and warnings are still shown
  Checksum checks not performed (to match WU)

MBSA scan (Mbsacli.exe)
  Uses -sum
  Checksum checks performed
  By default, notes and warnings are still shown

HFNetChk scan (Mbsacli.exe /hf)
  Uses -sum
  Checksum checks performed
  Notes and warnings still shown by default


Requirements

XML Parser (MSXML version 3.0 or later with latest SP)
  go.microsoft.com/fwlink/?Linkid-16533

Required Services:
  Computer being scanned locally
    Workstation Service
    Server Service
    World Wide Web Service for IIS Vulnerability Checks
  Computer that is running MBSA and performs remote scans
    Workstation service
    Client for Microsoft Networks
  Computer being remotely scanned
    Server service
    Remote registry service
    File and Print Sharing


Requirements (2)

IIS Common Files (required on local computer when scanning remote IIS computers)

Firewall Ports
  Port 80 (HTTP): outbound from scanning computer; needed to download Mssecure.xml file
  TCP 139, 445: inbound to scanned computer(s); needed to scan remote computers
  UDP 137, 138: to authenticate to remote computer

User must be running as Local Administrator for scanning


Scan Connections

MBSA-style scans
  MBSA will try to verify each machine account
    NetWkstaGetInfo() (Windows for Workgroups)
    LookupAccountName (Win32 API)
    Gethostbyaddr (Windows Socket function)

HFNetChk-style scans
  HF engine looks for two IP ports (TCP 139, 445) required for scanning on each computer. Scan will fail if engine cannot connect to the ports. This does not rely on ICMP.


Scripting with MBSA v1.2.1


Scripting with MBSA v1.2.1

Scripts for leveraging MBSA into other solutions:
  Enable large-scale scanning and enable low-rights end-users to check their own compliance without calling the helpdesk
  Scan an unlimited number of computers or IP addresses from an input file
  Roll up the results across many reports into a single summary based on one or more bulletin IDs or check IDs

More info (available upon release): www.microsoft.com/technet/security/tools/mbsahome.mspx


Scripting with MBSA v1.2.1 (2)

Sample of rolling up the results across many reports into a single summary:
  Open the resulting XML file in Internet Explorer
  Click the >> button to show the computer list in each category
  Click the << button to collapse the computer name list
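The roll-up the slide describes (many per-computer XML reports combined into one summary, restricted to one or more bulletin IDs or check IDs), as an added Python example; it is not the Microsoft scripting sample the slides refer to. The report schema used here (SecScan/Machine, Check/ID, UpdateData/ID, IsInstalled) is an assumed simplification of an MBSA 1.2 report, and the host names, dates and bulletin numbers are constructed; adapt the element and attribute names to the reports your MBSA version actually writes.

```python
import glob
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple, Union

# Constructed sample reports, one per scanned computer (assumed simplified schema).
SAMPLE_REPORTS = [
    """<SecScan Machine="WKS01" Domain="LAB" Date="2004-09-01">
  <Check ID="500" Name="Windows Security Updates"><Detail>
    <UpdateData ID="MSYY-001" IsInstalled="false"><Title>Constructed update A</Title></UpdateData>
    <UpdateData ID="MSYY-002" IsInstalled="true"><Title>Constructed update B</Title></UpdateData>
  </Detail></Check>
  <Check ID="501" Name="IIS Security Updates"><Detail>
    <UpdateData ID="MSYY-003" IsInstalled="false"><Title>Constructed update C</Title></UpdateData>
  </Detail></Check>
</SecScan>""",
    """<SecScan Machine="WKS02" Domain="LAB" Date="2004-09-01">
  <Check ID="500" Name="Windows Security Updates"><Detail>
    <UpdateData ID="MSYY-001" IsInstalled="false"><Title>Constructed update A</Title></UpdateData>
    <UpdateData ID="MSYY-002" IsInstalled="false"><Title>Constructed update B</Title></UpdateData>
  </Detail></Check>
</SecScan>""",
    """<SecScan Machine="SRV01" Domain="LAB" Date="2004-09-02">
  <Check ID="500" Name="Windows Security Updates"><Detail>
    <UpdateData ID="MSYY-001" IsInstalled="true"><Title>Constructed update A</Title></UpdateData>
  </Detail></Check>
</SecScan>""",
]


def missing_updates(report_xml: Union[str, bytes],
                    check_ids: Optional[Set[str]] = None) -> Iterator[Tuple[str, str, str]]:
    """Yield (machine, check_id, bulletin_id) for every update a report marks as not installed."""
    root = ET.fromstring(report_xml)          # bytes input honours the XML declaration's encoding
    machine = root.get("Machine", "<unknown>")
    for check in root.iter("Check"):
        check_id = check.get("ID", "")
        if check_ids and check_id not in check_ids:
            continue
        for update in check.iter("UpdateData"):
            if update.get("IsInstalled", "").lower() == "false":
                yield machine, check_id, update.get("ID", "")


def rollup(reports: Iterable[Union[str, bytes]], bulletins: Optional[Set[str]] = None,
           check_ids: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Bulletin ID -> sorted machines missing it, across all reports.

    `bulletins` and `check_ids` are the two filters the slide mentions; either may be None.
    """
    summary: Dict[str, Set[str]] = defaultdict(set)
    for report_xml in reports:
        for machine, _check_id, bulletin in missing_updates(report_xml, check_ids):
            if bulletins and bulletin not in bulletins:
                continue
            summary[bulletin].add(machine)
    return {b: sorted(machines) for b, machines in sorted(summary.items())}


def to_summary_xml(summary: Dict[str, List[str]]) -> str:
    """Serialise the roll-up as a small XML document that a browser can display."""
    root = ET.Element("Summary")
    for bulletin, machines in summary.items():
        node = ET.SubElement(root, "Bulletin", ID=bulletin, MissingCount=str(len(machines)))
        for machine in machines:
            ET.SubElement(node, "Machine").text = machine
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python rollup.py <report-dir> [bulletin-id ...]
    # Without arguments the constructed sample reports are rolled up instead.
    if len(sys.argv) > 1:
        paths = sorted(glob.glob(f"{sys.argv[1]}/*.xml"))
        reports: Iterable[Union[str, bytes]] = (open(p, "rb").read() for p in paths)
        wanted: Optional[Set[str]] = set(sys.argv[2:]) or None
    else:
        reports, wanted = SAMPLE_REPORTS, None
    print(to_summary_xml(rollup(reports, bulletins=wanted)))
```

The summary keeps one `Bulletin` element per missing update with its `MissingCount` and the affected machines underneath, so a stylesheet or script can expand and collapse the computer list per category the way the slide's sample does. Restricting by check ID (for example only the IIS security update check) is useful when a team owns one product tier rather than whole machines.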


Questions?

Caveats
  MSSecure.xml not publicly supported
  MSSecure.xml only supported for MBSA
  Classic File Sharing supported

PowerPoint, Scripts, and Notes: http://www.gc.peachnet.edu/it/abarker

Thank YOU!


MBSA Support

MBSA public newsgroup
  News server: msnews.microsoft.com
  Newsgroup: microsoft.public.security.baseline_analyzer

Internet resources
  Home page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  FAQ: http://www.microsoft.com/technet/security/tools/mbsaqa.mspx
  Technical white paper: http://www.microsoft.com/technet/security/tools/mbsawp.mspx
  KB 320454 (main MBSA KB article)
  KB 306460 (note messages KB article)
  Scripting with the Microsoft Baseline Security Analyzer v1.2: http://www.microsoft.com/technet/security/tools/mbsascript.mspx
  MBSA Version 1.2 Support for Microsoft Office Products: http://www.microsoft.com/en-us/assistance/HA010884161033.aspx