Windows Patch Management, Looking Beyond Windows
This article continues our coverage of patching solutions closely integrated into the Windows operating system and offered by Microsoft free of charge. The mechanisms discussed so far -- Critical Update Notification and its successor, Automatic Updates -- are fairly easy to implement and manage using the methods we have presented, but they come with several significant drawbacks. We continue our examination of free Windows patch management solutions with an eye on Shavlik Technologies' offerings and the Microsoft Baseline Security Analyzer, which add command-line and graphical interfaces, broader product coverage, and the reporting capabilities the built-in mechanisms lack (actual deployment remains the domain of Shavlik's commercial product).
First, they offer no control over which patches are deployed, and the installation schedule is limited to a daily or weekly run. While you can configure different registry settings across groups of clients to accomplish multi-stage deployment (by applying different Group Policy Objects to different sets of computers using WMI or security group filtering), with a larger number of clients this becomes difficult to maintain. Second, they offer no reporting functionality that would let the administrator determine the rate of success (or failure).
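As an added illustration, not part of the original article, the following script writes the registry values that a staged Automatic Updates rollout of this kind manipulates. The tier names, schedule and values are assumptions chosen for the example; in production the same values are delivered through Group Policy (Computer Configuration, Administrative Templates, Windows Components, Windows Update), with a WMI filter or security group filtering selecting each tier, and the reg add form shown here is what you would run on a test machine to confirm the effect before building the GPOs.

```batch
@echo off
rem Added example: staged Automatic Updates schedules written directly to the
rem policy key that the Windows Update GPO settings populate.
rem Tier names, schedule and values are assumptions for illustration.
set AUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

if /i "%1"=="pilot"      goto pilot
if /i "%1"=="production" goto production
if /i "%1"=="gpo-msi"    goto gpomsi
echo usage: %~nx0 pilot ^| production ^| gpo-msi
exit /b 1

:pilot
rem Tier 1: pilot machines download and install every day at 03:00.
rem AUOptions 4 = download and install on the schedule,
rem ScheduledInstallDay 0 = every day, ScheduledInstallTime = hour (0-23).
reg add %AUKEY% /v NoAutoUpdate         /t REG_DWORD /d 0 /f
reg add %AUKEY% /v AUOptions            /t REG_DWORD /d 4 /f
reg add %AUKEY% /v ScheduledInstallDay  /t REG_DWORD /d 0 /f
reg add %AUKEY% /v ScheduledInstallTime /t REG_DWORD /d 3 /f
goto done

:production
rem Tier 2: production machines download automatically but install only on
rem the weekly schedule (ScheduledInstallDay 1 = Sunday), so a patch released
rem during the week has already run on the pilot tier before it lands here.
reg add %AUKEY% /v NoAutoUpdate         /t REG_DWORD /d 0 /f
reg add %AUKEY% /v AUOptions            /t REG_DWORD /d 4 /f
reg add %AUKEY% /v ScheduledInstallDay  /t REG_DWORD /d 1 /f
reg add %AUKEY% /v ScheduledInstallTime /t REG_DWORD /d 3 /f
goto done

:gpomsi
rem Tier 3: machines that receive patches as MSI packages through Group Policy
rem Software Installation. Automatic Updates is switched off so it cannot
rem install anything outside that controlled process.
reg add %AUKEY% /v NoAutoUpdate /t REG_DWORD /d 1 /f
goto done

:done
rem Verify the result before turning the same values into a GPO.
reg query %AUKEY%
```

Two caveats worth remembering when the WMI route is chosen: a WMI filter such as `SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "PILOT%"` is only evaluated by Windows XP and Windows Server 2003 clients, while Windows 2000 ignores the filter and applies the GPO regardless, so a Windows 2000 shop has to fall back on security group filtering; and values written under the Policies key are overwritten at the next policy refresh, which is exactly why the GPO, not the script, must be the source of truth.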
One way to control which patches are deployed and when deployment starts is to install patches through the Software Installation portion of Group Policy. (This approach cannot be used with legacy, pre-Windows 2000 systems, which are not Group Policy-aware.) Using Group Policy this way requires packaging each patch as a Windows Installer package (.MSI format), which can be done with some of the free utilities provided by Microsoft, such as SMS Installer or WinINSTALL LE (cut-down versions of commercial, third-party products), or with more sophisticated (and fairly expensive) tools such as InstallShield or Wise for Windows Installer. Once a package is created, assign it under the Software Installation node in the Computer Configuration portion of a Group Policy Object linked to the target computers. Automatic Updates must then be disabled on those client computers; otherwise it would continue to install patches on its own schedule, outside the controlled process.
The one downside to this solution is that it lacks reporting capabilities.
To fill this gap, Microsoft brought in an independent company -- Shavlik Technologies -- to develop an appropriate utility. Shavlik produced HFNetChk (the name derives from HotFix Network Checker), a feature-limited version of its flagship product, HFNetChkPro, and the equivalent of Shavlik's own free tool, HFNetChkLT. This command line utility only inventories security patches; unlike the full-featured HFNetChkPro, it does not install the updates it finds missing. Another advantage of HFNetChkPro is that its scope extends beyond the range of operating systems and products supported by Windows Update. For more information on HFNetChk's capabilities and syntax, refer to Microsoft Knowledge Base article 303215.
Not long after its release, HFNetChk was superseded by the Microsoft Baseline Security Analyzer (MBSA), now in version 1.2, which offers both graphical and command line interfaces and evaluates security patch level as well as system configuration status (it is still limited to reporting and lacks any update functionality). MBSA's configuration checks cover password policy, local Administrators group membership, unnecessary services (the list can be customized by editing the Services.txt file in the MBSA installation folder), file system type, Guest account status, and a number of others related to products or services installed on the target computer (e.g., IIS, SQL Server, and Office).
The full list of programs supported by versions 1.2 and 1.1.1 of MBSA is found in Microsoft Knowledge Base article 306460.
Although Microsoft no longer offers HFNetChk for download (the updated version is obtainable from Shavlik), you can reach its functionality by launching the MBSA command-line interface, MBSACLI.EXE, with the /hf switch. Version 1.2 of MBSA, released recently, adds support for French, German, and Japanese (in addition to English), improved detection of missing security updates, and new system configuration checks (such as Internet Connection Firewall, Automatic Updates, and Internet Explorer zone configuration). MBSA 1.2 can be installed on Windows 2000, XP, and Server 2003, but its inventory also covers Windows NT 4.0, along with system components and services such as Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Windows Media Player 6.4 and later, Internet Information Server 4.0 and 5.0, Internet Explorer 5.01 and later, Office 2000 and later (local scans only), SQL Server 7.0 and 2000, Exchange 5.5 and later, Commerce Server, Content Management Server, BizTalk Server, and Host Integration Server.
Both MBSA and HFNetChk rely on information provided in an XML file named mssecure.xml, which by default is distributed as a compressed and digitally signed cab file (mssecure_1033.cab for English language scans), although you can force the use of a decompressed XML file by passing the -x switch to HFNetChk or to MBSACLI.EXE running in HFNetChk mode. The most recent version of the file is downloaded automatically as soon as either tool is launched and cached locally (so that later scans can run even when Internet access is unavailable). As explained in the first article of this series, there are two primary sources of mssecure.cab and mssecure.xml:
- The Microsoft Web site:
- The Shavlik Web site:
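The following script, added here as an example and not taken from the article or from Microsoft's documentation, runs the HFNetChk engine inside MBSA 1.2 against a list of hosts using a local, decompressed mssecure.xml, and then reduces the report to a per-host count of missing patches, which is the reporting step the built-in mechanisms leave out. The install path, host file, output paths and the exact wording matched in the report are assumptions; the switches are HFNetChk's own (-fh host file, -x data source, -o output format, -s suppression level, -f report file).

```batch
@echo off
rem Added example: inventory missing security patches on a list of hosts with
rem the HFNetChk engine exposed by MBSACLI /hf, then summarize per host.
rem Paths and host list are assumptions for illustration.
set MBSA=%ProgramFiles%\Microsoft Baseline Security Analyzer
set HOSTS=C:\patchaudit\hosts.txt
set DATA=C:\patchaudit\mssecure.xml
set REPORT=C:\patchaudit\hfnetchk.tab

rem -fh    one host name per line
rem -x     use this decompressed mssecure.xml instead of the downloaded cab
rem -o tab tab-delimited output, easier to post-process than the default wrap
rem -s 1   suppress NOTE lines, keep WARNING lines and missing patches
rem -f     write the report to a file instead of the console
rem Run under an account that is a local administrator on every target.
"%MBSA%\mbsacli.exe" /hf -fh "%HOSTS%" -x "%DATA%" -o tab -s 1 -f "%REPORT%"
if errorlevel 1 echo mbsacli returned %errorlevel%; check rights and Remote Registry on the targets

rem Crude reporting: count lines flagged as a missing patch for each host.
rem "Patch NOT Found" is the status HFNetChk prints for an absent fix; it is
rem matched case-insensitively in case the wording differs between builds.
rem The host match is a substring match, so a host named PC1 also matches
rem PC10; use unique names or tighten the pattern for real inventories.
for /f "usebackq delims=" %%h in ("%HOSTS%") do (
    for /f %%c in ('findstr /i /c:"%%h" "%REPORT%" ^| findstr /i /c:"Patch NOT Found" ^| find /c /v ""') do (
        echo %%h missing=%%c
    )
)
```

Two practical notes. Remote scans need the Remote Registry service running and the administrative shares reachable on each target, because the engine compares file versions and registry keys over the network; a host that fails those checks shows up as an error, not as "fully patched", so the error lines deserve a second pass before the summary is trusted. And the -x switch trades away the protection of the signed cab: whoever can write to the XML path can remove a bulletin and make a missing patch disappear from every report, so keep the decompressed file on a path only the scanning account can modify, or stay with the cab unless you have a specific reason not to.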