Introduction

One of the topics that an Exchange administrator needs to care about is the level of security of the Exchange servers regarding the patching level from the Security Update.

In wide IT environment, Security Updates are most of the time in charge of a dedicated administrator responsible for security updates deployment using application such like Microsoft Windows Server Update Services (WSUS). In some scenario, this means that the Exchange admin depends on the WSUS admin to have a global report of the fixes applied or not on a bunch of servers. One of the main consequences in that case is that some delay may occur to get the information.

We here propose to provide an easy and automate way to get the information on demand from a single workstation using command lines based on:

  • Microsoft Baseline Security Analyzer (MBSA) v.2.0.1 (available for download here)
  • MBSA 2.0 Scripting Samples (available for download here)

The purpose of the batch will be to run MBSA against several identified remote servers, and then parse all MBSA reports produced into a single XML file to get a global overview of all servers security update version.

Also, some corporate networks are protected from the Internet by a proxy and/or a firewall. The provided solution will help to not perform scanning against the Microsoft Update website, but using the offline security update cabinet file (WSUSScn2.cab)

As always, some requirements need to be fulfilled...

...On the workstation and the remote computers

  • It is imperative that all remote computers needed to be scan have been updated with the latest version of the Windows Update Agent (WUA) (available here).
  • In some case, the latest Windows Installer program should also be installed (available here).

...On the workstation only

Since security updates are released on the regular basis, it is mandatory to update frequently the offline security update cabinet file WSUSScn2.cab.

This cabinet is available in direct download using the following link http://go.microsoft.com/fwlink/?LinkId=76054.

Download the cabinet on the workstation, and move it in a directory ease of access. (ex: C:\Temp)

If you wish to include the download of the cabinet within the automation job, you will have to create the proper script. If you use a proxy authentication to get access to the Internet, the script should include code to provide the necessary credentials.

If you are not that involved with scripting, there are command line tools available on the Internet which permit downloading a file from a URL. Some tools even include parameters to perform an authentication against the proxy server.

Microsoft Baseline Security Analyzer (MBSA) v.2.0.1

If you are already familiar with MBSA, then you know that the GUI version allow you to generate report of remote servers from a workstation.

But did you know that MBSA also includes a command line tool allowing you to perform the same type of tasks and even more: MBSACli.exe.

When you need to scan several computers, you can only specify an IP range using MBSA GUI, while with MBSACli you are able to specify a list of the computers to be scanned.

For all command line parameters, type "mbsacli.exe /?" from a command prompt.

We here proposed to run MBSACli.exe using the following parameters:

mbsacli.exe /nd /nai /nvc /wi /catalog <path>\wsusscn2.cab /listfile <path>\servers.txt

/nd: To avoid any download from the Internet

/nai: To avoid WUA updates on the workstation that run MBSA, but also on remote servers.

/nvc: To avoid check for new version of MBSA

/wi: Permit to display all updates, even ones rejected by the WSUS server. Particularly useful for Exchange admin not allowed binding against SUS server.

/catalog:<path>\wsusscn2.cab
Permit to point MBSA to the local update cabinet. In our scenario, the cabinet is located on the workstation running MBSA. Though, we are here by-passing the use of an Internet connection.

/listfile <path>\servers.txt
The servers.txt file contains NetBIOS name or FQDN name list in column of all servers to be scanned.

MBSA 2.0 Scripting Samples

After MBSACli.exe has run, we now have as many of MBSA report generated as number of servers to scan in the "servers.txt" file.

By default, all MBSA report uses the .mbsa file extension and are located within the following path on the workstation: "C:\Documents and Settings\<username>\SecurityScans"

The setup of MBSA 2.0 Scripting Samples is in fact an uncompressed installation. The default setup process proposes you to extract the files wherever you want.

Once you've performed the setup process, locate the rollup.js script file within the unzipped folder.

This script will allow parsing all MBSA reports into one single xml report as showed below:

With such report, we are able to have a global overview of all fixes installed or not on remote servers.

To perform such task, run the following command:

cscript /nologo rollup.js -b>c:\XMLReportName.xml

With this command line, all MBSA reports will be compiling within the XMLReportName.xml file.

The XML file can be opened in Internet Explorer for reading. In order to transmit the XML report to another person, you will need to attach the rollup.xslt to the XML due to file dependencies.

Also, there is no need to have MBSA installed to read the XML report.

You will notice that MBSA reports names or folder path isn't mentioned in the command line. This means that by default, the command line will run against ALL reports located within the MBSA "SecurityScans" default path.

Consequence is that prior any automation, you would need to perform a cleanup (deletion or archiving) of the "SecurityScans" directory content, using for example, the following command line:

Del %Userprofile%\SecurityScans\*.* /Q

Note: Another use of the rollup.js script would be to run against all MBSA report to provide information only regarding a specific bunch of security updates. To do so, run the following command:

cscript /nologo rollup.js –b MS06-019 MS06-029>c:\XMLReportName.xml

Such command line can be useful following a maintenance period on the environment to check that identified security updates have been properly installed on identified servers.

Conclusion

We are now able to compile all seen command lines into a single batch file as follow:

1. Clean all previous MBSA report

Del %Userprofile%\SecurityScans\*.* /Q

2. Download latest WSusscn2.cab (using a script or other appropriate solution)

3. Perform new bundle of MBSA reports

mbsacli.exe /nd /nai /nvc /wi /catalog <path>\wsusscn2.cab /listfile <path>\servers.txt

4. Parse all MBSA reports into a single XML file

cscript /nologo rollup.js -b>c:\XMLReportName.xml

With this solution, Exchange Administrators are able to have a global overview on periodic basis of the current state of the Exchange servers regarding Security Fixes.

References

Windows Installer 3.1 v2 (3.1.4000.2435) is available
http://support.microsoft.com/kb/893803

A new version of the Windows Update offline scan file is available
http://support.microsoft.com/kb/926464

MBSA 2.0 Scripting Samples
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042&displaylang=en

Microsoft Baseline Security Analyzer v2.0.1 (for IT Professionals)
http://www.microsoft.com/downloads/details.aspx?FamilyId=4B4ABA06-B5F9-4DAD-BE9D-7B51EC2E5AC9&displaylang=en

- Jeremy Gagne