Solved

risks in installing microsoft baseline security analyser on live server

Posted on 2016-09-26
3
113 Views
Last Modified: 2016-09-26
We are trying to do some report for patch status of all servers in our domain, but due to firewall settings the MBSA remote scans are not completing in full, namely the security update status section of the report. The admins would prefer not to amend firewall rules to suit, so suggested installing the software locally and running the scans that way. As I am not a Windows server admin, can you foresee any issues in doing so? I don't believe it requires a reboot based on a test installation on a Windows & laptop, but I wondered if you can think of anything else to worry about in such an installation on a live server; the last thing we want to do is cause any performance or downtime on critical live servers. It seems quite a safe install to a novice, but maybe you can enlighten me on the risks in installing such software on a live system.
0
Question by:pma111
3 Comments
 
LVL 28

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 125 total points
ID: 41815762
IMO, it is considerably safer to amend firewall rules than to go out and install new software on every server, especially when it is software that gets close to the operating system.

Second, point out to the objecting administrators that every single server will have its own copy of MBSA which must be individually monitored, maintained and serviced by somebody.  Figure four hours for the initial install plus another hour a week, fifty-six hours per server per year.  At internal recharge of $150/hour, that's $8400 of time per server per year.  Who will be putting the money in their budget for that?

(Cut the above to 15 minutes per week and it is still 14 hours per server per year, $2100 that has to come from somewhere.)
0
 
LVL 55

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 41815805
No, MBSA does not "get close to the operating system", no worries. It does not install drivers or anything with virtual drivers. Nevertheless, it should be no problem to add a firewall rule to all servers that just allows all inbound traffic from the IP you are scanning from for a few minutes and later on delete it again.
1
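The temporary, narrowly scoped rule McKnife describes, as an added PowerShell example (not code from the thread): it opens only the MBSA ports listed later in this thread, only from the scanning host, and removes the rule again when the window expires or the script is interrupted. `$ScannerIP` is a placeholder; the 30-minute window and the Domain profile are assumptions.

```powershell
# Added example: temporary, scoped Windows Firewall rule for an MBSA remote scan.
# Assumes Windows Server 2012 or later (NetSecurity module available).
$ScannerIP = '10.0.0.50'          # placeholder: address of the host running MBSA
$RuleName  = 'MBSA-Scan-Temp'
$Window    = New-TimeSpan -Minutes 30   # assumed scan window

# Ports MBSA needs for remote scans: TCP 135/139/445 and UDP 137/138.
$Ports = @(
    @{ Protocol = 'TCP'; Port = @('135', '139', '445') },
    @{ Protocol = 'UDP'; Port = @('137', '138') }
)

foreach ($p in $Ports) {
    New-NetFirewallRule -DisplayName "$RuleName-$($p.Protocol)" `
        -Direction Inbound -Action Allow -Profile Domain `
        -RemoteAddress $ScannerIP -Protocol $p.Protocol -LocalPort $p.Port `
        -Description "Temporary MBSA scan access, created $(Get-Date -Format o)" | Out-Null
}

# Show the effective scope so the change can be reviewed before the scan starts.
Get-NetFirewallRule -DisplayName "$RuleName-*" |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress

try {
    Write-Host "Rule '$RuleName' active for $($Window.TotalMinutes) minutes; run the MBSA scan now."
    Start-Sleep -Seconds $Window.TotalSeconds
}
finally {
    # Runs even on Ctrl+C, so the opening never outlives the scan window.
    Get-NetFirewallRule -DisplayName "$RuleName-*" | Remove-NetFirewallRule
    Write-Host "Rule '$RuleName' removed."
}
```

Run it from an elevated PowerShell session on each server (or via remoting) while the MBSA scan is performed; the rule is only ever scoped to `$ScannerIP`, never to any source.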
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points
ID: 41815846
MBSA requires the remote computer scans to be performed using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. These ports are recommended in best practice to be disallowed by default.

So you need to identify the missing patch locally and download the patch to test on a similar build in a staging environment prior to the actual downtime called for the production server update rollout. You need to ensure snapshots are taken and ready for rollback in case there are complications during or after the patch.

You should do a Microsoft Windows Update (WU) offline scan (using "Wsusscn2.cab").

How do I check to see if I have the current wsusscn2.cab file for offline use in a secure environment?

Because clients can be scanned using an online source (Microsoft Update or an assigned Update Services server) in addition to the offline catalog (wsusscn2.cab), the report can include a specific heading called "Catalog synchronization date". If the offline catalog was used, the time that catalog was generated is displayed in the report and can be used to determine if the latest catalog was used. To check the version of the offline catalog, follow these procedures:

Step 1: If you do not have the file, download it from http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.

Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab using any program able to view an archive file type of *.cab.

Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.

Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2010-08-09T22:13:59Z" (for example). Use the value you find to determine when the file was generated by Microsoft.

Source: https://technet.microsoft.com/en-us/security/cc184922

For offline patching after scan, you can consider http://download.wsusoffline.net. In short, using "WSUS Offline Update", you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection.
0
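Steps 1 to 4 above, done without a GUI archive viewer, as an added PowerShell example (not code from the thread or from Microsoft): it extracts package.cab and then package.xml with the built-in expand.exe, reads the OfflineSyncPackage CreationDate, and warns when the catalog is older than an assumed threshold. The default catalog path uses the modern %LOCALAPPDATA% location rather than the Windows XP-era path quoted above; `$MaxAgeDays` is an assumption.

```powershell
# Added example: report the creation date of an offline wsusscn2.cab catalog.
# Assumes expand.exe (ships with Windows) and a downloaded catalog at $CabPath.
param(
    [string]$CabPath = "$env:LOCALAPPDATA\Microsoft\MBSA\Cache\wsusscn2.cab",
    [int]$MaxAgeDays = 30   # assumed freshness threshold
)

if (-not (Test-Path -LiteralPath $CabPath)) {
    throw "Offline catalog not found: $CabPath"
}

# Use a throwaway folder: package.cab is nested inside wsusscn2.cab,
# and package.xml is nested inside package.cab.
$Work = Join-Path $env:TEMP ("wsusscn2-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $Work | Out-Null
try {
    & expand.exe $CabPath -F:package.cab $Work | Out-Null
    & expand.exe (Join-Path $Work 'package.cab') -F:package.xml $Work | Out-Null

    [xml]$Pkg = Get-Content -LiteralPath (Join-Path $Work 'package.xml')
    $Raw = $Pkg.OfflineSyncPackage.CreationDate        # e.g. "2010-08-09T22:13:59Z"
    if (-not $Raw) { throw 'CreationDate attribute not found in package.xml' }

    # Parse as an offset so the trailing "Z" is honoured and the value stays in UTC.
    $Created = [DateTimeOffset]::Parse($Raw).UtcDateTime
    $Age     = [DateTime]::UtcNow - $Created

    '{0}  catalog created {1:u} UTC, {2:N0} days ago' -f $CabPath, $Created, $Age.TotalDays
    if ($Age.TotalDays -gt $MaxAgeDays) {
        Write-Warning ("Catalog is older than $MaxAgeDays days; download a fresh " +
                       'wsusscn2.cab before trusting a missing-update report based on it.')
    }
}
finally {
    Remove-Item -LiteralPath $Work -Recurse -Force
}
```

The same date appears as "Catalog synchronization date" in the MBSA report, so the script output can be compared against the report to confirm the scan really used the expected offline catalog.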
