Solved: risks in installing microsoft baseline security analyser on live server

Posted on 2016-09-26 | Last Modified: 2016-09-26 | 95 Views
We are trying to produce a report on the patch status of all servers in our domain, but due to firewall settings the MBSA remote scans are not completing in full, namely the security update status section of the report. The admins would prefer not to amend firewall rules to suit, so they suggested installing the software locally and running the scans that way. As I am not a Windows server admin, can you foresee any issues in doing so? I don't believe it requires a reboot, based on a test installation on a Windows laptop, but I wondered if you can think of anything else to worry about in such an installation on a live server; the last thing we want to do is cause any performance problems or downtime on critical live servers. It seems quite a safe install to a novice, but maybe you can enlighten me on the risks of installing such software on a live system.
Question by: pma111

3 Comments

Assisted Solution by: Dr. Klahn (LVL 27, earned 125 total points). ID: 41815762
IMO, it is considerably safer to amend firewall rules than to go out and install new software on every server, especially when it is software that gets close to the operating system.

Second, point out to the objecting administrators that every single server will have its own copy of MBSA which must be individually monitored, maintained and serviced by somebody.  Figure four hours for the initial install plus another hour a week, fifty-six hours per server per year.  At internal recharge of $150/hour, that's $8400 of time per server per year.  Who will be putting the money in their budget for that?

(Cut the above to 15 minutes per week and it is still 14 hours per server per year, $2100 that has to come from somewhere.)

Accepted Solution by: McKnife (LVL 54, earned 250 total points). ID: 41815805
No, MBSA does not "get close to the operating system", no worries. It does not install drivers or anything with virtual drivers. Nevertheless, it should be no problem to add a firewall rule to all servers that just allows all inbound traffic from the IP you are scanning from for a few minutes and later on, delete it again.
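One way to put the temporary-rule approach above into practice, as an added example that is not from any of the posters in this thread: instead of allowing all inbound traffic from the scanner, the rules are scoped to the single scanning host and to the RPC, NetBIOS and SMB ports MBSA needs (TCP 135, 139, 445; UDP 137, 138), are stamped with a creation time so a forgotten rule is easy to spot, and are removed once the scan completes. It assumes Windows Server 2012 or later (the NetSecurity PowerShell module), an elevated session, and uses a constructed placeholder address for the scanning host.

```powershell
# Added example (not from the original thread). Temporary, narrowly scoped
# inbound allowance for one MBSA scanning host, removed after the scan.
# Assumes Windows Server 2012+ (NetSecurity module); run in an elevated session.

function Enable-TempMbsaScanAccess {
    param(
        [Parameter(Mandatory)][string]$ScannerIp,       # the host running MBSA
        [string]$RulePrefix = 'MBSA-Temp-Scan',
        [string]$FirewallProfile = 'Domain'             # assumes a domain-joined server
    )
    $stamp = "Temporary MBSA scan access, created $(Get-Date -Format 'u')"

    # TCP 135 (RPC endpoint mapper) and 139/445 (SMB) carry the remote registry,
    # WMI and file checks MBSA performs; nothing else is opened, and only to $ScannerIp.
    New-NetFirewallRule -DisplayName "$RulePrefix-TCP" -Description $stamp `
        -Direction Inbound -Action Allow -Profile $FirewallProfile `
        -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $ScannerIp | Out-Null

    # UDP 137/138 (NetBIOS name and datagram services)
    New-NetFirewallRule -DisplayName "$RulePrefix-UDP" -Description $stamp `
        -Direction Inbound -Action Allow -Profile $FirewallProfile `
        -Protocol UDP -LocalPort 137,138 -RemoteAddress $ScannerIp | Out-Null
}

function Disable-TempMbsaScanAccess {
    param([string]$RulePrefix = 'MBSA-Temp-Scan')
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Get-LeftoverMbsaScanRules {
    # Audit helper: any rule still present after the scan window was forgotten.
    param([string]$RulePrefix = 'MBSA-Temp-Scan')
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile, Description
}

# Usage on one server (10.0.0.25 is a constructed placeholder for the scanning host):
Enable-TempMbsaScanAccess -ScannerIp '10.0.0.25'
#   ... run the MBSA scan from 10.0.0.25 against this server ...
Disable-TempMbsaScanAccess
Get-LeftoverMbsaScanRules   # should return nothing once the rules are gone
```

To apply this across the domain, wrap the enable and disable calls in `Invoke-Command -ComputerName` against the server list so the rules exist only during the scan window. Because the rules are keyed to the scanner's address, the only exposure added is to that one host, so the scanning workstation itself should be patched and locked down before it is trusted to reach every server's RPC and SMB ports.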

Assisted Solution by: btan (LVL 63, earned 125 total points). ID: 41815846
MBSA requires the remote computer scans to be performed by using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. Best practice recommends that these ports be blocked by default.

So you need to identify the missing patches locally and download the patches to test on a similar build in a staging environment prior to the actual downtime called for the production server update rollout. You need to ensure snapshots are taken and ready for rollback in case there are complications during or after the patch.

You should do a Microsoft Windows Update (WU) offline scan (using "Wsusscn2.cab").

How do I check to see if I have the current wsusscn2.cab file for offline use in a secure environment?

Because clients can be scanned using an online source (Microsoft Update or an assigned Update Services server) in addition to the offline catalog (wsusscn2.cab), the report can include a specific heading called "Catalog synchronization date". If the offline catalog was used, the time that catalog was generated is displayed in the report and can be used to determine if the latest catalog was used. To check the version of the offline catalog, follow these procedures:

Step 1: If you do not have the file, download it from  http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.

Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab using any program able to view an archive file type of *.cab.

Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.

Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2010-08-09T22:13:59Z" (for example). Use the value you find to determine when the file was generated by Microsoft.
https://technet.microsoft.com/en-us/security/cc184922

For offline patching after scan, you can consider http://download.wsusoffline.net. In short, using "WSUS Offline Update", you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection.
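The four TechNet steps above can be done without a GUI archive viewer. As an added example (not btan's code and not Microsoft's), the script below extracts package.xml with the built-in expand.exe, reads CreationDate from the OfflineSyncPackage root element, and flags a catalog older than a chosen threshold so it can be compared with the "Catalog synchronization date" heading in the MBSA report. It also verifies the cab's Authenticode signature first, which the TechNet steps do not mention but which matters when the file has been carried into a secure environment by hand. The default path is the modern-Windows equivalent of the Documents and Settings cache path quoted above, and the 45-day staleness threshold is an assumption.

```powershell
# Added example, not part of the original thread: report which offline catalog
# version a wsusscn2.cab file carries before trusting an MBSA offline report.
# Assumes any supported Windows (expand.exe ships with the OS); the cache path and
# the staleness threshold are assumptions and can be overridden.
function Get-WsusscnCatalogInfo {
    param(
        [string]$CabPath = (Join-Path $env:LOCALAPPDATA 'Microsoft\MBSA\Cache\wsusscn2.cab'),
        [int]$MaxAgeDays = 45   # assumed threshold: roughly one monthly patch cycle plus slack
    )
    if (-not (Test-Path -Path $CabPath)) { throw "Catalog not found: $CabPath" }

    # Not in the TechNet steps, but worth doing: the catalog is Authenticode-signed by
    # Microsoft, so refuse to report on a file whose signature does not validate.
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed ($($sig.Status)) for $CabPath"
    }

    $work = Join-Path $env:TEMP ('wsusscn2-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # Steps 2 and 3: pull package.cab out of the outer archive, then package.xml out of it
        & expand.exe $CabPath '-F:package.cab' $work | Out-Null
        & expand.exe (Join-Path $work 'package.cab') '-F:package.xml' $work | Out-Null

        # Step 4: CreationDate is an attribute on the OfflineSyncPackage root element
        [xml]$pkg = Get-Content -Path (Join-Path $work 'package.xml')
        $root = $pkg.DocumentElement
        if ($root.LocalName -ne 'OfflineSyncPackage') {
            throw "Unexpected root element '$($root.LocalName)' in package.xml"
        }
        # Value looks like "2010-08-09T22:13:59Z"; parse as an offset so the Z is honoured
        $created = [datetimeoffset]::Parse($root.GetAttribute('CreationDate'))
        $age     = [datetimeoffset]::UtcNow - $created

        [pscustomobject]@{
            CabPath      = $CabPath
            Signer       = $sig.SignerCertificate.Subject
            CreationDate = $created.UtcDateTime
            AgeDays      = [math]::Round($age.TotalDays, 1)
            Stale        = ($age.TotalDays -gt $MaxAgeDays)
        }
    }
    finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage: run on the host that holds the catalog, then compare CreationDate with the
# "Catalog synchronization date" shown in the MBSA report.
Get-WsusscnCatalogInfo | Format-List
```

A Stale result means the report's "missing updates" list is only as current as that catalog date; everything Microsoft released after it will be silently absent, so the catalog should be refreshed from the fwlink above before the scan is trusted.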