Risks in installing Microsoft Baseline Security Analyzer on a live server

We are trying to produce a report on the patch status of all servers in our domain, but due to firewall settings the MBSA remote scans are not completing in full, namely the security update status section of the report. The admins would prefer not to amend firewall rules to suit, so they suggested installing the software locally and running the scans that way. As I am not a Windows server admin, can you foresee any issues in doing so? I don't believe it requires a reboot, based on a test installation on a Windows laptop, but I wondered if you can think of anything else to worry about in such an installation on a live server. The last thing we want to do is cause any performance problems or downtime on critical live servers. It seems quite a safe install to a novice, but maybe you can enlighten me on the risks of installing such software on a live system.
pma111 asked:

Dr. Klahn (Principal Software Engineer) commented:
IMO, it is considerably safer to amend firewall rules than to go out and install new software on every server, especially when it is software that gets close to the operating system.

Second, point out to the objecting administrators that every single server will have its own copy of MBSA which must be individually monitored, maintained and serviced by somebody. Figure four hours for the initial install plus another hour a week, fifty-six hours per server per year. At an internal recharge of $150/hour, that's $8400 of time per server per year. Who will be putting the money in their budget for that?

(Cut the above to 15 minutes per week and it is still 14 hours per server per year, $2100 that has to come from somewhere.)
0
McKnife commented:
No, MBSA does not "get close to the operating system", no worries. It does not install drivers or anything with virtual drivers. Nevertheless, it should be no problem to add a firewall rule to all servers that just allows all inbound traffic from the IP you are scanning from for a few minutes and later on, delete it again.
1
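One way to do what McKnife describes, as an added example that is not part of any comment in this thread: a short-lived inbound rule on each server, scoped to the scanner's address and to the MBSA ports that btan lists further down (TCP 135/139/445, UDP 137/138) rather than to all inbound traffic, removed again when the scan window ends. It assumes Windows Server 2012 or later (the NetSecurity module), PowerShell remoting to the servers, and placeholder server names and a placeholder scanner address.

```powershell
# Added example, not from the thread. Opens MBSA's remote-scan ports to one
# scanner address for a limited window, then removes the rules again.
# Assumptions: NetSecurity module (Server 2012+), PowerShell remoting enabled,
# placeholder server names and a placeholder scanner IP.
param(
    [string[]]$Servers   = @('SRV01', 'SRV02'),   # placeholder names
    [string]  $ScannerIp = '10.0.0.5',            # placeholder MBSA host
    [int]     $Minutes   = 30                     # how long the rules may live
)

$ruleName = 'MBSA remote scan (temporary)'

$open = {
    param($name, $scanner)
    # Ports MBSA needs to connect and authenticate to a remote computer,
    # restricted to the scanner's address instead of "any inbound".
    New-NetFirewallRule -DisplayName "$name TCP" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $scanner | Out-Null
    New-NetFirewallRule -DisplayName "$name UDP" -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort 137,138 -RemoteAddress $scanner | Out-Null
}

$close = {
    param($name)
    Get-NetFirewallRule -DisplayName "$name*" | Remove-NetFirewallRule
}

Invoke-Command -ComputerName $Servers -ScriptBlock $open -ArgumentList $ruleName, $ScannerIp
try {
    Write-Host "Rules open on $($Servers.Count) servers; run the MBSA scan now."
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Runs when the wait ends, including when the script is stopped with Ctrl+C,
    # so the rules do not outlive the scan window.
    Invoke-Command -ComputerName $Servers -ScriptBlock $close -ArgumentList $ruleName

    # Re-query each server; empty output confirms the rules are gone.
    Invoke-Command -ComputerName $Servers -ScriptBlock {
        param($name)
        Get-NetFirewallRule -DisplayName "$name*" -ErrorAction SilentlyContinue
    } -ArgumentList $ruleName | Select-Object PSComputerName, DisplayName
}
```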

btan (Exec Consultant) commented:
MBSA requires remote computer scans to be performed using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. Best practice recommends that these ports be disallowed by default.

So you need to identify the missing patches locally and download them to test on a similar build in a staging environment prior to the actual downtime called for the production server update rollout. You need to ensure snapshots are taken and ready for rollback in case there are complications during or after the patch.

You should do a Microsoft Windows Update (WU) offline scan (using "Wsusscn2.cab").

How do I check to see if I have the current wsusscn2.cab file for offline use in a secure environment?

Because clients can be scanned using an online source (Microsoft Update or an assigned Update Services server) in addition to the offline catalog (wsusscn2.cab), the report can include a specific heading called "Catalog synchronization date". If the offline catalog was used, the time that catalog was generated is displayed in the report and can be used to determine if the latest catalog was used. To check the version of the offline catalog, follow these procedures:

Step 1: If you do not have the file, download it from http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.

Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab using any program able to view an archive file type of *.cab.

Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.

Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2010-08-09T22:13:59Z" (for example). Use the value you find to determine when the file was generated by Microsoft.
https://technet.microsoft.com/en-us/security/cc184922

For offline patching after the scan, you can consider http://download.wsusoffline.net. In short, using "WSUS Offline Update", you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection.
0
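The four-step catalog check above, carried out in PowerShell as an added example that is not part of btan's answer or of the TechNet text he quotes: it extracts package.xml from wsusscn2.cab with the built-in expand.exe, reads the CreationDate from the OfflineSyncPackage root element, and flags a catalog older than a chosen threshold. It also verifies the cab's Authenticode signature before trusting its contents. It assumes a current Windows where $env:LOCALAPPDATA\Microsoft\MBSA\Cache corresponds to the "Local Settings\Application Data" path in the answer, that CreationDate is an attribute of the root element, and a 45-day staleness threshold picked for the example.

```powershell
# Added example, not from the thread. Reads the CreationDate of an offline
# wsusscn2.cab catalog and reports whether it is stale.
# Assumptions: expand.exe is available (built into Windows), the MBSA cache
# lives under $env:LOCALAPPDATA, CreationDate is an attribute of the
# OfflineSyncPackage root element, and 45 days is the chosen "stale" threshold.
function Get-WsusscnCatalogDate {
    param(
        [string]$CabPath = (Join-Path $env:LOCALAPPDATA 'Microsoft\MBSA\Cache\wsusscn2.cab'),
        [int]$MaxAgeDays = 45
    )
    if (-not (Test-Path -LiteralPath $CabPath)) {
        throw "Catalog not found: $CabPath"
    }

    # The catalog is signed by Microsoft; do not read anything out of an
    # unsigned or tampered copy.
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed on ${CabPath}: $($sig.Status)"
    }

    # Steps 2-4 of the procedure: wsusscn2.cab -> package.cab -> package.xml
    $work = Join-Path $env:TEMP ('wsusscn2_' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        & expand.exe $CabPath -F:package.cab $work | Out-Null
        & expand.exe (Join-Path $work 'package.cab') -F:package.xml $work | Out-Null

        [xml]$pkg = Get-Content -LiteralPath (Join-Path $work 'package.xml')
        $created = $pkg.DocumentElement.GetAttribute('CreationDate')   # e.g. 2010-08-09T22:13:59Z
        if (-not $created) { throw 'OfflineSyncPackage element has no CreationDate attribute' }

        $createdUtc = ([datetimeoffset]$created).UtcDateTime
        $ageDays    = [int]((Get-Date).ToUniversalTime() - $createdUtc).TotalDays

        [pscustomobject]@{
            Catalog      = $CabPath
            CreationDate = $createdUtc.ToString('u')
            AgeDays      = $ageDays
            Stale        = ($ageDays -gt $MaxAgeDays)
            Signer       = $sig.SignerCertificate.Subject
        }
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-WsusscnCatalogDate | Format-List
```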