Solved

risks in installing microsoft baseline security analyser on live server

Posted on 2016-09-26
Last Modified: 2016-09-26
We are trying to do a report on the patch status of all servers in our domain, but due to firewall settings the MBSA remote scans are not completing in full, namely the security update status section of the report. The admins would prefer not to amend firewall rules to suit, so suggested installing the software locally and running the scans that way. As I am not a Windows server admin, can you foresee any issues in doing so? I don't believe it requires a reboot, based on a test installation on a Windows laptop, but I wondered if you can think of anything else to worry about in such an installation on a live server. The last thing we want to do is cause any performance issues or downtime on critical live servers. It seems quite a safe install to a novice, but maybe you can enlighten me on the risks of installing such software on a live system.
Question by:pma111
3 Comments
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 125 total points
ID: 41815762
IMO, it is considerably safer to amend firewall rules than to go out and install new software on every server, especially when it is software that gets close to the operating system.

Second, point out to the objecting administrators that every single server will have its own copy of MBSA which must be individually monitored, maintained and serviced by somebody.  Figure four hours for the initial install plus another hour a week, fifty-six hours per server per year.  At internal recharge of $150/hour, that's $8400 of time per server per year.  Who will be putting the money in their budget for that?

(Cut the above to 15 minutes per week and it is still 14 hours per server per year, $2100 that has to come from somewhere.)
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 41815805
No, MBSA does not "get close to the operating system", no worries. It does not install drivers or anything with virtual drivers. Nevertheless, it should be no problem to add a firewall rule to all servers that just allows all inbound traffic from the ip you are scanning from for a few minutes and later on, delete it again.
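The short-lived, source-scoped allow rule McKnife describes, as an added example that is not part of either answer. It narrows the rule to the MBSA ports btan lists further down (TCP 135/139/445, UDP 137/138) rather than all inbound traffic, and assumes Windows Server 2012 or later for the NetSecurity cmdlets (on Server 2008 the same rules are created with `netsh advfirewall firewall add rule`); the scanner address is a parameter you supply.

```powershell
# Added example, not from the original thread. Run elevated on each server to be scanned.
# Assumes Server 2012+ (New-/Remove-NetFirewallRule). $ScannerIp is the MBSA console's address.
param(
    [Parameter(Mandatory)][string]$ScannerIp,
    [int]$TtlMinutes = 30        # how long the scan window stays open
)

$group = 'MBSA temporary scan access'   # one tag so every rule can be removed together

# Ports MBSA needs on the scanned host (TCP 135, 139, 445; UDP 137, 138).
$rules = @(
    @{ Name = 'MBSA scan TCP'; Protocol = 'TCP'; Ports = '135','139','445' },
    @{ Name = 'MBSA scan UDP'; Protocol = 'UDP'; Ports = '137','138' }
)

try {
    foreach ($r in $rules) {
        # Inbound allow, but only from the scanner's address, not from anywhere.
        New-NetFirewallRule -DisplayName $r.Name -Group $group `
            -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Ports `
            -RemoteAddress $ScannerIp | Out-Null
    }
    Write-Host "MBSA ports open for $ScannerIp for $TtlMinutes minutes; run the scan now."
    Start-Sleep -Seconds ($TtlMinutes * 60)
}
finally {
    # Runs after the timer or on Ctrl+C, so the window is always closed again.
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Write-Host 'Temporary MBSA rules removed.'
}
```

Afterwards, `Get-NetFirewallRule -Group 'MBSA temporary scan access'` should return nothing; if it does, the cleanup did not run and the rules must be removed by hand.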
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41815846
MBSA requires remote computer scans to be performed using TCP ports 135, 139, and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445, and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. Best practice recommends that these ports be blocked by default.

So you need to identify the missing patches locally and download them to test on a similar build in a staging environment prior to the actual downtime called for the production server update rollout. You need to ensure snapshots are taken and ready for rollback in case there are complications during or after the patch.

You should do a Microsoft Windows Update (WU) offline scan (using "Wsusscn2.cab").
How do I check to see if I have the current wsusscn2.cab file for offline use in a secure environment?


Because clients can be scanned using an online source (Microsoft Update or an assigned Update Services server) in addition to the offline catalog (wsusscn2.cab), the report can include a specific heading called "Catalog synchronization date". If the offline catalog was used, the time that catalog was generated is displayed in the report and can be used to determine if the latest catalog was used. To check the version of the offline catalog, follow these procedures:

Step 1: If you do not have the file, download it from http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.

Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\Cache\wsusscn2.cab using any program able to view an archive file type of *.cab.

Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.

Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2010-08-09T22:13:59Z" (for example). Use the value you find to determine when the file was generated by Microsoft.
https://technet.microsoft.com/en-us/security/cc184922

For offline patching after scan, you can consider http://download.wsusoffline.net. In short, using "WSUS Offline Update", you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection.
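Steps 2 to 4 of the catalog check above, scripted, as an added example that is not part of btan's answer or the TechNet article. It assumes expand.exe (shipped with Windows), a downloaded wsusscn2.cab at the path given (the modern MBSA cache location, adjustable), and a constructed staleness threshold of 30 days.

```powershell
# Added example, not from the original thread. Extracts package.xml from wsusscn2.cab
# and reports how old the offline catalog is. Assumes expand.exe is on the PATH.
param(
    [string]$CabPath = "$env:LOCALAPPDATA\Microsoft\MBSA\Cache\wsusscn2.cab",
    [int]$MaxAgeDays = 30      # constructed threshold; align with your patch policy
)

if (-not (Test-Path $CabPath)) { throw "Offline catalog not found: $CabPath" }

# Scratch folder for the two nested extractions; removed again in finally.
$work = Join-Path $env:TEMP ('wsusscn2_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    # Steps 2 and 3: wsusscn2.cab contains package.cab, which contains package.xml.
    & expand.exe $CabPath -F:package.cab $work | Out-Null
    & expand.exe (Join-Path $work 'package.cab') -F:package.xml $work | Out-Null

    # Step 4: read CreationDate from the OfflineSyncPackage root element,
    # e.g. "2010-08-09T22:13:59Z" (UTC, hence AdjustToUniversal).
    [xml]$pkg = Get-Content (Join-Path $work 'package.xml')
    $created = [datetime]::Parse(
        $pkg.OfflineSyncPackage.CreationDate,
        [cultureinfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AdjustToUniversal)
    $ageDays = ((Get-Date).ToUniversalTime() - $created).TotalDays

    # Compare against the threshold so a scan is never run against a stale catalog unnoticed.
    [pscustomobject]@{
        CatalogPath    = $CabPath
        CatalogCreated = $created
        AgeDays        = [math]::Round($ageDays, 1)
        Stale          = ($ageDays -gt $MaxAgeDays)
    }
}
finally {
    Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

If Stale is True, re-download the catalog before scanning; otherwise the report's "Catalog synchronization date" will simply reflect the old file.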
