Wednesday, July 30, 2008

Scanning with MBSAcli

This is just a quick post mostly as a reminder to me of what commandline options to run when I want to use MBSAcli to target a server to scan for patches.

MBSA is a free program provided by Microsoft that allows admins to scan systems to check things like patch levels, admin accounts, shares, etc. It's a useful tool that has a nice GUI, but I find that each time I use the GUI it attempts to connect to the Internet to download updates. As I don't want that, I just run it from the command line and select just the options I need. I view the file that it spits out in MBSA, as it allows for easier access to the right web pages with details of the vulnerability.

Tools

  • MBSA

Steps

1. I download the latest cab file with details of all the patches into c:\mbsa\

http://go.microsoft.com/fwlink/?LinkId=76054

2. After installing MBSA (if not already installed) I navigate to C:\Program Files\Microsoft Baseline Security Analyzer 2

3. I run the following command to scan a server called webserver

mbsacli.exe /target webserver /nd /n password+iis+os+sql /catalog c:\mbsa\wsusscn2.cab /rd c:\mbsa

The switches I have chosen are:

/target webserver - This is the server I am scanning
/nd - This is telling MBSA not to download updates
/n password+iis+os+sql - This is telling MBSA which scans NOT to perform. I just want to know about updates.
/catalog c:\mbsa\wsusscn2.cab - This is the update cab I downloaded.
/rd c:\mbsa - This is the directory for my report.

For more details on these and other available options use mbsacli /?


4. After it finishes I go to the report it created in c:\mbsa and double click it to open it in MBSA. From there I can view details of missing patches.

That's it. Following that I figure out if the server needs the patch due to the role it has; for example, if it's just a file server it probably doesn't need Outlook Express patches.
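The same scan run over several servers, as an added PowerShell example (not part of the original post). It uses only the switches shown above; the second server name and the 35-day catalog age limit are assumptions. Because /nd stops MBSA from downloading anything, the script checks that the offline catalog is validly signed and not stale before trusting its results.

```powershell
# Added example: batch version of the scan above. Paths are the ones used in the post.
$MbsaCli    = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$Catalog    = 'c:\mbsa\wsusscn2.cab'
$ReportDir  = 'c:\mbsa'
$Servers    = @('webserver', 'fileserver')   # 'fileserver' is a hypothetical host name
$MaxAgeDays = 35                             # assumption: catalog is refreshed about monthly

foreach ($path in $MbsaCli, $Catalog) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing: $path" }
}

# With /nd nothing is fetched at scan time, so the cab is the only source of
# patch data. Refuse a catalog whose Authenticode signature is not valid.
$sig = Get-AuthenticodeSignature -FilePath $Catalog
if ($sig.Status -ne 'Valid') {
    throw "Catalog signature status is '$($sig.Status)'; download it again."
}
Write-Host "Catalog signed by: $($sig.SignerCertificate.Subject)"

# A stale catalog silently hides patches released after it was built.
# LastWriteTime is used as an approximation of the download date.
$age = (Get-Date) - (Get-Item -LiteralPath $Catalog).LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    Write-Warning ("Catalog is {0:N0} days old; newer patches will not be reported." -f $age.TotalDays)
}

$started = Get-Date
foreach ($server in $Servers) {
    Write-Host "Scanning $server ..."
    & $MbsaCli /target $server /nd /n password+iis+os+sql /catalog $Catalog /rd $ReportDir
    # The exit code is recorded as-is; its meaning is not interpreted here.
    Write-Host "mbsacli exit code for ${server}: $LASTEXITCODE"
}

# Reports written during this run, ready to open in the MBSA GUI.
Get-ChildItem -LiteralPath $ReportDir |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $started } |
    Select-Object Name, LastWriteTime
```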


Links
http://technet.microsoft.com/en-us/security/cc184922.aspx
