You’d think that after installing big service packs and numerous Windows updates you’re finally done – it ain’t so. Microsoft releases additional patches called hotfixes that have to be installed individually. These hotfixes address one particular problem at a time and are usually published shortly after the problem was discovered, giving the end user a quick way to fix the bug or correct the vulnerability.
In order to stay current you’ll have to subscribe to Microsoft’s Security Bulletin – http://www.microsoft.com/technet/security/bulletin/notify.asp – or the CERT Advisory Mailing List – http://www.cert.org/contact_cert/certmaillist.html. You will receive regular e-mail notifications about vulnerabilities and fixes you might need to apply to your system.
The problem with hotfixes is that you have to keep up with the countless hotfixes released for Windows, figure out which ones apply to your system, install the correct ones, and keep track of them in case you need to reinstall. One way of doing that is by going to Microsoft’s download site – http://www.microsoft.com/downloads/ – selecting your operating system, searching for the keyword “Hotfix”, and finally reading through the dozens of hits trying to decide which ones apply to you. That’s no fun. Thankfully there are now several tools available that, used in combination, make hotfix tracking and installation much easier. We’ll explain those tools in detail in a moment. After reading the next section you’ll understand why they are needed.
Microsoft Baseline Security Analyzer
Microsoft now offers the Microsoft Baseline Security Analyzer (MBSA), a new security tool that combines the capabilities of the now defunct Microsoft Personal Security Advisor (MPSA) website and the HFNetChk tool. MBSA allows you to check your Windows NT4, 2000, or XP installation for a number of security issues, namely Windows vulnerabilities, weak passwords, IIS vulnerabilities, SQL vulnerabilities, and missing hotfixes.
MBSA offers several advantages over MPSA and HFNetChk. You can now scan both workstation and server versions of Windows. It offers a user-friendly graphical interface that closely resembles the Windows XP Update UI. Most important for network admins, you can scan a whole range of machines all at once by specifying a domain or a range of IP addresses.
To find out what security holes or missing hotfixes your system has, go to http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp and read about MBSA and how it works. Even more detailed info can be found in this white paper about MBSA – http://www.microsoft.com/technet/security/tools/Tools/MBSAWP.asp. Click the link to download and install MBSA. The graphical UI of the MBSA is user-friendly and self-explanatory.
“Scan a computer” allows you to scan one computer at a time. This can be the machine you installed MBSA on, or another machine that you have admin privileges for.
“Scan more than one computer” allows you to scan multiple computers at the same time. You can either scan machines in a domain that you specify, or a certain range of IP addresses. Again, you need admin privileges on any machine you wish to scan.
“View existing reports” allows you to view reports of previous scans, which are automatically stored. You can sort the list of saved reports, as well as the contents of each report, by different criteria.
The main screen also contains links to a program help document as well as related Microsoft web sites for quick reference.
After completing the scan, you’ll get a security report consisting of three columns. The left column shows the score of each test, indicating how well or badly the PC fared in each test. The second column contains the name of each test. The third and most important column contains the results of each test, a link to an explanation of each test, a link to detailed results, and a link to information on how to correct the issue.
Since everything is very well documented and explained, it would be redundant to repeat the explanations here. It is recommended that you take the time to read the details and explanations to help you understand the issues and learn a little bit more about each topic. It’s worth it.
However, one of the issues addressed in the security test deserves a little bit more attention. Depending on the general state of the PC, it is possible that the MBSA requires you to install a good number of hotfixes. The good news is that this security test is a very easy and efficient way of finding out which fixes you need. But almost every hotfix requires a reboot immediately after installation. If it takes 1 minute to install the hotfix and 3 minutes to reboot, it would take at least 40 minutes and 10 reboots to install a list of 10 hotfixes for example. The reason you normally have to reboot is that multiple hotfixes could modify the same system file. If you have multiple modifications to the same file there can be confusion as to which version to install. But as mentioned above, there are a few nifty tools that Microsoft offers to make this process a lot quicker, safer, and a lot less painful. Let’s take a closer look.
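The version conflict described above can be made concrete with a small model. This is an added example, not part of the original article and not Microsoft code: the hotfix names, file names and version numbers are constructed, and the rule that the last hotfix installed decides which copy of a shared file stays in place is a simplifying assumption.

```python
"""Simplified model: several hotfixes installed back to back, no reboot between."""


def parse_version(text):
    """'5.0.2195.4900' -> (5, 0, 2195, 4900), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed sample data, listed in installation order.
HOTFIXES = [
    ("EXAMPLE-HOTFIX-1", {"example_net.dll": "5.0.2195.5100",
                          "example_ui.dll": "5.0.2195.4800"}),
    ("EXAMPLE-HOTFIX-2", {"example_net.dll": "5.0.2195.4900"}),
    ("EXAMPLE-HOTFIX-3", {"example_ui.dll": "5.0.2195.5300",
                          "example_core.dll": "5.0.2195.4700"}),
]


def queued_versions(hotfixes):
    """Assumption: with no reboot in between, the last hotfix to touch a file wins."""
    queued = {}
    for name, files in hotfixes:
        for path, version in files.items():
            queued[path] = (parse_version(version), name)
    return queued


def newest_versions(hotfixes):
    """The highest version of each file shipped by any hotfix in the batch."""
    newest = {}
    for name, files in hotfixes:
        for path, version in files.items():
            candidate = (parse_version(version), name)
            if path not in newest or candidate[0] > newest[path][0]:
                newest[path] = candidate
    return newest


def stale_files(hotfixes):
    """Files where the copy left in place is older than the newest one shipped."""
    queued, newest = queued_versions(hotfixes), newest_versions(hotfixes)
    return {path: {"in_place": queued[path], "newest": newest[path]}
            for path in queued if queued[path][0] < newest[path][0]}


if __name__ == "__main__":
    for path, info in sorted(stale_files(HOTFIXES).items()):
        print(path, "left at", info["in_place"], "but newest is", info["newest"])
```

In this constructed batch only example_net.dll ends up stale; installing EXAMPLE-HOTFIX-2 before EXAMPLE-HOTFIX-1 removes the conflict, which shows that the outcome depends on installation order.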