This is just a quick post, mostly as a reminder to myself of which command-line options to use when I want to run MBSAcli against a server to scan for missing patches.
MBSA is a free program from Microsoft that lets admins scan systems to check things like patch levels, admin accounts, shares etc. It is a useful tool with a nice GUI, but I find that each time I use the GUI it attempts to connect to the Internet to download updates. As I don't want that, I run it from the command line and select only the options I need. I then open the report file it produces in the MBSA GUI, as that gives easy access to the right web pages with details of each vulnerability.
Tools
- MBSA
Steps
1. I download the latest cab file, which contains details of all the patches, into c:\mbsa\
http://go.microsoft.com/fwlink/?LinkId=76054
2. After installing MBSA (if not already installed) I navigate to C:\Program Files\Microsoft Baseline Security Analyzer 2
3. I run the following command to scan a server called webserver
mbsacli.exe /target webserver /nd /n password+iis+os+sql /catalog c:\mbsa\wsusscn2.cab /rd c:\mbsa
The switches I have chosen are:
/target webserver - This is the server I am scanning.
/nd - This tells MBSA not to download updates.
/n password+iis+os+sql - This tells MBSA which scans NOT to perform; I only want to know about updates.
/catalog c:\mbsa\wsusscn2.cab - This is the update cab I downloaded.
/rd c:\mbsa - This is the directory for my report.
For more details on these and other available options use mbsacli /?
4. After it finishes I go to the report it created in c:\mbsa and double-click it to open it in MBSA. From there I can view details of missing patches.
That's it. After that I work out whether the server actually needs each patch given its role; for example, if it's just a file server it probably doesn't need Outlook Express patches.
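As an added example (not part of the original post, and not Microsoft's code), the following PowerShell script wraps steps 1 to 4 above so the same offline scan can be run against several servers in one go and the missing updates pulled out of the reports without opening each one in the GUI. It uses only the mbsacli switches shown above. The target list is a constructed sample, and the report parsing assumes the .mbsa report is XML in which each update appears as an UpdateData element with IsInstalled, Severity and ID attributes and a Title child; that schema is an assumption of this example, not something stated on the page.

```powershell
# Added example: batch the post's mbsacli scan over several servers and summarise the reports.
# Assumptions not taken from the post: the $Servers list is constructed sample data, and the
# .mbsa report layout (UpdateData elements with IsInstalled/Severity/ID attributes and a
# Title child) is assumed for the parsing step.

$MbsaDir    = 'C:\Program Files\Microsoft Baseline Security Analyzer 2'
$WorkDir    = 'C:\mbsa'
$Catalog    = Join-Path $WorkDir 'wsusscn2.cab'
$CatalogUrl = 'http://go.microsoft.com/fwlink/?LinkId=76054'
$Servers    = @('webserver', 'fileserver01')   # constructed sample target list

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: fetch the offline catalogue once. With /catalog and /nd the scans
# themselves never need to reach the Internet.
if (-not (Test-Path $Catalog)) {
    Invoke-WebRequest -Uri $CatalogUrl -OutFile $Catalog
}

$mbsacli = Join-Path $MbsaDir 'mbsacli.exe'
$results = @()

foreach ($server in $Servers) {
    # Step 3: exactly the switches from the post. /n skips the password, IIS, OS and
    # SQL checks so only the update check runs; /rd puts the report in $WorkDir.
    $cliArgs = @('/target', $server,
                 '/nd',
                 '/n', 'password+iis+os+sql',
                 '/catalog', $Catalog,
                 '/rd', $WorkDir)

    $scanStart = Get-Date
    & $mbsacli @cliArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "mbsacli returned exit code $LASTEXITCODE for $server"
        continue
    }

    # Step 4: pick up the report written by this scan (newest .mbsa file since $scanStart).
    $report = Get-ChildItem -Path $WorkDir -Filter '*.mbsa' |
              Where-Object { $_.LastWriteTime -ge $scanStart } |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if (-not $report) {
        Write-Warning "No report found for $server in $WorkDir"
        continue
    }

    # Assumed report schema: one UpdateData element per update, IsInstalled="false" when missing.
    [xml]$xml = Get-Content -Path $report.FullName -Raw
    foreach ($u in $xml.SelectNodes('//UpdateData[@IsInstalled="false"]')) {
        $results += [pscustomobject]@{
            Server   = $server
            UpdateID = $u.ID
            Severity = $u.Severity
            Title    = $u.Title
            Report   = $report.Name
        }
    }
}

# One table across all servers; feed it into the role-based triage described in the post.
$results | Sort-Object Server, Severity | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a machine where MBSA 2 is installed and the account has admin rights on the targets. The `$scanStart` timestamp is how the script ties a report back to the server it belongs to, which avoids depending on MBSA's report-file naming; if a scan fails, the warning and non-zero exit code are surfaced rather than silently skipped, so a server missing from the final table is always explained.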
Links
http://technet.microsoft.com/en-us/security/cc184922.aspx