Automate MBSA
Simple scripts scan your computers when they restart and post the results on a Web page
February 21, 2005
Let's say that you're a systems administrator for a company and that you wish to assess and collect a wide variety of security data about systems on your network. You'd like to scan your systems every time they're restarted and then make the results available on a Web site where you and your teammates can review them (and then remediate the vulnerabilities). You can use Microsoft Baseline Security Analyzer 1.2.1 together with MBSA sample scripts from Microsoft to create an automated networkwide scanning program. I don't recommend relying on MBSA exclusively for your network security—it's not robust enough for this responsibility. But as you'll see, it can perform some surprising tricks and gives you data to work with when securing your network. If you need some more basic information about MBSA before you tackle this project, see the Web-exclusive sidebar "MBSA Introduction" (http://www.windowsitpro.com, InstantDoc ID 45266).
We can break down our project into the following tasks:
Download MBSA and install it on each target computer manually or by using an automated method such as a software installation Group Policy Object (GPO). Download the MBSA sample scripts.
Write a startup script that runs the MBSA command-line utility (mbsacli.exe) every time the computer is restarted and saves the scan results to a network share.
Run a daily scheduled task that uses an MBSA sample script to process the data on the network share into HTML reports viewable on a Web server.
Every network is different, and you'll want to tweak this example to best fit your environment. For example, these steps assume that users aren't local administrators and therefore can't run the scripts under their user permissions. As a result, most of the MBSA installation and scanning occurs via Active Directory (AD) GPOs running with elevated privileges.
Downloading MBSA and the Sample Scripts
To create the scanning program, you need to have the latest version of MBSA and the MBSA sample scripts. Download the latest version of MBSA at http://www.microsoft.com/mbsa. On this Web site, you'll also find a number of technical whitepapers, FAQs, and other documentation about this tool. After you download and install the file, browse to C:program filesmicrosoft baseline security analyzer to review the default location for all the MBSA files. Here's where you'll find both MBSA.exe and mbsacli.exe.
The first time you run MBSA, it downloads security update information from Microsoft in a signed file named mssecure_1033.cab. (The number 1033 represents the English version of the file. The number will be different for the French, German, and Japanese versions.) As with previous versions of MBSA, you can specify whether to download this file directly from Microsoft or point MBSA to a Software Update Services (SUS) server to generate its reports of missing security updates based on the updates that you've approved for installation.
Microsoft provides a package of downloadable MBSA scripts and documentation that automates the scanning of your network and demonstrates how to aggregate the results into an easy-to-review format. Download the package at http://www.microsoft.com/technet/security/tools/mbsascript.mspx and extract the files to a folder on your computer. The package contains two JavaScript scripts, a Word document describing how to use the scripts, and XML files to format the script output.
Remote vs. Local Scanning
MBSA can be run locally on each target computer or remotely from a central scanning computer. Remote scans are easier to set up because they don't require you to touch every computer to install MBSA, and they're easy to run. To configure a remote scan, you run the MBSA GUI or Mbsacli and specify the targets by name, IP address, or in a list. As easy as this approach might be, it has drawbacks. First, not all MBSA vulnerability checks are performed when scanning remotely (e.g., MBSA checks Windows Firewall settings only when run locally). Second, a network scan takes up more network bandwidth than a local scan. Last, a local scan can more easily be tied to an event such as a system restart or user logon. For these reasons, our example demonstrates how to use MBSA to locally scan each computer when it restarts, then copies the results to a central server for processing and reporting.
To run the scans locally, you'll need to install MBSA on every target computer. Because Microsoft supplies the file as a Windows Installer (.msi) file, it's easiest to deploy the application using a software installation GPO. The benefits of using a GPO to assign the application to your target computers are that your users don't need permissions to install the software and you know it will be installed at the next computer restart.
Scanning the System After Every Restart
After you've installed MBSA on each target computer, you need to create a startup script that launches Mbsacli every time the computer is restarted. Listing 1 shows runmbsa.bat, a three-line sample script. The first line starts Mbsacli. We want to include all the MBSA checks, so we'll configure our automated scanner with the MBSA mode parameters, rather than the HFNetChk mode parameters. For more information about Mbsacli's MBSA and HFNetChk modes, see the Web-exclusive sidebar "Two Mbsacli Modes," InstantDoc ID 45267.
On Runmbsa's first line, the -c parameter together with the environment variable %computername% instructs Mbsacli to scan the local computer. The /o parameter defines the filename format of the saved scan. By default, MBSA saves the XML files in the format Domain-Computer(scantime), expressed as %D%-%C%(%T%), but I wanted the filename format to include only the domain and computer names. To write the scan results as Domain-Computer.xml, you specify the output XML file as %D%-%C%. In Windows shell scripting, the percent sign (%) denotes a variable, so to pass %D% and %C% to MBSA, we must enclose each of these expressions in a set of percent signs.
The optional last instruction on Runmbsa's first line redirects the status output of the MBSA scanner to a text file. Usually this output simply contains a success message, but if the scan fails, it might include helpful troubleshooting information. This output shows only the MBSA run status and doesn't contain actual scan-result data.
Runmbsa's second line copies the scan results from the target computer to a network share on the computer that will process and host the results. The Copy command's /y parameter overwrites the target without prompting so that the script can run unattended.
The last line deletes the local results so that the next time the scan runs, the result file will again be named Domain-Computer.xml. If you run the command
mbsacli.exe /o %%D%%-%%C%%
repeatedly on a computer, you'll notice that MBSA creates multiple XML files named Domain-Computer, Domain-Computer (1), Domain-Computer (2), and so on, instead of overwriting the XML file each time, as you might expect. But I don't want to clutter up my systems with multiple XML result files; I want to see just the latest results for each system. So we delete the local copy to ensure that every time the scan runs, the XML file is named Domain-Computer.xml. When we copy the file to the share, it overwrites any previous results on the share.
Now that we've created the MBSA scanning shell script, we need to create a mechanism to run the script every time the computer is restarted. We can create a new GPO that runs this shell script as a computer startup script and link it to the domain, organizational unit (OU), or site AD object that contains the computers to scan. After you've added the GPO and Group Policy has been updated on a target computer, restart the computer and Runmbsa will run. Even locally, scanning a computer might take a few minutes, and if you log on to the target computer and launch Task Manager, you should see an MBSA process and a CMD process running under the SYSTEM account. When the scan has been completed, we can see that it has copied the results to the network share.
Viewing MBSA Results
You can view scans located in the default %userprofile%securityscans folder by using the MBSA GUI or by using Mbsacli with the /l display parameters. The /l parameter lists the names of all previous scans. For example, the command
mbsacli /l
generates a list of scans such as the one in Figure 1. Notice that this list shows 10 results—five computers each scanned twice. It's especially true with remote scanning that if you run scans regularly, you'll quickly accumulate so many results that they'll be difficult to use. The /ls parameter lists the names from the latest scan, and /lr displays an overview report of a single scan. To see the detailed results of a particular scan, run Mbsacli with the /ld parameter and the name of the scan, as follows:
mbsacli /ld "security - XPPRO (11-21-2004 1-25 PM)"
The output of these display parameters is displayed on the screen, or you can redirect it to a file. We could view the combined results of all the system scans that the Runmbsa script performs by copying the collected XML files to an MBSA-installed computer's %userprofile%/securityscans folder and then running Mbsacli with any of the display parameters (/l, /ls, /lr, /ld). However, our end goal is to display a summary of many scan results as a Web page by using Microsoft's MBSA scripts. Let's see how to accomplish this.
Aggregating Results
In the MBSA scripts package, Microsoft includes a sample script that aggregates the results of many previous scans and displays them in an easy-to-view matrix. If you find this type of report useful, you'll ultimately want to customize the Microsoft scripts to meet the needs of your business or match your environment. However, the sample scripts provide useful features even straight out of the box.
The JavaScript rollup.js script lets you specify Microsoft security bulletins, then crunches through MBSA XML scan result files and outputs a new XML file that summarizes all computers' compliance with the specified bulletins and checks. For example, if you run the command
cscript.exe //nologo rollup.js /b MS04-030 MS04-029 MS04-028 MS04-024 MS04-023 MS04-022 > MultiPatchRollupDemo.xml
the script creates a new XML file that you can open in Microsoft Internet Explorer (IE) or link to as a Web page.
The Cscript scripting engine compiles and runs the Rollup script and outputs the results to the XML file. Cscript's //nologo parameter is necessary to prevent Cscript's logo from corrupting the XML file with the Cscript banner.
In addition to checking for bulletin compliance, you can see how well your systems are faring in the vulnerability checks that MBSA performs. Table 1 shows the number and description of a few of these checks. For example, running the script
cscript.exe //nologo rollup.js -c 104 > password.xml
tells you which computers have passed MBSA's Local Account Password Test (check 104) and which have failed it. Web Table 1 (http://www.windowsitpro.com, InstantDoc ID 45265) shows the complete list of checks.
As an example of how you might want to customize the sample scripts, MBSA's Services test (check 123) looks for unnecessary installed services, including WWW and Telnet. The MBSA security scan results contain the names of the services, but the Rollup script doesn't show you those names—it merely reports which computers pass a test. You could customize Rollup to list the actual services running on the target computers and output this data as a new XML file.
Final Steps
Copy the Rollup script to the network share on which you're collecting the MBSA scan results. Copy the MBSA sample scripts XML stylesheet named rollup.xslt to the Web server that you want to host the scan reports (e.g., C:inetpubwww). We need to update the Rollup script to point to the location of the XML data files, because by default the script looks in %userprofile%securityscans. Open the Rollup script file in Notepad and go to the following line (line 38):
var g_SecurityScans = "%userprofile%\securityscans"
and change it to
var g_SecurityScans = "c:\mbsadata"
or to whatever folder Runmbsa is copying your scan data to.
Next, configure a scheduled task that executes the shell script shown in Listing 2 to run daily on the central server. Check.bat runs the Rollup script to gather the results of Runmbsa's password checks and the status of six Microsoft security bulletins and outputs the new summary XML data files password.xml and bulletin.xml to the Web folder. Last, you can create a Web page that links to Password and Bulletin (or simply open them individually in your Web browser), and you'll see a summary rollup of the results, similar to those displayed in Figure 2. Using the Runmbsa and Check scripts, you'll be able to keep tabs on system configuration and missing patches on a regular and recurring basis.
MBSA provides a useful interface for scanning for basic system vulnerabilities and missing security updates. I've showed you how to configure it to scan all local computers in a domain whenever they're restarted and post up-to-date summary results as Web pages on a server. Although you'll no doubt want to customize this example to show data useful to your environment, you've now seen how easy it is to harness MBSA across your network. I don't recommend MBSA as your only security scanner or patch management tool, because it's not exceptionally robust in its vulnerability scanning and it doesn't distribute and install security updates. However, it's free—and its XML data output and sample scripts together with a bit of work on your part can make this tool a nice addition to your network security arsenal.
Project Snapshot: How to |
---|
PROBLEM: Scan all company computers on startup for missing patches and other vulnerabilities, aggregate results, and post them on a Web page.WHAT YOU NEED: MBSA and MBSA sample scriptsDIFFICULTY: 3.5 out of 5PROJECT STEPS: |
About the Author
You May Also Like