
70-299 MCSE Guide to Implementing and Administering Security in a Windows Server 2003 Network


Chapter 6 Solutions
Review Questions
1. Which tool can you use on a command-line to identify which patches are installed properly on a computer? Answer: a.
2. If you receive an error 201 when running HfNetChk, where do you find out what the problem is? Answer: c.
3. Which of the following does MBSA examine? (Choose all that apply.) Answer: a, b, c.
4. On which types of operating systems can MBSA be used? (Choose all that apply.) Answer: a, c, d.
5. Which of the following applications can MBSA examine for security vulnerabilities? (Choose all that apply.) Answer: a, c.
6. Which type of scans can be performed using MBSA? (Choose all that apply.) Answer: c, d.
7. True or False. Qfecheck.exe will warn you about any updates that you should have installed but do not currently have installed? Answer: b.
8. Which of the following does Qfecheck.exe use to enumerate patches? Answer: c.
9. Which of the following programs is specifically designed for large enterprise networks? Answer: a.
10. Which of the following operating systems can use the Automatic Updates feature? (Choose all that apply.) Answer: c, d.
11. Which of the following should be included in a critical patching process? (Choose all that apply.) Answer: a, c.
12. Which of the following is the correct web address for the CERT Coordination Center web site? Answer: d.
13. Which of the following should be included as essential maintenance tasks for patch management? (Choose all that apply.) Answer: b, d.
14. Which of the following can be used to control the Windows Updates settings of a computer? (Choose all that apply.) Answer: a, b.
15. Which of the following might affect enforcement of settings for Windows Update on a computer? Answer: b, d.


16. Which of the following security related settings can be scanned by MBSA? (Choose all that apply.) Answer: a, b, d.
17. Which of the following are valid scan options for MBSA? (Choose all that apply.) Answer: a, b, d.
18. Which of the following are true statements regarding an MBSA-style command line scan performed with the MBSA tool? (Choose all that apply.) Answer: b, d.
19. Which of the following is the correct command for an HFNetChk-style MBSA scan? Answer: d.
20. Which of the following is the correct command to run the Qfecheck.exe program with verbose output? Answer: a.
21. If the user of a computer in a domain sets his computer to not accept automatic updates, but an administrator creates and applies a group policy to set all computers in the domain to accept automatic updates, which of the following will happen? (Choose all that apply.) Answer: b, c.
22. In which container within Computer Configuration/Administrative Templates are the Windows Update settings? Answer: a.
23. Which is the correct Microsoft web address to find information regarding Systems Management Server? Answer: b.
24. Which of the following applications will MBSA scan for security vulnerabilities? (Choose all that apply.) Answer: a, c, d.
25. Which of the following types of computer operating systems can MBSA scan? Answer: a, c.

Activities
Activity 6-1
The purpose of the activity is to have the students troubleshoot the MBSA tool and resolve the issue so that the scan performs properly. In this exercise they will be troubleshooting a standalone machine.

Activity 6-2
The purpose of the activity is to have the students learn to troubleshoot an MBSA command-line scan to resolve several errors.

Activity 6-3
The purpose of the activity is to have the students troubleshoot an HfNetChk command-line scan to resolve errors.

Activity 6-4
The purpose of the activity is to have the students first access the Web page on Microsoft's site to download and install the Qfecheck.exe tool. They will then run the tool to determine which security updates are properly installed on their computers.


Activity 6-5
The purpose of the activity is to have the students access Microsoft's Web site for SMS, locate the Security Patch Management demo, and view the presentation.

Activity 6-6
The purpose of the activity is to have the students learn how to configure their computers to automatically download and install the latest updates from the Microsoft Web site.

Activity 6-7
The purpose of the activity is to have the students create a group policy that configures the settings for Automatic Updates. They will then apply the group policy to all computers in their domain.

Case Projects
Case Project 6-1
When it comes to managing your infrastructure, chances are good that you have many different types of clients in your network and that they are at many different levels with regard to the service packs and hotfixes applied to them. You could go around to each client and examine it individually to determine which service packs and hotfixes are installed on it, but that would definitely be doing it the hard way. Instead, you could use the automated processes and products provided by Microsoft, such as the Microsoft Baseline Security Analyzer (MBSA) and Qfecheck.exe, to ease the complexity of checking the security status of all of the clients in your network.

MBSA reports current status for recommended security updates. The MBSA tool can be run through the graphical user interface (GUI) or from a command line.

In addition to Mbsacli.exe and Hfnetchk.exe, Microsoft has released a command-line tool named Qfecheck.exe that has the ability to track and verify installed Windows 2000 and Windows XP hotfixes. It enumerates all of the installed patches by their associated Microsoft Knowledge Base article. Qfecheck.exe checks which hotfixes are installed by reading the information that is stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key. This tool does not tell you if any updates that you might need are missing; it simply tells you if the ones that you have installed are installed properly.

Case Project 6-2


You can perform two types of scans using the MBSA command-line interface: MBSA-style scans and HFNetChk-style scans. The MBSA-style scans store the results in XML files that can be viewed using the MBSA interface. The Microsoft Network Security Hotfix Checker (Hfnetchk.exe) style scans display the scan results as text in the command-line window. The MBSA command-line parameters cannot be used with the /hf switch. Each style of scan has its own syntax for including or excluding options during the scan. Chapter 3 listed the commands that are available with the MBSA-style commands. The HfNetChk-style commands are listed in Table 6-2.

Table 6-2 HFNetChk Command-Line Parameters

Switch                                  Description
-h hostname                             Scans the named NetBIOS computer. To scan multiple hosts, separate the host names with a comma.
-fh filename                            Scans the NetBIOS named computers specified in the named text file
-i xxx.xxx.xxx.xxx                      Scans the named IP address. To scan multiple IP addresses, separate addresses with a comma.
-fip filename                           Scans the IP addresses that you specified in the named text file
-r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx    Scans a specified range of IP addresses
-d domainname                           Scans a specified domain
-n                                      Scans all the computers on the local network
-sus SUS filename or server             Specifies a text file or a URL from which to obtain the SUS file
-b                                      Scans a computer for updates that are marked as baseline critical by the MSRC
-fq filename                            Specifies the file that contains the Qnumbers to suppress on output
-s , -s2                                Suppresses note messages and/or warnings
-nosum                                  Will not test file checksums on security updates
-sum                                    Forces a checksum scan when you scan a non-English language computer
-z                                      Specifies to not perform registry checks
-history 1,2,3                          Displays those updates that have and/or have not been explicitly installed
-v                                      Displays the reason why a test did not work in wrap mode
-o tab, wrap,                           Specifies the output format that you want
-f filename
-t                                      Displays the number of threads used to run the scan
-u username/-p password                 Specifies the user/password name when scanning local or remote computer(s). Must be used together.
-x                                      Specifies the XML data source containing the update information
-t                                      Displays the number of threads that are used to run the scan
-ver                                    Checks if you are running the latest version of HFNetChk
-trace                                  Creates a debug log

Case Project 6-3


Microsoft has released a command-line tool named Qfecheck.exe that has the ability to track and verify installed Windows 2000 and Windows XP hotfixes. It enumerates all of the installed patches by their associated Microsoft Knowledge Base article. Qfecheck.exe checks which hotfixes are installed by reading the information that is stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key. It checks for:

1. Files that have been hotfixed, but have an outdated binary file
2. The version number recorded in the registry, which it compares against the current version of the installed file
3. Hotfix files that are listed as current, but are not recorded as valid by the installed catalogs

This tool does not tell you if any updates that you might need are missing; it simply tells you if the ones that you have installed are installed properly. After you have downloaded and installed the tool, you can run it from the command line.

Case Project 6-4


You can start the troubleshooting process by carefully checking the settings of the computer on the Automatic Updates tab of System Properties, and then checking the settings for any group policies applied to the container(s) in which the computer resides. Table 6-3 lists some of the common issues and solutions for SUS and the Automatic Updates client.

Table 6-3 SUS and Automatic Updates Client Issues

Issue: New updates do not appear on the Approve updates page after server synchronization.
Solution: No new updates are available or the memory caches are not loading new updates. To reload, in the navigation bar, click Monitor server, Refresh.

Issue: The SUS Administration Web site is not functioning correctly.
Solution: Restart the synchronization service by clicking Start, Run, services.msc. In the results pane, right-click Windows Update Synchronization Service, Restart.

Issue: The SUS Administration Web site is not available or Automatic Updates clients cannot connect to the SUS server.
Solution: Restart Internet Information Services (IIS) by clicking Start, Run, services.msc. In the results pane, right-click World Wide Web Publishing Service, Restart.

Issue: Security enhancements in Windows Server 2003 may result in problems accessing the SUS site after you install SUS 1.0 SP1.
Solution: Ensure that http://SUSServer_computername is added to the local intranet site list. This is only necessary if the computer from which you are administering the SUS server is running Windows Server 2003.

Issue: You cannot determine if the Automatic Updates service is running.
Solution: Under Manage my computer, expand Services and Applications, and then click Services. Verify that Automatic Updates appears on the list of services, double-click the Automatic Updates entry, and check the Service Status.

Issue: The Automatic Updates client is not getting updates from the SUS server.
Solution: On the Windows client computer, ensure that the following values exist:

  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer=http://<SUSServer>
    WUStatusServer=http://<YourServer>
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer=dword:00000001

Update.log will have a series of log entries, for example:

  2003-11-28 18:28:31 Success IUENGINE Querying software update catalog from http://intranetSUS/autoupdate/getmanifest.asp

If entries such as this do not exist, the Automatic Updates service on that client computer has not yet attempted to query the server for updates. The client waits approximately 24 hours between attempts to query the server for updates.
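The checks from the last row of Table 6-3, written out as an added Python example (not from the textbook or from any Microsoft tool): it takes a snapshot of the three policy values plus the lines of Update.log and reports what is missing, mismatched or stale. The function name, the dict input format and the first sample log line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Registry values Table 6-3 lists (WindowsUpdate key and its AU subkey).
REQUIRED = ("WUServer", "WUStatusServer", "UseWUServer")
POLL_INTERVAL = timedelta(hours=24)  # "approximately 24 hours" per the table

# Shape of the Update.log entry quoted in the table.
QUERY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+IUENGINE\s+"
    r"Querying software update catalog from (http://[^/\s]+)")

def diagnose(policy, log_lines, now):
    """Return findings for one client; an empty list means nothing to fix."""
    # policy: dict snapshot of the registry values (hypothetical input format).
    findings = [f"missing registry value {n}" for n in REQUIRED if n not in policy]
    if "UseWUServer" in policy and policy["UseWUServer"] != 1:
        findings.append("UseWUServer is not dword:00000001")
    queries = []
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            queries.append((when, m.group(2), m.group(3)))
    if not queries:
        findings.append("no catalog query in log: client has not contacted the server yet")
        return findings
    when, status, server = max(queries)  # most recent attempt
    wanted = policy.get("WUServer", "").rstrip("/")
    if wanted and server.lower() != wanted.lower():
        findings.append(f"last query went to {server}, policy names {wanted}")
    if status != "Success":
        findings.append(f"last query at {when} ended with status {status}")
    if now - when > POLL_INTERVAL:
        findings.append(f"last query at {when} is older than 24 hours: retry overdue")
    return findings

# Constructed sample data; the second log line is the one quoted in the table.
SAMPLE_POLICY = {"WUServer": "http://intranetSUS",
                 "WUStatusServer": "http://intranetSUS", "UseWUServer": 1}
SAMPLE_LOG = [
    "2003-11-27 18:20:02 Success IUENGINE Querying software update catalog "
    "from http://intranetSUS/autoupdate/getmanifest.asp",
    "2003-11-28 18:28:31 Success IUENGINE Querying software update catalog "
    "from http://intranetSUS/autoupdate/getmanifest.asp",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, SAMPLE_LOG, datetime(2003, 11, 29, 9, 0)) or "ok")
```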

Case Project 6-5


If the failed update has been installed in a SUS environment, then you should first cancel the approval of the update on the SUS server in order to prevent further installations, which would only compound your problems. After you have stopped the problem from multiplying, you can turn your attention to the damage caused and look for a solution to the problem.

For the computers that already have the update, you have only two options:

- You can remove the update using the Add or Remove Programs utility (if it is available).
- You can use the System Restore utility to revert the system to the time before the update was installed.

In some cases, however, the update cannot be uninstalled.

When time permits and you want to address the issue even further, you can examine the log files of the communication between the clients and the SUS server to attempt to determine why the update failed. The log file on a Windows XP client is located at c:\windows\windowsupdate.log. You can examine the communication between the SUS server and the client to determine whether the connection may have failed during the installation. You can then use the Microsoft Knowledge Base to find more information that you can use to troubleshoot the issue.

Appendix B of the SUS Deployment guide contains a list of Software Update Services Event Log Messages. It is a complete list of event log messages that could be reported on your server running SUS. All of these events are logged on the server to the system log.
