Chapter 6 Solutions
Review Questions
1. Which tool can you use on a command-line to identify which patches are installed properly on a computer? Answer: a.
2. If you receive an error 201 when running HfNetChk, where do you find out what the problem is? Answer: c.
3. Which of the following does MBSA examine? (Choose all that apply.) Answer: a, b, c.
4. On which types of operating systems can MBSA be used? (Choose all that apply.) Answer: a, c, d.
5. Which of the following applications can MBSA examine for security vulnerabilities? (Choose all that apply.) Answer: a, c.
6. Which type of scans can be performed using MBSA? (Choose all that apply.) Answer: c, d.
7. True or False. Qfecheck.exe will warn you about any updates that you should have installed but do not currently have installed? Answer: b.
8. Which of the following does Qfecheck.exe use to enumerate patches? Answer: c.
9. Which of the following programs is specifically designed for large enterprise networks? Answer: a.
10. Which of the following operating systems can use the Automatic Updates feature? (Choose all that apply.) Answer: c, d.
11. Which of the following should be included in a critical patching process? (Choose all that apply.) Answer: a, c.
12. Which of the following is the correct web address for the CERT Coordination Center web site? Answer: d.
13. Which of the following should be included as essential maintenance tasks for patch management? (Choose all that apply.) Answer: b, d.
14. Which of the following can be used to control the Windows Updates settings of a computer? (Choose all that apply.) Answer: a, b.
15. Which of the following might affect enforcement of settings for Windows Update on a computer? Answer: b, d.
70-299 MCSE Guide to Implementing and Administering Security in a Windows Server 2003 Network
16. Which of the following security related settings can be scanned by MBSA? (Choose all that apply.) Answer: a, b, d.
17. Which of the following are valid scan options for MBSA? (Choose all that apply.) Answer: a, b, d.
18. Which of the following are true statements regarding an MBSA-style command line scan performed with the MBSA tool? (Choose all that apply.) Answer: b, d.
19. Which of the following is the correct command for an HFNetChk-style MBSA scan? Answer: d.
20. Which of the following is the correct command to run the Qfecheck.exe program with verbose output? Answer: a.
21. If the user of a computer in a domain sets his computer to not accept automatic updates, but an administrator creates and applies a group policy to set all computers in the domain to accept automatic updates, which of the following will happen? (Choose all that apply.) Answer: b, c.
22. In which container within Computer Configuration/Administrative Templates are the Windows Update settings? Answer: a.
23. Which is the correct Microsoft web address to find information regarding Systems Management Server? Answer: b.
24. Which of the following applications will MBSA scan for security vulnerabilities? (Choose all that apply.) Answer: a, c, d.
25. Which of the following types of computer operating systems can MBSA scan? Answer: a, c.
Activities
Activity 6-1
The purpose of the activity is to have the students troubleshoot the MBSA tool and resolve the issue so that the scan performs properly. In this exercise they will be troubleshooting a standalone machine.
Activity 6-2
The purpose of the activity is to have the students learn to troubleshoot an MBSA command-line scan to resolve several errors.
Activity 6-3
The purpose of the activity is to have the students troubleshoot an HfNetChk command-line scan to resolve errors.
Activity 6-4
The purpose of the activity is to have the students first access the Web page on Microsoft's site to download and install the Qfecheck.exe tool. They will then run the tool to determine which security updates are properly installed on their computers.
Activity 6-5
The purpose of the activity is to have the students access Microsoft's Web site for SMS, locate the Security Patch Management demo, and view the presentation.
Activity 6-6
The purpose of the activity is to have the students learn how to configure their computers to automatically download and install the latest updates from the Microsoft Web site.
Activity 6-7
The purpose of the activity is to have the students create a group policy that configures the settings for Automatic Updates. They will then apply the group policy to all computers in their domain.
Case Projects
Case Project 6-1
When it comes to managing your infrastructure, chances are good that you have many different types of clients in your network and that they are at many different levels with regard to the service packs and hotfixes applied to them. You could go around to each client and examine it individually to determine which service packs and hotfixes are installed on it, but that would definitely be doing it the hard way. Instead, you could use the automated processes and products provided by Microsoft, such as the Microsoft Baseline Security Analyzer (MBSA) and Qfecheck.exe, to ease the complexity of checking the security status of all of the clients in your network. MBSA reports current status for recommended security updates. The MBSA tool can be run through the graphical user interface (GUI) or it can be run from a command line. In addition to Mbsacli.exe and Hfnetchk.exe, Microsoft has released a command-line tool named Qfecheck.exe that has the ability to track and verify installed Windows 2000 and Windows XP hotfixes. It enumerates all of the installed patches by their associated Microsoft Knowledge Base article. Qfecheck.exe checks which hotfixes are installed by reading the information that is stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key. This tool does not tell you if any updates that you might need are missing; it simply tells you if the ones that you have installed are installed properly.
-b: Scans a computer for updates that are marked as baseline critical by the MSRC
-fq filename: Specifies the file that contains the Qnumbers to suppress on output
-s , -s2: Suppresses note messages and/or warnings
-nosum: Will not test file checksums on security updates
-sum: Forces a checksum scan when you scan a non-English language computer
-z: Specifies to not perform registry checks
-history 1,2,3: Displays those updates that have and/or have not been explicitly installed
-v: Displays the reason why a test did not work in wrap mode
-o tab, wrap,: Specifies the output format that you want
-f filename
-t: Displays the number of threads used to run the scan
-u username/-p password: Specifies the user/password name when scanning local or remote computer(s). Must be used together.
-x: Specifies the XML data source containing the update information
-t: Displays the number of threads that are used to run the scan
-ver: Checks if you are running the latest version of HFNetChk
-trace: Creates a debug log
after you install SUS 1.0 SP1.
You cannot determine if the Automatic Updates service is running.
The Automatic Updates client is not getting updates from the SUS server.
you are administering the SUS server is running Windows Server 2003.
Under Manage my computer, expand Services and Applications, and then click Services. Verify that Automatic Updates appears on the list of services, double-click the Automatic Updates entry, and check the Service Status.
On the Windows client computer, ensure that the following values exist:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer=http://<SUSServer>
WUStatusServer=http://<YourServer>
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer=dword:00000001
Update.log will have a series of log entries, for example:
2003-11-28 18:28:31 Success IUENGINE Querying software update catalog from http://intranetSUS/autoupdate/getmanifest.asp
If entries such as this do not exist, the Automatic Updates service on that client computer has not yet attempted to query the server for updates. The client waits approximately 24 hours between attempts to query the server for updates.
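The client-side checks above can be run offline against a registry export and a copy of the update log. The following is an added example, not part of the original guide: the sample export, the log line, the function names and the finding messages are constructed for illustration, and the log layout is assumed to match the entry quoted above.

```python
import re
from datetime import datetime, timedelta

WU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
QUERY = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\w+\s+IUENGINE\s+"
                   r"Querying software update catalog from (\S+)")

# Constructed sample data: a .reg export with UseWUServer left at 0, and one log entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://intranetSUS"
"WUStatusServer"="http://intranetSUS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000
'''
SAMPLE_LOG = ("2003-11-28 18:28:31 Success IUENGINE Querying software update "
              "catalog from http://intranetSUS/autoupdate/getmanifest.asp\n")

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data.strip('"')
    return keys

def audit_client(reg_text, log_text, now):
    """List findings that explain why a client is not getting updates from SUS."""
    keys, findings = parse_reg(reg_text), []
    wu, au = keys.get(WU_KEY, {}), keys.get(WU_KEY + r"\au", {})
    for name in ("WUServer", "WUStatusServer"):
        if not wu.get(name, "").lower().startswith("http://"):
            findings.append(f"{name} missing or not an http:// URL")
    if au.get("UseWUServer") != "dword:00000001":
        findings.append("UseWUServer is not dword:00000001")
    queries = [m for m in map(QUERY.match, log_text.splitlines()) if m]
    if not queries:
        return findings + ["no catalog query logged yet"]
    when, url = queries[-1].groups()
    server = wu.get("WUServer", "").rstrip("/")
    if server and not url.lower().startswith(server.lower() + "/"):
        findings.append(f"last query went to {url}, not {server}")
    # ~24 h is the polling interval the text gives; an older entry is only a hint.
    if now - datetime.strptime(when, "%Y-%m-%d %H:%M:%S") > timedelta(hours=24):
        findings.append("last catalog query is more than 24 hours old")
    return findings
```

An empty list from `audit_client` means the policy values are present and the most recent catalog query went to the configured server within the last day.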