Audit security hotfixes

I'm sure that most of you subscribe to the Microsoft Product Security Notification email list, so you know that hardly a week goes by without a new bulletin. During crazy weeks, you might receive notice of three or four hotfixes that you need to install. When you're responsible for tracking, evaluating, and eliminating vulnerabilities for multiple platforms and applications, staying current with all these hotfixes can be overwhelming. Collecting, deploying, and tracking the hotfixes on generic workstations and servers as well as on the Microsoft IIS and SQL Server systems throughout your enterprise is a demanding job. Microsoft's new Hfnetchk utility can help you get the job done, although it isn't the perfect solution for large networks.

New and Improved
Until recently, Qfecheck was the only Microsoft tool that could help you determine which hotfixes were installed on a system. Qfecheck is a rudimentary utility that audits hotfixes on the local system. Although you can install the utility on a network share so that users can access it, you can't redirect Qfecheck to audit a remote machine—a restriction that severely limits the tool's value in a network environment of more than a few systems. Also, Qfecheck can't determine whether an update is specific to the OS, to IIS, to Microsoft Internet Explorer (IE), or to other applications. Perhaps Qfecheck's most glaring omission is that it can't advise you whether you truly need to install a hotfix or simply implement a work-around to ensure that your systems are secure by current standards.

Microsoft has been aware of Qfecheck's shortcomings for some time. In August 2001, the company attempted to address some of these limitations through the release of Hfnetchk, a new hotfix audit and advisory tool that greatly extends your ability to manage security hotfixes. The core of Hfnetchk's improved functionality is a new XML-format security-hotfix catalog, mssecure.cab. This catalog contains a comprehensive list of every security hotfix and workaround that Microsoft has released for its most popular platforms. Each time Microsoft releases a new security hotfix, the company updates mssecure.cab. Hfnetchk 3.1 uses this catalog to track security updates for the following products:

  • Windows 2000 (including Service Pack 1—SP1—and SP2)
  • Windows NT 4.0 (including SP1 through SP6a)
  • NT Server, Enterprise Edition (NTS/E—including SP4 through SP6a)
  • SQL Server 2000 (including SP1)
  • SQL Server 7.0 (including SP1 through SP3)
  • Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0
  • IE 5.01 through IE 5.5 (including IE 5.5 SP2)
  • Microsoft Data Engine (MSDE) 1.0

The one product Hfnetchk doesn't track is Microsoft Exchange Server. Given that Exchange is deployed all over the world, I hope that the tool's developer, Microsoft Gold Certified Partner Shavlik Technologies, will include Exchange coverage in the tool's next version.

Getting Started
You can download Hfnetchk from the Microsoft Download Center (http://www.microsoft.com/downloads/release.asp?releaseid=31154). Each time you start Hfnetchk, it attempts to download the current version of the hotfix catalog file, mssecure.cab. When you're auditing one or only a few systems, the catalog download is convenient. When you permit users to audit systems independently, however, you might want to keep a local copy of the catalog file to eliminate unnecessary download activity and to speed up auditing. The instructions in this article assume that you're using a local copy of mssecure.cab.

You can manually download mssecure.cab from http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab. When you run Hfnetchk, use the -x command-line option to instruct the utility to use the local catalog copy. Microsoft releases security hotfixes nearly every week, so you'll need to download the catalog at least weekly to ensure that Hfnetchk's audit provides the most current results.

After you download the catalog file, you can use the File Signature Verification (sigverif.exe) tool to verify that the file contains a valid Microsoft signature. Open a command prompt and run sigverif.exe to open the tool's GUI. Click Advanced, then click Browse and navigate to the location in which you placed mssecure.cab. As part of the verification, sigverif.exe checks the certificate revocation list (CRL) at Microsoft to ensure that the signature is valid.

After you verify the signature, double-click the Hfnetchk download file (i.e., nsch.exe) and the catalog download file (i.e., mssecure.cab) to expand them into individual files, then place all files from both downloads into the same directory. Hfnetchk expands into three files: readme.txt; hfnetchk license.txt, which contains the license text; and hfnetchk.exe, which installs Hfnetchk. Mssecure.cab expands into one file: mssecure.xml.

Open a command prompt and change to the directory in which you stored the files. I suggest you start Hfnetchk in its default mode but use the tool's -x option to direct Hfnetchk to use the local copy of the catalog. As you get comfortable with how Hfnetchk works, you can add other options to fine-tune auditing and reporting. (Table 1 lists Hfnetchk's available command-line options.) To run Hfnetchk with default settings, type

hfnetchk -x mssecure.xml

This command produces a report similar to the one that Figure 1 shows. (I added the hotfix names and descriptions to the report file as I researched and downloaded the appropriate updates.) You can save the report to a text file so that you can refer to it later. For example, to save the report in a text file called hfxaudit.txt in the same directory as Hfnetchk, type

hfnetchk -x mssecure.xml >hfxaudit.txt

To save the same report on a network share (named Audit in this example), type

hfnetchk -x mssecure.xml >\\Audit\hfxaudit.txt
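
The steps above (a catalog no more than a week old, a signature check, expansion, an audit with -x, and a saved report) can be chained into one script. This is an added PowerShell example, not code from the original article or from Microsoft; Get-AuthenticodeSignature stands in for the sigverif.exe GUI step and expand.exe for double-clicking the cab, and the C:\Tools\Hfnetchk directory and the dated report name are assumptions.

```powershell
# Added example: audit wrapper for the procedure in this article.
# Assumes hfnetchk.exe and mssecure.cab are both in $WorkDir (hypothetical path).
param(
    [string]$WorkDir = 'C:\Tools\Hfnetchk',   # assumed directory, not from the article
    [int]$MaxCatalogAgeDays = 7                # article: refresh the catalog at least weekly
)
$ErrorActionPreference = 'Stop'

$cab = Join-Path $WorkDir 'mssecure.cab'
$exe = Join-Path $WorkDir 'hfnetchk.exe'
foreach ($f in $cab, $exe) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing required file: $f" }
}

# 1. Refuse to audit against a stale local catalog.
$age = (Get-Date) - (Get-Item -LiteralPath $cab).LastWriteTime
if ($age.TotalDays -gt $MaxCatalogAgeDays) {
    throw "mssecure.cab is $([int]$age.TotalDays) days old; download a fresh copy first."
}

# 2. Verify the cab's signature before trusting its contents.
$sig = Get-AuthenticodeSignature -FilePath $cab
if ($sig.Status -ne 'Valid') {
    throw "mssecure.cab signature status is '$($sig.Status)'; do not use this catalog."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Expand mssecure.xml from the verified cab into the working directory.
& expand.exe $cab '-F:mssecure.xml' $WorkDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

# 4. Run the audit against the local catalog (-x) and keep a dated report.
$report = Join-Path $WorkDir ('hfxaudit-{0:yyyyMMdd}.txt' -f (Get-Date))
Push-Location $WorkDir
try {
    & $exe -x mssecure.xml | Out-File -FilePath $report -Encoding ascii
} finally {
    Pop-Location
}
Write-Output "Report written to $report"
```

Checking the signer's subject as well as the status matters here: a status of Valid only means some trusted publisher signed the file, not that Microsoft did.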