You can use the -i option to tell the utility to perform the same operation on the systems with the specified TCP/IP addresses (separate multiple addresses with commas):

hfnetchk -x mssecure.xml -i 10.1.1.100,10.1.1.101,10.1.1.102,10.1.1.254

You can use the -r option, which is the preferred method to use on a DHCP-based network, to identify a range of TCP/IP addresses to scan. Simply give Hfnetchk the same address range you use in your DHCP server, and add any individual hosts outside that range with the -h option. Keep in mind that a range scan reports only on systems that are powered on and reachable when the scan runs, so compare the results against your DHCP lease list to spot machines that were missed:

hfnetchk -x mssecure.xml -r 10.1.1.100-10.1.1.102 -h 10.1.1.254

When you audit multiple systems, remember to redirect the output to a file (for example, append > audit.txt to the command) so that you have a permanent record of the audit.

The -d domain_name option instructs Hfnetchk to locate and audit every system that belongs to the specified domain. For example, suppose you have a domain called Engineering. To audit all computer domain members, type

hfnetchk -x mssecure.xml -d engineering

Hfnetchk requires NetBIOS name resolution to locate the computers that belong to the domain. The tool's documentation states that to use this method, your network must permit UDP port 137 traffic (i.e., NetBIOS Name Service—NetBIOS-NS), so you can't use this option if you disable NetBIOS-NS for security purposes.

Other Useful Options
As Table 1 shows, Hfnetchk supports many useful options. You can combine several of these options in one command. For example, suppose you're using a local copy of the catalog and you want a verbose report (-v) that lists only the necessary hotfixes (-a n). Type

hfnetchk -v -a n -x mssecure.xml

The syntax is ugly, but it works. The Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available" (http://support.microsoft.com/support/kb/articles/q303/2/15.asp) contains a fairly detailed description of Hfnetchk command-line options, and the companion Hfnetchk FAQ "Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool" (http://support.microsoft.com/support/kb/articles/q305/3/85.asp) answers many questions about how the utility operates.

Expediting Hotfix Installation
We can dream about a utility that not only identifies needed hotfixes but also downloads the missing patches—but we aren't there yet. You need to read the security bulletin for each hotfix that Hfnetchk identifies as not installed to determine whether you need the hotfix on the audited system. Even though scanning one bulletin takes only a few minutes, reading and collecting all the missing pieces for Win2K, NT 4.0, IIS 5.0, IIS 4.0, and SQL Server can take a day or more.

You can find a current list of security bulletins, by number, at the Microsoft TechNet Security Bulletin Search site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp). When you've identified and downloaded the updates you need, collect all the hotfixes for a specific product in one directory. For example, you might create a hotfix directory with three folders, one for Win2K, one for NT 4.0, and one for SQL Server 7.0. Because multiple hotfixes sometimes contain different updates of the same executable or DLL, standard practice requires a reboot after you apply each fix to ensure that the OS installs the most recent version of any common files. However, you can use Microsoft's QChain (qchain.exe) utility to safely install multiple hotfixes without rebooting after each hotfix.

QChain examines all the files that each update replaces and ensures that the OS installs the most recent version of any OS components that are common to more than one update. Run each hotfix.exe update with the hotfix.exe -z option (to disable the automatic reboot after installation) and -m option (to disable interactive feedback). If you have any updates that use the MSDAIPP installer, run these updates with the /q switch, which disables interactive feedback. (The installers use different options, which is another reason you need to determine how Microsoft packages each hotfix you want to install.) Run QChain after you install all the hotfixes (or any other updates, for that matter) but before you reboot. Then, when you restart the system, QChain ensures the OS loads only the most recent version of every updated file. You can download QChain from the Microsoft Download Center (http://www.microsoft.com/downloads/release.asp?releaseid=29821).

Running QChain interactively is practical when you need to install one or two hotfixes. If you have a big list, though, using a script to automate the process is probably faster and more convenient. Figure 4 shows a script that I used to install multiple hotfixes for Win2K and IE. Each update that hotfix.exe installed used the -z and -m options; updates that MSDAIPP installed used the /q switch. I invoked QChain with an argument that identified the text-based log file (i.e., d:\temp\qchain\hotfx.log) that permanently records the files the update replaced.
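The batch script below is an added example that ties the whole procedure together: a preliminary audit with the output redirected to a file for the record, unattended installation of updates packaged with hotfix.exe (-z -m) and with the MSDAIPP installer (/q), a QChain run before the single reboot, and the command for the final audit. It is not the article's Figure 4 and not Microsoft's code. The drive letters, folder names (one folder per installer type, because the script cannot detect the packaging for you) and log file names are assumptions; adjust them to your own layout.

```batch
@echo off
rem install-hotfixes.cmd -- illustrative script, not the article's Figure 4.
rem Assumed (hypothetical) layout, with no spaces in any path:
rem   D:\tools\hfnetchk.exe, D:\tools\mssecure.xml, D:\tools\qchain.exe
rem   D:\hotfix\win2k\hotfixexe\*.exe  updates packaged with hotfix.exe (-z -m)
rem   D:\hotfix\win2k\msdaipp\*.exe    updates packaged with the MSDAIPP installer (/q)
rem   D:\temp\qchain\                  audit output and the QChain log
rem Sort each download into the right folder after reading its bulletin; the
rem script only trusts the folder it finds the update in.
setlocal
set TOOLS=D:\tools
set HOTFIX=D:\hotfix\win2k
set LOG=D:\temp\qchain
if not exist %LOG% md %LOG%

rem Check for QChain before installing anything: the -z installs below skip the
rem per-hotfix reboot, so QChain must be available to reconcile file versions.
if not exist %TOOLS%\qchain.exe (
    echo qchain.exe not found in %TOOLS%, aborting before any update is applied.
    goto :EOF
)

rem 1. Preliminary audit. Redirect (not pipe) the output so a record stays on disk.
%TOOLS%\hfnetchk.exe -v -a n -x %TOOLS%\mssecure.xml > %LOG%\audit-before.txt

rem 2. hotfix.exe-packaged updates: -z suppresses the reboot, -m the prompts.
for %%F in (%HOTFIX%\hotfixexe\*.exe) do call :run %%F -z -m

rem 3. MSDAIPP-packaged updates use /q instead.
for %%F in (%HOTFIX%\msdaipp\*.exe) do call :run %%F /q

rem 4. Run QChain once, before the reboot. The argument names the log file in
rem    which QChain records the files the updates replaced.
%TOOLS%\qchain.exe %LOG%\hotfix.log

echo All updates applied and QChain has run. Reboot now, then re-audit with:
echo   hfnetchk -v -a n -x mssecure.xml ^> %LOG%\audit-after.txt
endlocal
goto :EOF

:run
rem %1 is the update, %2 and %3 are its installer switches. A subroutine is used
rem so that %ERRORLEVEL% reflects the install that has just finished.
echo Installing %1 %2 %3 >> %LOG%\install.txt
%1 %2 %3
echo   exit code %ERRORLEVEL% >> %LOG%\install.txt
goto :EOF
```

Review install.txt for any non-zero exit code before rebooting, and compare audit-before.txt with audit-after.txt once the system is back up; any hotfix still reported as not installed after the reboot needs the manual verification the article describes.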

A Work in Progress
Hfnetchk is a great improvement over its predecessor, but you're still faced with a labor-intensive procedure. You must use the tool to run a preliminary audit (either interactively or from a script), download needed updates, examine each update to determine which installer it uses, write a script to install the updates on each system, use Hfnetchk to run a final audit, then verify the status of any hotfixes that Hfnetchk still reports as not installed. If you're responsible for thousands of systems, you're probably better off with more sophisticated third-party utilities such as those available from Shavlik Technologies, St. Bernard Software, or Gravity Storm Software.
