Chapter 2. Windows Host Security

Hacks 23–36

This chapter shows some ways to keep your Windows system up-to-date and secure, thereby making your network a safer place to work (and have fun). Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort.

One of the main reasons that Windows gets a bad rap is the poorly administered state in which Windows machines seem to be kept. The recent deluge of worm and virus attacks that have brought down many a network shows this to hold true. A lot of this can be traced back to the “ease” of administration that Windows seems to provide by effectively keeping the Windows administrator out of the loop about the inner workings of her environment (and wresting control from her hands).

This chapter seeks to remedy that problem to some degree by showing you ways to see exactly what your server is really doing. While this might seem like old hat to a Unix sysadmin, getting details on open ports and running services is often a new concept to the average Windows administrator.

In addition, this chapter shows how to disable some Windows “features,” such as sharing out all your files automatically and truncating log files. You’ll also learn how to enable some of the auditing and logging features of Windows, to give you early warning of possible security incidents (rather than waiting for the angry phone call from someone at the wrong end of a denial-of-service attack originating from your network).

This chapter also covers how to use and manage the Windows Encrypting File System (EFS) for encrypting files and folders, how to configure automatic updates on a network of computers, and how to check for accounts that have passwords that never expire.

Make sure your Windows servers have the latest patches installed.

Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult with Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. Nevertheless, before you even attempt to update your systems, you need to know which updates have been applied to each system; otherwise, you might waste time and effort updating systems that don’t need it.

Clearly, this problem gets more difficult as the number of systems that need to be managed increases. You can avoid much of the extra work of manually updating systems by using the HFNetChk tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft’s Baseline Security Analyzer (http://www.microsoft.com/technet/security/tools/mbsa1/default.mspx) and is available through its command-line interface, mbsacli.exe.

Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won’t actually bring the system up-to-date), it is still an invaluable timesaving tool.

HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the Registry keys modified by each update. Additional dependency information is also included.

When scanning a system, HFNetChk first scans the Registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these Registry keys are missing or do not match what is contained in the XML file, it flags the update as not having been installed. If the Registry key for an update is present and matches the information in the XML file, HFNetChk then attempts to verify whether the files specified in the update information are present on the system and whether their versions and checksums match.

If any of the checks fails, HFNetChk flags the update. All flagged updates are then displayed in a report, along with a reference to the Microsoft Knowledge Base article with more information on the specific update.
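The check order just described (Registry keys first, then file presence, version and checksum) can be modelled in a few dozen lines. The following is an added example written for this chapter; it is not code from the book, from Microsoft or from Shavlik, and it inspects no real system. MANIFEST is a constructed stand-in for the signed XML that HFNetChk downloads, and SYSTEM is a constructed snapshot of one machine; the bulletin IDs, KB numbers, file names and versions are the ones shown in the sample output below, while the Registry paths and checksums are placeholders.

```python
"""Simplified model of the HFNetChk check order: Registry keys first, then
file presence, version and checksum.

Added example, not code from the book, from Microsoft or from Shavlik.
MANIFEST stands in for the signed XML HFNetChk downloads and SYSTEM is a
constructed snapshot of one host; Registry paths and checksums are
placeholders, not real values."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '6.0.2900.2904' into (6, 0, 2900, 2904) so comparison is numeric.
    Comparing the raw strings would rank '82.0.0.0' above '106.0.0.0'."""
    return tuple(int(part) for part in text.split("."))


# Constructed manifest: per update, the Registry keys it writes and the files
# it ships with expected version and checksum (checksums are placeholders).
MANIFEST = {
    "MS06-021": {
        "kb": "916281",
        "registry": [r"HKLM\SOFTWARE\EXAMPLE\Updates\KB916281"],
        "files": {r"C:\WINDOWS\system32\browseui.dll": ("6.0.2900.2904", "sum-browseui-2904")},
    },
    "MS06-022": {
        "kb": "918439",
        "registry": [r"HKLM\SOFTWARE\EXAMPLE\Updates\KB918439"],
        "files": {r"C:\WINDOWS\system32\jgdw400.dll": ("106.0.0.0", "sum-jgdw400-106")},
    },
    "MS06-025": {
        "kb": "911280",
        "registry": [r"HKLM\SOFTWARE\EXAMPLE\Updates\KB911280"],
        "files": {r"C:\WINDOWS\system32\rasmans.dll": ("5.1.2600.2908", "sum-rasmans-2908")},
    },
}

# Constructed snapshot of the scanned host: which Registry keys exist, and
# which files are present with what version and checksum.
SYSTEM = {
    "registry": {
        r"HKLM\SOFTWARE\EXAMPLE\Updates\KB916281",  # MS06-021 key present, file stale
        r"HKLM\SOFTWARE\EXAMPLE\Updates\KB911280",  # MS06-025 key present, file current
    },
    "files": {
        r"C:\WINDOWS\system32\browseui.dll": ("6.0.2900.2861", "sum-browseui-2861"),
        r"C:\WINDOWS\system32\jgdw400.dll": ("106.0.0.0", "sum-jgdw400-106"),
        r"C:\WINDOWS\system32\rasmans.dll": ("5.1.2600.2908", "sum-rasmans-2908"),
    },
}


def check_update(update: Dict, system: Dict) -> Optional[str]:
    """Return None if the update looks installed, else the reason it was flagged."""
    # Step 1: every Registry key the update writes must exist. A missing key
    # flags the update even if the files happen to be current (see MS06-022).
    for key in update["registry"]:
        if key not in system["registry"]:
            return f"Registry key missing. [{key}]"
    # Step 2: only then compare the files the update ships.
    for path, (want_ver, want_sum) in update["files"].items():
        have = system["files"].get(path)
        if have is None:
            return f"File not found. [{path}]"
        have_ver, have_sum = have
        if parse_version(have_ver) < parse_version(want_ver):
            return f"File version is less than expected. [{path}, {have_ver} < {want_ver}]"
        if have_sum != want_sum:
            return f"File checksum does not match. [{path}]"
    return None


def scan(manifest: Dict, system: Dict) -> List[Tuple[str, str, str]]:
    """Report flagged updates as (bulletin, KB article, reason), like the -v output."""
    flagged = []
    for bulletin, update in manifest.items():
        reason = check_update(update, system)
        if reason is not None:
            flagged.append((bulletin, update["kb"], reason))
    return flagged


if __name__ == "__main__":
    for bulletin, kb, reason in scan(MANIFEST, SYSTEM):
        print(f"Patch NOT Found {bulletin}\t{kb}\n\t{reason}")
```

Run as-is, the scan flags MS06-021 (key present, browseui.dll older than expected) and MS06-022 (Registry key absent, so the current jgdw400.dll is never consulted), and passes MS06-025. The numeric version tuple matters: a plain string comparison would call 82.0.0.0 newer than 106.0.0.0 and miss the MS06-022 case shown in the verbose output below.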

To install HFNetChk on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer is the default).

To check the update status of the local system, run this command:

C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)
(C) Copyright 2002-2004 Microsoft Corporation. All rights reserved.
HFNetChk developed for Microsoft Corporation by Shavlik Technologies, LLC.
(C) Copyright 2002-2004 Shavlik Technologies, LLC. www.shavlik.com


Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages

Scanning BLACKBIRD
Attempting to get CAB from http://go.microsoft.com/fwlink/?LinkId=18922
XML successfully loaded.

Done scanning BLACKBIRD
----------------------------
BLACKBIRD (192.168.0.67)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Note            MS05-009        887472
        Patch NOT Found MS06-021        916281
        Patch NOT Found MS06-022        918439
        Patch NOT Found MS06-025        911280
        Patch NOT Found MS06-032        917953

The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.

If you want more information on why a particular check failed, you can run the command with the -v (verbose) switch. Here are the results of the previous command, this time with the verbose switch:

C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /hf -v
Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)
(C) Copyright 2002-2004 Microsoft Corporation. All rights reserved.
HFNetChk developed for Microsoft Corporation by Shavlik Technologies, LLC.
(C) Copyright 2002-2004 Shavlik Technologies, LLC. www.shavlik.com

Scanning BLACKBIRD
Attempting to get CAB from http://go.microsoft.com/fwlink/?LinkId=18922
XML successfully loaded.

Done scanning BLACKBIRD
----------------------------
BLACKBIRD (192.168.0.67)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Note            MS05-009        887472
        Please refer to 306460 for a detailed explanation.

        Patch NOT Found MS06-021        916281
        File version is less than expected.
        [C:\WINDOWS\system32\browseui.dll, 6.0.2900.2861 < 6.0.2900.2904]

        Patch NOT Found MS06-022        918439
        File version is less than expected.
        [C:\WINDOWS\system32\jgdw400.dll, 82.0.0.0 < 106.0.0.0]

        Patch NOT Found MS06-025        911280
        File version is less than expected.
        [C:\WINDOWS\system32\rasmans.dll, 5.1.2600.2180 < 5.1.2600.2908]

        Patch NOT Found MS06-032        917953
        File version is less than expected.
        [C:\WINDOWS\system32\drivers\tcpip.sys, 5.1.2600.2827 < 5.1.2600.2892]

After applying the listed updates, you should see something like this:

Scanning BLACKBIRD
.............................
Done scanning BLACKBIRD
----------------------------
PLUNDER (192.168.0.67)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Information
        All necessary hotfixes have been applied.

You need Administrator privileges to scan the local system. Likewise, to scan a remote machine, you will need Administrator privileges on that machine. There are several ways to scan remote machines. To scan a single remote system, you can specify a NetBIOS name with the -h switch or an IP address with the -i switch.

For example, to scan the machine PLUNDER from another machine, use either of these two commands:

mbsacli /hf -h PLUNDER
mbsacli /hf -i 192.168.0.65

You can also scan a handful of additional systems by listing them on the command line, with commas separating each NetBIOS name or IP address.

Note that, in addition to having Administrator privileges on the remote machine, you must also ensure that you have not disabled the default shares [Hack #32]. If the default administrative shares have been disabled, HFNetChk will not be able to check for the proper files on the remote system and, consequently, will not be able to determine whether an update was applied.

If you want to scan a large group of systems, you have several options. Using the -fh option, you can specify a file containing up to 256 NetBIOS hostnames (one on each line) to be scanned. You can do the same thing with IP addresses, using the -fip option. You can also specify ranges of IP addresses by using the -r option.

For example, you could run a command like this to scan systems with IP addresses in the range 192.168.1.23 to 192.168.1.172:

mbsacli /hf -r 192.168.1.123 - 192.168.1.172

All of these options are very flexible, and you can use them in any combination to specify which remote systems will be scanned.

In addition to specifying remote systems by NetBIOS name and IP address, you can scan systems by domain name by using the -d option, or you can scan your entire local network segment by using the -n command-line option.

When scanning systems from a personal workstation, the -u and -p options can prove useful. These allow you to specify a username and password to use when accessing the remote systems. These switches are particularly handy if you don’t normally log in using the Administrator account. (The account that is specified with the -u option will, of course, need to have Administrator privileges on the remote machines being scanned.)

Also, if you’re scanning a large number of systems, you might want to use the -t option. This allows you to specify the number of threads used by the scanner, and increasing this value generally speeds up scanning. Valid values are from 1 to 128; the default value is 64.

If you are scanning more than one machine, a huge amount of data will simply be dumped to the screen. Use the -f option to specify a file to store the results of the scan in, and view it at your leisure using a text editor.
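Once the results of a multi-host scan are in a file, the useful question is usually the inverse of what the report shows: not "what is host X missing" but "which hosts are still missing bulletin Y". The parser below is an added example, not code from the book, from Microsoft or from Shavlik. REPORT is a constructed file modelled on the output shown earlier in this hack; the host CORSAIR and its address are invented for the example, and the parser assumes the report keeps the layout shown above (a host line in parentheses under a dashed rule, one finding per line).

```python
"""Parse an HFNetChk report file (mbsacli /hf -f report.txt) into per-host
records and a per-bulletin view of which hosts still lack an update.

Added example, not code from the book, from Microsoft or from Shavlik.
REPORT is a constructed file modelled on the output shown in the hack; the
host CORSAIR and its IP address are invented."""
import re
from typing import Dict, List, Tuple

REPORT = r"""
Scanning BLACKBIRD
Done scanning BLACKBIRD
----------------------------
BLACKBIRD (192.168.0.67)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Note            MS05-009        887472
        Patch NOT Found MS06-021        916281
        Patch NOT Found MS06-032        917953
        File version is less than expected.
        [C:\WINDOWS\system32\drivers\tcpip.sys, 5.1.2600.2827 < 5.1.2600.2892]

----------------------------
PLUNDER (192.168.0.65)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Information
        All necessary hotfixes have been applied.

----------------------------
CORSAIR (192.168.0.70)
----------------------------

        * WINDOWS XP PROFESSIONAL SP2

        Warning         MS05-009        887472
        Patch NOT Found MS06-032        917953
"""

# "HOST (a.b.c.d)" line that opens each per-host block.
HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9_.-]+)\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
# One finding: status, security bulletin, Knowledge Base article number.
FINDING_RE = re.compile(
    r"^\s*(?P<status>Patch NOT Found|Patch Found|Note|Warning)\s+"
    r"(?P<bulletin>MS\d{2}-\d{3})\s+(?P<kb>\d+)\s*$"
)
CLEAN_RE = re.compile(r"^\s*All necessary hotfixes have been applied\.\s*$")

Finding = Tuple[str, str, str]  # (status, bulletin, kb)


def parse_report(text: str) -> Dict[str, Dict]:
    """Return {host: {"ip": ..., "findings": [...], "patched": bool}}."""
    hosts: Dict[str, Dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group("ip"), "findings": [], "patched": False}
            hosts[m.group("host")] = current
            continue
        if current is None:
            continue  # banner and progress lines before the first host block
        m = FINDING_RE.match(line)
        if m:
            current["findings"].append((m.group("status"), m.group("bulletin"), m.group("kb")))
        elif CLEAN_RE.match(line):
            current["patched"] = True
        # Anything else is layout or -v detail text, which this summary ignores.
    return hosts


def missing_by_bulletin(hosts: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Invert the report: for each bulletin, the sorted hosts where it is NOT found."""
    out: Dict[str, List[str]] = {}
    for host, rec in hosts.items():
        for status, bulletin, _kb in rec["findings"]:
            if status == "Patch NOT Found":
                out.setdefault(bulletin, []).append(host)
    return {b: sorted(h) for b, h in sorted(out.items())}


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for bulletin, names in missing_by_bulletin(parsed).items():
        print(f"{bulletin}: {', '.join(names)}")
    clean = [h for h, rec in parsed.items() if rec["patched"]]
    print("fully patched:", ", ".join(clean) or "none")
```

Only "Patch NOT Found" lines count as missing; "Note" and "Warning" entries are kept on the host record but stay out of the per-bulletin list, since they describe checks HFNetChk could not complete rather than updates known to be absent. When a new worm appears, running this over the saved report of a network-wide scan gives the list of hosts to patch first.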

HFNetChk is a flexible tool and can be used to check the update statuses of a large number of machines in a very short amount of time. It is especially useful when a new worm has come onto the scene and you need to know if all of your systems are up-to-date on their patches.