Windows Security Patch Status Sanity Checks
Viewing Patch History
PowerShell's "Get-Hotfix" cmdlet
Open PowerShell as a user with administrator-equivalent rights, and run:
Get-Hotfix [-computername <computername>] | sort installedon
Using Microsoft Baseline Security Analyzer to Audit Patch Status
Create a working directory (e.g., c:\temp\mbsa) and download the following items to it:
- Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/en-us/download/details.aspx?id=7558
- Security update catalog (wsusscn2.cab): http://go.microsoft.com/fwlink/?LinkId=76054
- Windows Update Redistribution Catalog (wuredist.cab): http://update.microsoft.com/redist/wuredist.cab
- Authorization catalog (muauth.cab): http://go.microsoft.com/fwlink/?LinkId=43266
The *.cab files are a point-in-time snapshot of update metadata, so they must be re-downloaded whenever you want current results (after Patch Tuesday, for example).
Install Microsoft Baseline Security Analyzer.
Running MBSA Scans
Create a file (e.g., servers.txt) listing the server names you wish to scan; all servers in the file must belong to the same domain.
CD to the MBSA installation directory (if not in %PATH%) and run the MBSA scan (one line):
mbsacli.exe /catalog C:\temp\mbsa\wsusscn2.cab /listfile C:\temp\mbsa\servers.txt /wi /nvc /nd /n Password+IIS+OS+SQL /u:DOMAIN\ADMIN.ACCOUNT /p YOURPASSWORD
You can easily scan an entire domain with one line (not recommended, especially if there are workstations):
mbsacli.exe /catalog C:\temp\mbsa\wsusscn2.cab /d DOMAINTOSCAN /wi /nvc /nd /n Password+IIS+OS+SQL /u:DOMAINTOSCAN\ADMIN.ACCOUNT /p YOURPASSWORD
N.B.: It’s a Catch-22, but a computer scan may fail if the target’s Windows Update agent is far out of date.
Also note that due to prerequisites, Windows Update reports only the immediately applicable patches. More patches may become applicable after the first round, and in some cases (Windows 2012R2 rollups), the majority of patches will be missing until the prerequisites are applied. There is no logical way around this.
Analyzing MBSA Results in Excel
MBSA results are stored in XML files with *.mbsa extensions in the %userprofile%\SecurityScans directory.
- Copy %userprofile%\SecurityScans\*.mbsa to working directory (optional).
- Collate them into one file (e.g., "type *.mbsa >>final.xml").
- Add <fullscan> to the beginning of final.xml, and add </fullscan> to the end.
- Save final.xml.
- Open Excel and import final.xml.
- Within Excel, filter where IsInstalled equals FALSE. Those rows are the updates that are applicable to the host but not installed.
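The same IsInstalled=false filter can be run directly over the *.mbsa files in PowerShell, which avoids the collate-and-wrap step and gives a per-host count of missing updates. This is an added example, not part of the original page or of MBSA; it assumes the .mbsa layout where the root SecScan element carries a Machine attribute and each update is an UpdateData element with IsInstalled, KBID and Severity attributes and a Title child (verify against one of your own scan files before relying on it).

```powershell
# Added example: summarise missing updates from MBSA result files.
# Assumed XML layout (check against a real .mbsa file):
#   <SecScan Machine="HOST" ...> ... <UpdateData KBID="..." IsInstalled="false"
#   Severity="..."><Title>...</Title></UpdateData> ...
param(
    [string]$ScanDir = "$env:USERPROFILE\SecurityScans"
)

$missing = foreach ($file in Get-ChildItem -Path $ScanDir -Filter '*.mbsa') {
    try {
        [xml]$scan = Get-Content -Path $file.FullName -Raw
    } catch {
        # A scan that failed (e.g. out-of-date Windows Update agent on the
        # target) may leave an empty or truncated file; report it, don't stop.
        Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
        continue
    }
    $machine = $scan.SecScan.Machine          # $host is reserved in PowerShell

    # Walk every UpdateData node regardless of nesting depth.
    foreach ($node in (Select-Xml -Xml $scan -XPath '//UpdateData').Node) {
        # -eq is case-insensitive, so "false" and "False" both match.
        if ($node.IsInstalled -eq 'false') {
            [pscustomobject]@{
                Machine  = $machine
                KB       = $node.KBID
                Severity = $node.Severity
                Title    = $node.SelectSingleNode('Title').InnerText
                File     = $file.Name
            }
        }
    }
}

# One row per (machine, update); worst hosts first.
$missing | Sort-Object Machine, Severity, KB |
    Format-Table Machine, KB, Severity, Title -AutoSize

# Per-host count is the quick sanity check. A host missing from this table
# is either fully patched or failed to scan; check its file's Grade/Advice
# before assuming the former.
$missing | Group-Object Machine | Select-Object Name, Count |
    Sort-Object Count -Descending

$missing | Export-Csv -Path (Join-Path $ScanDir 'missing-updates.csv') -NoTypeInformation
```

Remember that, as noted above, this only shows the updates MBSA considers immediately applicable; re-scan after installing prerequisites to see the next round.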
Side note: The MBSA Scripting Samples seem like far more trouble than they’re worth; it’s trivial to import into Excel as is. And multimbsa.exe (spawns multiple parallel scans) seems to pass all options (notably the password option) in all caps, which makes it useless for multiple domains. I gave up trying to figure it out.