Viewing MBSA Results
You can view scans located in the default %userprofile%\securityscans folder by using the MBSA GUI or by using Mbsacli with one of the /l display parameters. The /l parameter lists the names of all previous scans. For example, the command
mbsacli /l
generates a list of scans such as the one in Figure 1. Notice that this list shows 10 results—five computers each scanned twice. If you run scans regularly, and especially if you scan remote computers, you'll quickly accumulate so many results that they become difficult to work with. The /ls parameter lists the names from the latest scan, and /lr displays an overview report of a single scan. To see the detailed results of a particular scan, run Mbsacli with the /ld parameter and the name of the scan, as follows:
mbsacli /ld "security - XPPRO (11-21-2004 1-25 PM)"
The output of these display parameters is displayed on the screen, or you can redirect it to a file. We could view the combined results of all the system scans that the Runmbsa script performs by copying the collected XML files to an MBSA-installed computer's %userprofile%\securityscans folder and then running Mbsacli with any of the display parameters (/l, /ls, /lr, /ld). However, our end goal is to display a summary of many scan results as a Web page by using Microsoft's MBSA scripts. Let's see how to accomplish this.
Aggregating Results
In the MBSA scripts package, Microsoft includes a sample script that aggregates the results of many previous scans and displays them in an easy-to-view matrix. If you find this type of report useful, you'll ultimately want to customize the Microsoft scripts to meet the needs of your business or match your environment. However, the sample scripts provide useful features even straight out of the box.
The JavaScript rollup.js script lets you specify Microsoft security bulletins, then crunches through MBSA XML scan result files and outputs a new XML file that summarizes all computers' compliance with the specified bulletins and checks. For example, if you run the command
cscript.exe //nologo rollup.js /b MS04-030 MS04-029 MS04-028 MS04-024 MS04-023 MS04-022 > MultiPatchRollupDemo.xml
the script creates a new XML file that you can open in Microsoft Internet Explorer (IE) or link to as a Web page.
The Cscript scripting engine compiles and runs the Rollup script and outputs the results to the XML file. Cscript's //nologo parameter is necessary because otherwise Cscript writes its banner to the redirected output, which corrupts the XML file.
In addition to checking for bulletin compliance, you can see how well your systems are faring in the vulnerability checks that MBSA performs. Table 1 shows the number and description of a few of these checks. For example, running the script
cscript.exe //nologo rollup.js -c 104 > password.xml
tells you which computers have passed MBSA's Local Account Password Test (check 104) and which have failed it. Web Table 1 (http://www.windowsitpro.com, InstantDoc ID 45265) shows the complete list of checks.
As an example of how you might want to customize the sample scripts, MBSA's Services test (check 123) looks for unnecessary installed services, including WWW and Telnet. The MBSA security scan results contain the names of the services, but the Rollup script doesn't show you those names—it merely reports which computers pass a test. You could customize Rollup to list the actual services running on the target computers and output this data as a new XML file.
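The following Python script is an added example for this article; it is not Microsoft's rollup.js and not code from the article. It performs the same kind of aggregation the Rollup script does over a folder of scan files, covering both a list of bulletins (the /b case) and a single check ID (the -c 104 case), and it also pulls out the service names that the article notes Rollup leaves out for check 123. Everything about the XML layout it reads (the SecScan, Check, UpdateData and Service elements, their attributes, and grade 1 meaning pass) is an assumption made so the example runs offline against two constructed scans; the function names and the summary XML format it writes are likewise the example's own, not MBSA's.

```python
"""Roll up several MBSA-style XML scan results into one compliance summary.

Added example; NOT Microsoft's rollup.js. The scan layout it reads (a <SecScan>
root with <Check ID= Name= Grade=> children, <UpdateData ID="MSyy-nnn"
IsInstalled=> rows under the security-update check, and <Service Name=> rows
under the Services check) is an ASSUMED approximation of MBSA output.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import quoteattr

# Constructed sample scans standing in for the files Runmbsa copies to c:\mbsadata.
SAMPLE_SCANS = {
    "XPPRO (11-21-2004 1-25 PM).xml": """<SecScan Machine="XPPRO" Date="11-21-2004 1-25 PM">
  <Check ID="500" Name="Security Updates" Grade="2">
    <UpdateData ID="MS04-030" IsInstalled="true"/>
    <UpdateData ID="MS04-029" IsInstalled="false"/>
    <UpdateData ID="MS04-028" IsInstalled="true"/>
  </Check>
  <Check ID="104" Name="Local Account Password Test" Grade="1"/>
  <Check ID="123" Name="Services" Grade="2">
    <Service Name="Telnet"/>
    <Service Name="W3SVC"/>
  </Check>
</SecScan>""",
    "FILESRV (11-21-2004 2-10 PM).xml": """<SecScan Machine="FILESRV" Date="11-21-2004 2-10 PM">
  <Check ID="500" Name="Security Updates" Grade="1">
    <UpdateData ID="MS04-030" IsInstalled="true"/>
    <UpdateData ID="MS04-029" IsInstalled="true"/>
  </Check>
  <Check ID="104" Name="Local Account Password Test" Grade="2"/>
  <Check ID="123" Name="Services" Grade="1"/>
</SecScan>""",
}

PASS_GRADE = "1"  # assumed: in this constructed layout grade 1 means the check passed


def load_scans(folder):
    """Read every *.xml in the folder Runmbsa writes to (the g_SecurityScans equivalent)."""
    return {p.name: p.read_text() for p in Path(folder).glob("*.xml")}


def parse_scan(xml_text):
    """Return (machine, checks): check ID -> name, pass flag, bulletin status, service names."""
    root = ET.fromstring(xml_text)
    checks = {}
    for check in root.findall("Check"):
        checks[check.get("ID")] = {
            "name": check.get("Name", ""),
            "passed": check.get("Grade") == PASS_GRADE,
            "bulletins": {u.get("ID"): u.get("IsInstalled") == "true"
                          for u in check.findall("UpdateData")},
            "services": [s.get("Name") for s in check.findall("Service")],
        }
    return root.get("Machine"), checks


def rollup_bulletins(scans, bulletins):
    """Per machine, mark each requested bulletin Installed, Missing, or Unknown
    (Unknown = the scan never mentioned it, e.g. it does not apply to that OS)."""
    matrix = {}
    for xml_text in scans.values():
        machine, checks = parse_scan(xml_text)
        seen = {}
        for c in checks.values():
            seen.update(c["bulletins"])
        matrix[machine] = {
            b: "Installed" if seen.get(b) else ("Missing" if b in seen else "Unknown")
            for b in bulletins
        }
    return matrix


def rollup_check(scans, check_id):
    """Per machine, Pass/Fail for one check plus any service names the scan listed under it."""
    result = {}
    for xml_text in scans.values():
        machine, checks = parse_scan(xml_text)
        c = checks.get(check_id)
        if c is None:
            result[machine] = ("NotRun", [])
        else:
            result[machine] = ("Pass" if c["passed"] else "Fail", c["services"])
    return result


def to_xml(title, rows):
    """Serialise {machine: {column: value}} as a small XML document a stylesheet can render."""
    lines = ['<?xml version="1.0"?>', "<Rollup Title=%s>" % quoteattr(title)]
    for machine in sorted(rows):
        lines.append("  <Computer Name=%s>" % quoteattr(machine))
        for col, val in rows[machine].items():
            lines.append("    <Item Name=%s Status=%s/>" % (quoteattr(col), quoteattr(str(val))))
        lines.append("  </Computer>")
    lines.append("</Rollup>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_SCANS with load_scans(r"c:\mbsadata") to run against collected results.
    print(to_xml("Bulletins", rollup_bulletins(SAMPLE_SCANS, ["MS04-030", "MS04-029", "MS04-028"])))
    svc = rollup_check(SAMPLE_SCANS, "123")
    print(to_xml("Services", {m: {"Result": r, "Services": ", ".join(s)} for m, (r, s) in svc.items()}))
```

Redirecting the script's output to a file in the Web folder gives the same kind of per-computer summary that password.xml and bulletin.xml provide; the "Unknown" state is kept separate from "Missing" so that a bulletin that simply does not apply to a machine is not reported as an unpatched one.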
Final Steps
Copy the Rollup script to the network share on which you're collecting the MBSA scan results. Copy the MBSA sample scripts XML stylesheet named rollup.xslt to the Web server that you want to host the scan reports (e.g., C:\inetpub\www). We need to update the Rollup script to point to the location of the XML data files, because by default the script looks in %userprofile%\securityscans. Open the Rollup script file in Notepad and go to the following line (line 38):
var g_SecurityScans = "%userprofile%\\securityscans"
and change it to
var g_SecurityScans = "c:\\mbsadata"
or to whatever folder Runmbsa is copying your scan data to.
Next, configure a scheduled task that executes the shell script shown in Listing 2 to run daily on the central server. Check.bat runs the Rollup script to gather the results of Runmbsa's password checks and the status of six Microsoft security bulletins and outputs the new summary XML data files password.xml and bulletin.xml to the Web folder. Last, you can create a Web page that links to Password and Bulletin (or simply open them individually in your Web browser), and you'll see a summary rollup of the results, similar to those displayed in Figure 2. Using the Runmbsa and Check scripts, you'll be able to keep tabs on system configuration and missing patches on a regular and recurring basis.
MBSA provides a useful interface for scanning for basic system vulnerabilities and missing security updates. I've shown you how to configure it to scan all local computers in a domain whenever they're restarted and post up-to-date summary results as Web pages on a server. Although you'll no doubt want to customize this example to show data useful to your environment, you've now seen how easy it is to harness MBSA across your network. I don't recommend MBSA as your only security scanner or patch management tool, because it's not exceptionally robust in its vulnerability scanning and it doesn't distribute and install security updates. However, it's free—and its XML data output and sample scripts together with a bit of work on your part can make this tool a nice addition to your network security arsenal.
safurniss March 24, 2005