Automatically patching machine with hotfix KB824146 using mbsafu.

From: Albers, Lucas (luke_at_COE.MONTANA.EDU)
Date: 09/12/03

    Date:         Thu, 11 Sep 2003 20:45:43 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I didn't want to spend as many hours patching machines with KB824146 exploit
    as I did with KB823980, so I tried out mbsafu.

    Mbsafu is an automatic remote patching tool that applies Security updates
    based on Microsoft Baseline Security Analyzer output.

    This will patch NT4, WIN2k, WINXP, WIN2003 machines.

    I patched 200-250 machines in our domain in <1 hour using the free tool:
    Mbsafu. It works! We ran this against desktops and domain controllers.

    Before deploying this, TEST IT on a few machines.

    Steps to patch machines:

    Download and unzip mbsafu.
    http://sourceforge.net/projects/mbsafu/

    Read the usage.txt and readme.txt that come with the program.
    Read the docs......

    Download and install mbsa (Microsoft).
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

    You need this to run mbsacli, the MBSA command-line scanner.

    Run mbsacli scan against the computers in your domain.
    mbsacli -hf -d DOMAIN -o tab > output.csv

    You can also run mbsacli on a range of ip addresses.
    Look at the options...

    Setup a network share with full privileges for the account you will patch
    under.
    Set to full control for the domain admin account you will use.

    Parse the output using mbsaparse

    type output.csv | mbsaparse \\server\share

    Download all needed patches it detects using:
    mbsafetch \\server\share

    Troubleshoot patches that did not download by manually downloading via
    manual.htm

    Determine the specific patch you want to apply.
    824146 is the patch I want to apply.

    Edit the patch files to only apply that specific patch.
    The patch files contain the patches to apply for each machine, one
    patch per line.
    If you remove all the lines except for the 824146 line, it will only install
    that patch.

    Set the command line switches for all the patches or the patches you want to
    install:

    mbsaswitch \\server\share all "-z -q"

    Note: this is to do an unattended install without a reboot.
    If you want to reboot after applying the patch, read about the switches you
    need to set, I do not recommend this. I wrote a simple perl script to
    determine if anyone is logged onto the computer, so you can reboot it later.

    For NT 4 clients you want the switches to be="/z /q" <--- VERIFY THIS!

    Change your domain admin password to use a character-number only password.
    When I had my password set using alphanumerics, it did not work correctly.
    Run the autopatch tool.

    This uses windows scheduler to schedule the job to run on the target
    machine.
    It should encrypt your password.

            mbsascheduler.exe \\server\share domain\user pass timeout-in-seconds > remote-results.csv

    Runs the process remotely; this is similar to psexec but does not encrypt
    your password.

            mbsaremote.exe \\server\share domain\user pass timeout > remote-results.csv

    This will schedule the remote machine to install the patch from your
    network share using domain credentials; it uses windows scheduler so the
    password is not sent in clear text to the machine.

    Start the update using the scheduler service, wait 10 minutes for it to
    complete on each machine, and log the results to remote-results.csv

            mbsascheduler.exe \\server\share domain\user password 600 > remote-results.csv

    As soon as it finishes, change your domain password.
    It takes a while to get started, so be patient, and it took 5 minutes before
    I started getting connections on the network share with the clients
    installing the patch.

    Additional Items: Tools and Information I used to patch and verify:

    Perl script to find computers no one is logged onto.
    http://www.cs.montana.edu/~admin/MSO-039/no_one_logged_on.pl
    Note, Pure Hack.
    If you want to improve it and send me the improvements, go ahead.
    Eventcombmt can be used to search for event logs relating to installation of
    patches.
    Look for event 4377,8
    Source:all
    Event Types:Informational
    Text:KB824146

    "shutdown /i /r /f" will allow you to interactively shutdown computers
    remotely.

    "Retina Network Security Scanner has been updated to identify this
    vulnerability. http://www.eeye.com/html/Products/Retina/index.html
    Also our FREE RPC scanner tool has been updated to check for this second
    vulnerability. http://www.eeye.com/html/Research/Tools/RPCDCOM.html"

    Microsoft has released a patch for this vulnerability. The patch is
    available at:
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

    Good Luck.

    --Luke
    Montana State University - Bozeman
    Computer Science System Administrator, Bozeman MT 59717
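Two steps of the procedure above are done by hand in the post: trimming each machine's patch file down to the one KB you want, and afterwards checking (with EventCombMT, event 4377/4378, text KB824146) which machines actually installed it. The script below is an added example, not part of the original post and not mbsafu's own code. The tab-delimited scan and the event-log export it works on are constructed samples, and their column layouts are assumptions; mbsafu's patch-file format is approximated as "one KB number per line", as the post describes it.

```python
"""Added example: build single-KB patch lists from a scan, then reconcile
them against post-install event-log records to find machines still missing
the hotfix. Sample data and column layouts are constructed/assumed."""
import csv
import io
import re
from collections import defaultdict

# Constructed tab-delimited scan output (assumed columns: Computer, Product, KB, Status).
SAMPLE_SCAN = """Computer\tProduct\tKB\tStatus
WS01\tWindows XP\t823980\tPatch NOT Found
WS01\tWindows XP\t824146\tPatch NOT Found
WS02\tWindows 2000\t824146\tPatch NOT Found
WS03\tWindows 2000\t824146\tPatch Found
DC01\tWindows 2000\t823980\tPatch NOT Found
DC01\tWindows 2000\t824146\tPatch NOT Found
"""

# Constructed event-log export: machine, event id, source, message (tab-separated).
# DC01 deliberately has no record, standing in for a machine whose install
# never reported back (e.g. the scheduler timed out).
SAMPLE_EVENTS = [
    "WS01\t4377\tNtServicePack\tWindows XP Hotfix KB824146 was installed.",
    "WS02\t4377\tNtServicePack\tWindows 2000 Hotfix KB824146 was installed.",
    "WS03\t4377\tNtServicePack\tWindows 2000 Hotfix KB823980 was installed.",
]

# The event IDs the post says to search for with EventCombMT.
HOTFIX_EVENT_IDS = {"4377", "4378"}


def parse_missing(scan_text):
    """Return {machine: set of KB numbers the scan reports as not installed}."""
    missing = defaultdict(set)
    reader = csv.DictReader(io.StringIO(scan_text), delimiter="\t")
    for row in reader:
        if "NOT" in row["Status"].upper():
            missing[row["Computer"].strip().upper()].add(row["KB"].strip())
    return dict(missing)


def patch_lists_for(missing, kb):
    """Equivalent of editing the per-machine patch files down to one line:
    only machines missing `kb` get a file, and it contains just that KB."""
    return {m: kb + "\n" for m, kbs in sorted(missing.items()) if kb in kbs}


def installed_from_events(event_lines, kb):
    """Machines with a hotfix event (4377/4378) whose text mentions KB<kb>."""
    needle = re.compile(r"\bKB" + re.escape(kb) + r"\b", re.IGNORECASE)
    done = set()
    for line in event_lines:
        machine, event_id, _source, message = line.split("\t", 3)
        if event_id in HOTFIX_EVENT_IDS and needle.search(message):
            done.add(machine.strip().upper())
    return done


def still_outstanding(patch_lists, installed):
    """Machines that were given a patch file but show no install event."""
    return sorted(set(patch_lists) - installed)


if __name__ == "__main__":
    missing = parse_missing(SAMPLE_SCAN)
    lists = patch_lists_for(missing, "824146")
    done = installed_from_events(SAMPLE_EVENTS, "824146")
    for machine, contents in lists.items():
        print(f"{machine}: patch file -> {contents.strip()}")
    print("installed per event log:", sorted(done))
    print("still outstanding:", still_outstanding(lists, done))
```

Machines the scan already shows as patched get no patch file at all, so they are never scheduled; the reconcile step then lists only the machines that were scheduled but never logged a hotfix event, which is the set to chase by hand (or to re-run the scan against) before changing the domain admin password back.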
