Recently I’ve been checking the patch level on a LOT of Microsoft servers, mostly versions of Microsoft Server and Microsoft SQL Server. Microsoft has a great tool for this, the Microsoft Baseline Security Analyzer. It’s legacy software, but it’s free of charge and still works like a charm.
Obviously, not all administrators are too keen on installing an application on their precious servers, or on letting me plug my PC into their corporate network in order to perform a remote scan. So I’m often forced to use the standalone version of MBSA and run it from the command line. Since the command-line tool is kind of picky, I’ve written a quick tutorial on how to use it here.
- First, you need the MBSA, downloadable from here
- To make the tool standalone, you’ll need to install it somewhere and copy the mbsacli.exe and wusscan.dll files out to a temporary folder (the default install location is C:\Program Files\Microsoft Baseline Security Analyzer 2\)
- You’ll also need Microsoft’s latest wsusscn2.cab file, which contains details on all the latest updates from Microsoft. You can download it here
- Select those three files (or zip them down) and copy them to the server you wish to test
- Open a command window, cd into the directory containing the files (on the server), and issue the following command:
mbsacli /xmlout /catalog wsusscn2.cab /unicode /nvc >results.xml
The resulting results.xml file should contain all Microsoft patches that are targeted towards that particular server, both installed and uninstalled. So if the server is a Microsoft Server 2008 running SQL Server 2005, the file will contain both patches for Microsoft Server 2008 and SQL Server 2005.
The easiest way of analyzing the results is to open the file in Excel. There you can easily filter out all installed patches, for example, and get a quick overview of whether the server is under a good patch management process or not.
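If you would rather not hand-filter the XML in Excel, the same triage can be scripted. The example below is added here and is not from the original post or from Microsoft; it assumes the MBSA 2.x XML layout (UpdateData elements with IsInstalled, Severity, KBID and BulletinID attributes and a Title child) and runs against a small constructed sample rather than real scanner output.

```python
# Added example: list the updates an MBSA /xmlout result reports as not
# installed, most severe first. Element/attribute names (UpdateData,
# IsInstalled, Severity, KBID, BulletinID, Title) are assumed from the MBSA
# 2.x layout; verify them against a real results.xml before relying on this.
import xml.etree.ElementTree as ET

# Constructed sample, not real scanner output.
SAMPLE_XML = """<?xml version="1.0"?>
<SecScan>
  <Check ID="500" Grade="2" Type="1" Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="1" BulletinID="MS-EXAMPLE-1" KBID="1000001" IsInstalled="false" Severity="Critical">
        <Title>Example critical update</Title>
      </UpdateData>
      <UpdateData ID="2" BulletinID="" KBID="1000002" IsInstalled="true" Severity="Important">
        <Title>Example installed update</Title>
      </UpdateData>
      <UpdateData ID="3" BulletinID="MS-EXAMPLE-3" KBID="1000003" IsInstalled="false" Severity="Moderate">
        <Title>Example moderate update</Title>
      </UpdateData>
    </Detail>
  </Check>
</SecScan>
"""

SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def missing_updates(xml_text):
    """Return (severity, kb, bulletin, title) for each update not installed, most severe first."""
    root = ET.fromstring(xml_text)
    missing = []
    for upd in root.iter("UpdateData"):
        if upd.get("IsInstalled", "").lower() == "true":
            continue  # installed: not interesting for patch-gap triage
        title_el = upd.find("Title")
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        severity = upd.get("Severity", "Unknown")
        missing.append((severity, upd.get("KBID", ""), upd.get("BulletinID", ""), title))
    # Unknown severities sort last so Critical/Important surface first
    missing.sort(key=lambda r: SEVERITY_ORDER.get(r[0], len(SEVERITY_ORDER)))
    return missing

def summarize(xml_text):
    """Count missing updates per severity, e.g. {'Critical': 1, 'Moderate': 1}."""
    counts = {}
    for severity, *_ in missing_updates(xml_text):
        counts[severity] = counts.get(severity, 0) + 1
    return counts
```

For a real results.xml produced with /unicode, read the file in binary mode and pass the bytes to missing_updates, so the parser can pick up the UTF-16 byte order mark itself.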
In the example output below, the server is missing a lot of patches (sorted by severity), which makes it vulnerable to a wide range of exploits:
I’ve had some issues running this on older installations of Windows software such as Windows 2000 and Windows NT (yeah I know, but some people still use non-supported Microsoft products), but for most properly configured servers the above command works as intended. Drop me a comment if you have any trouble!