Title: Using the Microsoft Security Tool Kit to Get and Stay Secure
1 Using the Microsoft Security Tool Kit to Get and Stay Secure
Chris Knaff, Technical Lead, Performance Team
Microsoft Product Support
2 Microsoft Security Tool Kit: Description
- Used to lock down an existing computer or a new installation
- Works on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition (TSE), and Windows 2000
- Not needed for Windows XP
- Can be installed automatically or manually
- Used to get your system to a base level of security
3 Before Installing the Tool Kit
- We recommend that you
  - Perform a good backup of the system
  - Update the repair disks
  - Close all applications
  - Be an administrator of your machine
4 Installing the Tool Kit
- Start with the Readme.htm file
- Click on the Install Now link to begin the installation
5 The Readme.htm
- The Readme.htm file contains
  - An Install Now link for automatic install
  - Descriptions for manual installations
  - Information on how to push the tool kit contents through a network using Systems Management Server (SMS)
  - Links for online updates
6 Windows NT Requirements
- Microsoft Internet Explorer 4.01 or later
- Windows NT 4.0 Service Pack 3 or later
7 Windows NT 4.0: Installing the Tool Kit
- Windows NT 4.0 Service Pack 6a
- Reboot
- Windows NT 4.0 Security Rollup Package
- Hotfix Q305929
- Hotfix Q307866 pre-restart updates
- Reboot
- Hotfix Q307866 post-restart updates
- Internet Explorer 5.5 Service Pack 2
- Reboot
- Internet Information Services (IIS) Lockdown Wizard (if IIS is installed)
8 Windows NT 4.0 TSE: Requirements
- Internet Explorer 4.01
- Windows NT 4.0 Terminal Server Edition Service Pack 3
- IIS cannot be installed (the tool kit will not run)
9 Windows NT 4.0 TSE: Tool Kit Updates for Windows NT 4.0 TSE
- Windows NT 4.0 Terminal Server Edition Service Pack 6
- Various hotfixes (Q280119, Q269049, Q266433, and Q265714)
- Internet Explorer 5.01 SP2
- Windows Media Player patches
10 Windows 2000: Tool Kit Updates for Windows 2000
- Windows 2000 Service Pack 2
- Internet Explorer 5.5 SP2
- IIS 5.0 Security Update (if IIS is installed)
- Windows Media Player patches
- Windows 2000 Critical Update Notification Tool
- IIS Lockdown Wizard (if IIS is installed)
11 Contents of the Tool Kit
- \CDLaunch (contains files used to autorun the tool kit)
- \Combined (contains Internet Explorer 5.01 SP2, Internet Explorer 5.5 SP2, Windows Media Player patches, and the Tools directory)
- \Combined\Tools (contains the Hfnetchk, Qchain, and IIS Lockdown Tool directories)
12 Contents of the Tool Kit (2)
- \Documents (contains documents on each of the KB articles supplied by the tool kit, with new and existing deployment guides)
- \NT 4.0 (contains all the tools needed to lock down a Windows NT 4.0 system, such as SP6a, the Option Pack, and the Security Rollup Package)
- \NT 4.0 Terminal Server Edition (contains Service Pack 6 and the four hotfixes needed to lock down a Windows NT 4.0 Terminal Server)
13 Contents of the Tool Kit (3)
- \SMS (contains documentation on how to push the tool kit with SMS)
- \Windows 2000 (contains the tools needed to lock down a Windows 2000 system, such as SP2 and the IIS 5.0 Security Update)
- Readme.htm (main file used when using the tool kit)
14 IIS Lockdown Wizard with URLScan
- IISLockD functionality
- Obtaining IISLockD
- Running IISLockD
- Removing IISLockD
- Troubleshooting
- Server templates and references
- IISLockD = IIS Lockdown Wizard
15 IISLockD Functionality: Limits Attack Vulnerabilities
- Removes unused components, including
  - Web services
  - Script mappings
  - WebDAV
  - Samples and added features
- Restricts anonymous web users from writing to content folders and executing system applications
16 URLScan Functionality: Used to Prevent Expected and Unexpected Attacks
- Implemented as an ISAPI filter
- Allows or denies requests based on URL characteristics
- Blocks are based on attack characteristics
  - HTTP request verbs
  - Canonicalization and normalization checking
  - Executable file extensions
  - Multiple dots in path
- Stop/restart of the IISADMIN service is required after modifying urlscan.ini
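The rule categories on this slide can be illustrated with a small request filter. The Python below is an added example written for this page, not URLScan's own code, and its rule order is this example's rather than the filter's: it reads a constructed urlscan.ini-style configuration (the section and option names follow the real file's layout; the values chosen are sample settings) and applies the verb, normalization, dot-in-path, extension and denied-sequence rules to a few constructed request lines.

```python
"""URLScan-style request filter: an added illustration, not URLScan's own code."""
from urllib.parse import unquote

# Constructed configuration in the layout of urlscan.ini: [options] holds
# key=value settings, every other section is a plain list, one entry per line.
SAMPLE_URLSCAN_INI = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
.exe
.bat
.cmd
.htr
.printer

[DenyUrlSequences]
..
./
\\
:
%
"""


def parse_ini(text):
    """Return (options, lists): [options] as a dict, other sections as lists."""
    options, lists, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or ; comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                lists[section] = []
            continue
        if section == "options":
            key, _, value = line.partition("=")
            options[key.strip()] = value.strip()
        elif section is not None:
            lists[section].append(line)
    return options, lists


def _flag(options, name):
    return options.get(name, "0") == "1"          # a missing option counts as off


def check_request(verb, url, options, lists):
    """Return (allowed, reason) for one request line."""
    verb = verb.upper()
    if _flag(options, "UseAllowVerbs"):
        if verb not in lists.get("AllowVerbs", []):
            return False, "verb not in AllowVerbs"
    elif verb in lists.get("DenyVerbs", []):
        return False, "verb in DenyVerbs"

    scanned = url
    if _flag(options, "NormalizeUrlBeforeScan"):
        scanned = unquote(url)
        # Canonicalization check: decoding the decoded URL again must be a
        # no-op; otherwise the client sent a double-encoded URL that a later
        # decoder would turn into something this filter never inspected.
        if _flag(options, "VerifyNormalization") and unquote(scanned) != scanned:
            return False, "URL changes when decoded twice"

    if not _flag(options, "AllowHighBitCharacters") and any(ord(c) > 0x7F for c in scanned):
        return False, "high-bit character in URL"

    path = scanned.split("?", 1)[0]
    if not _flag(options, "AllowDotInPath") and path.count(".") > 1:
        return False, "multiple dots in path"

    last = path.rsplit("/", 1)[-1]
    ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else "."
    if _flag(options, "UseAllowExtensions"):
        if ext not in [e.lower() for e in lists.get("AllowExtensions", [])]:
            return False, f"extension {ext} not in AllowExtensions"
    elif ext in [e.lower() for e in lists.get("DenyExtensions", [])]:
        return False, f"extension {ext} in DenyExtensions"

    for seq in lists.get("DenyUrlSequences", []):
        if seq in scanned:
            return False, f"URL contains denied sequence {seq!r}"
    return True, "ok"


OPTIONS, LISTS = parse_ini(SAMPLE_URLSCAN_INI)

# Constructed request lines; none refers to a real site.
SAMPLE_REQUESTS = [
    ("GET", "/default.htm"),
    ("PROPFIND", "/docs/"),
    ("GET", "/scripts/tool.exe"),
    ("GET", "/docs/report%252ehtm"),
    ("GET", "/docs/%2e%2e/private.htm"),
    ("GET", "/a.b/c.htm"),
]

if __name__ == "__main__":
    for verb, url in SAMPLE_REQUESTS:
        allowed, reason = check_request(verb, url, OPTIONS, LISTS)
        print(f"{'allow' if allowed else 'DENY '} {verb} {url}  ({reason})")
```

The double-decoding test is the part worth studying: with NormalizeUrlBeforeScan on, the filter compares a URL decoded once against the same URL decoded twice, and any difference means an encoded percent sign was hiding a second layer that IIS would have decoded after the filter ran.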
17 Obtaining IISLockD
- CD-ROM
  - Microsoft Security Tool Kit CD-ROM
  - <CD-Drive>\COMBINED\tools\IIS Lockdown Tool\
  - Contains IIS Lockdown Wizard 2.0
- Internet download
  - http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
  - Latest version of IIS Lockdown Wizard (currently 2.1)
  - Check for updates before installing
18 Changes in IISLockD 2.1
- Metabase backup generated prior to uninstalling the wizard
- Dynamic updating of template_urlscan.ini no longer made
- Unattended install documentation included in IISLockD.chm
19 Running IISLockD: One-Click Install
- Execute the compressed IISLockD.exe (230 KB)
- Specify a temporary folder to extract the setup files to
- The folder containing the setup files will be automatically deleted after setup
20 Running IISLockD (2): Extracted Files
- Decompress the files: IISLockD.exe /x
- Specify the folder to extract the files to
- Execute IISLockD.exe (156 KB)
- Execute Urlscan.exe to install only UrlScan
21 Running IISLockD (3): Unattended Install
- Decompress the files: IISLockD.exe /x
- Specify the folder to extract the files to
- Configure IISLockD.ini (see Q310725)
- Execute IISLockD.exe (156 KB)
22 Install Methods Compared
- One-Click Install
  - Execute IISLockD.exe
  - Mixed-case filename
  - Generic Windows application icon
  - File size (230 KB)
- Extraction Method
  - Files are compressed inside IISLockD.exe
  - Lower-case filename
  - Cool-key icon
  - File size (156 KB)
  - No need to choose an extract location
23 Running IISLockD (4): IIS Lockdown Wizard Setup Demo
24 Running IISLockD (5): IIS Lockdown Wizard Setup Demo
25 Running IISLockD (6): IIS Lockdown Wizard Setup Demo
26 Running IISLockD (7): IIS Lockdown Wizard Setup Demo
27 Running IISLockD (8): IIS Lockdown Wizard Setup Demo
28 Installation Logs
- oblt-rep.log
  - Summary of what was done, generated after install
  - %windir%\System32\InetSrv\oblt-rep.log
- oblt-log.log
  - List of actions to perform during uninstall
  - %windir%\System32\InetSrv\oblt-log.log
- Note
  - One Button Lockdown Tool (OBLT) was the original name of the IIS Lockdown Wizard
29 Removing IISLockD: Running IISLockD a Second Time
- The uninstall wizard is automatically invoked
- Prompt: Uninstall or Exit wizard
- oblt-once.MD0 is used to replace the currently running metabase
- All metabase changes made after installing IISLockD will be lost
- The metabase restoration phase can take 30 min or more
30 Removing IISLockD (2): Uninstall Demo, Running IISLockD.exe
31 Removing IISLockD (3): Uninstall Demo, Running IISLockD.exe
32 Uninstall Logs
- oblt-undone.log
  - Renamed from oblt-log.log when the uninstall starts
  - %windir%\System32\InetSrv\oblt-undone.log
- oblt-undo.log
  - List of actions performed during uninstall
  - %windir%\System32\InetSrv\oblt-undo.log
33 Troubleshooting: Problems During Installation
- Multiple security scopes not supported
- Modified files not available
- Current user's permissions too restrictive
34 Troubleshooting (2): If Web Services No Longer Work Properly
- Collect logs
- Collect data with Web services failing
  - Event logs
  - Network Monitor (Q252876)
  - IIS logs
  - UrlScan.log
- Remove IISLockD
- Collect data with Web services working
- Create a custom server template (Q311350)
35 Troubleshooting (3): Cannot Uninstall IISLockD
- Verify the current user is a member of the local Administrators group.
- Verify oblt-log.log and oblt-rep.log both exist.
- Call 1-866-PCSAFETY (1-866-727-2338).
- Prepare to send oblt.log and all Event Viewer logs.
36 References
- Q311350 - HOWTO: Create a Custom Server Type for Use with the IIS Lockdown Wizard
- Q310725 - HOWTO: Run the IIS Lockdown Wizard Unattended
- Q307608 - INFO: Availability of URLScan Security Tool
- General security info
  - http://www.microsoft.com/security/
- Q282060 - Resources for Securing Internet Information Services
37 Use of Qchain
- Solution for Windows NT 4.0, Windows 2000, and Windows XP
- Fast installs of hotfixes on a single computer
- One reboot
- Only Microsoft-supported method of installing multiple hotfixes
- Manual or batch install
38 Elements of Qchain
- Qchain.exe
- Hotfix executable(s)
- QFEcheck.exe
39 Qchain Syntax
- Qchain /?
  - Shows available syntax
- Qchain <logfilename>
  - Ex: Qchain hotfixlog
40 Installing Hotfixes with Qchain: Manual Install
- Can install each hotfix singly
- Must use the switch for no reboot
- Quiet mode is optional
- The switches can be used together
  - Ex: Qnnnnnn_x86_en.exe -z (no reboot)
  - Ex: Qnnnnnn_x86_en.exe -m (quiet)
  - Ex: Qnnnnnn_x86_en.exe -z -m (no reboot and quiet)
41 Installing Hotfixes with Qchain (2): Batch File
- Use a batch file for scripting multiple hotfixes
- Ex:
  @echo off
  setlocal
  set pathtofixes=<some path>
  %pathtofixes%\Q123456.exe -z -m
  %pathtofixes%\Q234567.exe -z -m
  %pathtofixes%\qchain.exe
42 Limitations of Qchain
- May not work on some Windows NT 4.0 and pre-SP2 Windows 2000 hotfixes
- If the hotfix contains files listed in the registry key
  - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
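The batch file on the previous slide and the KnownDLLs limitation on this one can be combined into a small planning step. The Python below is an added example for this deck, not Microsoft's Qchain tooling: given a list of hotfixes and the files each replaces (constructed manifests using the slide's placeholder Q numbers), it holds back any hotfix that touches a file in a constructed stand-in for the KnownDLLs list and emits the -z -m batch layout shown above for the rest. Reading the real registry key with winreg, and the choice to install the held-back hotfixes separately with their own reboot, are this example's assumptions.

```python
"""Plan a Qchain batch run: an added illustration for this deck, not Microsoft's tooling."""

# Constructed stand-in for the values under the registry key named on the slide
# (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs).
# On a real machine these would be read with the winreg module; they are
# hard-coded here so the example runs anywhere.
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll",
                     "advapi32.dll", "shell32.dll", "ole32.dll"}

# Constructed hotfix manifests: placeholder Q numbers (the same ones the slide's
# batch example uses) mapped to the files each package is assumed to replace.
SAMPLE_HOTFIXES = {
    "Q123456": ["inetinfo.exe", "w3svc.dll"],
    "Q234567": ["shell32.dll", "shdocvw.dll"],
    "Q345678": ["ntoskrnl.exe"],
}


def split_by_knowndlls(hotfixes, known_dlls):
    """Separate hotfixes that only touch ordinary files (chained with -z -m and
    one qchain.exe run) from those that replace a KnownDLL, which this example
    installs on their own with their own reboot."""
    known = {name.lower() for name in known_dlls}
    chainable, separate = [], {}
    for q in sorted(hotfixes):
        hits = sorted(f for f in hotfixes[q] if f.lower() in known)
        if hits:
            separate[q] = hits
        else:
            chainable.append(q)
    return chainable, separate


def build_batch(chainable, path_to_fixes="<some path>"):
    """Emit the batch layout shown on the slide: every hotfix with -z (no
    reboot) and -m (quiet), then qchain.exe once at the end; the single
    reboot happens after the batch finishes."""
    lines = ["@echo off", "setlocal", f"set pathtofixes={path_to_fixes}"]
    lines += [f"%pathtofixes%\\{q}.exe -z -m" for q in chainable]
    lines.append("%pathtofixes%\\qchain.exe")
    return "\r\n".join(lines) + "\r\n"          # CRLF line endings for cmd.exe


def plan(hotfixes=SAMPLE_HOTFIXES, known_dlls=SAMPLE_KNOWN_DLLS, path_to_fixes="<some path>"):
    """Return (batch_text, held_back) where held_back maps Q number -> KnownDLL files."""
    chainable, separate = split_by_knowndlls(hotfixes, known_dlls)
    return build_batch(chainable, path_to_fixes), separate


if __name__ == "__main__":
    batch, held_back = plan()
    print(batch)
    for q, files in held_back.items():
        print(f"{q}: install separately (replaces KnownDLLs {', '.join(files)})")
```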
43 Other Tools: Qfecheck.exe
- Verifies the hotfixes installed
- Works only on Windows 2000
- To view the syntax, type Qfecheck /?
  - QFECHECK /l:location /v /q /?
  - /l Log output to <Computername>.log in the current folder; location: use the specified location to store the log file
  - /v Verbose output
  - /q Quiet mode
44 Additional References
- QChain.exe
- Microsoft KB article Q296861
- Qfecheck.exe
- Microsoft KB article Q282784
45 Hfnetchk Usage
- Used for scanning
- Single Computer
- Enterprise Wide
- Assesses patch status for
- Windows NT 4.0
- Windows 2000
- Windows XP
- IIS 4.0 and 5.0
- SQL Server 7.0 and SQL Server 2000
- Internet Explorer 5.01 and later
- Can be used locally or remotely
- Customize scan via switches
46 Command-Line Switches
- -x (datasource) specifies
  - XML file
  - Compressed XML file in .cab format
  - URL
  - Default is Mssecure.cab from the Microsoft Web site
- -o (output switch) specifies the output format
  - tab: tab-delimited format
  - wrap: word-wrapped format
- -? (help)
  - Displays the help menu for all switches and examples
- -z (reg checks)
  - Prevents checking registry settings
  - Finds fixes when no registry settings are present, to avoid false negatives
- -v (verbose)
  - Displays reasons for test failure in wrap mode
47 Command-Line Switches (2)
- -h (hostname)
  - Specifies the NetBIOS machine name to scan; default is localhost
- -r (range)
  - Specifies a range of IP addresses to scan
  - Starting with IP address1 and ending with IP address2, inclusive
- -i (IP address)
  - Specifies the IP address of the machine to scan
- -d (domain_name)
  - Specifies the domain name to scan
  - Will scan all machines in the domain
- -n (network)
  - Scan all systems on the local network
  - All hosts in Network Neighborhood
- -b (baseline)
  - Displays the status of hotfixes required for minimum baseline security standards
48 Command-Line Switches (3)
- -s (suppress)
  - Suppresses NOTE and WARNING messages
  - 1: suppress NOTE messages only
  - 2: suppress WARNING messages
  - Default is to show all messages
- -nosum (checksum)
  - Do not evaluate file checksums
- -t (threads)
  - Sets the number of threads used for scanning
  - Possible values are 1 to 128; default is 64
- -history (history level)
  - (1) explicitly installed
  - (2) explicitly not installed
  - (3) explicitly installed and not installed
  - This switch is not necessary for normal operation
49 Common Usage: Single Computer
- Local computer
- Isolated servers
- Sample usage
  - Hfnetchk.exe -history 3 > servername_date.txt
  - Hfnetchk.exe -x C:\temp\mssecure.xml -z -v
  - Hfnetchk.exe -o tab > servername_date.txt
50 Common Usage (2): Enterprise Wide
- Individual computers
- Specific computers in a group
- Entire domains or networks
- Sample usage
  - Hfnetchk.exe -h server_name1, server_name2, server_name3
  - Hfnetchk.exe -r 192.168.0.1,192.168.0.254 -z -v
  - Hfnetchk.exe -d domain_name -t 128 -s 2 -z > domain_name_date.txt
  - Hfnetchk.exe -d domain_name -t 128 -b -v > domain_name_date.txt
  - Hfnetchk.exe -d domain_name -nosum -v > domain_name_date.txt
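The domain-wide commands above redirect the scan into a text file; the next step is usually to turn that file into a per-host list of missing hotfixes. The Python below is an added example, not part of the deck or of Hfnetchk: it parses tab-delimited (-o tab) output and applies the suppression levels in the sense the -s switch is described on the earlier slide. The column layout of the sample is an assumption made for this illustration; Q305929 and Q307866 are the NT 4.0 hotfixes named earlier in the deck, Q000001 to Q000003 are placeholders, and treating -s 2 as hiding both NOTE and WARNING lines is this example's reading of the slide.

```python
"""Summarize redirected Hfnetchk output per host: an added illustration, not Hfnetchk's code."""
import csv
import io
from collections import defaultdict

# Constructed stand-in for a file such as domain_name_date.txt written by
# "Hfnetchk.exe -d domain_name -o tab > domain_name_date.txt". The column
# layout is an assumption made for this example; the status words
# "Patch NOT Found", "NOTE" and "WARNING" are the ones the slides refer to.
# Q000001..Q000003 are placeholders. The last row stands for an "explicitly
# installed" line of the kind -history reporting adds.
SAMPLE_TAB_OUTPUT = """\
Machine\tProduct\tStatus\tQ Number
SERVER1\tWindows NT 4.0 SP6a\tPatch NOT Found\tQ305929
SERVER1\tWindows NT 4.0 SP6a\tPatch NOT Found\tQ307866
SERVER1\tInternet Explorer 5.5 SP2\tNOTE\tQ000001
SERVER2\tWindows 2000 SP2\tWARNING\tQ000002
SERVER2\tInternet Information Services 5.0\tPatch NOT Found\tQ000003
SERVER3\tWindows 2000 SP2\tPatch Found\tQ000002
"""


def parse_tab_output(text):
    """Read tab-delimited scan output into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def summarize(rows, suppress=0):
    """Group findings by host.

    `suppress` mirrors the -s switch as the slide describes it: 1 hides NOTE
    lines, and 2 is taken here to hide WARNING lines as well (an assumption).
    Returns (missing, advisories): host -> [Q numbers] and host -> [(status, Q)].
    """
    hidden = set()
    if suppress >= 1:
        hidden.add("NOTE")
    if suppress >= 2:
        hidden.add("WARNING")
    missing = defaultdict(list)
    advisories = defaultdict(list)
    for row in rows:
        status = row["Status"]
        if status in hidden:
            continue
        if status == "Patch NOT Found":
            missing[row["Machine"]].append(row["Q Number"])
        elif status in ("NOTE", "WARNING"):
            advisories[row["Machine"]].append((status, row["Q Number"]))
    return dict(missing), dict(advisories)


def hosts_needing_patches(rows):
    """Hosts with at least one 'Patch NOT Found' line, sorted."""
    return sorted(summarize(rows)[0])


def format_report(rows, suppress=0):
    """Render one line per host plus any NOTE/WARNING lines kept after suppression."""
    missing, advisories = summarize(rows, suppress)
    out = []
    for host in sorted(set(missing) | set(advisories)):
        out.append(f"{host}: missing {', '.join(missing.get(host, [])) or 'none'}")
        for status, q in advisories.get(host, []):
            out.append(f"  {status} {q}")
    return "\n".join(out)


SAMPLE_ROWS = parse_tab_output(SAMPLE_TAB_OUTPUT)

if __name__ == "__main__":
    print(format_report(SAMPLE_ROWS))
    print("--- as with -s 2 ---")
    print(format_report(SAMPLE_ROWS, suppress=2))
```

Keying on the status column rather than on the Q number keeps the report honest when a scan is run with -history 3: rows for explicitly installed hotfixes are then present in the file and must not be counted as missing.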
51 References
- Q303215
  - Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available
- Q305385
  - Frequently Asked Questions about the Hfnetchk.exe Tool
- Readme.txt file installed with Hfnetchk
- Support via e-mail at
  - hfnetchk@microsoft.com
52 Hfnetchk
- Assess installation status of hotfixes
- Local or remote
- Use command-line switches to tune
- Find references on Security Tool Kit
53 Critical Update Notification Tool: Description
- Can be used on Windows 2000 machines only
- Used to automate downloading of the updates provided by http://windowsupdate.microsoft.com/
54 Critical Update Notification Tool (2): Installation
- Installed automatically via the tool kit
- Can be manually installed from \Windows 2000\Windows Update\cun.msi (found on the tool kit)
- Can be pushed to your network via SMS (\Windows 2000\Windows update\cun.sms)
55 Critical Update Notification Install: Lets You Choose How Often You Want Your Machine to Check for Updates
56 Stay Secure Through Other Microsoft Resources
- To report a virus, send an e-mail to secure@microsoft.com to alert the Microsoft Security Response Center.
- Visit the Microsoft Security Response Center at http://www.microsoft.com/security/.
- Receive free virus-related telephone support at 1-866-PC Safety.
- Sign up to receive security bulletins by sending an e-mail to microsoft_security-subscribe-request@announce.microsoft.com.
57 Thank you for joining us for today's Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit http://support.microsoft.com/webcasts/. We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include Support WebCasts in the subject line.