Using the Microsoft Security Tool Kit to Get and Stay Secure - PowerPoint PPT Presentation

1
Using the Microsoft Security Tool Kit to Get and
Stay Secure
Chris Knaff, Technical Lead, Performance Team
Microsoft Product Support
2
Microsoft Security Tool Kit: Description
  • Used to lock down an existing computer or new
    installation
  • Works on Microsoft Windows NT 4.0, Windows NT
    4.0 Terminal Server Edition (TSE), and Windows
    2000
  • Not needed for Windows XP
  • Can be installed automatically or manually
  • Used to get your system to a base level of
    security

3
Before Installing the Tool Kit
  • We recommend that you
      • Perform a good backup of the system
      • Update repair disks
      • Close all applications
      • Be an administrator of your machine

4
Installing the Tool Kit
  • Start with the Readme.htm file
  • Click on the Install Now link to begin the
    installation

5
The Readme.htm
  • The Readme.htm file contains
      • An Install Now link for automatic install
      • Descriptions for manual installations
      • Information on how to push the tool kit contents
        through a network using Systems Management Server
        (SMS)
      • Links for online updates

6
Windows NT Requirements
  • Microsoft Internet Explorer 4.01 or later
  • Windows NT 4.0 Service Pack 3 or later

7
Windows NT 4.0: Installing the Tool Kit
  • Windows NT 4.0 Service Pack 6a
  • Reboot
  • Windows NT 4.0 Security Rollup Package
  • Hotfix Q305929
  • Hotfix Q307866 (pre-restart updates)
  • Reboot
  • Hotfix Q307866 (post-restart updates)
  • Internet Explorer 5.5 Service Pack 2
  • Reboot
  • Internet Information Services (IIS) Lockdown
    Wizard (if IIS is installed)

8
Windows NT 4.0 TSE: Requirements
  • Internet Explorer 4.01
  • Windows NT 4.0 Terminal Server Edition Service
    Pack 3
  • IIS cannot be installed (the tool kit will not
    run)

9
Windows NT 4.0 TSE: Tool Kit Updates for Windows
NT 4.0 TSE
  • Windows NT 4.0 Terminal Server Edition Service
    Pack 6
  • Various hotfixes (Q280119, Q269049, Q266433, and
    Q265714)
  • Internet Explorer 5.01 SP2
  • Windows Media Player patches

10
Windows 2000: Tool Kit Updates for Windows 2000
  • Windows 2000 Service Pack 2
  • Internet Explorer 5.5 SP2
  • IIS 5.0 Security Update (if IIS is installed)
  • Windows Media Player patches
  • Windows 2000 Critical Update Notification Tool
  • IIS Lockdown Wizard (if IIS is installed)

11
Contents of the Tool Kit
  • \CDLaunch (contains files used to autorun the
    tool kit)
  • \Combined (contains Internet Explorer 5.01 SP2,
    Internet Explorer 5.5 SP2, Windows Media Player
    patches, and the Tools directory)
  • \Combined\Tools (contains the Hfnetchk, Qchain, and
    IIS Lockdown Tool directories)

12
Contents of the Tool Kit (2)
  • \Documents (contains documents on each of the KB
    articles supplied by the tool kit, with new and
    existing deployment guides)
  • \NT 4.0 (contains all the tools needed to lock
    down a Windows NT 4.0 system, such as SP6a, the
    option pack, and the security rollup package)
  • \NT 4.0 Terminal Server Edition (contains Service
    Pack 6 and the four hotfixes needed to lock down
    a Windows NT 4.0 Terminal Server)

13
Contents of the Tool Kit (3)
  • \SMS (contains documentation on how to push the
    tool kit with SMS)
  • \Windows 2000 (contains the tools needed to lock
    down a Windows 2000 system, such as SP2 and the
    IIS 5.0 Security Update)
  • Readme.htm (main file used when using the tool
    kit)

14
IIS Lockdown Wizard with URLScan
  • IISLockD functionality
  • Obtaining the IISLockD
  • Running IISLockD
  • Removing IISLockD
  • Troubleshooting
  • Server templates and references
  • IISLockD = IIS Lockdown Wizard

15
IISLockD Functionality: Limits Attack
Vulnerabilities
  • Removes unused components, including
      • Web services
      • Script mappings
      • WebDAV
      • Samples and added features
  • Restricts anonymous web users from writing to
    content folders and executing system applications

16
URLScan Functionality: Used to Prevent Expected
and Unexpected Attacks
  • Implemented as an ISAPI filter
  • Allows or denies requests based on URL
    characteristics
  • Blocks are based on attack characteristics
      • HTTP request verbs
      • Canonicalization and normalization checking
      • Executable file extensions
      • Multiple dots in path
  • Stop/restart of the IISADMIN service is required
    after modifying urlscan.ini
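A Python model of the request checks listed above, as an added example (not code from the presentation or from URLScan itself): it reads the same urlscan.ini sections (options, AllowVerbs, DenyExtensions, DenyUrlSequences) and applies them to sample requests. The ini text is a constructed sample, and applying the checks in the order shown (verb, normalization, denied sequences, dots, extension) is an assumption.

```python
import configparser
import os
from urllib.parse import unquote

# Constructed urlscan.ini sample (not the shipped template); list sections hold
# one entry per line with no value, so allow_no_value is needed below
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0
[AllowVerbs]
GET
POST
[DenyExtensions]
.exe
.bat
[DenyUrlSequences]
..
%
"""


def load_ini(text):
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.optionxform = str  # keep verbs, extensions and sequences as written
    cfg.read_string(text)
    return cfg


def check_request(cfg, verb, url):
    """Return (allowed, reason), applying the checks the slide lists in order:
    verb, normalization, denied sequences, multiple dots, file extension."""
    opts = cfg["options"]
    if opts.get("UseAllowVerbs") == "1" and verb not in cfg["AllowVerbs"]:
        return False, "verb not in [AllowVerbs]"
    path = url.split("?", 1)[0]  # path only; the query string is not scanned
    if opts.get("NormalizeUrlBeforeScan") == "1":
        path = unquote(path)
        # a second decode must change nothing, else the URL was double-encoded
        if opts.get("VerifyNormalization") == "1" and unquote(path) != path:
            return False, "double-encoded URL fails VerifyNormalization"
    for seq in cfg["DenyUrlSequences"]:
        if seq in path:
            return False, f"denied sequence {seq!r}"
    if opts.get("AllowDotInPath") == "0" and path.count(".") > 1:
        return False, "multiple dots in path"
    if os.path.splitext(path)[1].lower() in cfg["DenyExtensions"]:
        return False, "denied extension"
    return True, "ok"
```

The dots check is what stops a denied extension being hidden behind a harmless-looking trailing name such as /safe.dll/page.htm.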

17
Obtaining IISLockD
  • CD-ROM
      • Microsoft Security Tool Kit CD-ROM
      • CD-Drive\COMBINED\tools\IIS Lockdown Tool\
      • Contains IIS Lockdown Wizard 2.0
  • Internet Download
      • http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
      • Latest version of IIS Lockdown Wizard (currently
        2.1)
      • Check for updates before installing

18
Changes in IISLockD 2.1
  • Metabase backup generated prior to uninstalling
    the wizard
  • Dynamic updating of template_urlscan.ini no
    longer made
  • Unattended install documentation included in
    IISLockD.chm

19
Running IISLockD: One-Click Install
  • Execute compressed IISLockD.exe (230 KB)
  • Specify temporary folder to extract setup files
  • Folder containing setup files will be
    automatically deleted after setup

20
Running IISLockD (2): Extracted Files
  • Decompress files: IISLockD.exe /x
  • Specify folder to extract files to
  • Execute IISLockD.exe (156 KB)
  • Execute Urlscan.exe to install only UrlScan

21
Running IISLockD (3): Unattended Install
  • Decompress files: IISLockD.exe /x
  • Specify folder to extract files to
  • Configure IISLockD.ini (see Q310725)
  • Execute IISLockD.exe (156 KB)

22
Install Methods Compared
  • One-Click Install
      • Execute IISLockD.exe
      • Mixed-case filename
      • Generic Windows application icon
      • File size (230 KB)
  • Extraction Method
      • Files are compressed inside IISLockD.exe
      • Lower-case filename
      • Cool-key icon
      • File size (156 KB)
      • No need to choose extract location

23
Running IISLockD (4): IIS Lockdown Wizard Setup
Demo
24
Running IISLockD (5): IIS Lockdown Wizard Setup
Demo
25
Running IISLockD (6): IIS Lockdown Wizard Setup
Demo
26
Running IISLockD (7): IIS Lockdown Wizard Setup
Demo
27
Running IISLockD (8): IIS Lockdown Wizard Setup
Demo
28
Installation Logs
  • oblt-rep.log
      • Summary of what was done, generated after
        install
      • %windir%\System32\InetSrv\oblt-rep.log
  • oblt-log.log
      • List of actions to perform during uninstall
      • %windir%\System32\InetSrv\oblt-log.log
  • Note
      • One Button Lockdown Tool (OBLT) was the original
        name of the IIS Lockdown Wizard

29
Removing IISLockD: Running IISLockD a Second Time
  • Uninstall wizard is automatically invoked
  • Prompt: Uninstall or Exit wizard
  • oblt-once.MD0 is used to replace the currently
    running metabase
      • All metabase changes made after installing
        IISLockD will be lost
  • Metabase restoration phase can take 30 min or
    more

30
Removing IISLockD (2): Uninstall Demo, Running
IISLockD.exe
31
Removing IISLockD (3): Uninstall Demo, Running
IISLockD.exe
32
Uninstall Logs
  • oblt-undone.log
      • Renamed from oblt-log.log when uninstall starts
      • %windir%\System32\InetSrv\oblt-undone.log
  • oblt-undo.log
      • List of actions performed during uninstall
      • %windir%\System32\InetSrv\oblt-undo.log

33
Troubleshooting: Problems During Installation
  • Multiple security scopes not supported
  • Modified files not available
  • Current user's permissions too restrictive

34
Troubleshooting (2): If Web Services No Longer
Work Properly
  • Collect logs
      • Collect data with Web services failing
          • Event Logs
          • Network Monitor (Q252876)
          • IIS Logs
          • UrlScan.log
      • Remove IISLockD
      • Collect data with Web services working
  • Create custom server template (Q311350)

35
Troubleshooting (3): Cannot Uninstall IISLockD
  • Verify current user is a member of the Local
    Administrators group.
  • Verify oblt-log.log and oblt-rep.log both exist.
  • Call 1-866-PCSAFETY (1-866-727-2338).
  • Prepare to send oblt.log and all Event Viewer logs.

36
References
  • Q311350 - HOWTO: Create a Custom Server Type for
    Use with the IIS Lockdown Wizard
  • Q310725 - HOWTO: Run the IIS Lockdown Wizard
    Unattended
  • Q307608 - INFO: Availability of URLScan Security
    Tool
  • General Security Info
      • http://www.microsoft.com/security/
      • Q282060 - Resources for securing Internet
        Information Services

37
Use of Qchain
  • Solution for Windows NT 4.0, Windows 2000, and
    Windows XP
  • Fast installs of hotfixes on a single computer
  • One reboot
  • Only Microsoft-supported method of installing
    multiple hotfixes
  • Manual or batch install

38
Elements of Qchain
  • Qchain.exe
  • Hotfix executable(s)
  • QFEcheck.exe

39
Qchain Syntax
  • Qchain /?
      • Shows available syntax
  • Qchain <logfilename>
      • Ex: Qchain hotfixlog


40
Installing Hotfixes with Qchain: Manual Install
  • Can install each hotfix singly
  • Must use the switch for no reboot
  • Quiet mode is optional
  • Switches can be used together
  • Ex: Qnnnnnn_x86_en.exe -z (no reboot)
  • Ex: Qnnnnnn_x86_en.exe -m (quiet)
  • Ex: Qnnnnnn_x86_en.exe -z -m (no reboot and
    quiet)


41
Installing Hotfixes with Qchain (2): Batch File
  • Use a batch file for scripting multiple hotfixes
  • Ex:
        @echo off
        setlocal
        set PATHTOFIXES=<some path>
        %PATHTOFIXES%\Q123456.exe -z -m
        %PATHTOFIXES%\Q234567.exe -z -m
        %PATHTOFIXES%\qchain.exe


42
Limitations of Qchain
  • May not work on some Windows NT 4.0 and pre-SP2
    Windows 2000 hotfixes
  • If the hotfix contains files listed in the registry
    key
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs


43
Other Tools: Qfecheck.exe
  • Verifies the hotfixes installed
  • Works only on Windows 2000
  • To view syntax, type Qfecheck /?
  • QFECHECK /l:location /v /q /?
      • /l: Log output to <Computername>.log in the
        current folder. Use the specified location to
        store the log file.
      • /v: Verbose output
      • /q: Quiet mode


44
Additional References
  • QChain.exe
      • Microsoft KB article Q296861
  • Qfecheck.exe
      • Microsoft KB article Q282784


45
Hfnetchk Usage
  • Used for scanning
      • Single computer
      • Enterprise wide
  • Assesses patch status for
      • Windows NT 4.0
      • Windows 2000
      • Windows XP
      • IIS 4.0 and 5.0
      • SQL Server 7.0 and SQL Server 2000
      • Internet Explorer 5.01 and later
  • Can be used locally or remotely
  • Customize scan via switches

46
Command-Line Switches
  • -x (datasource) specifies:
      • XML file
      • Compressed XML file in .cab format
      • URL
      • Default is Mssecure.cab from the Microsoft Web
        site
  • -o (output switch) specifies output format:
      • tab: Tab-delimited format
      • wrap: Word-wrapped format
  • -? (help)
      • Displays help menu for all switches and examples
  • -z (reg checks)
      • Prevents checking registry settings
      • Finds fixes when no registry settings are present,
        to avoid false negatives
  • -v (verbose)
      • Displays reasons for test failure in wrap mode

47
Command-Line Switches (2)
  • -h (hostname)
      • Specifies the NetBIOS machine name to scan;
        default is localhost
  • -r (range)
      • Specifies a range of IP addresses to scan,
        starting with IP address1 and ending with IP
        address2, inclusive
  • -i (IP address)
      • Specifies the IP address of the machine to scan
  • -d (domain_name)
      • Specifies domain name to scan
      • Will scan all machines in the domain
  • -n (network)
      • Scans all systems on the local network
      • All hosts in Network Neighborhood
  • -b (baseline)
      • Displays the status of hotfixes required for
        minimum baseline security standards

48
Command-Line Switches (3)
  • -s (suppress)
      • Suppresses NOTE and WARNING messages
      • 1: Suppress NOTE messages only
      • 2: Suppress WARNING messages
      • Default is to show all messages
  • -nosum (checksum)
      • Do not evaluate file checksums
  • -t (threads)
      • Sets number of threads used for scanning
      • Possible values are 1 to 128; default is 64
  • -history (history level)
      • 1: explicitly installed
      • 2: explicitly not installed
      • 3: explicitly installed and not installed
      • This switch is not necessary for normal operation

49
Common Usage: Single Computer
  • Local computer
  • Isolated servers
  • Sample usage
      • Hfnetchk.exe -history 3 >servername_date.txt
      • Hfnetchk.exe -x C:\temp\mssecure.xml -z -v
      • Hfnetchk.exe -o tab >servername_date.txt

50
Common Usage (2): Enterprise Wide
  • Individual computers
  • Specific computers in a group
  • Entire domains or networks
  • Sample usage
      • Hfnetchk.exe -h server_name1, server_name2,
        server_name3
      • Hfnetchk.exe -r 192.168.0.1-192.168.0.254 -z -v
      • Hfnetchk.exe -d domain_name -t 128 -s 2 -z
        >domain_name_date.txt
      • Hfnetchk.exe -d domain_name -t 128 -b -v
        >domain_name_date.txt
      • Hfnetchk.exe -d domain_name -nosum -v
        >domain_name_date.txt

51
References
  • Q303215
      • Microsoft Network Security Hotfix Checker
        (Hfnetchk.exe) Tool Is Available
  • Q305385
      • Frequently Asked Questions about the Hfnetchk.exe
        Tool
  • Readme.txt file installed with Hfnetchk
  • Support via e-mail at
    hfnetchk@microsoft.com

52
Hfnetchk
  • Assesses installation status of hotfixes
  • Local or remote
  • Use command-line switches to tune
  • Find references in the Security Tool Kit

53
Critical Update Notification Tool: Description
  • Can be used on Windows 2000 machines only
  • Used to automate downloading of updates provided
    by http://windowsupdate.microsoft.com/

54
Critical Update Notification Tool (2): Installation
  • Installed automatically via the tool kit
  • Can be manually installed from \Windows
    2000\Windows Update\cun.msi (found on the tool
    kit)
  • Can be pushed to your network via SMS (\Windows
    2000\Windows update\cun.sms)

55
Critical Update Notification Install: Lets You
Choose How Often You Want Your Machine to Check
for Updates
56
Stay Secure Through Other Microsoft Resources
  • To report a virus, send an e-mail to
    secure@microsoft.com to alert the Microsoft
    Security Response Center.
  • Visit the Microsoft Security Response Center at
    http://www.microsoft.com/security/.
  • Receive free virus-related telephone support at
    1-866-PCSAFETY.
  • Sign up to receive security bulletins by sending
    an e-mail to
    microsoft_security-subscribe-request@announce.microsoft.com
    (one address, shown on its own line).

57
Thank you for joining us for today's Microsoft
Support WebCast. For information about all
upcoming Support WebCasts and access to the
archived content (streaming media files,
PowerPoint slides, and transcripts), please
visit http://support.microsoft.com/webcasts/. We
sincerely appreciate your feedback. Please send
any comments or suggestions regarding the
Support WebCasts to feedback@microsoft.com and
include "Support WebCasts" in the subject line.