Secure your Web server more efficiently
The ideal time for a malicious individual to find out whether your organization is vulnerable to attack is shortly after the announcement of a vulnerability. How long does your organization wait before deploying a hotfix to externally facing servers? Given the onslaught of Web site defacements and IIS-specific attacks such as the CodeRed Worm, the need for timely identification and remediation of vulnerable servers has never been clearer.
I've built a basic Windows Script Host (WSH) application that lets you leverage the Microsoft Network Security Hotfix Checker (hfnetchk.exe) command-line tool to not only identify vulnerable servers in your enterprise but also automatically apply necessary hotfixes. Although the application might benefit some small enterprises, it's really targeted at larger environments with at least five IIS servers in the internal or demilitarized zone (DMZ) networks.
Introducing Hfnetchk
Building upon the power of the WSH-based Hfcheck tool, Microsoft recently introduced the Hfnetchk command-line tool, which is available as a free download from http://www.microsoft.com. For more information, see the Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available" (http://support.microsoft.com/directory/article.asp?id=kb;en-us;q303215). Hfnetchk downloads a signed compressed cabinet format (.cab) file from Microsoft and unpacks it into an XML file containing a comprehensive list of Microsoft security bulletins and associated patches. Then, Hfnetchk scans target machines in the enterprise network, compares installed files with patches currently available, and identifies which patches you need to apply to each target machine to make it current.
Most other tools check only for the existence of a registry entry to determine whether you've applied a hotfix, and that entry can remain in place even after a later file copy or service pack reinstall has put an older binary back on disk. Hfnetchk examines the registry and also compares the files that each hotfix ships against the files actually installed on the system. This new tool also lets you scan for Windows 2000, Windows NT, IIS, Microsoft SQL Server 2000, SQL Server 7.0 (including Microsoft Data Engine [MSDE]), and Microsoft Internet Explorer (IE).
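To make the difference concrete, here is an added example (not code from the article, from HIVE, or from Hfnetchk) that runs both kinds of check against a constructed snapshot of one server: a registry-only check, and a check that additionally verifies the version of every file a patch ships. The XML shape, the hotfix registry key path, and the version numbers are assumptions made for the example, not Microsoft's real hotfix-list format.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified hotfix list. The XML that Hfnetchk extracts from the
# signed .cab has a richer schema; this shape is an assumption for the example.
HOTFIX_LIST = """\
<Bulletins>
  <Bulletin id="MS01-033" qnumber="Q300972">
    <File name="idq.dll" version="5.0.2195.3621"/>
  </Bulletin>
  <Bulletin id="MS01-026" qnumber="Q293826">
    <File name="w3svc.dll" version="5.0.2195.3649"/>
  </Bulletin>
  <Bulletin id="MS01-044" qnumber="Q301625">
    <File name="ssinc.dll" version="5.0.2195.3823"/>
  </Bulletin>
</Bulletins>
"""

# Assumed location of a hotfix's "installed" marker in the registry.
HOTFIX_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\{q}"

# Constructed snapshot of one target server. On a real host the keys would come
# from the registry and the versions from each file's version resource.
TARGET_REGISTRY = {
    HOTFIX_KEY.format(q="Q300972"),
    HOTFIX_KEY.format(q="Q293826"),   # registry says MS01-026 is installed ...
}
TARGET_FILES = {
    "idq.dll": "5.0.2195.3621",
    "w3svc.dll": "5.0.2195.2966",     # ... but w3svc.dll is older than the patch shipped
    "ssinc.dll": "5.0.2195.2966",
}


def parse_version(text):
    """'5.0.2195.3649' -> (5, 0, 2195, 3649). Compare as integers, never as strings."""
    return tuple(int(part) for part in text.split("."))


def load_bulletins(xml_text):
    """Read bulletin id, Q article and the per-file minimum versions from the list."""
    bulletins = []
    for node in ET.fromstring(xml_text).findall("Bulletin"):
        bulletins.append({
            "id": node.get("id"),
            "qnumber": node.get("qnumber"),
            "files": {f.get("name"): parse_version(f.get("version"))
                      for f in node.findall("File")},
        })
    return bulletins


def registry_only_check(bulletin, registry):
    """What most tools do: trust the registry marker alone."""
    key = HOTFIX_KEY.format(q=bulletin["qnumber"])
    return "installed" if key in registry else "missing"


def hfnetchk_style_check(bulletin, registry, files):
    """Registry marker plus a version check on every file the hotfix ships."""
    if HOTFIX_KEY.format(q=bulletin["qnumber"]) not in registry:
        return "missing"
    for name, wanted in bulletin["files"].items():
        have = files.get(name)
        if have is None or parse_version(have) < wanted:
            return "stale"    # marker present, but the binary on disk predates the fix
    return "installed"


def scan(bulletins, registry, files):
    """Return {bulletin: (registry_only_result, file_checked_result)}."""
    return {b["id"]: (registry_only_check(b, registry),
                      hfnetchk_style_check(b, registry, files))
            for b in bulletins}


def needed(bulletins, registry, files):
    """Bulletins that must still be applied according to the file-checked result."""
    return sorted(bid for bid, (_, deep) in scan(bulletins, registry, files).items()
                  if deep != "installed")


if __name__ == "__main__":
    bulletins = load_bulletins(HOTFIX_LIST)
    for bid, (shallow, deep) in scan(bulletins, TARGET_REGISTRY, TARGET_FILES).items():
        print(f"{bid}: registry-only={shallow:9s} file-checked={deep}")
    print("apply:", needed(bulletins, TARGET_REGISTRY, TARGET_FILES))
```

On the constructed snapshot the registry-only check reports MS01-026 as installed, while the file check flags it as stale and queues it for reapplication. Note that versions are compared as integer tuples; comparing the dotted strings lexically would rank 5.0.2195.999 above 5.0.2195.3649.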
Although Hfnetchk is powerful, it isn't quite the panacea administrators have been seeking for hotfix management. At the time of writing, Hfnetchk's inability to download the CAB file through a proxy server means that, without modification, the tool just isn't ready for use in most enterprise environments. Additionally, Hfnetchk doesn't let you take any action when it finds a missing hotfix, limiting its usefulness to information gathering without automating remediation. However, by using a little scripting know-how, you can transform Hfnetchk into the basis for a complete hotfix-management solution.
3 Steps to Hotfix Management
A complete enterprise hotfix-management solution must perform three basic actions:
- query for the list of available patches
- identify needed updates on each target machine
- implement necessary patches
Hfnetchk takes care of querying Microsoft for the list of current patches and identifying which target machines need which updates, but it can't download the list through a proxy server or implement the patches. To remedy both of Hfnetchk's limitations, I've developed a sample application suite around Hfnetchk called the Hotfix Identification and Verification Engine (HIVE). Hive.exe does everything except download the hotfix packages themselves and decide which bulletins to apply and which to ignore; those remain operator decisions, which I explain later. You can download the fully functional application from the Code Library on the Windows Web Solutions Web site (http://www.windowswebsolutions.com).
Query and Identify
To use HIVE to automate hotfix installation and verification, you need to maintain on a central server
- all HIVE scripts and required binaries
- a copy of the XML hotfix list (in environments with a proxy server)
- a list of target machines to query
- copies of all hotfix distributions and custom installation scripts
- logs of all queries and actions taken
To facilitate storing these items, hive.exe creates the following folders on the central server:
- Hive: contains all the other folders as subfolders
- Bin: contains HIVE scripts and binaries required for processing server queries and installing hotfixes
- Data: contains the XML file extracted from the Microsoft .cab file
- Hotfixes: contains a subfolder for each MS bulletin number to be installed on the target machines
- Ignore: contains subfolders representing MS bulletin numbers to ignore
- Installs: contains autogenerated hotfix installation scripts for target machines
- Logs: contains a log file for each HIVE target machine
- Machines: contains a folder for each target machine
- TBE: contains a folder for each MS bulletin number to be engineered (i.e., for bulletin numbers that you haven't yet assigned to the Hotfixes or Ignore folder)
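The three steps above and the folder layout fit together into one triage loop, which the following added example walks through end to end. It is illustrative Python, not HIVE's own code: it creates the folder tree on a scratch path, parses a constructed Hfnetchk-style report for two machines, and routes each missing bulletin to an install script (Hotfixes), a logged skip (Ignore), or a new TBE folder for an operator to engineer. The report line format, the per-bulletin install.cmd convention, the host names and the bulletin numbers are all assumptions made for the example.

```python
import os
import re
import tempfile

# Subfolders that hive.exe keeps under the central Hive folder (the article's list).
FOLDERS = ["Bin", "Data", "Hotfixes", "Ignore", "Installs", "Logs", "Machines", "TBE"]

# Constructed Hfnetchk-style report for two target machines. The line shapes only
# approximate Hfnetchk's real output; treat the exact format as an assumption.
SAMPLE_REPORT = """\
WEB01 (192.0.2.10)
    * WINDOWS 2000 SP2
        Patch NOT Found MS01-033        Q300972
        Patch NOT Found MS01-044        Q301625
    * Internet Information Services 5.0
        Patch NOT Found MS01-026        Q293826
WEB02 (192.0.2.11)
    * WINDOWS 2000 SP2
        Patch NOT Found MS01-033        Q300972
        Patch NOT Found MS01-037        Q302755
"""

MACHINE_RE = re.compile(r"^(\S+)\s+\(")                         # host name at column 0
MISSING_RE = re.compile(r"Patch NOT Found\s+(MS\d{2}-\d{3})\s+(Q\d+)")


def create_layout(root):
    """Create the Hive folder tree under root and return the Hive path."""
    hive = os.path.join(root, "Hive")
    for name in FOLDERS:
        os.makedirs(os.path.join(hive, name), exist_ok=True)
    return hive


def parse_report(text):
    """Return {machine: [(bulletin, q_article), ...]} for every missing patch."""
    missing, machine = {}, None
    for line in text.splitlines():
        host = MACHINE_RE.match(line)
        if host:
            machine = host.group(1)
            missing.setdefault(machine, [])
            continue
        hit = MISSING_RE.search(line)
        if hit and machine:
            missing[machine].append((hit.group(1), hit.group(2)))
    return missing


def triage(hive, missing):
    """Hotfixes -> queue the install; Ignore -> skip; otherwise open a TBE folder."""
    approved = set(os.listdir(os.path.join(hive, "Hotfixes")))
    ignored = set(os.listdir(os.path.join(hive, "Ignore")))
    summary = {}
    for machine, bulletins in missing.items():
        os.makedirs(os.path.join(hive, "Machines", machine), exist_ok=True)
        buckets = {"queued": [], "ignored": [], "tbe": []}
        install_lines, log_lines = ["@echo off"], []
        for bid, q in bulletins:
            if bid in approved:
                action = "queued"
                # Assumed convention: Hotfixes\<bulletin>\install.cmd installs that hotfix.
                installer = os.path.join(hive, "Hotfixes", bid, "install.cmd")
                install_lines.append(f'call "{installer}"')
            elif bid in ignored:
                action = "ignored"
            else:
                action = "tbe"    # unknown bulletin: park it for an operator to engineer
                os.makedirs(os.path.join(hive, "TBE", bid), exist_ok=True)
            buckets[action].append(bid)
            log_lines.append(f"{machine} {bid} {q} {action.upper()}")
        with open(os.path.join(hive, "Installs", machine + ".cmd"), "w") as f:
            f.write("\n".join(install_lines) + "\n")
        with open(os.path.join(hive, "Logs", machine + ".log"), "a") as f:
            f.write("\n".join(log_lines) + "\n")
        summary[machine] = buckets
    return summary


def run_demo():
    """Build a throwaway Hive tree, record two operator decisions, triage the report."""
    hive = create_layout(tempfile.mkdtemp(prefix="hive-"))
    os.makedirs(os.path.join(hive, "Hotfixes", "MS01-033"))   # approved for install
    os.makedirs(os.path.join(hive, "Ignore", "MS01-037"))     # deliberately skipped
    summary = triage(hive, parse_report(SAMPLE_REPORT))
    with open(os.path.join(hive, "Installs", "WEB01.cmd")) as f:
        web01_script = f.read()
    return {"summary": summary,
            "tbe": sorted(os.listdir(os.path.join(hive, "TBE"))),
            "web01_script": web01_script}


if __name__ == "__main__":
    demo = run_demo()
    for machine, buckets in demo["summary"].items():
        print(machine, buckets)
    print("to be engineered:", demo["tbe"])
```

Anything that lands in TBE is deliberately not installed: the loop never applies a bulletin an operator has not yet moved into Hotfixes, so an unexpected new bulletin shows up as a folder to review rather than as an unreviewed change on a production server.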