Saturday, September 11, 2010

Utilising the Microsoft Baseline Security Analyser remotely from Ubuntu

So, today one of my projects was to see if I could incorporate the Microsoft Baseline Security Analyser (MBSA) into the autoassess network script. Some of the options I thought about were running it in wine (doesn't work), running it remotely on the remote machine (works), running a remote scan from yet another dedicated remote server (kinda works, but not really).

I had to download winexe from SourceForge and compile it (not install it, ran it from the winexe/bin folder). It is a "clone" of psexec from the Sysinternals suite.

So, onto the nitty-gritty. I first tried to use a remote server (virtual guest) to scan the remote machines. This would have been the second best (next to it just running in wine on the local Ubuntu machine), but alas, MBSA essentially segfaults with an invalid pointer for some reason...


bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$ ./winexe -U Test%password //192.168.0.102 "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe /target 192.168.0.104 /u admin /p password"
Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.

An unexpected error has occurred. The operating system returned error message -2147467261 Invalid pointer

bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$


So, when I saw this, I lost most of my hope of having MBSA run remotely on the remote machines themselves. But, running MBSA on the actual server works! Removing the /target, /u, and /p switches outputs the report MBSA should print.


bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$ ./winexe -U Test%password //192.168.0.102 "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.


Security assessment: Severe Risk
Computer name: GENERIC\TEST-8A3888C308
IP address: 192.168.0.102
Security report name: GENERIC - TEST-8A3888C308 (11-09-2010 12-02)
Scan date: 11/09/2010 12:02
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:
Security update catalog: Microsoft Update


Security Updates Scan Results

...

bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$



I found this pretty neat, and will be adding support for running MBSA on the remote machine (if applicable) to the autoassessment script. This is a huge step in being able to make a judgement of host security by getting lists of patches and other things the computer both has and does not have installed.
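To feed a report like the one above into a script, the "Key: value" header has to be pulled out of the captured text, and the "unexpected error" banner from the failed /target run has to be treated as a failure rather than an empty report. The following is an added example, not code from the autoassess script: the function name parse_mbsa_header is hypothetical and both sample outputs are constructed from the sessions shown in this post.

```python
import re

# Constructed samples modelled on the two sessions shown in the post.
SAMPLE_OK = """\
Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)

Security assessment: Severe Risk
Computer name: GENERIC\\TEST-8A3888C308
IP address: 192.168.0.102
Scan date: 11/09/2010 12:02
Catalog synchronization date:
Security update catalog: Microsoft Update

Security Updates Scan Results
"""
SAMPLE_FAIL = """\
Microsoft Baseline Security Analyzer
An unexpected error has occurred. The operating system returned error message -2147467261 Invalid pointer
"""

ERROR_RE = re.compile(r"^An unexpected error has occurred\.\s*(.*)$", re.M)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")

def parse_mbsa_header(output):
    """Return the report header as a dict; raise RuntimeError on the error banner."""
    text = output.replace("\r\n", "\n")  # tolerate CRLF line endings
    err = ERROR_RE.search(text)
    if err:
        raise RuntimeError("mbsacli failed: " + err.group(1).strip())
    fields = {}
    for line in text.split("\n"):
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            # Empty values (the catalog synchronization date above) are kept
            # as "" so the caller can see the field was present but blank.
            fields[m.group(1)] = m.group(2).strip()
        elif fields and line:
            break  # first non-blank line after the header starts the results
    if "Security assessment" not in fields:
        raise RuntimeError("no MBSA report header found in output")
    return fields
```

A blank "Catalog synchronization date" is worth flagging in whatever consumes this dict, since the patch results below the header depend on the update catalog.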

One thing that really frustrated me (and hopefully this helps others who have this problem): I had to disable "Simple File Sharing" on the remote host in order to log in remotely from Ubuntu or another Windows host.

Basically, go to My Computer -> Tools -> Folder Options -> View tab -> bottom of the list, uncheck Simple File Sharing. Click apply and the change should work instantly. No need to reboot.

If you get an error saying something about not being able to install winexe service or something, look at the --uninstall and --reinstall flags. (sorry if this got reposted to planets due to the update :-/)