Using Microsoft Baseline Security Analyzer 2.x (MBSA) With PowerShell
- When you are in a new environment and your bare-metal servers (or maybe some virtual servers) are just sitting there doing nothing, the first thing to do is start your implementation plan (assuming you already have one and it is a Microsoft-based thing).
- You will install the Windows Server OS (whatever version you decided on in your plan), and you end up doing some hardening, installing patches and applying other security policies.
- I personally faced this scenario a few times: you do not have many automation tools to apply patches and security policies on a bunch of servers and do the mandatory hardening, and you really feel it is a waste of time. You want to do your real work, not this..!
The good thing is I know some stuff about PowerShell, and I decided to automate something here.
- At first, I created a small piece of code that, with the help of MBSACLI.exe (the CLI of MBSA) and PowerShell, gathers all the mandatory patches for your server from the internet and starts patching automatically in one click.
- Most of the patches that show up in your MBSA result are in .CAB format, which is a good thing, but you will also have so many .exe files downloaded, which pisses me off a little.
- Anyway, I will get to the point now. I divided this script into two scripts: the first one gathers the mandatory patches and updates, and the second one installs only the .cab files on your server. I am still working on the .exe part; I am trying to find a common way to install all .exe patches. For that reason I am going to show two scripts only, and I will update this post again once I juice everything. This is a snapshot of the entire code (first code):
The second code uses the DISM.exe tool to install all the .cab packages. Have a look at the second code (installing .cab files using DISM.exe):
You can find both codes below.
Happy Scripting everyone. Hasta Luego todos...!!!!
Notice: MBSA will only run at administrator level, so make sure you run the scripts or your PowerShell session as an administrator.
First code:
# You can change this path based on your requirements; this is the folder that
# contains your MBSACLI.exe file.
$MBSAPath = "c:\Program Files\Microsoft Baseline Security Analyzer 2"
cd $MBSAPath
$wc = New-Object System.Net.WebClient
# This folder will contain all your downloaded patches.
$dest = "c:\currentupdates"
mkdir $dest -Force
Write-Host "Downloading the latest MBSA database file, and getting the list of mandatory patches" -BackgroundColor DarkGreen
Write-Host "mbsacli.exe will gather everything in a file called 'currentupdates.xml' you can find this file in : $MBSAPath " -BackgroundColor DarkYellow
# Run the scan and write the XML report next to mbsacli.exe.
cmd /C "mbsacli.exe /xmlout /unicode > currentupdates.xml" | Out-Null
Write-Host "Finished gathering your mandatory patches" -BackgroundColor Green
Write-Host "Downloading mandatory patches... this might take a while, depending on the mandatory patches you need and your internet speed." -BackgroundColor Green
# Collect every download URL listed in the scan report.
$xmlpath = Select-Xml -Path .\currentupdates.xml -XPath "//DownloadURL" | ForEach-Object {$_.Node.InnerText}
foreach ($fn in $xmlpath){
    # Use the last segment of the URL as the local file name.
    $Filename = [System.IO.Path]::GetFileName($fn)
    $destFile = "$dest\$Filename"
    Write-Host "downloading: $Filename "
    $wc.DownloadFile($fn,$destFile)
}
Second Code:
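# The path where the patches were downloaded.
$dest = "c:\currentupdates"
cd $dest
# Names of all .cab packages in the download folder.
$allcab = (Get-ChildItem -Path $dest -Filter "*.cab").Name
foreach ($f in $allcab){
    # Install the package into the running OS without rebooting.
    DISM.exe /Online /Add-Package /PackagePath:"$dest\$f" /NoRestart
}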
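
The two scripts above install whatever the URLs in currentupdates.xml return, so a check between download and DISM is worth having. The following is an added example, not part of the original post: it filters download URLs against an assumed allowlist of Microsoft hosts and passes a .cab to DISM only if it carries a valid Microsoft Authenticode signature. The function names `Test-PatchUrl` and `Test-PatchSignature` and the host list are assumptions made for illustration.

```powershell
# Added example (not from the original post): vet patches before DISM installs them.
# Assumption: the hosts below are the Microsoft download hosts you expect to see
# in currentupdates.xml; adjust the list to what your own scan report contains.
$AllowedHosts = @('download.windowsupdate.com', 'download.microsoft.com')
$dest = 'c:\currentupdates'

# Hypothetical helper: accept only absolute http(s) URLs on an allowlisted host.
function Test-PatchUrl {
    param([string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -notin 'http', 'https') { return $false }
    foreach ($h in $AllowedHosts) {
        # Exact host or a subdomain of it; a look-alike with extra labels appended fails.
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

# Hypothetical helper: require a valid Authenticode signature from Microsoft.
function Test-PatchSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = file hash matches the signature and the chain ends in a trusted root.
    if ($sig.Status -ne 'Valid') { return $false }
    return [bool]($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# In the first script, download only vetted URLs, for example:
#   foreach ($fn in ($xmlpath | Where-Object { Test-PatchUrl $_ })) { ... }

# Replacement for the install loop of the second script.
foreach ($cab in Get-ChildItem -Path $dest -Filter '*.cab') {
    if (-not (Test-PatchSignature -Path $cab.FullName)) {
        Write-Warning "Skipping $($cab.Name): no valid Microsoft signature"
        continue
    }
    DISM.exe /Online /Add-Package /PackagePath:"$($cab.FullName)" /NoRestart
    # 0 = success, 3010 = success with a reboot pending; anything else is a failure.
    if ($LASTEXITCODE -notin 0, 3010) {
        Write-Warning "DISM failed for $($cab.Name), exit code $LASTEXITCODE"
    }
}
```

The URL filter only narrows where files come from; the signature check is the control that decides what gets installed, since a download fetched over plain HTTP can be altered in transit.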