Q: How can I use the HFNetChk command-line tool to automate security-patch checking on my organization's Windows NT 4.0 servers?

In late 2002, Microsoft released the Security Operations Guide for Windows 2000 Server, which includes a set of useful security solutions and tools, most of which you can use in NT 4.0 environments. One of those tools is a script, hfnetchk.cmd, that checks multiple Windows servers for missing security patches. You list the servers you want to scan in a text file (called servers.txt by default), and the batch file uses hfnetchk.exe to scan the servers, record the results to a log file, and save the log files in date-based folders. You can use these files to create a security-patch scan-history database. From the directory in which you've installed hfnetchk.cmd, type

hfnetchk.cmd servers.txt

at the command line. Figure 1, page 15, shows a sample run of the script. To automate the hfnetchk.cmd script, use the built-in AT command.

To run the hfnetchk.cmd script on an NT 4.0 system, you must have installed both Microsoft Internet Explorer (IE) 5.0 or later, which includes an XML parser, and Windows Script Host (WSH). You can download the Security Operations Guide for Windows 2000 Server and its associated scripts and tools from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp.

If you don't already have hfnetchk.exe, download it from http://www.microsoft.com/downloads/release.asp?releaseid=31154. If the computer you're running the tool on isn't connected to the Internet, you must also install the mssecure.xml file, which is packaged inside the mssecure.cab file available for download from http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab.
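
One way to set up the AT automation mentioned above, as an added example that is not part of the Security Operations Guide scripts: a small wrapper batch file that the AT job runs in place of hfnetchk.cmd. The wrapper name, the C:\SecOps\hfnetchk install path, the 02:00 schedule, and the wrapper-errors.log file are all assumptions; substitute your own.

```batch
@echo off
rem run-hfnetchk.cmd: wrapper for scheduled scans (added example).
rem ASSUMPTION: C:\SecOps\hfnetchk is a placeholder for the directory in
rem which you installed hfnetchk.cmd and keep servers.txt.
rem
rem Schedule it once from a command prompt, for example nightly at 02:00:
rem   at 02:00 /every:M,T,W,Th,F,S,Su C:\SecOps\hfnetchk\run-hfnetchk.cmd
rem List scheduled jobs with "at"; remove one with "at <id> /delete".
rem
rem The job runs under the Schedule service's account, not yours, so that
rem account needs the same rights on the listed servers that you use when
rem you run the scan interactively.

rem An AT job does not start in the install directory, so change to it
rem first; hfnetchk.cmd is meant to be run from there.
C:
cd \SecOps\hfnetchk

rem Record a failure instead of silently skipping the night's scan.
if not exist hfnetchk.cmd goto missing
if not exist servers.txt goto missing

call hfnetchk.cmd servers.txt
goto end

:missing
date /t >> C:\SecOps\hfnetchk\wrapper-errors.log
time /t >> C:\SecOps\hfnetchk\wrapper-errors.log
echo Scan not run: hfnetchk.cmd or servers.txt is missing >> C:\SecOps\hfnetchk\wrapper-errors.log

:end
```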