Is SP3 Coming Soon?
As of April 16, the Windows 2000 Post-Service Pack 2 (SP2) hotfix list contained 782 individual Win2K updates, not including security hotfixes. As I scrolled through new postings last weekend, I noticed that new Win2K updates now indicate pre-SP4 status, which means Microsoft has established a firm boundary for the scope of SP3 updates. My best guess is that SP3 is forthcoming, possibly during the next few weeks. The last official word I received about SP3 was "sometime during the first half of this year," so we're certainly edging closer. You might want to refresh your slipstream build and winstall skills in preparation for distributing this massive update to production systems—primarily because you'll need to add all the security updates that Microsoft is unable to ship with SP3.

MBSA
Microsoft released the Microsoft Baseline Security Analyzer (MBSA) in April. Developed by Shavlik Technologies, MBSA is an improved version of Hfnetchk. In addition to Hfnetchk's auditing tasks, MBSA also reports on a variety of potential security problems in Windows XP, Win2K, and Windows NT systems, including

  • an Hfnetchk report on the status of security hotfixes for the OS, Microsoft IIS, and Microsoft SQL Server
  • an analysis of common IIS and SQL configuration defaults that expose servers to attacks
  • a report about the number of Administrator accounts
  • a report on the status of the built-in Guest account
  • an analysis of passwords in Active Directory (AD) or the local SAM
  • an analysis of running services that are frequent targets of exploits
  • a check on the status of security auditing
  • an enumeration of published shares
  • an analysis of Microsoft Outlook and Microsoft Office macro settings
  • an analysis of Internet Explorer (IE) security zone definitions

If you rely on the free version of Hfnetchk to help you audit and update systems, you'll really appreciate MBSA. Here are some of the features I like best:

  • The GUI eliminates the need to create complicated command-line commands and script files that audit and report on the status of hotfixes on one machine, a group of systems, or all systems on a subnet or in a domain.
  • You can enable or disable any of the security checks each time you run the utility from the GUI or the command line. For example, you might want to analyze Administrator accounts each time you run MBSA but limit password analysis to once each quarter, especially on a large network. Likewise, you can disable the IIS or SQL analysis on systems that don't have these programs installed, and you can disable Outlook or IE analysis when you custom build a secure version of these applications for production systems.
  • MBSA creates an overview HTML-based status report for each system. Each overview contains links to detail reports that itemize findings for a specific security analysis. Each detail report includes a link explaining the security implications associated with each potential problem MBSA detects. The utility saves and indexes the reports so you can examine the results from the GUI, instead of digging through text files and looking at them with a word processor. The GUI version saves each report in the administrator profile. If you want to redirect reports to an alternate location, you must run MBSA from the command line.
  • You can customize the list of services MBSA checks by adding additional service names to the services.txt file in the MBSA installation folder.

If you prefer to schedule analysis tasks to run automatically, you can run MBSA from the command line in a script. However, the initial release doesn't support all of Hfnetchk's command-line options. To display the command-line options MBSA accepts, open a command prompt, change to the directory where you installed MBSA (the default is C:\Program Files), and type

mbsacli.exe /?  

You can install MBSA interactively or download the installation file from http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi. After you download the file, you can install MBSA by double-clicking the mbsasetup.msi file or by right-clicking mbsasetup.msi and selecting Install from the drop-down menu. In both cases, the Installation Wizard guides you through the installation, modification, and removal procedures. When the installation finishes, the installer places an MBSA icon on the desktop. You can remove MBSA in Add/Remove Programs or by running mbsasetup.msi from the command line.

For general information about system requirements and MBSA command-line options, see the Microsoft article "Microsoft Baseline Security Analyzer (MBSA) Version 1.0 Is Available". You'll find the MBSA Q&A at http://www.microsoft.com/technet/security/tools/tools/mbsaqa.asp, and an excellent description of the utility's security analysis capabilities in the white paper "Baseline Security Analyzer" at http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp.