I’ve been working on getting together a set of quarantine scripts for use in conjunction with our ISA 2004 VPN. The sample scripts that MS make available are a good starting point but they still need quite a bit of customisation to tailor them for your own business requirements.
I don’t have a problem with that – after all, each company will have different security policy requirements, and will have different installed software to check for. However, I do think that there will always be some fundamental tests that MS could do more to help with.
For example, take the issue of checking the list of hotfixes that are installed on the client PC. Given that Microsoft are typically releasing patches once a month, that means that the list of patches to check against is typically going to need updating once a month. Is it possible to automate the process of building that list? Windows Update and MBSA clearly have the intelligence to work out what patches are needed, but can a mere mortal reproduce that capability?
One idea I had was to build a reference PC that connects to a SUS server to stay up to date. I would then programmatically extract the list of installed hotfixes and then use that as the checklist. The quarantine code could automatically download that checklist as part of the initialisation process.
The problem with this idea, though, is that it doesn’t take dependencies and superceding into account. My initial reference PC was XP with SP1 then hotfixes then SP2 installed. The net result was a given list of installed hotfixes. If I take a clean XP + SP2 machine, it doesn’t need all of those hotfixes (because they have been replaced either by SP2 or by newer hotfixes), yet they aren’t installed.
My next idea was to try to use MBSA and the command line options. Unfortunately, that idea died very quickly when I discovered you can only run it as an administrator.
So here is my request to Microsoft: please make available a command line tool that can be run under a normal user account, and that spits out a list of missing hotfixes when queried either against the Microsoft master list or against a specified (W)SUS server.