HFNetChk 4 raises the bar for patch management

Most admins are familiar with HFNetChk, the command line tool that checks for missing patches. The commercial version of this product has reached version 4.0 and includes a slick GUI and some great features for centralized patch deployment.


Shavlik's HFNetChkLT 3.86 definitely offered some advanced features for performing patch management on Windows servers. However, those features are nothing compared to the new superset of features in HFNetChkPro 4.0. Plus, in addition to the full feature set in the Pro version, Shavlik has recast the LT (light) version of the product so that it is aimed at small organizations—at no cost.

In with the new
You may already be familiar with the command line version of HFNetChk included in the Microsoft Baseline Security Analyzer. HFNetChk 4.0 is basically a GUI version of that program with massive improvements.

Among some of the features included in version 4 are:
  • Support for a much broader set of Microsoft products, including Microsoft Office, Internet Explorer, SQL Server, Exchange, Microsoft’s JVM, and even the upcoming Windows Server 2003.
  • Documents and annotations for patches, providing better documentation.
  • A new and easier-to-use interface.
  • The ability to drag and drop a patch to a machine to deploy it.
  • Some integration with Active Directory in order to process patch deployments to machines in a specific organizational unit.
  • Secure caching of passwords at the management station to support different usernames and passwords on remote systems.
  • Third-party threat analysis for a less biased view of criticality.
  • Multiple patch signature verifications to ensure that a patch has not been replaced with a Trojan. Patches are verified on download, when copied to the remote machine, and again immediately prior to deployment.
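The three-stage integrity check described in the last bullet, as an added example (not Shavlik's code): the management station records a digest when the patch is first downloaded, then re-checks it after the copy to the remote machine and again just before deployment, refusing to deploy at the first stage where the bytes differ. SHA-256 stands in for the product's signature verification, and the patch bytes and catalog are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: the bytes of a patch as first downloaded, keyed by the
# bulletin id used on the page. The payload is made up for this example.
TRUSTED_PATCH = b"MSI patch payload for MS02-060 (constructed sample bytes)"
CATALOG: Dict[str, str] = {
    "MS02-060": hashlib.sha256(TRUSTED_PATCH).hexdigest(),
}

# The three points at which the page says a patch is verified.
STAGES = ("download", "copied-to-remote", "pre-deploy")


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a patch file's contents (assumption: hash stands in for signature)."""
    return hashlib.sha256(data).hexdigest()


def verify_stage(patch_id: str, data: bytes, stage: str) -> bool:
    """True only if the bytes seen at this stage still match the catalog entry."""
    expected = CATALOG.get(patch_id)
    if expected is None or stage not in STAGES:
        return False
    # Constant-time comparison; avoids leaking how many digest chars matched.
    return hmac.compare_digest(expected, digest(data))


def deploy_with_checks(patch_id: str, observed: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Run the checks in order and stop at the first failing stage.

    `observed` maps each stage name to the patch bytes as seen there.
    Returns (deployed, stages_that_passed); a missing stage also blocks deployment.
    """
    passed: List[str] = []
    for stage in STAGES:
        data = observed.get(stage)
        if data is None or not verify_stage(patch_id, data, stage):
            return False, passed
        passed.append(stage)
    return True, passed


if __name__ == "__main__":
    # Intact copy at every stage: deploys.
    print(deploy_with_checks("MS02-060", {s: TRUSTED_PATCH for s in STAGES}))
    # Bytes swapped on the remote machine after the copy: blocked at pre-deploy.
    tampered = dict.fromkeys(STAGES, TRUSTED_PATCH)
    tampered["pre-deploy"] = b"replaced payload (constructed)"
    print(deploy_with_checks("MS02-060", tampered))
```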

And for small organizations…
Prior to version 4, the LT version of HFNetChk was basically a severely crippled subset of the Pro version and was only capable of deploying OS-related patches. No application patches were supported. Starting with version 4, Shavlik has made a major change to the distinction between the two versions. Rather than being crippled, the LT version now supports almost all of the features of the Pro version, but only does so for up to 50 machines.

The LT version also does not include the complete set of reports, technical support, and automatic updates of the product. Other than these minor limitations, it is full featured. This means that organizations with fewer than 50 computers can enjoy the benefits of advanced patch management for no acquisition cost.

Downloading and installing HFNetChk LT
For this article, I will be using the LT version of HFNetChk on a Windows XP Professional workstation. HFNetChk LT can be downloaded from Shavlik’s Web site. Installation is accomplished with a single, downloaded executable that weighs in at just over 13 MB. After registering for the download, you will be sent an activation key from Shavlik.

HFNetChk requires a version of the .NET Framework on the management station in order to run. If an appropriate version is not present, it will be installed for you. In addition, MDAC 2.6, JET, MSXML, and the Windows Installer are all required and will also be installed at this point.

Running and using the product
Immediately after running the program and providing the license key, it is easy to tell that the jump from version 3.8 to version 4.0 is significant. For this version, Shavlik hired people with extensive experience in user interface design, and it shows. See Figure A for a screen shot of HFNetChk LT 4 and Figure B for a sample screen shot from version 3.8.

Figure A
The new version 4.0’s interface is clean and colorful.


Figure B
Here is the version 3.8 interface.


HFNetChk 4 includes prominent icons at the top of the interface for common tasks, such as scanning the local system, scanning all of the machines in a domain, and choosing which machines in the domain should be scanned.

For this article, I will perform two scans. The first will scan the Windows XP workstation on which HFNetChk is running and the second will scan my test network's Exchange 2000 Server.

A local scan does exactly what it says. It performs a local scan of the HFNetChk system to determine the software installed and the patch level of that software. Another new feature in HFNetChk 4 is the location of the XML file used by the program to determine various pieces of information. In older versions, this file was located at Microsoft’s site, but with the new version, it is now hosted by Shavlik instead.

Performing this scan is as easy as simply clicking the Scan My Computer button. Figure C shows the quick results from this scan, which indicate that this system is missing four service packs and twenty-three patches.

Figure C
Here are the results of the quick scan on this system.


To get more details on the situation, click the machine name in the top window. This will provide a list of the missing patches as well as a little more detail about what the scan found (see Figure D).

Figure D
Here, you can find more details on the scan.


Clicking on a patch or service pack in the top right-hand side of the screen shows details about the selected item, as shown in Figure E.

Figure E
Here, you can find information about the selected patch.


The information presented here includes the analysis of the threat from both Microsoft and TruSecure. At the bottom of the window, you can select the source from which you would like to view the analysis.

Additionally, the pane containing the patch list has a quick view of the severity of each of the patches, again provided by both Microsoft and TruSecure. A red lightning bolt indicates a threat that is labeled as high by Microsoft, while a yellow lightning bolt is considered a medium threat. In the next column, the same color scheme is used to show the threat level as determined by TruSecure. The flag in the third column is always gray until changed by you. This flag indicates a user-defined threat level. For example, with the recent Slammer worm, you might have considered the patch for it minor if none of your SQL Server systems were accessible from the Internet, while Microsoft considered it a critical problem.

Deploying a patch
With a system scanned, the next step is to determine which patches you need to deploy. For this example, I will deploy MS02-060, which corrects a problem in the Windows Help system. To begin the process, the patch needs to be downloaded. You can accomplish this by selecting the patch and choosing the Download link in the patch description. You can deploy this patch by right-clicking it, choosing Deploy, and then choosing Selected Patches (see Figure F).

Figure F
Here, you can deploy the fix.


This results in a window asking you when you want this patch deployed (see Figure G). Patch deployment can be scheduled for off hours or times of low network traffic and computer usage. In this example, I will deploy this patch immediately.

Figure G
You will determine when you want the patch to be deployed.


The status of the patch deployment can be tracked using the PatchPush Tracker (see Figure H).

Figure H
Here is the PatchPush Tracker.


Once the patches are pushed to the system, the system may or may not have to be rebooted. Once a patch has been added to a system, the red "X" in the patch list box changes to a green check mark.

This example was just a quick scan with a manual deployment of a specific patch. Other options include the ability to automatically deploy patches, add comments to patches, modify the criticality, schedule a deployment, and much more.

Scanning a remote system
While scanning the local system is useful to keep it patched, the real power of HFNetChk 4 comes in its ability to scan and patch remote systems. As an example, I will scan a single remote system. 

To start this process, simply click the Choose Computers To Scan button in the opening window (see Figure I), provide the name or IP address of the machine, and add it to the list of machines to be scanned by clicking the button with the double red arrows.

Figure I
Here, you can see that 172.16.1.4 has been added to the scan list.


In order to scan a remote machine, you need to provide proper credentials. Add the credentials by clicking the machine in the list and choosing Set/Change Credentials. Once the proper credentials are added, the lock icon next to the server turns gold. You can start the scan by clicking the Begin Scan button.

From here, the process is identical to the previous examples. Patches can be pushed to the remote machine from a central location.

Caveat
Rolling out a brand new patch without testing it is not generally a good administrative practice in IT. As such, be sure that, where possible, you first test patches—especially service packs—on a testing lab system before deploying them in your production environment.

If you don’t have a lab or even a few testing machines, then at the very least you should consider using VMWare to set up a small test environment for this purpose. I think it is safe to say that most admins have been bitten by a patch or a service pack that has caused problems, so it’s a good idea to be extra cautious.

HFNetChk 4 is a winner for an all-Microsoft shop
HFNetChk 4 supports the following applications and services:
  • Windows NT 4.0 and NT 4.0 Terminal Server Edition
  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Internet Explorer 5.0 and later
  • Internet Information Server 4.0, 5.0, and 5.1
  • Windows Media Player 6.4, 7.0, 7.1, 8.0, 9.0
  • Java Virtual Machine (Microsoft version only)
  • FrontPage Server Extensions
  • Exchange Server 5.5 and 2000
  • SQL Server 7.0 and 2000
  • ISA Server
  • TabletPC
  • Commerce Server
  • Microsoft Office

Without support for some very popular third-party applications, such as ArcServe or Backup Exec, HFNetChk 4 falls slightly short of a complete patch deployment suite. However, for patching most Microsoft operating systems and applications, it is an excellent product.