Most Windows administrators have either heard of or used the Microsoft Baseline Security Analyzer and one of its components, HFNetChk, a utility that allows you to scan a network for missing security patches. It’s an invaluable tool for protecting a network and keeping it up to date.

On Nov. 20, 2002, Shavlik—the company that created HFNetChk—released version 3.86 of this powerful command line utility. In addition to the version of the product that it supplies to Microsoft, Shavlik offers a free version of the tool called HFNetChkLT, which performs the same function as HFNetChk but includes many extra features, such as a GUI and the ability to push patches to servers and to scan specific classes of machines (such as servers or workstations) separately.

I’m going to go over the new features available in HFNetChk 3.86, as well as provide an overview of HFNetChkLT.

HFNetChk 3.86
Currently, Microsoft is shipping version 3.81 of HFNetChk as part of the Microsoft Baseline Security Analyzer that’s available for download from its site. Since version 3.81, Shavlik has made a number of improvements to the utility. An updated version is available for download.

Changes to HFNetChk since version 3.81 include:

Support for Windows NT Terminal Services edition.
Support for Windows Media Player.
Support for Exchange Server 5.5 and 2000.
Support for Microsoft Data Access Components (MDAC).
Enhanced error messages for easier problem identification.
Host scan performance improvements.
New ‘-ver’ command line switch to determine whether HFNetChk itself is out of date.
Support for Windows XP Home Edition.

As you can probably tell from this short list of the dozens of changes made to HFNetChk since version 3.81, the newest 3.86 version has a lot going for it in terms of improvements and additional product support. Let’s look at how to install and use version 3.86.

To install the new version of HFNetChk, download it and run the executable. If you already have HFNetChk installed, you will be asked if you want to update the existing installation. For my installation of this utility on an Exchange 2000 server on my lab network, I accepted the defaults, which placed HFNetChk in C:\Program Files\Shavlik Technologies\HFNetChk. That’s all there is to it.

Running and using it
Much has been written about the functionality of HFNetChk. So I’ll just run version 3.86 against my lab Exchange 2000 server to show you how well it supports Exchange and Windows patches. As HFNetChk revealed, I need to install a bunch of patches on the Exchange server in my lab.

HFNetChk 3.86 upgrade
With the ability to scan Exchange, MDAC, Media Player, and NT TSE, this new version of HFNetChk is a “must download” for anyone who administers Windows servers and/or desktops. As the number of exploits available for Windows services continues to grow, keeping up with patches is critical to maintaining the integrity of your infrastructure.

Now let’s take a look at Shavlik’s HFNetChkLT.

Shavlik offers two big brothers to the command line HFNetChk: HFNetChkLT and HFNetChkPro. The HFNetChkLT version adds a number of features to the Windows version of HFNetChk, including a GUI and the ability to push patches to a machine. HFNetChkLT is available as a free download from Shavlik.

Once you download HFNetChkLT, you can install it by double-clicking on the executable and following the instructions. The HFNetChkLT installer requires Internet Explorer 5.5 or above. If you are running a version below this, you will need to upgrade before installing HFNetChkLT. If you are missing other required components, such as version 2 of the Windows Installer, XML Parser 3.0 SP2, MDAC 2.6 SP2, and Jet 4.0 SP3, you will be redirected to a download page where you can obtain them. The installer can’t continue without those components.

Once the prerequisites are met, you can install HFNetChkLT, after which a system restart is required. The installation on my lab server required a total of three restarts to install the prerequisites and HFNetChkLT.

Running the application
The installation provides a desktop icon you can double-click to run the application. The first screen you’ll see is the first step of a wizard that can help you to get started scanning the local machine or other machines on your network, as shown in Figure A.

Figure A
Step one of the Shavlik Scan Guide

The second step of the wizard asks you what you would like to scan. You can scan just the local machine, all machines in the domain, the entire Microsoft network, or machines in your Favorites. You can also pick a subset of one of these choices. For this example, I’m going to specify a couple of machines, so I’ll choose the Pick Machines option, as shown in Figure B.

Figure B
What would you like to scan?

The third step of the wizard lets you assign a name to the current scan to allow for easy reuse.

One of the most useful features of the LT version of HFNetChk is its ability to schedule scans at regular intervals, which you can define in the wizard’s Scheduling screen (Figure C). You can run the scan immediately, at a later time, or on a specific recurring schedule. I’ve chosen to run a scan immediately.

Figure C
Scheduling a scan

If you are scanning several machines, you may not necessarily have the appropriate rights to scan them using the account you are logged in with. So HFNetChkLT provides a Scan RunAs screen (Figure D), which you can use to provide a user name and password to gain the necessary rights.

Figure D
Running the scan as a specific user

The Machines, Domains, and IP Addresses screens allow you to specify what to scan based on the choice you made in step 2 of the wizard. Since I opted to scan specific machines, only the Machines screen is enabled. It lists my domains and workgroups with machines that can be scanned. As you can see in Figure E, I’ve chosen two servers, LAB2K and MAIL1, to be scanned.

Figure E
Select the machines to be scanned.

After you’ve made these choices, click the Finish button to begin the immediate scan. The summary of my test scan is shown in Figure F.

Figure F
Results of my scan

Results are everything
You might have noticed that the server MAIL1 did not show up anywhere under Domains Scanned in Figure F. Upon further inspection, I found it in Machines Not Scanned instead. This was because the MAIL1 server was not available at the time that the scan was performed. This shows that HFNetChkLT can gracefully handle error conditions.

The scan results (Figure G) break down by product all of the patches that need to be installed, and they provide both the reason that the scanner believes the patch was not found and a summary of what the patch provides.

Figure G
A missing patch explanation

Patching the machines
Now that you have a list of everything that has to be patched, it’s time to decide what to do about it. For my example, patching would not require a huge amount of time since only one server is affected. But consider an organization that has dozens or hundreds of servers—or imagine that you decide to use HFNetChkLT to keep your desktop Windows machines patched as well. The task list associated with either of these two scenarios could be overwhelming indeed. Luckily, HFNetChkLT can also deploy some of these patches.

At this point, you will stumble across one major limitation to HFNetChkLT: It can deploy only patches related to the operating system and not application patches. If you want the additional functionality, you’ll have to upgrade to the Pro version.

One excellent feature of HFNetChkLT is the ability to test whether the target system meets the minimum requirements for a patch to be automatically deployed. For example, one of the patch messages on my summary report indicated that I should have installed patch MS00-027, which corrects a problem in Cmd.exe. To make sure that the target system LAB2K meets the requirements for this patch, I just right-click the patch and choose Test Install. For me, this yielded results showing that the system LAB2K meets the prerequisites.

To perform the patch deployment, right-click on the patch name and choose Deploy | Deploy Selected Patch(es). If you choose more than one patch, HFNetChkLT will use QChain.exe to install all of the patches with a minimum of reboots.

The deployment process uses a wizard similar to the initial scanning wizard. As with the previous wizard, you can define RunAs parameters in the Deploy RunAs screen. But with this wizard, you can also define advanced options that allow you to shut down specific services such as SQL or IIS before deployment, back up old files, deploy quietly, and specify whether to reboot the target machine immediately.

To install the patches, you must allow them to be downloaded. In the wizard’s Download screen, click the Get Patches button to obtain the required files. You can then install the patch by clicking the Finish button. When you’re finished, you can get details about the patch deployment from the Deployment section in the left-hand window.

HFNetChkLT wrap-up
This is just a short overview of HFNetChkLT, but you can see that the tool is quite thorough in providing information as well as scanning and patching systems. I particularly like the fact that it indicates the reason a patch was not found in the same screen and explains why the patch is important. The tool’s ability to deploy operating system patches is also good and has the potential to save an administrator substantial time in this ever-important process.

Both HFNetChk and HFNetChkLT are utilities that nearly every Windows administrator should use. I particularly like the LT version, since it incorporates a GUI that can provide invaluable information regarding patches.