The SMS 2003 R2 Scan Tool for Vulnerability Assessment is obtained from the SMS 2003 R2 CD.

Preinstallation Procedure

Typically, you install the scan tool on only one site in the hierarchy and use it to manage all child sites. However, a SQL script must be run against the database at each child primary site so that the site processes the vulnerability assessment information correctly before passing it to the parent site. The script is called DefinitionData.sql and must be run on the SMS site database as the db_owner (dbo) of the SMS database.

Note
Best practice is to install the SMS 2003 R2 Scan Tool for Vulnerability Assessment on the central site and then run the SQL script on all child primary sites in the hierarchy.

To run the SQL script to prepare child sites for vulnerability assessment information
  1. On the primary child site server, stop the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.

  2. Copy the file DefinitionData.sql from the STVA folder on the R2 CD to a location that you can access from your SMS database.

  3. Load DefinitionData.sql into a SQL Server query tool like Query Analyzer or ISQL/W.

  4. From within the SQL Server query tool, select the Systems Management Server database and run the query.

  5. Verify that the Query Analyzer status bar does not show any errors.

  6. Restart the SMS_SITE_COMPONENT_MANAGER and SMS_EXECUTIVE services.
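The six steps above can also be scripted so that the error check in step 5 is enforced rather than read off a status bar. The following PowerShell script is an added example, not part of the original Microsoft documentation; it assumes it runs on the primary child site server, that sqlcmd.exe is on the PATH, that the caller is dbo of the SMS database, and that the parameter values (server, database name, script path, log path) are supplied by you.

```powershell
# Added example (not Microsoft's script): run DefinitionData.sql on a child primary site.
# Assumptions: run locally on the primary child site server, sqlcmd.exe is on PATH,
# and the caller connects with Windows authentication as dbo of the SMS database.
param(
    [Parameter(Mandatory = $true)] [string] $SqlServer,    # SQL Server hosting the site database
    [Parameter(Mandatory = $true)] [string] $SmsDatabase,  # name of the SMS site database
    [Parameter(Mandatory = $true)] [string] $ScriptPath,   # local copy of DefinitionData.sql (step 2)
    [string] $LogPath = (Join-Path $env:TEMP 'DefinitionData.log')
)

$ErrorActionPreference = 'Stop'
$services = 'SMS_SITE_COMPONENT_MANAGER', 'SMS_EXECUTIVE'

# Fail before touching any service if the script file is missing.
if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    throw "DefinitionData.sql not found at '$ScriptPath'."
}

# Step 1: stop both services in the order the procedure lists them.
foreach ($name in $services) {
    Stop-Service -Name $name -Force
}

# Steps 3-4: run the script against the SMS database.
# -E uses the caller's Windows credentials; -b makes sqlcmd exit non-zero on a SQL error.
$output = & sqlcmd.exe -S $SqlServer -d $SmsDatabase -E -b -i $ScriptPath
$exitCode = $LASTEXITCODE
$output | Set-Content -LiteralPath $LogPath

# Step 5: treat any reported error as fatal. The services are deliberately left
# stopped so the site does not process data against a partially updated database.
if ($exitCode -ne 0) {
    throw "sqlcmd exited with code $exitCode; services left stopped. See $LogPath."
}

# Step 6: restart the services only after a clean run.
foreach ($name in $services) {
    Start-Service -Name $name
}
Write-Output "DefinitionData.sql applied to $SmsDatabase on $SqlServer. Log: $LogPath"
```

Keep the log with your change records for the site, since it is the only evidence of what the script reported when it ran.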

Installation Procedure

You can install the tool from the SMS 2003 R2 Setup page by selecting Scan Tool for Vulnerability Assessment or by manually running VASetup.msi. The following procedures provide details for each installation method.

To install the Scan Tool for Vulnerability Assessment from SMS 2003 R2 Setup
  1. Run <cd root>\autorun.exe from the SMS 2003 R2 CD. The Setup page will display.

  2. Click Scan Tool for Vulnerability Assessment to launch the Setup wizard.

To manually install the Scan Tool for Vulnerability Assessment from the SMS 2003 R2 CD
  1. Browse to <cd root>\STVA\.

  2. Run VASetup.msi to launch the Setup wizard.

If you have already installed the Scan Tool for Vulnerability Assessment, Setup will try to repair it. If you have a previous version of the scan tool, Setup will try to upgrade the previous version.

Security Requirements for Installation

During Setup, the Scan Tool for Vulnerability Assessment Setup wizard installs to the selected destination folder and creates several SMS objects. The user who initiates the installation must have the appropriate permissions for Setup to complete successfully. The following permissions are required for the user who initiates the Scan Tool for Vulnerability Assessment Setup:

  • Write permissions to the NTFS file system for the selected destination folder. The default name and location is \Program Files\Microsoft Vulnerability Assessment Tool. The PkgSource folder is created under this destination folder.

  • Create permissions for the SMS Package object.

  • Create permissions for the SMS Collection object. This is a requirement only if the Advertise inventory tool to test and production collections option is selected during Setup.

  • Create permissions for the SMS Advertisement object. This is a requirement only if the Advertise inventory tool to test and production collections option is selected during Setup.

For more information about creating and securing the SMS package source folder, see Scenarios and Procedures for Systems Management Server 2003: Security, available from the Systems Management Server 2003 Product Documentation Web page (http://go.microsoft.com/fwlink/?LinkID=9502).

Completing the Wizard

The following procedure provides the steps necessary to complete the Scan Tool for Vulnerability Assessment Setup wizard and explains each configuration setting in the wizard.

To install the Scan Tool for Vulnerability Assessment
  1. Launch the SMS 2003 R2 Vulnerability Assessment Tool Setup wizard. Click Next.

  2. Read the license terms, click I accept the license agreement, and click Next.

  3. Register the product by entering your name, the name of the organization that will be using the Scan Tool for Vulnerability Assessment, and the 25-digit CD product key. The CD key is located on the back of the SMS 2003 R2 product CD case. After you have entered the registration information, click Next.

  4. The Setup wizard installs the Scan Tool for Vulnerability Assessment in the configured destination folder, C:\Program Files\Microsoft Vulnerability Assessment Tool, by default. The Pkgsource folder is created under the destination folder and used as the SMS package source folder. Select the default destination folder, or browse to a different location, and click Next.

    Note
    If an existing folder is selected, a dialog box appears stating that the folder already exists and asks to confirm the use of the selected folder for the scan tool installation. Click Yes to use the folder, overwrite the contents, and proceed to the Choose Vulnerabilities to Check page. Click No to go back to the Destination Folder page.

  5. The SMS 2003 R2 Scan Tool for Vulnerability Assessment checks for four major types of vulnerabilities. You must select at least one vulnerability that the tool will assess on clients before proceeding. For more information about the types of vulnerabilities, see Overview of the Vulnerabilities Assessed.

    Note
    To modify the vulnerabilities assessed by the tool after completing the Setup wizard, rerun Setup and reconfigure the settings on the Choose Vulnerabilities to Check page of the wizard.

    Click Next.

  6. Configure the following on the Distribution Settings page:

    • You must specify a base name for the objects SMS creates. The suggested name is Vulnerability Assessment Tool. If you choose another base name, it must be different from any existing SMS objects and from any SMS objects you will create later in the Setup process. The base name is limited to 32 characters and is used in the names of the packages, programs, collections, and advertisements created during Setup. For more information about the SMS objects created, see Overview of the SMS Objects Created to Run the Scan Tool for Vulnerability Assessment.

    • The Copy Vulnerability Assessment Tool package to all distribution points setting is selected by default. Setup automatically configures the package to be copied to all distribution points in the site where Setup is running and to all child sites. If you want to limit the distribution points that contain the inventory tool package, do not select this option but remember to manually configure the distribution points for the package after Setup is complete.

    • The Advertise Vulnerability Assessment Tool to the default collection, which includes the test computer option is selected by default and instructs Setup to create an advertisement to distribute the scan tool.

      If you do not select Advertise Vulnerability Assessment Tool to the default collection, which includes the test computer, Setup does not create an advertisement and does not give you the option to designate a test computer. You must manually create these objects in the SMS Administrator console prior to distributing the scan tool to clients.

    • If you choose to have Setup create the advertisement, you must specify the NetBIOS name of an Advanced Client to use as a test computer. Setup adds the test computer to the Vulnerability Assessment Tool (pre-production) collection. For more information about managing the collections created by Setup, see Managing Collections for the Scan Tool for Vulnerability Assessment. During testing, vulnerability assessment is performed on the test computer and you can verify whether the components are working as expected.

    Click Next.

  7. Configure the following on the Distribution Settings for MBSA Scan Engine page:

    • By default, Create SMS objects to distribute MBSA is selected. This option enables the other two settings on the page and instructs Setup to create the SMS objects necessary to distribute MBSA to Advanced Clients and adds the MBSA 2.0 package to the Run another program first setting on the Advanced tab of each Vulnerability Assessment program. If you are certain that all of your clients already have MBSA 2.0 installed, clear the Create SMS objects to distribute MBSA check box and skip to the next step.

      Note
      If you attempt to run the SMS 2003 R2 Scan Tool for Vulnerability Assessment on a client that does not have MBSA installed, the scan advertisement will fail.

    • If Create SMS objects to distribute MBSA is selected, you must specify a name for the MBSA SMS objects that Setup creates. The suggested name is MBSA 2.0. If you choose another name, it must be different from any existing SMS objects. The name is limited to 32 characters and is used in the names of the package and program created during Setup. For more information about the SMS objects created, see Overview of the SMS Objects Created for the MBSA Scan Engine.

    • Copy the MBSA client package to all distribution points is selected by default. Setup automatically configures the package to be copied to all distribution points in the site where Setup is running and to all child sites. If you want to limit the distribution points that contain the MBSA 2.0 package, do not select this option and manually configure the distribution points for the package after Setup is complete.

    Note
    Setup does not create any advertisements for this package, but it does add the MBSA 2.0 package and MBSA Install Silently (without shortcuts) program to the Run another program first setting on the Advanced tab of each Vulnerability Assessment program. This ensures that MBSA 2.0 is installed on the client before installing the tool and scanning for vulnerability assessments.

    Click Next.

  8. Click Next to initiate the Scan Tool for Vulnerability Assessment installation.

    The Setup wizard installs the Microsoft SMS 2003 Scan Tool for Vulnerability Assessment files to the specified destination folder. In addition, the Setup wizard creates the packages and programs, and if configured, the collections and advertisements that are needed to deploy the scan tool. When Setup is complete, the Setup Complete page appears.

  9. Click Finish.
