A decent percentage of security breaches involve a software vulnerability caused by a missing patch that the IT security staff already knows about. The research company Gartner estimates that IT departments spend up to two hours every day managing patches. So why do these vulnerabilities still exist? Because of the lack of an effective plan, and of the knowledge, for managing and deploying security patches in the enterprise.
There are many tools to manage and deploy security patches. They fall into two major categories: tools that evaluate the security state of systems, and tools that patch them. In order to know which patches to apply, you must first know what is in your enterprise network.
The common way to evaluate the security state of your systems is enumeration: querying the systems in your network for which security patches are applied and what their security settings are. Both patch scanners and vulnerability scanners fall into this category.
A patch scanner enumerates, with administrative privileges, the patches applied on the target systems. This yields accurate results, but it does not reflect the real security posture, since it ignores what access a hacker would actually have to the system.
In contrast, a vulnerability scanner collects information on the target system from the hacker’s perspective. It focuses on the security issues a hacker could use to compromise the system and yields results that help IT staff protect the network from remote attacks. However, its accuracy is limited, since it cannot determine locally exploitable vulnerabilities or problems specific to the individual system.
Some enterprises prefer reporting systems over enumeration, simply because the clients in the network periodically report their security state to a central server, eliminating the need to launch inaccurate and time-consuming scans. Reporting systems yield much richer information and allow IT staff to perform offline analysis of the enterprise network.
Reporting systems also have a few drawbacks: being agent-based, they become a potential security threat if not managed carefully; the information gathered on the central server contains sensitive data that could serve as a blueprint for how to attack your network; and an attack on the central server could leave your IT staff unaware of the network’s security state.
Tools for Managing Security Patches
There are a number of patch management tools on the market these days. Discussing all of them is beyond the scope of this article; instead, we will focus on a small number of tools for Microsoft Windows.
MBSA – The Microsoft Baseline Security Analyzer is Microsoft’s free solution, designed for the IT professional, that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. MBSA is a patch scanner and requires administrative privileges, as well as particular services running on the target system.
Windows Software Update Service – Windows Software Update Service (WSUS) is a free solution from Microsoft that enables administrators to manage and deploy patches across the enterprise more easily. In small to medium networks, IT staff can configure the Windows Automatic Update service on endpoints to query the WSUS server, ensuring that all your clients have all the security patches you want and none other.
Enterprise Management System – If you already have an Enterprise Management System (EMS) deployed in your enterprise, you can use it to distribute security patches. Microsoft offers Systems Management Server for client management. This solution is based on Microsoft’s MBSA and therefore must be deployed with Windows Software Update Service.
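As an added example (not code from the article or from Microsoft), the endpoint-side WSUS configuration described above written as a PowerShell script an administrator would run elevated on a client: it writes the same policy registry values that the "Specify intranet Microsoft update service location" Group Policy sets, verifies them, and triggers a detection cycle. The server URL is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: point the Windows Automatic Update client at an internal WSUS server.
# Placeholder URL; 8531 is the default WSUS TLS port. Replace with your own server.
$WsusUrl  = 'https://wsus.example.internal:8531'
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

# Only accept a TLS-protected update source: a plain-HTTP WSUS URL leaves the
# client trusting whatever answers on that name, so refuse it outright.
if ($WsusUrl -notmatch '^https://') {
    throw "WSUS URL must use HTTPS so the update channel is authenticated: $WsusUrl"
}

foreach ($key in @($WuPolicy, $AuPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Update source, and the server that receives the client's status reports.
Set-ItemProperty -Path $WuPolicy -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuPolicy -Name 'WUStatusServer' -Value $WsusUrl -Type String

# Automatic Updates: use the intranet server, auto-download and schedule the
# install (AUOptions 4) every day (ScheduledInstallDay 0) at 03:00.
Set-ItemProperty -Path $AuPolicy -Name 'UseWUServer'          -Value 1 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'ScheduledInstallDay'  -Value 0 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'ScheduledInstallTime' -Value 3 -Type DWord

# Read back what the client will actually use and fail loudly on any mismatch.
$wu = Get-ItemProperty -Path $WuPolicy
$au = Get-ItemProperty -Path $AuPolicy
$problems = @()
if ($wu.WUServer -ne $WsusUrl)       { $problems += 'WUServer not set' }
if ($wu.WUStatusServer -ne $WsusUrl) { $problems += 'WUStatusServer not set' }
if ($au.UseWUServer -ne 1)           { $problems += 'UseWUServer not enabled' }
if ($problems.Count -gt 0) { throw ($problems -join '; ') }

# Restart the Windows Update service so the policy takes effect, then ask the
# Automatic Updates COM interface (IAutomaticUpdates) to detect against WSUS now.
Restart-Service -Name wuauserv -Force
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

Write-Host "Endpoint now reports to and pulls patches from $WsusUrl"
```

Rolling the same script out through Group Policy or a startup script is the usual way to cover every endpoint; the registry values are identical.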
Adopting comprehensive discovery tools improves the effectiveness of an organization’s patch management process. To be successful, the technology and processes adopted should support a number of objectives and be as automated as possible.