Patching your Windows operating systems is a never-ending story.
In this second installment of my two-part series on patching Windows, I outline patching principles that are important regardless of your company's size and organizational complexity. Then I'll offer some suggestions for Windows patchwork for small businesses.
Pick one thing and do it well
It's really a very simple choice. We do what intelligent people have always done when faced with a myriad of things to do in limited time: we find the item that will give us the most payback and we do it well. It was not always obvious what that choice was when it comes to computer security, but it is today. A number of preeminent security experts and organizations now tell us that the No. 1 thing we can do to improve the security of our systems is to patch them, and there are overwhelming statistics to back them up. So, whether you run Linux or Windows, Solaris or AIX, AS/400 or Mac OS X, close the known holes.
Research the problem and refine it
The first step, of course, is to find out what the known holes are. Right. Just add yourself to a few vulnerability lists, such as Bugtraq, the other security mailing lists hosted by SecurityFocus, and www.microsoft.com/technet/security. After you've subscribed to one or more lists, you could easily spend your entire day just reading and digesting all the notices. Every day you'll be treated to reports of problems with everything from your antivirus program and your router to your operating system and the Web browser you run on it. To manage this cacophony, apply, once again, the 90/10 rule: is there one area where effort will produce more results than anywhere else? The answer is obvious: if most of your systems are Windows, keeping up with and applying patches to Windows systems will have the most impact on your security level.
Determine how to manage the process
For most of us, manually patching one system at a time is not an option. While it's easy, and a number of tools exist to help us understand the single system and deal with the process, the time involved soon becomes a chore, and the chore often is abandoned. With Windows systems there are many choices, from automated patch application to full-blown enterprise-level patch management programs. You have three choices; decide which is best for you.
Options for small businesses
Understanding what a patch will do for a system, and why it should be applied, let alone how it can be applied, is a complicated process for users and businesses without dedicated IT services. Windows XP and Windows 2000, post Service Pack 3, provide ways in which, with a simple click of a check box, Microsoft-approved updates are automatically downloaded to the end system and applied according to a choice of configuration settings. This automated patching process can be configured to remove user choice entirely, downloading and applying available patches without asking, or it can merely prompt users that an update is waiting to be applied. A standard Windows XP install defaults to allow this automatic activity. If you don't want automated updating, users can visit the Windows Update service (Tools/Windows Update). This site scans the computer looking for applicable patches and updates; the user has merely to choose which updates to allow, and they will be applied.
Neither of those choices is very palatable to me. I don't like the idea of users deciding whether they need or can really use an update, and I don't like the idea of any software company having control over the process. However, sometimes we have to eat what we don't like because the alternatives are malnutrition and starvation. Small businesses do not have large amounts of time, money or resources to throw at the problem of keeping systems up-to-date -- and let's face it, the problems engendered by using automatic update or Windows Update can be dealt with, and are far less of a risk than those posed by an unpatched system.
Small-scale systems also can benefit from several freely available programs that check to see whether a system has the current patches applied. The Microsoft Baseline Security Analyzer (MBSA) can do this, and it can be used to scan a single system or a whole domain. Small businesses can benefit from a periodic examination of their Windows systems using this tool and can develop a management program around it. MBSA uses HFNetChk, a tool written for Microsoft by Shavlik Technologies, to examine the installed hotfixes against the fixes listed in a frequently updated XML file on Microsoft's site. You can also download HFNetChk and use it at the command line or incorporate it into your own scripts, and a free GUI front end for HFNetChk (HFNetChkLT) is available directly from Shavlik's Web site.
The Center for Internet Security also provides an HFNetChk-based tool, the Windows 2000 Consensus Scoring tool (often referred to as the Gold Standard). The tool also uses Security Configuration and Analysis, a built-in component of Windows 2000, and other customized vulnerability checks to score the current Windows 2000 Professional computer against a configuration agreed upon by NSA, NIST, SANS, Microsoft and other major corporations. Getting that many people to agree on something is enviable, and using a scoring tool helps people get a handle on where they are and where they should be. It also provides before-and-after metrics that can assist you in validating your security program. While not "gold standard," other CIS templates for Windows 2000 Server, Windows NT, Unix and Cisco are also available from the site.
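The two tools just described share one idea: compare what a machine actually has (installed hotfixes, security settings) against a published list of what it should have, and turn the result into a list of gaps and a score you can track before and after a patch cycle. The script below is an added illustration of that idea, not code from MBSA, HFNetChk or the CIS tool, and it does not read their real file formats. The XML catalogue, its element names, the hotfix ids (QEX0001 and so on, not real Knowledge Base or bulletin numbers), the installed-hotfix inventory and the setting values are all constructed for the example; the baseline key names follow the style of a secedit/SCA template, where audit values of 1, 2 and 3 mean success, failure and both.

```python
"""Constructed example: report missing hotfixes and configuration gaps,
then score the machine, in the spirit of HFNetChk plus a CIS-style baseline.
Not the real tools' code or file formats."""
import xml.etree.ElementTree as ET

# Catalogue of required fixes per product/service pack. Schema and ids are
# this example's own (an assumption), not Microsoft's XML fix list.
REQUIRED_FIXES_XML = """\
<fixes>
  <product name="Windows 2000 Professional" sp="3">
    <fix id="QEX0001" bulletin="EX-001" severity="critical" title="placeholder fix 1"/>
    <fix id="QEX0002" bulletin="EX-002" severity="important" title="placeholder fix 2"/>
    <fix id="QEX0003" bulletin="EX-003" severity="moderate" title="placeholder fix 3"/>
  </product>
  <product name="Windows XP Professional" sp="1">
    <fix id="QEX0004" bulletin="EX-004" severity="critical" title="placeholder fix 4"/>
  </product>
</fixes>
"""

# Constructed inventory of the scanned machine: hotfix ids as an inventory
# script might list them, plus a dump of the settings a Security Configuration
# and Analysis template would compare. QEX9999 is not in the catalogue at all.
INSTALLED_HOTFIXES = ["QEX0001", "QEX0003", "QEX9999"]
CURRENT_SETTINGS = {
    "MinimumPasswordLength": 6,
    "LockoutBadCount": 5,
    "PasswordComplexity": 0,
    "AuditLogonEvents": 3,
    "AuditAccountLogon": 0,
}

# Baseline values (constructed). Keys follow secedit's [System Access] and
# [Event Audit] naming; audit values are bit flags: 1 success, 2 failure, 3 both.
BASELINE = {
    "MinimumPasswordLength": 8,
    "LockoutBadCount": 5,
    "PasswordComplexity": 1,
    "AuditLogonEvents": 3,
    "AuditAccountLogon": 3,
}

# A baseline is not "value must equal": longer passwords are fine, fewer bad
# logons before lockout are fine, but a lockout count of 0 means "never lock
# out", which is the weakest setting, and auditing must cover every requested bit.
def _at_least(actual, expected):
    return actual >= expected

def _at_most_nonzero(actual, expected):
    return 0 < actual <= expected

def _equal(actual, expected):
    return actual == expected

def _audit_bits(actual, expected):
    return (actual & expected) == expected

CHECKS = {
    "MinimumPasswordLength": _at_least,
    "LockoutBadCount": _at_most_nonzero,
    "PasswordComplexity": _equal,
    "AuditLogonEvents": _audit_bits,
    "AuditAccountLogon": _audit_bits,
}

def required_fixes(xml_text, product, service_pack):
    """Return the catalogue entries (as dicts of attributes) for one product/SP."""
    root = ET.fromstring(xml_text)
    return [dict(fix.attrib)
            for prod in root.iter("product")
            if prod.get("name") == product and prod.get("sp") == str(service_pack)
            for fix in prod.iter("fix")]

def missing_fixes(required, installed):
    """Catalogue entries whose id is not in the installed inventory (case-insensitive)."""
    have = {h.upper() for h in installed}
    return [fix for fix in required if fix["id"].upper() not in have]

def configuration_gaps(baseline, current):
    """{setting: (expected, actual)} for every setting that fails its check.
    A setting missing from the dump is a gap too: unknown is not compliant."""
    gaps = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or not CHECKS[key](actual, expected):
            gaps[key] = (expected, actual)
    return gaps

def assess(product, service_pack, installed, current,
           catalogue=REQUIRED_FIXES_XML, baseline=BASELINE):
    """One scan: missing fixes, config gaps and a percentage of checks passed."""
    required = required_fixes(catalogue, product, service_pack)
    missing = missing_fixes(required, installed)
    gaps = configuration_gaps(baseline, current)
    total = len(required) + len(baseline)
    passed = total - len(missing) - len(gaps)
    score = 100.0 if total == 0 else round(100.0 * passed / total, 1)
    return {"missing_fixes": missing, "config_gaps": gaps,
            "checks": total, "score": score}

if __name__ == "__main__":
    before = assess("Windows 2000 Professional", 3, INSTALLED_HOTFIXES, CURRENT_SETTINGS)
    print("before:", before["score"], "% of", before["checks"], "checks")
    for fix in before["missing_fixes"]:
        print("  missing", fix["id"], fix["severity"], fix["bulletin"])
    for key, (expected, actual) in before["config_gaps"].items():
        print("  setting", key, "expected", expected, "found", actual)
    # Simulated remediation: apply the missing fix and tighten the three settings.
    after_settings = dict(CURRENT_SETTINGS, MinimumPasswordLength=8,
                          PasswordComplexity=1, AuditAccountLogon=3)
    after = assess("Windows 2000 Professional", 3,
                   INSTALLED_HOTFIXES + ["QEX0002"], after_settings)
    print("after:", after["score"], "%")
```

Run as written, the "before" scan reports one missing fix and three setting gaps for a score of 50 percent, and the simulated remediation brings the same machine to 100 percent; those two numbers are the before-and-after metric the text talks about. The per-setting comparators are the part worth keeping when you build your own: a baseline that only tests equality would wrongly flag a 10-character minimum password length as a failure and, worse, accept a lockout count of 0.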
Part one of this two-part series is published separately.
Roberta Bragg is an author and security consultant in the area of Windows operating systems.
This was first published in November 2002