What's the current state of security in the Windows Server environment you manage?
Most Windows Server administrators do a good job of staying on top of core administration tasks such as logging, monitoring and backups. Many, however, do not know the true state of the security vulnerabilities in their data center, including whether Windows updates that are years old have ever been applied.
An administrator should perform regular vulnerability scans with tools such as Rapid7's Nexpose or GFI Software's LanGuard to know the state of Windows Server security. One tenet of information security is to never let good information go to waste: when a report shows that Windows Server patching needs work or that other software updates are missing, administrators need to determine the risk to the business and how to remedy the issue.
There are some higher-level practices administrators should consider to keep Windows Server secure. First, run vulnerability scans at least once per year. Some organizations scan more often, such as every 30 days or once per quarter, depending on business needs and compliance or contractual requirements. Some businesses are required to perform continual monitoring and exposure management, using real-time services from a security vendor.
When scanning for vulnerabilities, use commercial tools. They are easier to use and manage, and they generate better reports than open-source offerings. Vendors also have a strong business incentive to keep their products updated with checks for the latest vulnerabilities.
Scan both external-facing systems and internal network systems. Administrators often overlook one or the other, and without scanning both, neither the admins nor the business executives have good information on which to base security decisions.
Network perspective is important, but so is user perspective. Run vulnerability scans both without and with user authentication. With user authentication, the vulnerability scanner logs into each system with a set of credentials and uncovers shortcomings an unauthenticated scan cannot see, including missing patches for third-party software. Give the scanner a dedicated account with only the rights it needs on the targets, and protect that credential as carefully as any administrator password, since it can log into every server in scope. Make a practice of testing on a periodic and consistent basis. The data center changes continuously, so administrators should make regular security testing part of their overall Windows management process.
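A quick first look at patch state between scheduled scans, as an added PowerShell example that is not part of the original article: it asks each server for its installed hotfixes with the built-in Get-HotFix cmdlet and flags any host whose newest update is older than a threshold. The server names are placeholders, and the remote call runs under the caller's own credentials, so it needs local administrator rights on each target and WMI/DCOM reachability (TCP 135 plus the dynamic RPC ports).

```powershell
# Added example, not from the original article. Server names are placeholders.
# Get-HotFix reads Win32_QuickFixEngineering over WMI; the caller needs local
# admin rights on each target for the remote query to succeed.
$ComputerName = @('DC01', 'WEB01', 'APP02')   # placeholder hosts
$MaxAgeDays   = 45                             # anything older than this is flagged

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$report = foreach ($server in $ComputerName) {
    try {
        # Some QFE entries carry no install date; drop them so sorting is meaningful.
        $fixes  = Get-HotFix -ComputerName $server -ErrorAction Stop |
                  Where-Object { $_.InstalledOn }
        $newest = $fixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{
            Server      = $server
            HotfixCount = @($fixes).Count
            NewestKB    = $newest.HotFixID
            InstalledOn = $newest.InstalledOn
            Stale       = (-not $newest) -or ($newest.InstalledOn -lt $cutoff)
            Error       = $null
        }
    }
    catch {
        # Unreachable or access denied still goes in the report: a host that
        # cannot be inventoried is a blind spot, not a clean result.
        [pscustomobject]@{
            Server = $server; HotfixCount = 0; NewestKB = $null
            InstalledOn = $null; Stale = $true; Error = $_.Exception.Message
        }
    }
}

$report | Sort-Object InstalledOn | Format-Table -AutoSize
$report | Export-Csv -Path .\patch-age-report.csv -NoTypeInformation
```

Treat this as a sanity check, not a substitute for an authenticated scan: Win32_QuickFixEngineering lists only updates Windows recorded as hotfixes and knows nothing about third-party software, so a server can look current here and still be missing a browser, Java or database patch that a credentialed scanner would catch.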
Develop a schedule to close vulnerabilities
Administrators have a few options when a vulnerability scan uncovers missing software updates and gaps in Windows Server patching. They can patch immediately, but most organizations avoid this, especially on servers. More commonly, they test and patch the critical findings within 30 days; a more relaxed schedule tests and patches within 90 days.
Systems administrators often separate Windows Server patching by deployment group. For example, they apply patches to test servers immediately. After a week, they patch noncritical servers. If that round goes smoothly, they patch all remaining servers, including critical domain controllers and web servers, the following week.
While the IT staff determines the best timetable for Windows Server patching, administrators should not delay closing a vulnerability once a scanner, or a manual tool such as Rapid7's Metasploit, confirms a finding is real and exploitable. Some administrators avoid patching critical servers for fear the system will crash or a vendor will drop support. In that case, the IT staff should document the risk and get management's clearance for it in writing before a security incident or breach occurs, not after.
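The schedule described above, turned into a small remediation tracker as an added PowerShell example (not code from the original article): each finding gets a due date from its severity (30 days for critical and high, 90 days for everything else) and a first patch window from its server's deployment ring (test immediately, noncritical a week later, the rest the week after). The findings, server names and ring assignments are constructed sample data, and the evaluation date is pinned so the output is reproducible.

```powershell
# Added example, not from the original article. All findings and host names
# below are constructed sample data, not real scan output.
$ringOffsetDays = @{ Test = 0; NonCritical = 7; Critical = 14 }   # days after first deploy
$ringOf = @{ 'TEST01' = 'Test'; 'FILE02' = 'NonCritical'; 'DC01' = 'Critical'; 'WEB01' = 'Critical' }

$findings = @(
    [pscustomobject]@{ Server = 'DC01';   Finding = 'Missing cumulative update';   Severity = 'Critical'; Found = '2024-03-01' }
    [pscustomobject]@{ Server = 'WEB01';  Finding = 'Outdated third-party runtime'; Severity = 'High';     Found = '2024-03-05' }
    [pscustomobject]@{ Server = 'FILE02'; Finding = 'SMB signing not required';     Severity = 'Medium';   Found = '2024-02-10' }
    [pscustomobject]@{ Server = 'TEST01'; Finding = 'Missing cumulative update';   Severity = 'Critical'; Found = '2024-03-01' }
)

$today = [datetime]'2024-04-15'   # pinned for reproducible output; use (Get-Date) in practice

$schedule = foreach ($f in $findings) {
    $found = [datetime]$f.Found
    $sla   = if ($f.Severity -in 'Critical', 'High') { 30 } else { 90 }
    $ring  = $ringOf[$f.Server]
    # A host missing from the ring map is treated as critical, never as skippable.
    if (-not $ring) { $ring = 'Critical' }
    [pscustomobject]@{
        Server   = $f.Server
        Finding  = $f.Finding
        Severity = $f.Severity
        Ring     = $ring
        StartOn  = $found.AddDays($ringOffsetDays[$ring])   # earliest patch window for this ring
        DueBy    = $found.AddDays($sla)                      # hard deadline from the SLA
        Overdue  = $today -gt $found.AddDays($sla)
    }
}

$schedule | Sort-Object DueBy | Format-Table Server, Severity, Ring, StartOn, DueBy, Overdue -AutoSize
$schedule | Where-Object Overdue | Export-Csv -Path .\overdue-findings.csv -NoTypeInformation
```

With the pinned date, the three critical and high findings from early March come out overdue and the medium SMB finding does not, which is the list to bring to management: anything overdue on a critical server is exactly the case where a written risk acceptance is needed rather than a silent deferral.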