When Microsoft ships an operating system, it does its best to find and remove all security vulnerabilities. In a perfect world, that would mean that the operating system was perfect from a security standpoint. In our imperfect world, however, operating systems are large and complex. As we know, complexity is the enemy of security. This means that the complexity of these large operating systems provides plenty of opportunities for security vulnerabilities to crop up.
Security vulnerabilities are discovered every day both by vendors and by customers who purchased the products. Microsoft, like virtually all other hardware and software vendors, continuously refines its products based on the discovery of these vulnerabilities. When a particularly critical vulnerability is discovered, Microsoft quickly writes and releases a software patch to address the issue.
The quicker you apply a patch to your systems, the quicker you become resistant to attacks that exploit that particular vulnerability. This doesn't mean that you should watch the TechNet web site all day and immediately apply every security patch to every computer in your enterprise. Nor does it mean that you should apply patches only when Microsoft sends email specifically indicating that you have a product with a known vulnerability. The proper patch management strategy for your environment lies somewhere in between.
Patch management is essential to ensure the ongoing security of all components in your network. This book focuses specifically on Windows Server 2003, but the same consideration should be given to other software and hardware that can be updated. Some software, such as virus scanners and software firewalls, should be regularly updated to ensure they provide defense against the latest attack vectors. Routers, hardware firewalls, and other intermediate network devices also have software or firmware that should be regularly updated to ensure they remain resistant to known attacks and patch known vulnerabilities.
Optimally you will plan a software update strategy before you deploy the computers in your enterprise. Realistically, however, this isn't usually the case. Computer systems are deployed with little or no regard for regular software maintenance. We often have to take systems that have various levels of software updates and bring them all to a single version of software. This section addresses the various strategies you can use to determine the software patches installed and the ways you can ensure patches are installed on necessary computers.
All computer systems are not equal. Some may be critical to your business, while others could be removed with little notice. Because you cannot apply patches to all computers simultaneously, you must determine an order and priority for your patch application activities. Some basic rules apply to your decisions regarding patch application, including the following:
Web-based attacks that exploit a flaw in IIS, for example, would be most dangerous to computers that have direct exposure to the Internet. When a patch is available for a computer that publicly exposes the functionality that the patch addresses, it should be given a high priority. The patch should be applied to all computers as appropriate, but the more immediate need is to patch those computers most likely to be attacked.
While your product support web site may not be essential to your continued business operation, your central database server may be critical, and its loss would mean the demise of the company. When an update strategy and procedure is created, you should keep this in mind and assign priorities according to business need.
If you have internal firewalls and desktop-based virus scanners, your computers may be reasonably resistant to new attacks. This could give you enough time to test the patch and ensure its compatibility with your environment before deploying it. If your computers are completely undefended inside the corporate network, any exposure to an attack could be catastrophic until a patch is deployed to the entire company. Unfortunately, it is common for worms and viruses to "jump" firewalls through a variety of means, such as portable laptops and computers with modems.
Since the Windows 9x days, Microsoft has provided Windows Update (http://windowsupdate.microsoft.com), a web-based service that integrates with Windows to provide operating system updates and new features. You've probably used Windows Update yourself to download and install updates. Windows XP Professional and later versions of Windows even include Automatic Updates, a feature that can periodically check Windows Update for new updates, download them in the background, and apply them for you.
Windows Update is primarily intended for individual users and doesn't always make sense in an enterprise. Imagine, for example, that you configure thousands of client computers to automatically download and apply updates. Each time an update is available, each client computer will independently download a copy, which is an inefficient use of your company's Internet connection. Additionally, you won't have any opportunity to test and approve the updates before they are deployed to your client computers.
Microsoft Software Update Services provides a kind of "corporate edition" of Windows Update and is a more efficient and controllable means of managing security updates within your organization.
Software Update Services (SUS, pronounced suss) is a free download from the Windows web site (www.microsoft.com/windows). SUS consists of two components: a server and a client. The server component can run on Windows 2000 Server or Windows Server 2003; the client component is included in Windows 2000 Service Pack 3 and Windows XP Service Pack 1.
The SUS client is also available as a standalone download. However, the easiest way to deploy and configure it is to simply deploy the appropriate service pack to your client computers. You'll also receive the other benefits of the service pack, including bug fixes and security updates.
Once installed and configured, your SUS server will automatically download new updates from Windows Update. You'll be able to test and approve these updates, which will then be made available to computers running the SUS client. SUS handles only updates marked by Microsoft as critical, which includes all security updates. New features and other noncritical updates aren't handled by SUS, although client computers can still use Windows Update to obtain these updates.
To install SUS server, simply launch the Microsoft installer (MSI) file containing the software. As part of the installation, you'll specify a location where SUS will store its updates, as shown in Figure 15-8. This location should contain sufficient space for a large number of updates. Keep in mind that SUS server can download all available critical updates for all Microsoft operating systems, Internet Explorer, and other products.
After installing SUS, you can connect to the SUS administrative interface by using a web browser. Simply point the browser to http://server/SUSAdmin, replacing server with the name of the computer running SUS server.
You may need to configure one or more of SUS server's options, as shown in Figure 15-9. These options control SUS' use of proxy servers, allowing SUS to operate within your network.
Your first administrative step should be to configure a synchronization schedule as shown in Figure 15-10. This schedule allows SUS to automatically download new critical updates from Microsoft's servers (or from another SUS server in your organization). A weekly schedule is usually sufficient.
You can also manually trigger synchronization whenever you like, although a scheduled synchronization ensures that your SUS server always has the latest updates. Remember that SUS won't actually deploy these updates to clients until you've approved them, so there's no danger in having the latest updates on the SUS server.
After synchronization completes, you can use the Monitor Server tab of the SUS admin page to view the number of available updates, as shown in Figure 15-11. SUS categorizes updates by product, including versions of IE and Windows.
However, just because updates are available doesn't mean your client computers will receive them. First, you must approve the updates, giving you the opportunity to test them for compatibility in your environment. As shown in Figure 15-12, you can review the available updates and indicate which ones you approve for deployment to your clients. When client computers contact the SUS server, they will receive all approved, applicable updates for their operating system and other installed products (such as IE).
Once you have installed one or more SUS servers on your network, you'll need to configure the SUS client software on your client computers. Although you can manually configure the software on a per-client basis, it's far more efficient to use Group Policy to centrally configure all your client computers at once. First, determine the right place to apply a Group Policy Object (GPO).
For example, if you want all domain computers to use a centralized SUS server, you might apply an appropriately configured GPO to the domain. However, it's more likely that you'll deploy a SUS server for each major site within your organization. Doing so will allow clients to retrieve their updates locally, rather than using WAN bandwidth. In that case, it would make the most sense to configure a GPO and link it to Active Directory sites, creating a consistent, location-aware configuration for SUS.
Configuring SUS couldn't be easier: Simply open the Group Policy Editor. Under Computer Configuration, open Administrative Templates, then Windows Update. As shown in Figure 15-13, four policy settings control the SUS client software.
This policy setting activates the SUS client software and configures its primary behavior. You can configure client computers to automatically download and apply updates, to notify their users prior to downloading or installation, or to automatically download and notify prior to installation. The best choice is usually full automation, ensuring that users don't prevent the installation of important updates. You can also select the day of the week and time that available updates should be installed. For example, if users typically leave their computers on in the evenings, you might schedule installation for every night at 10 p.m., when users won't be impacted should a restart be required.
This is where you provide the URL of the SUS server that clients should use, which should be the URL of the SUS server that you've set up on your corporate network.
You can specify how long the client software should wait after system startup to begin installing updates that were missed. For example, if a user turns off his system in the middle of an update installation, the SUS client will not attempt to install the update again until the next scheduled time. By configuring this option, you can have SUS retry five minutes after the system restarts.
This policy allows you to prevent SUS from automatically restarting a client computer after installing updates that require a restart. When this policy is enabled, SUS will complete the update installation the next time the computer is restarted, rather than restarting it automatically.
Remember that these policies apply only to computers running Windows XP SP 1, Windows 2000 SP 3, or Windows Server 2003.
The Microsoft Baseline Security Analyzer (MBSA) is a tool used to verify the current state of security patches and settings on a computer. It is a direct result of customer feedback that there was no centralized tool to determine the security state of a computer.
MBSA has two goals for most Microsoft Windows operating systems and applications, including Windows Server 2003 and Windows XP:
Identify common security misconfigurations such as a blank administrator password or excessive users in the Administrators group
Identify missing security patches
MBSA has both a graphical interface and a command-line interface. This allows you to tailor your use of MBSA to the needs of your environment. For example, the command-line version of MBSA can be scripted or run as a regularly scheduled batch process. However, for ad hoc usage of MBSA, you may prefer the graphical interface. It provides a simple way to configure and launch the tool as well as view the report and take corrective action.
Among its numerous customer-driven features that make it a powerful and useful tool, MBSA can:
This can be done by selecting a domain name to scan or a range of IP addresses. Figure 15-14 shows the configuration range options.
This is also shown in Figure 15-14. This feature allows you to target specific MBSA checks. This saves time by scanning only the areas you feel are vulnerable or must verify.
MBSA can check the patch level of a targeted computer based on its own data or based on the patches loaded on your internal SUS computer. This is also shown in Figure 15-14 as the administrator has selected Woodgrove-sus.
When MBSA is done with its scan, it displays the results of the scan as shown in Figure 15-15. All scans and their results are shown, and the areas of security concern are highlighted. You can get more information on the exact criteria used for the scan, as well as the recommended corrective action, from this report. Furthermore, the reports are stored in XML so you can parse them with any XML-savvy program to create charts, analyze trends, or predict future statistics.
Using MBSA should not be part of your daily routine. An appropriately planned and implemented update strategy, as described earlier in this chapter, should eliminate your daily need for tools such as MBSA. It should be used in limited situations such as:
When a new widespread virus or worm appears that takes advantage of a known security flaw. At that time, you should use MBSA to ensure that your most vulnerable computers are protected with the appropriate patches. This allows you to spot-check those vulnerable servers. Although your update strategy should have already protected those servers, there's no harm in double-checking.
As a periodic audit tool to ensure your patch update strategy is working. You will be reviewing Audit Logs of these updates anyway, but MBSA allows you to periodically choose a critical server and examine it for security vulnerabilities.
Any problems that MBSA exposes should not be fixed manually unless there is a time-critical need, such as protecting against a spreading attack. Rather, you should address discovered vulnerabilities by locating the cause of the problem such as a misconfigured update server or violation of a security policy. Locating the root cause of the problem ensures that the problem will not reappear later due to some fundamental flaw or loophole in your security strategy.
MBSA as an Attacker's Tool
You may say to yourself, when first reading about MBSA, "Wow! This is a great tool that can help me identify vulnerabilities." As you begin to read more reports and discover more vulnerabilities and misconfigurations in your environment, however, you may develop a different attitude. You may, as many people do, think that this tool is a little too aware of your misconfigurations. It seems to find so many problems.
You may also realize that you're not the only person who's downloaded MBSA. And that Microsoft doesn't require any type of "good deed oath" to download it. An attacker could use it to footprint your network and get the same information. She could then launch an attack based on a vulnerability from an MBSA report.
While this is true, it's a little shortsighted. Literally hundreds of existing attacker tools are available on the Internet right now. Many of them are redundant with MBSA and many are legitimate tools used by security professionals for penetration testing. An attacker could easily get the same information using a different, non-Microsoft tool.
So don't blame Microsoft for telling anyone who cares to listen about your vulnerabilities. Just fix them!
MBSA can be downloaded from http://www.microsoft.com/technet/security/tools/tools/MBSAHome.mspx. Details on exactly what vulnerabilities MBSA scans for and how it determines patch levels are included in the Baseline Security Analyzer white paper located at http://www.microsoft.com/technet/security/tools/tools/mbsawp.mspx.