Securing a network is not simply a matter of designing a protected environment and implementing it. You must also maintain that environment, because the threats to your network are constantly changing and you must continually compensate for those threats. Microsoft regularly releases updates and patches for its operating systems, but obtaining and deploying these releases on a large network installation is more complicated than updating a single computer. To keep your network protected, you must create a plan for obtaining the latest security update releases on a timely basis and deploying them on your network in a controlled manner.
Understanding Software Update Practices
Virtually all software products have to be updated, some more frequently than others. Operating systems are usually updated on a regular basis, and Microsoft releases its primary updates in the form of service packs. A service pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue. For support personnel, the large number of patches available and the uncertainty surrounding which patches had been installed on a particular computer made the task of troubleshooting software problems extremely difficult. Service packs install all the available patches at one time, enabling the support staff to know which updates are present on the computer.
See Also: Microsoft uses service packs to update all its major applications, as well as its operating systems. Other software manufacturers also use the same basic method for updating their products, although their releases often have different names.
Service packs are not the only updates that Microsoft releases, however. Because service packs require a great deal of testing, Microsoft releases them relatively infrequently. In between service pack releases, Microsoft releases individual patches called hotfixes. A hotfix is a small patch designed to address a specific issue. While Microsoft recommends that all users install the service pack releases, hotfixes are often intended only for computers experiencing a particular problem.
Update releases might include bug fixes, new features, or drivers, but for network administrators, security updates are often the most important releases. In many cases, Microsoft releases hotfixes to address specific security issues that cannot wait until the next service pack release. Security updates are relatively frequent and, in some cases, must be installed as quickly as possible to eliminate a potential hazard.
Using Windows Update
Windows Update is a World Wide Web site that Microsoft maintains, which enables any computer running any version of the Microsoft Windows operating system to locate and download the latest operating system and driver updates and patches. When a computer connects to the Windows Update site, it downloads an application that examines the computer's current configuration and compiles a list of all the updates and patches the system needs (see Figure 1). The user can then download and install all the selected updates at once, simplifying the maintenance process.

For a single user running a home computer, Windows Update is a great way to keep a computer current, but it is generally not suitable for use on networks, for the following reasons:

Bandwidth
Each time a computer receives an update release using Windows Update, it downloads the software from a Microsoft server on the Internet. On a large network, this would mean that hundreds or thousands of computers are downloading the same files. For small updates, this might not be a problem, but Windows service packs are usually more than 100 megabytes (MB), and downloading the same file for every computer could monopolize an enormous amount of the network's Internet bandwidth.

Testing
Although Microsoft tests its updates carefully before releasing them, the company cannot possibly test every combination of configuration settings and software products. Therefore, it is possible for a particular update to cause problems with some or all of the computers on your network. Here again, for a single computer, this might not be a major issue, but if an update causes a problem on all a network's computers, the loss of productivity and the added burden on technical support personnel could be catastrophic.
Updating a Network
In a network environment, deciding which updates to install and when to install them should not be left up to the individual user. Administrators must be responsible for obtaining updates when they are released and deploying them on the network in a timely manner. However, network administrators should not immediately install every update that appears. It is important to test the update releases first. This is one of the reasons that a network installation should have a security update infrastructure.
A network security update infrastructure is a series of policies that are designed to help the network administrator perform the following tasks:

Determine which computers need to be updated
In some cases, a new security update might apply only to computers performing a specific function or using a specific application or feature. Network administrators must understand each release's specific function and determine which computers require the update.

Test update releases on multiple system configurations
A security update that causes a malfunction might be just an annoyance on a single computer, but on a large network, it could be a catastrophe. Network administrators must perform their own tests of all security updates before deploying them on the entire network.

Determine when updates are released
Microsoft frequently releases security updates that might or might not be applicable to the systems on your network. Network administrators must be aware of new releases when they occur and must understand the specific issues each release addresses.

Deploy update releases on large fleets
Manually installing security updates on hundreds or thousands of computers requires enormous amounts of time, effort, and expense. To deploy updates on a large network efficiently, the process must be automated.
Microsoft has made tools available that help the administrator accomplish these tasks, such as those discussed in the following sections.
Using Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is a graphical tool (see Figure 2) that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system. These lapses are typically due to incorrect or incomplete configuration of security features and failure to install security updates. The security faults that MBSA can detect are as follows:

Missing security updates
Using a list of current update releases obtained from a Microsoft Internet server or from a local Microsoft Software Update Services (SUS) server, MBSA determines whether all the required service packs and security updates have been installed on the computer, and if not, compiles a list of the updates that need to be installed.

Tip: MBSA replaces an earlier Microsoft update checking utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates. MBSA includes all the functionality of Hfnetchk.exe, including the command line interface, which you can activate by running Mbsacli.exe with the /hf parameter.

Account vulnerabilities
MBSA checks to see if the Guest account is activated on the computer; whether there are more than two accounts with Administrator privileges; whether anonymous users have too much access to the computer; and whether the computer is configured to use the Autologon feature.

Improper passwords
MBSA checks the passwords on all the computer's accounts, to see if they are configured to expire, are blank, or are too simple.

File system vulnerabilities
MBSA checks to see whether all the disk drives on the computer are using the NTFS file system.

IIS and SQL vulnerabilities
If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.
In addition, MBSA displays other information about security on the computer, such as a list of shares, the Windows operating system version number, and whether auditing is enabled.
MBSA is an informational tool that can display security information about a computer, but it cannot do anything to remedy the vulnerabilities that it finds. You can use MBSA to determine which security updates to install on specific computers, but to develop an effective security update infrastructure, you must implement a system to keep track of which security updates have been installed on every computer in the enterprise.
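The following PowerShell script is an added example, not code from the training kit or from MBSA, of the kind of tracking system the paragraph above calls for: it inventories the updates installed on a list of computers and reports which required updates are missing, while skipping updates that do not apply to a given computer (an IIS fix on a computer without IIS, for instance, as in the "Determine which computers need to be updated" task). It assumes PowerShell 2.0 or later on the administrator's workstation with WMI and Remote Registry access to each computer; the computer names and KB numbers are constructed placeholders, and Test-ServicePresent and Get-MissingUpdates are hypothetical helper names.

```powershell
# Added example (not from the training kit): inventory installed updates on a
# set of computers and report which required updates are missing.
# Assumes PowerShell 2.0+, an account with remote WMI access (Get-HotFix reads
# Win32_QuickFixEngineering) and Remote Registry access (used by Get-Service
# -ComputerName) on every target. Computer names and KB numbers below are
# constructed placeholders, not real releases.

function Test-ServicePresent {
    param([string]$ComputerName, [string]$Name)
    # Returns $true when the named service exists on the remote computer.
    $svc = Get-Service -ComputerName $ComputerName -Name $Name -ErrorAction SilentlyContinue
    return ($svc -ne $null)
}

# Required updates. 'AppliesIf' decides whether an update is relevant to a
# computer at all; an update that does not apply is never reported as missing.
$RequiredUpdates = @(
    @{ KB = 'KB000001'; Description = 'Example OS security update (placeholder)'
       AppliesIf = { param($c) $true } },
    @{ KB = 'KB000002'; Description = 'Example IIS security update (placeholder)'
       AppliesIf = { param($c) Test-ServicePresent -ComputerName $c -Name 'W3SVC' } },
    @{ KB = 'KB000003'; Description = 'Example SQL Server security update (placeholder)'
       AppliesIf = { param($c) Test-ServicePresent -ComputerName $c -Name 'MSSQLSERVER' } }
)

function Get-MissingUpdates {
    param([string[]]$ComputerName, [array]$Required = $RequiredUpdates)
    foreach ($c in $ComputerName) {
        # Collect installed HotFixIDs (they look like 'KB123456') in a hash table.
        $installed = @{}
        try {
            Get-HotFix -ComputerName $c -ErrorAction Stop |
                ForEach-Object { $installed[$_.HotFixID] = $true }
        } catch {
            # An unreachable computer is reported, never silently skipped: a
            # computer you cannot inventory is a computer you cannot vouch for.
            New-Object PSObject -Property @{
                ComputerName = $c; KB = ''; Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        foreach ($u in $Required) {
            if (-not (& $u.AppliesIf $c)) { continue }   # not relevant here
            if (-not $installed.ContainsKey($u.KB)) {
                New-Object PSObject -Property @{
                    ComputerName = $c; KB = $u.KB; Status = "Missing: $($u.Description)" }
            }
        }
    }
}

# Usage: computer names are constructed placeholders.
$report = Get-MissingUpdates -ComputerName 'FILESRV01', 'WEBSRV01', 'SQLSRV01'
$report | Sort-Object ComputerName, KB | Format-Table ComputerName, KB, Status -AutoSize
$report | Export-Csv -Path .\missing-updates.csv -NoTypeInformation
```

The CSV is the record the paragraph asks for: run the script on a schedule and keep each report, and you can show for every computer which required updates were present on which date, and which computers could not be checked. The required-update list is the part that must be maintained by hand as each new release is evaluated.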
Testing Security Updates
Before you deploy security updates on a network, you must test them to make sure they are compatible with all your system configurations. The amount and type of testing depends on the nature of the updates and the complexity of your network. For a major update like a service pack, testing should be extensive. You might want to test the release in a lab environment first, and then do a pilot deployment on a part of your network before proceeding with the general deployment. For smaller, minor updates, a pilot deployment might be sufficient, followed by a general deployment if no problems occur.
Using Microsoft Software Update Services
Deploying any software on a large network is a complicated task, and security updates are no exception. What might be a simple task on a single computer turns into a major project when you have hundreds or thousands of computers. Microsoft Software Update Services (SUS) is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network (see Figure 3).

SUS is essentially an intranet version of the Windows Update Web site that eliminates the need for each computer to download software updates from the Internet and eliminates the need to manually deploy the updates on multiple computers. Administrators can control which updates are applied to the network computers and when, automating the process so that users do not need to know or do anything.
SUS consists of the following components:

Synchronization server
One computer, running SUS, functions as a synchronization server, downloading all software updates from the Windows Update Web site as they are released. The administrator can allow the downloads to occur as needed; schedule them to occur at specific times (such as off-peak traffic hours); or trigger them manually. Once SUS downloads the updates, it stores them on the server. This eliminates the need for the administrator to continually check the Windows Update Web site for new releases.

Intranet Windows Update server
Once the SUS server has downloaded the updates, the administrator must decide whether the server deploys them immediately to the network or saves them for testing and later deployment. When updates are ready for deployment, SUS functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.

Automatic Updates
Automatic Updates is a Windows operating system feature that enables computers to download and install software updates with no user intervention. You can configure this feature on your client computers so that they get the updates from an SUS server on the local network rather than from the Windows Update Web site, restricting the updates to those approved by the network administrator.
Planning: The SUS server runs only on Windows Server 2003 and Microsoft Windows 2000 Server with Service Pack 2 or later. SUS clients must be running Windows Server 2003, Windows 2000, or Microsoft Windows XP.
To configure the computers on a network to retrieve and install updates from an SUS server, you can use group policies to avoid having to configure each system individually. The Computer Configuration\Administrative Templates\Windows Components\Windows Update container (see Figure 4) contains four policies that enable you to configure the Automatic Updates behavior for all your network computers.
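The Windows Update policies in that container are stored on each client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example, not code from the training kit or from Microsoft, that writes those values directly on a lab or standalone computer and then verifies that the client is actually pointed at the intranet server. The policy names in the comments are the four Automatic Updates policies from the Windows Update administrative template; the SUS server URL is a constructed placeholder, and Set-SusClientPolicy and Test-SusClientPolicy are hypothetical helper names. On a domain member, group policy rewrites these values at the next refresh, so the script is for verifying what a GPO should produce, not a substitute for one.

```powershell
# Added example (not from the training kit): registry values behind the
# Automatic Updates group policies, written directly so that a lab or
# standalone computer takes its updates from an SUS server.
# Assumes: run as a local administrator; the server URL is a constructed
# placeholder; on a domain member, group policy overwrites these values.

$SusServer = 'http://sus01.corp.example'   # constructed placeholder

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-SusClientPolicy {
    param(
        [string]$ServerUrl,
        [int]$AuOption   = 4,   # 2 = notify before download; 3 = download, notify
                                # before install; 4 = download and install on schedule
        [int]$InstallDay = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour = 3   # 0-23, local time
    )
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Policy: "Specify intranet Microsoft update service location"
    # WUServer alone does nothing unless UseWUServer is also set to 1.
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $ServerUrl -Type String
    Set-ItemProperty -Path $AuKey     -Name UseWUServer    -Value 1 -Type DWord
    # Policy: "Configure Automatic Updates"
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value $AuOption -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # Policy: "Reschedule Automatic Updates scheduled installations"
    # Minutes to wait after startup before running an installation that was missed.
    Set-ItemProperty -Path $AuKey -Name RescheduleWaitTime -Value 10 -Type DWord
    # Policy: "No auto-restart for scheduled Automatic Updates installations"
    Set-ItemProperty -Path $AuKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

function Test-SusClientPolicy {
    # $true only when the client is enabled AND directed at an intranet server;
    # a WUServer value without UseWUServer=1 still leaves the client on Windows Update.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    if ($wu -eq $null -or $au -eq $null) { return $false }
    return ($au.NoAutoUpdate -eq 0 -and $au.UseWUServer -eq 1 -and
            -not [string]::IsNullOrEmpty($wu.WUServer))
}

Set-SusClientPolicy -ServerUrl $SusServer
if (Test-SusClientPolicy) { "Client is configured to use $SusServer" }
else { "Client is NOT using the intranet update server" }
```

Test-SusClientPolicy is also useful on its own, run against computers that are supposed to receive the GPO: a client with NoAutoUpdate set to 1, or with WUServer present but UseWUServer missing, will quietly keep taking updates straight from Windows Update (or none at all), which defeats the testing and bandwidth goals the SUS deployment exists for.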
Tip: Be sure to understand the differences between the functions of Microsoft Baseline Security Analyzer and Microsoft Software Update Services.