Patch Management

[tonybradley]

After SQL Slammer hit, one of my customers wanted to do a sweep of all systems to find out what patches and hotfixes might still be missing. Of course, they also wanted to do it for free. They ended up using the latest release of the Microsoft Baseline Security Analyzer (MBSA) to scan the computers on their network.

MBSA has its issues, but overall it seems to work pretty well for a free product. In the end, we ended up with a report enumerating the security vulnerabilities on the various systems that had yet to be patched. We wanted to address the more critical patches first- but it raised the question that we may undo a more current patch if we went out of order and applied an older patch after the fact.

Then I heard about Update Expert from St. Bernard software:

UpdateEXPERT is a software patch vulnerability assessment tool that scans your networked systems for missing patches and remediates discovered weaknesses for increased protection. UpdateEXPERT features an extensive database (including service packs, hotfixes and other patches) that is maintained by St. Bernard Software's software patch experts.

MORE

The nice thing about this software is that it will do the same things as MBSA- scan all systems and determine missing patches and hotfixes, but it has added features. It also lets you manage the patch implementation and track progress. Given a set of patches to apply it automatically orders them properly so they won't conflict with each other.

This is a Microsoft-centric solution- working with Windows NT / 2000 / XP, IIS, Terminal Server, SQL Server, Exchange Server, Internet Explorer, Windows Media Player, Netmeeting, Office and Outlook. Its also not free, but I believe it is reasonably priced.

I recommend that anyone struggling to keep up with which patches need to go on which Windows boxes and in what order take a look at this product.

....no, I am not receiving a commission from St. Bernard Software (maybe I should contact them about that oversight?)

[MrLinus]

Interesting tool. I'll have to check it out later this summer when I begin my devel of a Windows Security course.

Here's what I don't understand. Why couldn't they do something like the tool that Red Hat has? up2date, included as part of the OS, automatically checks and compares your system to what vulnerabilities are found. Updates are done -- including kernel updates -- via a simple push of the button. Downloads and installs are done (without reboots) and the system continues.

Windows Update is ok but it means I have to visit their website and I have found that to be an annoying experience at times. Up2date is a tool -- system admin run -- that is included. After my first year of free service, I can either continue by manually checking or paying a modest fee ($60/yr) to get updates. They also have a mail service to notify me of vulnerabilities.

It's not to say that up2date is perfect but I think it's a step above Windows Update. Given the price paid for Microsoft Server products, I would think a little support should be included.

[tonybradley]

Well, aside from manually visiting the Windows Update site they have introduced Automatic Update which does notify you when critical updates are available.

The problem is that it is not comprehensive enough or reliable enough. Plus, they also have an Office Update site which you have to manually go to separately from the Windows Update site if you want to scan for new Office updates.

If they would beef it up so that we could be confident that it is correct and ensure that it scans for vulnerabilties not only in Windows, but in as many additional technologies as possible- IIS, Exchange, SQL Server, Internet Explorer, Microsoft Office, etc. then they would have something similar to Up2Date and something system admins could rely on.

[HTRegz]

Hey Hey

MsM:
You can have Windows Update run automatically and then you don't have to visit the site. I do that on this 2K laptop.

[Edit]
Looks like our thoughts overlapped on this one Tony
[/edit]

Tony:
Sounds like a decent product.. I might have to play around with the demo on their page....

As for me... I scan the computer on my network with GFI LANguard N.S.S. on a regular basis... It tells me everything going on with my system. What patches I need and alerts me on what's going on with my system, as well as displaying my policies, my registry, what patches are installed, and what ports are open.

I swear by the program, it's incredible.... Anyways.. that's just my two cents.

[MrLinus]

Well, I'd want to know what it's downloading but I don't want to open my browser for it. Their scripts just annoy me and I've seen one place filter them so you can't access anything then. In addition, up2date also tells me WHY I need to patch something. Each patch has a little info blurb with it. It's a nice little tool that is unobtrusive but effective.

But Tony has hit on the more important point. If I have a RH Linux box with Apache installed and other tools, it even checks for updates on that. That is what Windows Update should do. AFAIK, WU does not check for the status of IIS, SQL, Exchange, etc. (oddly enough all MS products -- you'd think it would -- go figure).

That is what I think WU should be doing.

[ConsummatumEst]

AFAIK, WU does not check for the status of IIS, SQL, Exchange, etc. (oddly enough all MS products -- you'd think it would -- go figure).

That's the part of this whole update situation that kills me. Microsoft pushes their Baseline Security tool as the end all solution for Microsoft Security, yet what did it do towards securing computers against the Slammer worm? Absolutely nothing. Part of the fault is Microsoft's for leading consumers to believe that running the MBSA on their systems makes their systems secure and up to date. And of course part of the fault lies with each consumer for not taking the time to understand what the MBSA actually does. If consumers as a whole understood that it was just another tool in their security arsenal instead of a total solution, the Slammer incident would have been a mere footnote in some obscure corner of computer security instead of making headlines in the news and crippling portions of the internet.

If linux users aren't careful, they too could someday fall prey to a worm like the slammer worm. Up2date is a great tool, and it's a valuable tool in my security arsenal, but I think a lot of new users make the same assumptions about up2date that MS users made about the MBSA - that running it made them secure. In some cases, a false sense of security is worse than no security at all.

[MrLinus]

Absolutely dead on ConsummatumEst (where'd you come up with this long handle!?!?!).

The reality is up2date is good security but better security still requires the human being element. I am on their mailing list plus about a dozen of Securityfocus' Bugtraq variations. I do daily visits to a variety of sites to keep up-to-date and informed.

But it still would be good to have a tool like the one suggested by Tony to help make finding those patches easier.

[ConsummatumEst]

My initials in real life are CE and I took too much latin in high school. CE works if you don't want to type the whole thing.

-CE

[nyx]

Well, Microsoft has released the Software Update Services, wich downloads the latest service packs from windows update and after an Admin aprove the updates it installs on the machine you have configured to use SUS on group policy.

It's good because u don't have to download the patchs from the internet to every machine, it installs directly from your server and after you aproved the updates it installs and if necessary reboots the client machines at the time you specified on the policy.

You also have an option of checking the last service pack installed by scripting on the logon script, so if the last patch isn't installed it launchs the install of the patch, but its much more complex and time consuming then SUS.

There is also a way to check and update the client machines through SMS, but I've never check it...

I think Microsoft isn't making a bad job on making available tools to keep windows machines updated, but it's just my 2 cents...