After the recent spate of virus-related network outages at major corporations, you may be wondering how well your own systems are protected against malicious software and viruses. While no system can be 100% foolproof in protecting your computer-based assets, there are a number of steps you can take to ensure that your network assets are as secure as possible.
Don't bother looking for one single measure, technique or software package that can protect your network. Instead, you should strive to achieve "defense in depth" where you have layer upon layer of security measures in place. Just as you should maintain redundant copies of your organization's data to protect yourself against disaster, you should likewise have more than one measure in place to provide additional security and protection for your critical resources.
Patching better than it was, still a chore
While limiting the release of software patches to one day a month -- on "Patch Tuesday" -- has made the process somewhat simpler to manage (compared to earlier years where systems administrators would sometimes receive notification of new patches multiple times in a single week), the fact remains that we still need a way to apply these critical patches to all computers in our internal network. Luckily there are a number of software utilities -- some free, some not -- that will help to automate the process for networks of any size.
For one or two computers in a small office environment, you can configure your network to receive updates directly from the Microsoft Web site using Windows Update service. The disadvantage to this is that you have no way of picking and choosing which updates are downloaded and installed from the Microsoft site; you receive every available update that applies to your computer.
If you have even one dedicated server in your environment, you can improve the situation by installing Software Update Services, which runs on Windows 2000 and Windows Server 2003 and deploys critical security updates only. Or, install Windows Server Update Services, which runs on 2003 only but will deploy patches and service packs for a much wider range of products including SQL Server and Microsoft Exchange.
SUS and WSUS are free downloads; both products allow you to point clients to your local server to receive updates, and they will only receive those specific updates that you have approved for distribution. You can even scale a SUS or WSUS deployment to support multiple locations by configuring local "child" SUS/WSUS servers in individual branches to obtain their updates from a "parent" SUS/WSUS server at your main office. You would configure your clients to "check in" with the SUS/WSUS server on a regular basis using Group Policy or by modifying registry keys on each workstation.
Some food for thought on drawbacks
The one major drawback to SUS/WSUS in my mind is that there is no good way to forcibly push out a specific update; you need to wait for the next time each client "checks in" with the SUS/WSUS server. If you must exert more control over the update process than this, you can move to a paid product such as Microsoft's Systems Management Server, which is a systems management tool that includes patch management as one of many features. If SMS is overkill for your needs, opt for a third-party tool that is dedicated solely to patch management, like Shavlik's HFNetChkPro.
One concern that many corporations have about software updates is one of software compatibility: What if one of the new Microsoft updates causes our mission-critical accounting or human resources software to malfunction? Some people take a wait-and-see approach to solving this problem -- they'll wait a few days or even a week or two after Patch Tuesday to see if anyone reports problems with the new updates.
Waiting can be somewhat dangerous, though, because of something called a "zero-day exploit." You've probably heard about this phenomenon on the news recently, but what does it actually mean? Microsoft releases patches to correct vulnerabilities in its software. A side effect of patch releases, unfortunately, is that they also notify hackers that a vulnerability exists which they can exploit or use to create a new worm.
Typically, it takes a bit of time for virus writers to develop these exploits once Microsoft releases its updates. But, a zero-day exploit is one that is released on the Internet on the same day that a patch is made available for it -- and sometimes even before. So, in the time it takes you to wait and see if new patches are safe to install, you may be putting your critical systems at risk.
Your organization's security will be much better served if you devote a chunk of time every Patch Tuesday to downloading and testing the new updates against your line-of-business applications, and then deploying those patches as quickly as possible.
10 tips in 10 minutes: Windows IT management
Tip 1: The long-range plan for 64-bit hardware
Tip 2: A Window into interoperability
Tip 3: Third-party software: Do you need it?
Tip 4: Buy 64-bit now; you won't regret it
Tip 5: Maintaining a secure Active Directory network
Tip 6: Firewalls can help or hurt, so plan carefully
Tip 7: Weak passwords can make your company vulnerable
Tip 8: Keys to finalizing your Active Directory migration
Tip 9: Network safety relies on reaction time to Patch Tuesday
Tip 10: Make friends with your security auditors
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-networking. She is the author of the "Active Directory Field Guide" (APress Publishing). You can contact her at firstname.lastname@example.org.