Enhancing patch management with NAP

Regardless of what you think of patching and patch management, they are indeed a formidable issue to manage on Windows networks. Sure, you can enable Automatic Updates or deploy WSUS, but on any given network there's probably going to be at least a handful of systems that aren't patched, which means a handful of systems aren't secured the way they should be. This is a security gap your organization can't afford to bear.

The benefits of NAP

With Network Access Protection (NAP), which is Microsoft's version of network access control (NAC), native to Windows Server 2008, Vista and XP running Service Pack 3, you may finally be able to get a better handle on patching your enterprise desktops. But, it's not just about patch management: It's about looking at the overall security status of systems trying to connect to your environment. It also works across wired, wireless and remote access connections.

With Microsoft's NAP, you get:

Once you set up NAP (likely the biggest hurdle given its complexity), it will manage your Windows Vista and XP SP3-based systems automagically. Everything's seamless. I know there will be headaches and growing pains, but this is big. Time management experts say that one minute of work up front can save five minutes in execution down the road. I not only see NAP as a patch management enhancer -- among other things -- but I also see it as an excellent time management tool. In other words, less time commitment and (hopefully) fewer headaches for you later on.

Even if you deploy NAP on your network for the sole purpose of increased interoperability with third-party endpoint controls, it's probably worth it. After all, it's free.

Various third-party endpoint security vendors, such as Config

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows desktop security tips How Windows 7 stands up to security tests Securing sensitive data on Windows-based laptops Gathering and documenting your Windows desktop security policies Windows desktop security standards documentation best practices Desktop security preparation for a new wave of Windows apps Four Internet Explorer 8 group policy security settings The state of enterprise security and emerging threats in 2009 Why should Windows shops use Microsoft Baseline Security Analyzer? A first look at Windows 7 security enhancements Using Sysinternals tools in security management scenarios Microsoft Windows patches and critical updates Troubleshooting Microsoft WSUS connectivity issues Windows security tools for the busy desktop administrator Why should Windows shops use Microsoft Baseline Security Analyzer? The 10 most common Windows security vulnerabilities Windows security in the enterprise: Tutorials Microsoft will release three critical patches in May Critical patches for IE and Office released Have my Windows patches actually been installed? PatchLink Update 6.4 What's hot in Microsoft Windows security Windows Vista security issues, updates and alerts Ten ways to sell security to management Improve Windows security with our top 10 tips Windows Vista management tutorial Minasi says Vista SP1 solves problems, adds new ones Does Vista's strong security make it better than XP? Are Windows Vista's features silencing critics? Managing single sign-on security burdens in Windows Top 10 ways to improve Windows Vista security A Windows security checklist for IT managers Unauthenticated vs. authenticated security testing

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

uresoft, Lumension Security and St. Bernard Software, are now interacting with NAP. So if you already have one of their solutions deployed, you can better integrate their patch management and other functions directly into your Windows environment. With this I believe what we're seeing is the industry working toward operating with fewer clients.

Security is never 100% perfect -- there's always room for improvement. Given the growing complexity of our information systems, just about anything that can increase control and visibility in your Windows environment is a welcome relief. I really do like the concept of NAC and NAP, but I'm not convinced it's ready for prime time quite yet. Whether or not NAP is ready remains to be seen over the next year, but given all the missing patches I still come across in my work, I'm certain prime time is ready for it.

With our current patch management tools built into Windows and available via third parties, there's just no reason to not have this patch management thing nailed down. I believe that NAP may be just the ticket to fill in the gaps and bring patch management full circle. Good for the enterprise; bad for penetration testers.

About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.