Regardless of what you think of patching and patch management, they are indeed a formidable issue to manage on Windows networks. Sure, you can enable Automatic Updates or deploy WSUS, but on any given network there's probably going to be at least a handful of systems that aren't patched, which means a handful of systems aren't secured the way they should be. This is a security gap your organization can't afford to bear.
The benefits of NAP
 |
| Desktop management tips from SearchEnterpriseDesktop.com |
| Sign up for our additional editions of SearchEnterpriseDesktop.com's Desktop Management Adviser to learn more about desktop management, security and virtualization. |
|
|
|
|
With Network Access Protection (NAP), which is Microsoft's version of network access control (NAC), native to Windows Server 2008, Vista and XP running Service Pack 3, you may finally be able to get a better handle on patching your enterprise desktops. But, it's not just about patch management: It's about looking at the overall security status of systems trying to connect to your environment. It also works across wired, wireless and remote access connections.
With Microsoft's NAP, you get:
- Proactive protection -- i.e., it prevents "unhealthy" systems with missing patches from ever connecting to your network.
- Proactive protection once computers are on -- i.e., it automatically patches non-compliant devices.
- Proactive disconnection from the network if anything changes -- i.e., it knocks off or quarantines systems that fall out of compliance for whatever intentional or accidental reasons, such as a patch being uninstalled.
Once you set up NAP (likely the biggest hurdle given its complexity), it will manage your Windows Vista and XP SP3-based systems automagically. Everything's seamless. I know there will be headaches and growing pains, but this is big. Time management experts say that one minute of work up front can save five minutes in execution down the road. I not only see NAP as a patch management enhancer -- among other things -- but I also see it as an excellent time management tool. In other words, less time commitment and (hopefully) fewer headaches for you later on.
Even if you deploy NAP on your network for the sole purpose of increased interoperability with third-party endpoint controls, it's probably worth it. After all, it's free.
Various third-party endpoint security vendors, such as Configuresoft, Lumension Security and St. Bernard Software, are now interacting with NAP. So if you already have one of their solutions deployed, you can better integrate their patch management and other functions directly into your Windows environment. With this I believe what we're seeing is the industry working toward operating with fewer clients.
Security is never 100% perfect -- there's always room for improvement. Given the growing complexity of our information systems, just about anything that can increase control and visibility in your Windows environment is a welcome relief. I really do like the concept of NAC and NAP, but I'm not convinced it's ready for prime time quite yet. Whether or not NAP is ready remains to be seen over the next year, but given all the missing patches I still come across in my work, I'm certain prime time is ready for it.
With our current patch management tools built into Windows and available via third parties, there's just no reason to not have this patch management thing nailed down. I believe that NAP may be just the ticket to fill in the gaps and bring patch management full circle. Good for the enterprise; bad for penetration testers.
About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
