Patching may be a mundane task, but the reality is we’ve yet to master it. Although we’re in an era of automatic software updates, you still need centralized visibility and control to keep everything in check.
In any network security assessment I do, I inevitably come across workstations running Windows Server Update Services and Windows Update that aren’t properly patched. Whether this is a Microsoft flaw or an internal misstep is unclear, but it’s a dilemma across every industry. A big part of the problem is that organizations rely on Microsoft to do all the work. After all, the flaws are in Microsoft’s software, so subsequent patches are its responsibility, right?
As with anti-malware, logging and monitoring, and network intrusion prevention systems (IPS), just because Microsoft offers a patching option doesn’t mean it’s a good fit for your business.
There are many third-party alternatives for keeping Windows 7-based systems up to snuff, including:
These vendors have lots of bells and whistles for enterprise patching, like patching third-party software, that Microsoft doesn’t. Based on new research on patching offline/dormant virtual machines, we can expect even more advances in desktop patching, especially from third-party vendors.
Another mistake enterprises make is assuming that Microsoft's commitment to releasing security updates, together with the enhanced security features in Windows 7, will keep them safe. This isn’t necessarily the case.
Windows endpoints often serve as the path of least resistance in the enterprise. Although I've found Windows 7 to be secure, that applies to it as well. You have to keep Windows 7 and any running third-party software well patched. This is especially important because tools such as Rapid7’s Metasploit and its easier-to-use commercial counterpart, Metasploit Express, can be used maliciously. They both serve a legitimate purpose, but they can easily be used against enterprises. One rogue user or piece of malware combined with a single unpatched Windows 7 system is all it takes to harm the enterprise network.
It’s important to take a close look at Microsoft’s products and see how they’re working. Maybe they are, maybe they aren’t. Your internal security assessments and audits should paint the most accurate picture. Odds are there are some weaknesses. It’s up to you to make some changes to get this beast under control once and for all.
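The kind of internal check the paragraph above calls for can be started with a script rather than a vendor console. The following PowerShell is an added example, not code from the article or from any of the products it mentions. It reads what is installed from Get-HotFix and asks the built-in Windows Update Agent COM API (Microsoft.Update.Session) which applicable updates are still missing, then flags the host if it has gone too long without a patch or has outstanding Critical or Important updates. The 45-day threshold, the CSV path and the requirement for PowerShell 3.0 or later are assumptions chosen for illustration.

```powershell
# Added example (not the article's or any vendor's code): local patch-visibility check.
# Data sources (both built into Windows):
#   1. Get-HotFix (Win32_QuickFixEngineering) - what is installed and when
#   2. Windows Update Agent COM API - which applicable updates are not yet installed
# Assumes PowerShell 3.0+ and that the host can reach its WSUS server or Microsoft Update.

param(
    [int]$MaxDaysSinceLastPatch = 45,                       # assumed threshold
    [string]$ReportPath = "$env:TEMP\patch-report.csv"      # assumed output location
)

# --- 1. What is installed, and how long since anything was applied? ---
$hotfixes  = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$lastPatch = if ($hotfixes) { $hotfixes[0].InstalledOn } else { $null }
$daysSince = if ($lastPatch) { (New-TimeSpan -Start $lastPatch -End (Get-Date)).Days } else { $null }

# --- 2. What does the Windows Update Agent report as still missing? ---
# IsInstalled=0 limits the search to applicable updates that are not installed;
# Type='Software' leaves out driver updates; IsHidden=0 ignores updates someone hid.
# The search contacts the configured update source and can take a minute or two.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = foreach ($u in $result.Updates) {
    # MsrcSeverity is set for security updates (Critical/Important/Moderate/Low)
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        KBs      = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';'
    }
}

# --- 3. Summarise and decide whether this host needs attention ---
$highSeverity = @($missing | Where-Object { @('Critical', 'Important') -contains $_.Severity })

$summary = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    LastPatchDate   = $lastPatch
    DaysSinceLast   = $daysSince
    MissingUpdates  = @($missing).Count
    MissingCritical = @($missing | Where-Object { $_.Severity -eq 'Critical' }).Count
    NeedsAttention  = ($null -eq $daysSince) -or
                      ($daysSince -gt $MaxDaysSinceLastPatch) -or
                      ($highSeverity.Count -gt 0)
}

$summary | Format-List
$missing | Sort-Object Severity, Title | Format-Table -AutoSize

# One row per host so results from many machines can be merged into a central view,
# which is the "centralized visibility" the article asks for.
$summary | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it as a scheduled task or through remoting and collect the CSV rows centrally; a host with NeedsAttention set to True is one where the vendor's automatic updating has not done the job on its own, which is exactly the gap the assessment is meant to surface.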
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. He can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in January 2011