Vulnerabilities are discovered in Windows operating systems and applications at a staggering rate. Some may be of little consequence to your network, while others may leave critical resources exposed to external threats. How do you go about finding the systems that need to be patched? Here are three approaches you can take:
Scan for specific vulnerabilities
If you just need to determine if any system on your network is vulnerable to a specific threat, try using a free scanning tool. Foundstone Professional Services, now a division of McAfee Inc., in Santa Clara, Calif., has tools available to scan systems that need to be patched for a variety of flaws or vulnerabilities. eEye Digital Security, in Aliso Viejo, Calif., also releases many free tools to scan for systems vulnerable to specific threats.
Scan for all vulnerabilities
Free tools are great, and the firms that create them are providing an important service. But the goal is often to scan the network for systems that need to be patched in general -- not to scan for systems that need to be patched only against a specific threat. For Windows environments, you can use the Microsoft Baseline Security Analyzer (MBSA), available for free from Microsoft. MBSA scans all current versions of the Windows operating system and many other Microsoft products, such as Exchange, SQL Server and Internet Information Services (IIS), and reports back about missing security updates and patches.
If you want to scan a network that includes non-Microsoft devices, or you want a more comprehensive scan that detects and reports missing patches for various applications and programs running on the network, you need something stronger. One of the best tools available is the recently released open source program Nessus 2.2.3. There are also commercial scanners like eEye's Retina or Bethesda, Md.-based Saint Corp.'s Saint Scanning Engine.
Proactively scan new systems
Scanning the entire network can be a valuable exercise that ultimately helps you maintain network security. But the scan is only as valuable as the last time it was run, and it is only effective for the devices that are scanned. If a new, unpatched machine is added to the network, the security of the network is still compromised.
Tools like Cisco System Inc.'s Network Admission Control, Trend Micro Inc.'s Network VirusWall 300 and StillSecure's Safe Access help corporate network administrators check that devices are patched, running updated antivirus software and conform to corporate security policies before allowing the devices to join the network. A device that doesn't conform may be redirected to a server where it can obtain the resources needed to conform to network security policy, or it can simply be denied access to the network.
Tony Bradley is a consultant and writer with a focus on network security and antivirus and incident response. He is the About.com guide for Internet/Network Security, providing a broad range of security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
More Information from SearchWindowsSecurity.com
This was first published in March 2005