Weed out those unpatched systems

Vulnerabilities are discovered in Windows operating systems and applications at a staggering rate. Some may be of little consequence to your network, while others may leave critical resources exposed to external threats. How do you go about finding the systems that need to be patched? Here are three approaches you can take:

Scan for specific vulnerabilities

If you just need to determine if any system on your network is vulnerable to a specific threat, try using a free scanning tool. Foundstone Professional Services, now a division of McAfee Inc., in Santa Clara, Calif., has tools available to scan systems that need to be patched for a variety of flaws or vulnerabilities. eEye Digital Security, in Aliso Viejo, Calif., also releases many free tools to scan for systems vulnerable to specific threats.

Scan for all vulnerabilities

Free tools are great, and the firms that create them are providing an important service. But the goal is often to scan the network for systems that need to be patched in general -- not to scan for systems that need to be patched only against a specific threat. For Windows environments, you can use the Microsoft Baseline Security Analyzer (MBSA), available for free from Microsoft. MBSA scans all current versions of the Windows operating system and many other Microsoft products, such as Exchange, SQL Server and Internet Information Services (IIS), and reports back about missing security updates and patches.

If you want to scan a network that includes non-Microsoft devices, or you want a more comprehensive scan that detects and reports missing patches for various applications and programs running on the network, you need something stronger. One of the best tools available is the recently released open source program Nessus 2.2.3. There are also commercial scanners like eEye's Retina or Bethesda, Md.-based Saint Corp.'s Saint Scanning Engine.

Proactively scan new systems

Scanning the entire network can be a valuable exercise that ultimately helps you maintain network security. But the scan is only as valuable as the last time it was run, and it is only effective for the devices that are scanned. If a new, unpatched machine is added to the network, the security of the network is still compromised.

Tools like Cisco System Inc.'s Network Admission Control, Trend Micro Inc.'s Network VirusWall 300 and StillSecure's Safe Access help corporate network administrators check that devices are patched, running updated antivirus software and conform to corporate security policies before allowing the devices to join the network. A device that doesn't conform may be redirected to a server where it can obtain the resources needed to conform to network security policy, or it can simply be denied access to the network.

Tony Bradley is a consultant and writer with a focus on network security and antivirus and incident response. He is the About.com guide for Internet/Network Security, providing a broad range of security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.

More Information from SearchWindowsSecurity.com

  • Tip: Learn what not to do when patching Windows systems
  • Tip: Get help prioritizing critical Windows patches
  • Topics: Research new Windows patches and get patching best practices in this section

  • This was first published in March 2005

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.