Tip

Windows Server Update Services weaknesses you may not know about

I've always believed that using what you've got is a wise approach to IT security, but just because a technology is built in or "free" doesn't mean it's the best solution for the enterprise. Microsoft's Windows Server Update Services (WSUS) is no exception. Without fail, in every internal security assessment I'm involved with, there's at least a handful -- often dozens or more -- of workstations that are missing critical patches. With auditors, regulators and malware writers doing everything they can to make IT administrators' lives more difficult, unpatched desktops are the last thing you need.

It doesn't require elaborate hacking skills to uncover these desktop vulnerabilities. All it takes is running a basic vulnerability scanner such as QualysGuard or GFI LanGuard to find the weaknesses. I often find missing patches in Windows XP dating back to 2002. Even current Windows 7 patches are absent. Yet, at the same time, WSUS reports that everything is current. What gives?

Even more of a concern is WSUS's lackluster ability to patch third-party software from Adobe, Java and the like. The extensibility is available, but it's hardly ever used. Unpatched third-party software is arguably the biggest desktop hole. According to Microsoft's 2011 Security Intelligence Report, Java exploits made up 33% to 50% of all exploits.

More on WSUS and Windows patching

How to remove a bad patch using WSUS

Answering a WSUS configuration question

Addressing problems with WSUS connectivity

Use WSUS to automate Windows patch management

Windows 7 has built-in security tools

The simple solution to this age-old problem may be to invest in a third-party patch management tool that can handle third-party applications. If your budget is a little tight, you may want to check out the open source Local Update Publisher tool that integrates with WSUS. The important thing is to not overlook third-party patches.

I've yet to get to the bottom of why WSUS falsely reports that all's well with Windows patching when that's not the case. It may be related to certain patch installations failing and Windows not reporting back to WSUS. Or perhaps admins, vendors or users have uninstalled certain patches, and the changes never made it to WSUS. Regardless, if you use WSUS, this is a problem that's virtually guaranteed to be on your network right now. There's only one way to find out: Run a vulnerability scanner of every desktop. Ideally, you'll want to run your first scan with authentication so the tool can actually log in to see everything that's missing.

Centralized management, control and visibility are essential for security. WSUS certainly helps in this regard, but it's not a complete solution. In security, the simple stuff will get you. Unpatched desktops should not be ignored. As Microsoft outlined in its Security Intelligence Report, nearly half of malware infections were the result of people making bad choices. You have to set your users up for success. A fragile and unproven patching process that facilitates the exploitation of user gullibility is not really a user problem. It's a failure of IT shops to use the proper security tools to keep desktops in check.

Know your environment -- including potential gaps in desktop security. Even if WSUS reports that all is well, you still need to verify. This Windows patching weakness is everywhere, and it doesn't have to be. Address gaps in desktop patch management today, and be done with it. There are many bigger and better things you can be doing with your time.

This was first published in January 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.