Before using this How To, you should be aware of the following issues and considerations.
Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.
Develop and automate a patch management process that includes each of the following:
Detect. Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.
Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.
Acquire. If the vulnerability is not addressed by the security measures already in place, download the patch for testing.
Test. Install the patch on a test system to verify the ramifications of the update against your production configuration.
Deploy. Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.
Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.
The Microsoft Baseline Security Analyzer (MBSA) is a tool that is designed for two purposes: first, to scan a computer for vulnerable configurations; and second, to detect the availability of security updates that are released by Microsoft.
In this How To, you use MBSA without scanning for vulnerable configurations. When using the graphical user interface (GUI), specify this by unchecking the options in Figure 1 and choosing only Check for security updates.
When using the command line interface (Mbsacli.exe), you can use the following command to scan only for missing security updates.
Mbsacli.exe /n OS+IIS+SQL+PASSWORD
The /n option specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerabilities and weak passwords.
For more details about using MBSA, including the security configuration scan, see "How To: Use MBSA" in the How To section of this guide.
You should perform backups prior to deploying an update on production servers. Regularly test backups as well as your backup process. Discovering that your backup process is broken during restoration can be devastating.