Questions and Answers

1. 

Which of the following types of updates is/are cumulative? (Choose all that apply.)

1. Updates

2. Security updates

3. Critical updates

4. Hotfixes

5. Security rollup packages

6. Feature packs

7. Service packs

2. 

Which of the following types of updates can reduce the number of vulnerabilities on a computer? (Choose all that apply.)

1. Updates

2. Security updates

3. Critical updates

4. Hotfixes

5. Security rollup packages

6. Feature packs

7. Service packs

3. 

Which of the following types of updates have not been fully tested for compatibility by Microsoft? (Choose all that apply.)

1. Updates

2. Security updates

3. Critical updates

4. Hotfixes

5. Security rollup packages

6. Feature packs

7. Service packs

4. 

Which of the following pieces of information are not contained in a security bulletin?

1. Software affected by the vulnerability

2. Location from which to download update

3. Location from which to download programs that exploit vulnerabilities

4. Severity rating

1. 

g. Only service packs are cumulative, meaning that they include all previous service packs. Security rollup packages include multiple security updates, but they do not necessarily include every previous update.

2. 

b, d, e, and g. Security updates, security rollup packages, and service packs all include updates that remove known vulnerabilities. Hotfixes might or might not be security related.

3. 

a, b, c, d, and e. Only service packs and feature packs undergo a complete set of testing by Microsoft to ensure the highest level of compatibility with non-Microsoft applications. Other types of updates must bypass thorough testing in order to be released to customers quickly.

4. 

c. Security bulletins do not include a location from which to download programs that exploit the vulnerability. Other companies will frequently release tools to exploit a vulnerability, either to test your computers for the presence of the vulnerability, or to be used maliciously.

1. 

How does your current organization deploy updates to computers on the network?

2. 

How long does it take for updates to be delivered to computers on your network? Is the current delay acceptable, or does it leave your network vulnerable to attack?

3. 

Who decides on whether an update should be deployed? In retrospect, have updates been deployed unnecessarily, or have important updates been skipped? Is the same group responsible for both identifying and deploying updates, and, if so, is this a conflict of interest?

4. 

If you had the opportunity to perform an overhaul of your organization’s updating infrastructure, which deployment method would you use?

1. 

Answers will vary based on your own experience.

2. 

Answers will vary based on your own experience.

3. 

Answers will vary based on your own experience.

4. 

Answers will vary based on your own experience. However, Software Update Services is the ideal method for deploying updates for most organizations that do not use Systems Management Server.

1. 

Which of the following deployment methods gives administrators the opportunity to approve updates before releasing them to clients? (Choose all that apply.)

1. Windows Update

2. Software Update Services

3. Group Policy

4. Add/Remove Programs

5. Systems Management Server

2. 

Which of the following deployment methods can be used to automatically deploy all security updates that Microsoft releases to client computers, without administrator intervention? (Choose all that apply.)

1. Windows Update

2. Software Update Services

3. Group Policy

4. Add/Remove Programs

5. Systems Management Server

1. 

b, c, d, and e. Only Windows Update, which users use to manually apply updates to their own computers, denies the administrator the opportunity to choose which updates to deploy.

2. 

a, b, and e. Windows Update, Software Update Services, and Systems Management Server can all be configured to automatically deploy updates to clients. Windows Update and Software Update Services rely on the Automatic Update client being correctly configured to download and install updates.

1. 

Has your organization formally identified and documented an updating process? If so, what is that process?

2. 

Has your organization ever had to remove an update after deploying it? If not, are you prepared to quickly remove an update from all computers on your network?

1. 

Answers will vary based on your own experience.

2. 

Answers will vary based on your own experience.

1. 

How can you validate that an update is genuine?

2. 

Which requires more testing, a service pack or a security update?

1. 

Security bulletins released by Microsoft are Pretty Good Privacy (PGP) signed. You can verify the PGP signature of the message by using a PGP tools application, which is available from various software companies. You can also retrieve the security bulletin directly from the Microsoft Web site. If you retrieve the bulletin by using Hypertext Transfer Protocol Secure (HTTPS), you can verify the certificate of the server. Finally, you can verify the actual update itself by right-clicking the file, clicking Properties, and then clicking the Digital Signatures tab.

2. 

Generally, a service pack requires more testing than a security update because a service pack implements many more changes than a security update.

1. 

How should you validate the updates your friend described to be sure that they really were released by Microsoft?

2. 

Which of the computers should receive the update titled Buffer Overrun in the HTML Converter Could Allow Code Execution (KB823559)? (Choose all that apply.)

1. The computer running Windows 2000 Server

2. The computer running Windows Server 2003

3. The computers running Windows XP Professional

4. The computers running Windows 98

5. The networked printer

6. The hardware firewall

7. The hardware router

3. 

Besides applying the update, how can you protect your network from the vulnerability resolved by the update titled Buffer Overrun in the HTML Converter Could Allow Code Execution (KB823559)?

4. 

Which of the computers should receive the update titled A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs (KB824146)? (Choose all that apply.)

1. The computer running Windows 2000 Server

2. The computer running Windows Server 2003

3. The computers running Windows XP Professional

4. The computers running Windows 98

5. The networked printer

6. The hardware firewall

7. The hardware router

5. 

Which of the computers should receive the update titled Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (KB825119)? (Choose all that apply.)

1. The computer running Windows 2000 Server

2. The computer running Windows Server 2003

3. The computers running Windows XP Professional

4. The computers running Windows 98

5. The networked printer

6. The hardware firewall

7. The hardware router

6. 

Which of the computers should receive the update titled Update for Windows Media Player Script Command Behavior (KB828026)? (Choose all that apply.)

1. The computer running Windows 2000 Server

2. The computer running Windows Server 2003

3. The computers running Windows XP Professional

4. The computers running Windows 98

5. The networked printer

6. The hardware firewall

7. The hardware router

7. 

How should you handle updates for the printer, firewall, and router?

1. 

Though your friend is being honest, there have been several viruses and worms that masqueraded as updates from Microsoft. You should visit the Microsoft Web site and look up each of the Knowledge Base (KB) articles referenced. You can use the URL http://support.microsoft.com/?kbid=###### (where ###### is the number of the particular article) to access a KB article directly. For example, to read KB article 823559, you can visit http://support.microsoft.com/?kbid=823559. You should only retrieve the updates directly from Microsoft.

2. 

a, b, c, and d. The update applies to all Windows-based computers on your network, so all computers should eventually receive the update.

3. 

The vulnerability can only be exploited if a computer visits a malicious Web page. Therefore, you can remove the vulnerability without applying the update in several different ways:

• Configure the firewall to block all outgoing Web requests.

• Use Group Policy objects to restrict computers from visiting untrusted Web sites.

• Use Group Policy objects to remove user access to Internet Explorer.

4. 

a, b, and c. All computers on your network should eventually receive this update, except for the computers running Windows 98, which do not require the update. (Complete information about which systems the update applies to is located in the Knowledge Base article.) Note that the firewall will protect all computers from an attack originating from the public Internet. However, you have mobile computers behind your firewall. If one of these mobile computers connects to another network, such as the user’s home network or a network at an airport or coffee shop, the computer could be infected by an attack to that vulnerability. When the infected computer connects to your network, the malicious program can propagate to the other computers behind your firewall because the firewall is only blocking requests originating from the public Internet.

5. 

b and c. This particular vulnerability is considered critical only for computers running Windows Server 2003 and Windows XP. Although computers running Windows 2000 are technically vulnerable, they cannot be exploited, and you can safely wait until the next service pack is released to update these computers.

6. 

c. Only the computers running Windows XP need to receive this update, because they are the only computers likely to be using Windows Media Player. Server computers should not be using Windows Media Player, and they should have that component of Windows removed to protect against the vulnerability.

7. 

Almost every networked device requires occasional updates. However, Microsoft is only responsible for releasing updates for Microsoft software. You should regularly visit the Web sites of the vendors you purchased the printer, firewall, and router from to learn about security updates that have been released for the devices.

1. 

“Our Operations group decided not to deploy an update that would have prevented this worm infection. Their reasoning was that an attack against the vulnerability would have to connect to the computers across the network, and we have a firewall blocking that traffic on our Internet connection. How could we have gotten infected?”

2. 

“What can we do to prevent this from happening in the future?”

3. 

“We simply don’t have time to apply all these updates to our computers. How can we possibly keep up?”

1. 

Perimeter security is insufficient to protect modern networks because mobile clients might become infected while connected to different networks, and then introduce worms and viruses behind the firewall. After it is introduced, a worm or virus can spread quickly on the unprotected internal network.

2. 

First, you need to separate the roles of evaluating and deploying updates. Currently, your Operations group is performing both roles. They cannot objectively identify updates to be deployed because each update they identify requires them to perform additional work. They might be inclined not to deploy an update when they are already occupied with more interesting assignments.

Second, you need to acknowledge that perimeter security is insufficient to protect against network-borne attacks. You must apply updates to clients on the internal network. In addition to updating internal computers, using host-based firewalls in addition to a perimeter firewall will significantly reduce the likelihood that a worm or virus will spread within your internal network.

3. 

Choose an automated update deployment mechanism, such as Software Update Services and the Automatic Update client. The effort required to deploy updates, even to a large organization, is minimal. It’s certainly less than the effort required to clean up an entire network of computers that have become infected because a vulnerability was not updated.