Taking the First Step: Patch Management

It s tempting to get your security news from mass media outlets ”that way, you can find out about new security holes as you check the stock market s performance and find out which Hollywood stars are abusing which substances. However, you ll be better off getting your security advisories from a more trustworthy (and technically accurate) source than the New York Times , CNN, the Wall Street Journal , or sites maintained by random Internet publishers (many of whom regularly amplify rumors or half-facts into full blown controversies), all of which have flubbed security disclosures in the past. What source do I recommend? Microsoft.

The MSRC-produced bulletins are available for free from a number of sources. The Microsoft bulletin site ( http://www.microsoft.com/technet/security/current.asp ) is the most authoritative , and it allows you to subscribe to a service that e- mails new bulletins to you as soon as they re released. A surprisingly small number of administrators use the service, which means that many people are missing out on a free, simple way to get immediate notification of new bulletins ”don t be one of them! A number of reputable security- related mailing lists (including NTbugtraq and Bugtraq) republish and rebroadcast these bulletins, often with commentary providing more detail on the threat level. However, this additional commentary sometimes delays the bulletins arrival in your inbox, and the mail-list processing strips off the Pretty Good Privacy (PGP) signature you would normally use to verify the bulletins authenticity.

Why am I interrupting the chapter to tell you all this? Because it s important. Right now, put this book down and go sign up to receive security bulletins through e-mail . Signing up only takes a short time and virtually guarantees you won t be taken unaware by future problems.

Downloading and Installing MBSA

MBSA itself is packaged as a Windows Installer (.msi) file you can obtain from http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp . Any user who has the ability to install programs can install MBSA; however, you can scan only the machines on which you have administrative rights, and that includes the local machine. This restriction is an important safety feature; because MBSA can scan IP ranges and domains, you wouldn t want anyone using it for nefarious purposes.

To install the product, just download the package to your local computer, saving it somewhere that you can find it again. Alternatively, when your Web browser asks whether you want to open or save the file, you can choose to open it to install the package without saving it locally.

Because MBSA is built as a Windows Installer package, you can make it available through Active Directory Group Policy Objects (GPOs). Doing so allows you to automatically install the tool on multiple computers. This can be useful in circumstances in which you don t have, and can t get, administrative access to every machine. Use MBSA in multiple-computer mode to scan machines you do have access to, and then install it locally on the others so that the local administrators can scan for flaws themselves .

Installation is simple: you are presented with a summary page and then the ever- popular end user license agreement page (EULA). Once you ve agreed to the EULA, you ll be asked to personalize MBSA with your name and organization, and to choose whether you want MBSA to be available to everyone on the computer or just to the account you re installing it with. Consider this question carefully . If an attacker actually gets on your machine and can elevate his or her privileges to admin level to run MBSA, he or she might be able to get a list of all of the potential vulnerabilities in your domain ”because administrators often configure systems identically (or close to it). This information could be very useful to an attacker. For this reason, we recommend that you restrict MSBA access to essential people only. After indicating your preference, there are a few more pages to click through ”including one on which you specify the install location ”but they re so simple there s no real point in discussing them.

Running MBSA

Once MBSA is installed, you re ready to run it. MBSA contains both a command-line interface (Mbsacli.exe) and a GUI (Mbsa.exe). The first time MBSA is launched (using either the shortcuts it installs or by running either of the mentioned executables), it attempts to download the current version of Mssecure.xml over a local Internet connection. It does so by contacting the Microsoft Download Center Web site and downloading a digitally signed .cab file that contains a compressed version of the XML file. After verifying the signature, the .cab file is decompressed and the local copy of the XML file is used until the next time MBSA is launched. Each time you run it, the tool checks the Download Center to see whether a newer version of the XML file is available. This might cause you to see notifications like the one shown in Figure 6-2, indicating that a new version of the .cab file is being downloaded.

Figure 6-2: If you have good security settings in Internet Explorer, you ll be notified whenever a signed ActiveX component or .cab file is downloaded.

MBSA Command-Line Switches

Table 6-1 shows the MBSA command-line options. These options simplify the process of using MBSA from the command line, although they don t eliminate the need for you to understand how to use the command-line interpreter.

Using HFNetChk-Style Command-Line Switches

The HFNetChk style of command-line options give you somewhat more flexibility than the MBSA-style options, at the cost of learning a more complicated syntax. You can use these options by specifying the /hf switch, followed by the switches you want to use. Because the MBSA GUI does a lot of the work for you, don t be surprised if your HFNetChk-style command lines are longer than their MBSA equivalents.

 Patch NOT Found MS02-008        Q318203 File C:\winnt\system32\msxml3.dll has an invalid checksum and its file version is equal to or less than what is expected. 

Using the Microsoft Software Update Services

Shortly before the release of Windows 2000 Server Service Pack 3, Microsoft released the Software Update Services (SUS) package, a radical upgrade to the Windows Update engine. Where Windows Update was originally targeted at individual users of any of the Windows family of operating systems, SUS is targeted squarely at medium- sized corporate and institutional networks that are using Windows 2000 Server, Windows XP, and Windows Server 2003 as their base operating systems. Since then, they ve released Service Pack 1 for SUS 1.0, which is the version I ll talk about in the remainder of this section.

The basic idea behind SUS is simple: it s designed to quickly deliver critical updates to machines inside your firewall. It does this by allowing you to set up a synchronization server on your network that periodically synchronizes itself with the master Windows Update catalog. This master server downloads critical updates and makes them available on your internal network (see Figure 6-4). As an administrator, you control which updates are copied to the synchronization server and when they re released to servers and desktops on your network. Those servers and desktops, in turn, can pull updates from your intranet s SUS servers (think of these machines as your own personal Windows Update machine) on a schedule you specify. You can set up a single SUS server that all clients use, or you can have a single server that pulls critical fixes from Windows Update and distributes them to a set of staging servers, from which clients get updates.

For example, you can set a schedule that tells the SUS client on your Exchange servers to automatically download and install any needed updates at 2 A.M. local time each day, rebooting if necessary. If you re the hands-on type, you could set a policy that would allow the Exchange servers to download the patches so that you could install them yourself.

Note

If you prefer, SUS can be set to automatically install patches. However, you ll almost certainly be happier , and safer, if you manually install patches on a test server, evaluate their impact, and then push those patches (and only those patches) to your internal SUS server for distribution to your production machines. Figure 6-4: The SUS server pulls data from Windows Update and makes it available on your intranet, subject to the policies you define.

The complete deployment and installation process for the SUS update servers you ll need on your network is straightforward; rather than go over it chapter and verse, I m going to outline the basic steps.

1. Decide which machines will act as SUS servers. SUS itself is fairly lightweight, so it doesn t require a superpowerful machine. However, even though you can make your Exchange servers act as SUS distribution points, I don t recommend this. Keep them separate, because both SUS and Exchange are providing security-sensitive services.

2. Download and install the SUS server, which you can get from http://go.microsoft.com/fwlink/?LinkId=6930 . The download package actually includes both SUS and Service Pack 1, so you don t need a separate download. Installing SUS actually installs three main components: the Windows Update Synchronization Service downloads content to the SUS server, an IIS subweb accepts client requests, and a separate subweb provides a Web-based administrative interface to SUS. As part of the SUS installation, Windows 2000 Server machines automatically get IIS Lockdown 2.0 (and its buddy, URLScan 2.5) installed. This might have side effects on other applications running on the same server, so be careful. Microsoft explicitly says that ASP.NET, SharePoint Team Services, and the FrontPage Server Extensions are known to work on the same server with SUS; for other applications, you re on your own.

3. Configure the SUS server. You do this through the SUS Web interface (available from http://yourServerName/SUSAdmin/ ); the basic steps are pretty simple. If your server requires a proxy server to get to the Internet, you can specify the server s location; you can also specify the DNS name of the SUS server so that clients can reach it. The most important step in this process is probably specifying where your SUS server should get content. You can allow it to pull data directly from Windows Update, or from another server inside your firewall. You can also specify what should happen to patches that are updated after they ve been installed, how you want patches stored, and what languages your clients need.

4. Synchronize the server by selecting Synchronize Server in the navigation pane of the SUS Administrative page, then click Synchronize Now. You should expect synchronization to take a while; Microsoft estimates that a single language worth of SUS updates takes up approximately 150 MB of disk space. Approve or reject the individual updates retrieved by the synchronization so that when clients begin to connect, they ll get the baseline patch set you want applied.

5. Set a synchronization schedule to control when your SUS server will pull updates from Microsoft. By default, synchronization occurs daily, but you can customize this. Note that this synchronization period is different from the interval at which clients will ask the SUS server for updates.

6. Install the SUS client on your machines. Windows XP Service Pack 1 and Windows Server 2003 already include the SUS client; Windows 2000 Server systems need Service Pack 3 or later. The SUS client is actually an extension of the base Windows Update client from Windows XP; it adds support for downloading from SUS instead of Windows Update and for scheduling automatic installations, as well as some additional Group Policy-based controls. On machines that don t already have the client, you ll need to install it somehow. Active Directory s software installation features are a great way to accomplish this.

7. Decide how you want to configure the clients. SUS includes a Group Policy template (WUAU.adm) you can use to distribute SUS settings using Active Directory. This method is the simplest and most flexible; it gives you the ability to set different SUS policies for different OUs, Active Directory sites, or Active Directory domains. If you prefer, you can create registry subkeys beneath the HKEY_LOCAL_MACHINE\SOFTWARE\ Policies\Microsoft\Windows\WindowsUpdate\AU key .

   Note	The Deploying Microsoft Software Update Services white paper (available from http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx ) describes the registry keys you can use to configure SUS manually.

8. Set your SUS client policies. These policies can include the following:

   • Which update server should be used to pull updates. If none is specified or if the specified server can t be reached, the client will use the public Windows Update site.

   • How often updates will take place. By default, each SUS client will poll approximately once per day (every 22 hours, minus a random time offset to avoid load surges on the server).

   • What happens when updates that require rebooting are sent to clients. By default, when SUS installs a component that requires a reboot to completely install, it will automatically reboot the machine, but you can change this.

   • How updates will be downloaded. You can specify three policies: notify for download and notify for install, download automatically and notify for install, or download automatically and schedule install. These policies do exactly what you d expect, and nonadministrative users cannot change these options.

     Tip

     You can use GPOs to specify that SUS be used, but did you know that there s already a Group Policy setting that blocks users from using Windows Update? In Windows XP, the Remove Access To Use All Windows Update Features Group Policy setting (located in User Configuration\Administrative Templates\Windows Components\Windows Update) blocks user access to Windows Update. Combine the two to automatically push patches to workstations and servers without giving even local administrators the ability to fool around with Windows Update.

Using Microsoft Systems Management Server

Microsoft Systems Management Server (SMS) is an extremely powerful product usually found in medium-scale to large-scale enterprise networks, where it is normally used to inventory software and operating system configuration and push predefined sets of applications and components to machines based on their role, physical location, or network location. The big difference between SMS and SUS is that the latter is designed only for pushing out critical software updates, whereas the former is a general-purpose tool for distributing arbitrary bits to machines on your network. SMS has some additional capabilities, too: it can target updates to machines based on their IP subnet, group, or OU membership, and it understands the concept of Active Directory sites and the links between them, making it useful for large wide area network (WAN) environments with varying kinds, speeds, and latencies of communication links.