Resources for Security Patches and Vulnerabilities


At a minimum, you should sign up for the Microsoft Security Bulletin notifications Comprehensive edition. This gives you an email on the second Tuesday of every month listing exactly what patches have been released. In addition, it gives you a heads-up email on the Thursday before and security advisories as shown in Figure 22.3.

Figure 22.3. Sample security advisory from Microsoft warning customers of the release of Worm.


Best Practice: Signing Up for Security Patch Information

If you sign up for no other security notification, make sure that you sign up for the Microsoft Advanced Security notifications at http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Patches are announced the first Thursday of the month and released the second Tuesday of the month (unless there is a vulnerability in the wild and the patch is deemed of high priority to be released "out of band").


If you want additional resources for not only patched but unpatched vulnerabilities, your resources include the following (also see Appendix A, "SBS Resources," for more):

  • Microsoft Security Advisories: http://www.microsoft.com/technet/security/advisory/default.mspx

  • Secunia: http://secunia.com/ (RSS feed on the right)

  • MSRC blog: http://blogs.technet.com/msrc/

The important point that you should not overlook is that small businesses are generally not specifically targeted, unlike larger firms, so the resources you spend looking at unpatched vulnerabilities (with one exception, discussed next) need not be as great as those in large corporations. You could argue strongly that your client's risks are not the same as those of the people running the web servers at amazon.com or Microsoft.com. The one exception is random drive-by attacks on browsers (this includes all web browsers, such as Internet Explorer, Firefox, Opera, and so on). Because of the foundational way the Internet was built, with page processing intended to be offloaded to the local computer, we run a risk when users work with local administrator rights on the workstation. Thus, make sure that you have antispyware protecting all workstations.

Windows Update and Automatic Updates

Once upon a time, the only automatic tool you had to update the systems in an SBS network was a tool built into workstations and servers called Windows Update. The only problem with this tool was that it patched only Windows security issues. Thus, for your workstations with Office installed, you also had to visit the Microsoft Office Update website to update the Office software. Furthermore, there was (and is) software included in your operating system that even Windows Update did not patch. Today the recommendation, for every workstation and server on a supported platform, is to flip each of them over to Microsoft Update. Microsoft Update, at this time, delivers both Windows and Office patches, thus eliminating the need to go manually to the Office Update site.

Furthermore, for the server platform, Microsoft Update covers Exchange and SQL and will cover ISA Server in the future. Thus, to ensure that you are up to date on the basics of Microsoft patches, you are strongly encouraged to use Microsoft Update and not Windows Update.

For workstations, however, there is one caveat that you need to be aware of. On workstations not running Office 2003 (which leaves its cached installation files behind; see Microsoft Office Assistance: Distributing Office 2003 Product Updates: http://office.microsoft.com/en-us/assistance/HA011402381033.aspx), or for earlier versions of Office, you often have to point the patch to the original install source. Thus, for these earlier versions, many consultants have used a little trick to ensure that they didn't have to dig around and find where the firm stored the original OEM CD-ROM of that Office installation. On workstations with large hard drives, they would copy the entire OEM CD-ROM of Office to the local workstation and either reinstall the application from there or repoint the patch dialog box to the copied CD-ROM files. This eliminated the need for taping the media to the side of the computer or other unusual ways of ensuring that the original media was kept near the machine needing patching.

Before you can use Microsoft Update, two ActiveX controls are installed on your system:

  • MUWebControl Class

  • WUWebControl Class

These controls are deployed automatically the first time you visit Microsoft Update, but on XP SP2 systems you will need to allow them to be installed by clicking on XP SP2's ActiveX block toolbar. Additional downloads may be required, such as updated background installers and other tools, as follows:

  • Windows Genuine Advantage control

  • Windows Installer 3.1

  • Background Intelligent Transfer Service (BITS) update

After this first visit is completed, you are able to receive downloads and automatic updates for both Windows and Office from the same site. Although you can return to Windows Update by going to the Change Settings options and opting out of Microsoft Update, most would strongly recommend that if you have Windows 2000 and Windows XP clients, you stay on Microsoft Update. (Comparing MBSA, MU, WSUS, and SMS 2003: http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx.)

For many small firms, although you would not want to set up automatic updates on a server, it is perfectly acceptable to do so on the workstations. You have your choice of ways to deploy patches even through the automatic method (see Figure 22.4):

Figure 22.4. The Automatic update screen showing the different patch deployment options.


  • Automatic (Recommended), automatic reboot: This method is the most autocratic of the three. You set up your systems to deploy patches and reboot. You can set them up to deploy in the middle of the night, but you need to make sure that the system is turned on. Keep in mind that this method even deploys patches to a system that is running in Restricted User mode, so you may consider this if your firm has locked-down desktops.

  • Download Updates for Me, But Let Me Choose to Install Them: This option is for those firms that want to give their end users a bit of flexibility but still mandate patching as soon as the automatic updates pick up the patches. Choosing this option also offers the ability on Windows XP SP2 machines to install patches on shutdown or to delay them until the next time the user is on the system. This is recommended for laptops in particular as a deployment methodology.

  • Notify Me But Don't Automatically Download or Install Them: This is an identification-and-scan-only option whereby the "bubble" shows up in the bottom-right corner when patches are available. In a small firm this would not be recommended because the users may tune out messages in the system tray.

  • Turn off Automatic Updates: This option is not recommended unless you know you have a third-party solution in place, or you have assured yourself that you will be manually monitoring the patching of that machine.

For all these options, if you are seeing issues with installing patches, review the log files, which are typically located under the C:\Windows directory. There are two files you are looking for:

  • WindowsUpdate.log is the newer log file for the V.5 and above series of Windows Update, which includes Microsoft Update.

  • Windows Update.log is the older log file for the V.4 and below updates.

Review the last entries in these log files and then inside the Microsoft Update interface, click on Help and Support and then click on Try Solving Your Problem with the Troubleshooter. Many typical errors seen with Microsoft Update and Windows Update are documented there.
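Reading the tail of WindowsUpdate.log by hand gets tedious across a network of workstations. The following script is an added example, not code from the book: it parses the legacy tab-separated WindowsUpdate.log layout (date, time, PID, TID, component, message, which is assumed here from that format), pulls out the WARNING and FATAL entries together with their 0x error codes, and reports the last few so you have the exact code to look up in the Microsoft Update troubleshooter. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the legacy WindowsUpdate.log layout:
# date <TAB> time <TAB> PID <TAB> TID <TAB> component <TAB> message.
# Values are made up for this example.
SAMPLE_LOG = """\
2005-04-12\t02:00:03:125\t 980\t3d4\tAgent\t*************
2005-04-12\t02:00:03:125\t 980\t3d4\tAgent\t** START **  Agent: Finding updates [CallerId = MicrosoftUpdate]
2005-04-12\t02:00:09:781\t 980\t3d4\tAgent\t  * Found 3 updates and 12 categories in search
2005-04-12\t02:00:10:000\t 980\t3d4\tAgent\t*********
2005-04-12\t02:05:41:343\t 980\t7a0\tDnldMgr\tWARNING: Download job failed, error 0x80244019
2005-04-12\t02:05:41:343\t 980\t7a0\tAgent\t  * WARNING: Exit code = 0x80244019
2005-04-12\t02:06:02:500\t 980\t7a0\tAU\t# WARNING: Download failed, error = 0x80244019
2005-04-12\t02:06:02:500\t 980\t7a0\tAU\tAU setting next detection timeout to 2005-04-12 06:06:02
"""

# Six tab-separated fields; the PID column may carry leading spaces.
ENTRY_RE = re.compile(r"^(\S+)\t(\S+)\t\s*(\S+)\t(\S+)\t(\S+)\t(.*)$")
# Windows Update error codes appear as 8-digit hex HRESULTs (0x8024xxxx and friends).
ERROR_RE = re.compile(r"0x[0-9A-Fa-f]{8}")


def parse_entries(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        date, time, pid, tid, component, message = m.groups()
        entries.append({"date": date, "time": time, "pid": pid, "tid": tid,
                        "component": component, "message": message.strip()})
    return entries


def find_failures(entries):
    """Keep WARNING/FATAL entries and attach the first 0x error code found, if any."""
    failures = []
    for e in entries:
        if "WARNING" in e["message"] or "FATAL" in e["message"]:
            m = ERROR_RE.search(e["message"])
            failures.append({**e, "code": m.group(0).lower() if m else None})
    return failures


def summarize(text, last_n=5):
    """Count entries and failures, tally error codes, and return the last failures."""
    entries = parse_entries(text)
    failures = find_failures(entries)
    codes = Counter(f["code"] for f in failures if f["code"])
    return {"entries": len(entries), "failures": len(failures),
            "codes": dict(codes), "tail": failures[-last_n:]}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["entries"], "entries,", report["failures"], "failures, codes:", report["codes"])
    for f in report["tail"]:
        print(f["date"], f["time"], f["component"], f["message"])
```

To run it against a real machine, read C:\Windows\WindowsUpdate.log into `text` and pass it to `summarize`; the tallied codes are what to search for in the troubleshooter.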

Microsoft Baseline Security Analyzer (MBSA)

For a more automated approach to scanning your network for both missing patches and security issues, MBSA is the tool for you. Combine this with Visio, and you can even diagram the risks in your environment. There are currently two versions of MBSA, and they scan different systems, so you may need to install and run both in a firm. MBSA 2.0 obviously covers only the newer operating systems and newer Office packages, so it would be wise to begin moving your clients to where it's easier for both you and them to protect their assets.

MBSA 2.0 covers users who primarily have:

  • Windows 2000+ SP3 and later

  • Office XP+ and later

  • Exchange 2000+ and later

  • SQL Server 2000 SP4+

MBSA 1.2.1 covers the following:

  • All of the above and

  • Office 2000

  • Exchange 5.0 and 5.5

  • Other products supported by MBSA 1.2.1 and not Microsoft update as identified in Knowledge Base article 895660 (http://support.microsoft.com/?scid=kb;en-us;895660)

For a network where the XP SP2 firewalls are enabled inside the network, which is the recommended way and the default way that SBS 2003 sets up its networks, you will need an additional patch to allow the workstations to be scanned from the server. The hotfix described in Microsoft Knowledge Base article 895200 must be obtained and deployed to your Windows XP workstations before they can be scanned remotely (Availability of Windows XP COM+ Hotfix Rollup Package 9: http://support.microsoft.com/default.aspx?scid=kb;en-us;895200). Simply call Microsoft Product Support Services and request the free hotfix for this issue.

Keep in mind that although this tool is primarily for scanning for patches, it is much more than that and includes guidance on passwords, running services, and missing firewalls. This additional information can be a bit confusing in the typical SBS network. For example, the tool will scan to see whether a firewall is present on the server. For both SBS 2003 Standard (with the RRAS firewall) and Premium (with the ISA firewall) it will say that there is no firewall because it is not configured or is not available on this operating system. In reality, because MBSA does not understand the RRAS or ISA firewall, it cannot report on them.

In addition, if you have set up the Backup Wizard on the SBS server, it will complain about the SBSbackup user not having secure settings for Internet Explorer. Disregard both of these notifications and review the documentation and guidance in the MBSA literature, where these issues are discussed in greater detail.

Another tool you may want to download and use to scan your system for keeping it healthy is the Microsoft Exchange Best Practices Analyzer tool, which can be found at http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx. It gives you guidance on settings as well as the condition of the server.

SBS Downloads Site

At times, the SBS 2003 platform has patches unique to it. Future plans for patching on the SBS 2003 platform include those software fixes unique to the SBS platform, but in the meantime bookmark the following web page and, when you are applying security patches, review this website as well: http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx.

Best Practice: Minimum Patching Recommendations

In a recent book, and in numerous talks around the world, Microsoft security guru Dr. Jesper Johansson states that one of the best ways to get yourself hacked is to not deploy patches. Although the opinion is that servers and workstations in small businesses are not targeted by hackers, they can be hurt by collateral damage in larger attacks on the Internet. Thus, keeping up to date on patching is a key security element for a firm of any size. This should include at least these items:

  • Ensure that you are on SBS 2003 SP1 (the latest service pack at the time of this writing).

  • Make sure that the server and workstations are connected to Microsoft Update rather than Windows Update because this ensures that the server and workstations are patched for the majority of needed software patches.

  • Review the SBS specific patches page at http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx.

  • The "best" best practice that you should attempt to perform at each client, in each network, in each customer base you install is to follow a best practice step out of the large enterprise space. The more you standardize the servers and the workstations, the easier your life will be, both in terms of identifying patterns but also in assisting you in streamlining the patch process. Typically small businesses have a copy of nearly every Microsoft operating system starting with Windows 95 all the way to Windows XP, and these days even potentially beta versions of unreleased software. Your life will be easier if you only need to worry about security patch issues for the latest versions of desktop and server operating systems as well as Office platforms.

  • Office 2003 no longer requires the original CD-ROM media to apply security patches, thus making it much easier to keep this version up to date with patches as compared to the prior versions (Microsoft Office Assistance: Local Source Makes Patching Easier: http://office.microsoft.com/en-us/assistance/HA011402371033.aspx).

  • Windows XP Service Pack 2 with the firewall enabled inside the network has additional resiliency to attack vectors and includes Data Execution Prevention (Changes to Functionality in Microsoft Windows XP Service Pack 2: Part 1: Introduction: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx#XSLTsection129121120120).

  • Windows 2003 Service Pack 1 also includes Data Execution Prevention and enhancements to Internet Explorer that block ActiveX scripting, which often reduces the criticality of a security bulletin on the server. A new technology called hotpatching reduces the amount of rebooting the server needs. (A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003: http://support.microsoft.com/kb/875352.)

  • Internet Explorer 7, when released on Windows Vista, will include additional protection for phishing and surfing and overall more security (http://www.microsoft.com/downloads/details.aspx?familyid=718e9b3a-64fe-4a4c-9ddf-57af0472ead2&displaylang=en).

  • Internet Explorer 7 on Windows XP increases security (but not as much as on Windows Vista).

  • Consider the use of patch deployment and reporting tools, discussed later in this chapter.

The lesson to be learned here is that being on the newest versions means that you are on more protected versions and, I would argue, versions that obtain much more testing resources for patch quality purposes. Windows 98 and Windows ME only get critical patches, and one patch for that platform took until April of 2005, two months after the other platforms (Windows 2000, Windows XP), which were patched in early February for the same issue. Your clients may indicate that they cannot afford to upgrade from Windows 98, but I would strongly argue to the contrary. The ability to remotely manage Windows 2000 and XP using the server, the ability to remotely patch, and, as pointed out, the overall lack of support resources for Windows 98 and Windows ME means that these platforms just do not make economic and, especially, security sense anymore. Neither platform has a security foundation, and each was written for a much more innocent time on the Internet.


Shavlik HFNetChk Pro

There is actually a slightly easier way to patch systems than using Microsoft Update and MBSA, and that is to use patch tools. As the old saying goes, you get what you pay for, and HFNetChk Pro, although not a free tool, is a reliable way to ensure that the workstations and servers in your network are kept up to date with updates for Windows, Office, Exchange, SQL, and ISA Server, as well as patches unique to SBS 2003 and third-party software such as Adobe, Firefox, and RealPlayer.

The list of software supported as of the time of this writing includes Windows software as well as many third-party programs.

Given the reasonable price tag of Shavlik's Basic and HFNetChk5 editions, you might be wise to review and examine the flexibility of this patch tool given its lengthy listing of supported software. It is a push technology and not a pull, and thus you can launch the console, scan the computers, push out patches, force a reboot, and then when completed, rescan again to ensure compliance. The streamlining of push patch technology versus pull technology (which is what WSUS offers) should be considered when making your decision. Typically you can be up and installing with this tool in less than 30 minutes, and it can be deployed at the server or at a workstation to be used as a patch deployment method.

Best Practice: Taking a Page from the Enterprise Folks

Some of the best practices can be learned from the enterprise folks. When deploying a new workstation, even if it's an OEM preinstalled machine, either take the time to uninstall all the annoying, unneeded "phone home" software, or reinstall from scratch, installing only those pieces of software you need. The less additional software you need to worry about updating, the better off you are. These days RealAudio, Adobe, instant messengers, and even our own antivirus software have been found to have vulnerabilities. Keep a list of the software deployed in a firm so that you know what you need to update.

Consider preparing slipstreamed installs to assist you in quickly and easily deploying patches. The document entitled Techniques for Patching New Computers, http://www.microsoft.com/technet/desktopdeployment/articles/080305tn.mspx, includes information about how to easily bring a system up-to-date before installing it in a network.

In general, the wise thing to do is always build new machines behind a firewall router device to ensure that even while the system is being built it is protected.


Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253