At a minimum, you should sign up for the Microsoft Security Bulletin notifications, Comprehensive edition. This gives you an email on the second Tuesday of every month listing exactly what patches have been released. In addition, it gives you a heads-up email on the Thursday before, and security advisories as shown in Figure 22.3.

Figure 22.3. Sample security advisory from Microsoft warning customers of the release of Worm.
If you want additional resources for not only patched but unpatched vulnerabilities, your resources include the following (also see Appendix A, "SBS Resources," for more):
The important point that you should not overlook is that small businesses are generally not specifically targeted, unlike the larger firms, so the resources you need to spend looking at unpatched vulnerabilities (with one exception discussed next) should not be as great as those in large corporations. You could argue strongly that your client's risks are not the same as those of the people running the web servers at amazon.com or Microsoft.com. The one exception is random drive-by attacks on browsers (this includes all web browsers such as Internet Explorer, Firefox, Opera, and so on). Due to the foundational way that the Internet was built, such that processing of pages was intended to be offloaded to local computers, we run a risk when we use our machines with local administrator rights on the workstation. Thus, make sure that you have antispyware protecting you on all workstations.

Windows Update and Automatic Updates

Once upon a time, the only automatic tool you had to update the systems in an SBS network was a tool built into workstations and servers called Windows Update. The only problem with this tool was that it patched only Windows security issues. Thus, for your workstations with Office installed, you then also had to visit the Microsoft Office Update website to update the Office software. Furthermore, there was (and is) software included in your operating system that even Windows Update did not patch. Today the recommendation, for every workstation and server on a supported platform, is to flip each of them over to Microsoft Update. Microsoft Update, at this time, delivers both Windows and Office patches, thus eliminating the need to go manually to the Office Update site. Furthermore, for the server platform, Microsoft Update covers Exchange and SQL and will cover ISA Server in the future. Thus, to ensure that you are up to date on the basics of Microsoft patches, you are strongly encouraged to use Microsoft Update and not Windows Update.
For workstations, however, there is one caveat that you need to be aware of: On workstations that are not running Office 2003 with its cached installation files left in place (Microsoft Office Assistance: Distributing Office 2003 Product Updates: http://office.microsoft.com/en-us/assistance/HA011402381033.aspx), or that run earlier versions of Office, you will often have to point the patch installer to the original install source. Thus, for these earlier versions, many consultants have used a little trick to ensure that they didn't have to dig around and find where the firm stored the original OEM CD-ROM of that Office installation. On workstations with large hard drives, they would copy the entire OEM CD-ROM of Office to the local workstation and either reinstall the application from there or repoint the patch dialog box to the copied CD-ROM files. This eliminated the need for scotch-taping the media to the side of the computer or other unusual ways of ensuring that the original media was kept near the machine needing patching. Before you can use Microsoft Update, two ActiveX files are installed on your system:
These files will automatically be deployed the first time you visit Microsoft Update, but you will need to allow them to be installed on XP SP2 systems by clicking on XP SP2's ActiveX block toolbar. Additional downloads may be required such as updated background installers and other tools as follows:
After this first visit is completed, you are then able to receive downloads and automatic updates for both Windows and Office from the same site. Although you can return to Windows Update by going to the Change Settings options and selecting to opt out of Microsoft Update, most would strongly recommend that if you have Windows 2000 and Windows XP clients you stay on Microsoft Update. (Comparing MBSA, MU, WSUS, and SMS 2003: http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx.) For many small firms, although you would not want to set up automatic updates on a server, it is perfectly acceptable to do so on the workstations. You have your choice of ways to deploy patches even through the automatic method (see Figure 22.4):

Figure 22.4. The Automatic Updates screen showing the different patch deployment options.
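Once you have chosen a deployment option for the workstations, it is worth being able to confirm from the machine itself which option is actually in force, since a Group Policy setting silently overrides whatever was picked in the dialog. The following PowerShell function is an added example, not code from the book; it reads the documented Automatic Updates registry locations (the policy key under HKLM\SOFTWARE\Policies and the local key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion) and translates the AUOptions value back into the wording of the dialog. The value meanings and day numbering are taken from the Automatic Updates client documentation; run it locally on each workstation, or through whatever remote-execution mechanism you already use.

```powershell
# Added example (not from the book): report which Automatic Updates deployment
# option a machine is really using, so you can check that workstations are on
# the mode you chose and that servers are not set to install unattended.
# Assumption: the Group Policy key, when present, takes precedence over the
# setting chosen locally in the System control panel.
function Get-AutomaticUpdatesSetting {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    # Meaning of AUOptions, matching the choices in the Automatic Updates dialog.
    $modeNames = @{
        1 = 'Automatic Updates turned off'
        2 = 'Notify before downloading and before installing'
        3 = 'Download automatically, notify before installing'
        4 = 'Download automatically and install on the schedule'
        5 = 'Let the local administrator choose the setting (policy only)'
    }
    $dayNames = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday';
                   4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

    $source   = 'Not configured'
    $options  = $null
    $day      = $null
    $hour     = $null
    $disabled = $false

    # Group Policy settings win when they exist.
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        if ($p.NoAutoUpdate -eq 1) { $disabled = $true }
        if ($null -ne $p.AUOptions) {
            $options = [int]$p.AUOptions
            $source  = 'Group Policy'
            $day     = $p.ScheduledInstallDay
            $hour    = $p.ScheduledInstallTime
        }
    }

    # Otherwise fall back to the choice made locally on the machine.
    if ($null -eq $options -and (Test-Path $localKey)) {
        $l = Get-ItemProperty -Path $localKey
        if ($null -ne $l.AUOptions) {
            $options = [int]$l.AUOptions
            $source  = 'Local setting'
            $day     = $l.ScheduledInstallDay
            $hour    = $l.ScheduledInstallTime
        }
    }

    $mode = if ($disabled) { 'Disabled by policy (NoAutoUpdate=1)' }
            elseif ($null -ne $options -and $modeNames.ContainsKey($options)) { $modeNames[$options] }
            elseif ($null -ne $options) { "Unknown AUOptions value $options" }
            else { 'Not configured' }

    # The install schedule only matters for option 4 (scheduled install).
    $schedule = $null
    if ($options -eq 4 -and $null -ne $day -and $null -ne $hour) {
        $schedule = '{0} at {1:00}:00' -f $dayNames[[int]$day], [int]$hour
    }

    New-Object -TypeName PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Source       = $source
        AUOptions    = $options
        Mode         = $mode
        Schedule     = $schedule
    }
}

# One object per machine; pipe to Export-Csv to keep a compliance record.
Get-AutomaticUpdatesSetting | Format-List ComputerName, Source, AUOptions, Mode, Schedule
```

Because a server that reports option 4 from the Group Policy key will reboot on its own after installing, the Source and Mode columns together are the quick check for the "no automatic updates on the server" advice above.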
For all these options, if you are seeing issues with installing patches, review the log files, typically located under the C:\Windows directory. There are two files you are looking for:
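Whichever of the two log files you open, the entries you want are the last WARNING and FATAL lines and the hexadecimal error code they carry, because that code is what the troubleshooter and the knowledge base are indexed on. The PowerShell function below is an added example, not the book's own code: it parses the client log's line layout (date, time, process id, thread id, component, message), keeps only failure entries, extracts the error code and returns the most recent ones. The sample lines are constructed to look like that log and are not from a real machine; the KB numbers in them are placeholders.

```powershell
# Added example (not from the book): pull the most recent failures and their
# error codes out of a Windows Update / Microsoft Update client log.
# Constructed sample in the shape of the client log; not real log data.
$sampleLog = @'
2006-03-14 10:02:11  884 3bc Agent  ** START **  Agent: Installing updates [CallerId = AutomaticUpdates]
2006-03-14 10:02:12  884 3bc Agent    * Updates to install = 2
2006-03-14 10:03:40  884 3bc Handler   Installation succeeded: KB000001 (placeholder)
2006-03-14 10:03:55  884 3bc Handler FATAL: Install of update failed, hr=0x80070643
2006-03-14 10:03:56  884 3bc Agent  WARNING: Failed to install update KB000002 (placeholder), error = 0x80070643
2006-03-14 10:03:57  884 3bc Agent  ** END **  Agent: Installing updates [CallerId = AutomaticUpdates]
'@ -split "`r?`n"

function Get-UpdateLogFailures {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [int]$Last = 5
    )

    # One log entry: date, time, pid, tid, component, then free text.
    $linePattern = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<pid>\S+)\s+(?<tid>\S+)\s+(?<component>\S+)\s+(?<message>.*)$'

    $failures = foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }   # not a log entry (blank, wrapped text)
        $entry = $Matches                                 # keep a copy; later -match calls replace $Matches

        # Only WARNING and FATAL entries describe a failure.
        if ($entry['message'] -notmatch '\b(WARNING|FATAL)\b') { continue }
        $severity = $Matches[1]

        # Pull out the HRESULT-style code (0x followed by eight hex digits) if present.
        $code = $null
        if ($entry['message'] -match '0x[0-9A-Fa-f]{8}') { $code = $Matches[0] }

        New-Object -TypeName PSObject -Property @{
            Timestamp = '{0} {1}' -f $entry['date'], $entry['time']
            Component = $entry['component']
            Severity  = $severity
            ErrorCode = $code
            Message   = $entry['message']
        }
    }

    # The last entries are the ones to look at first.
    $failures | Select-Object -Last $Last
}

# Against the constructed sample; on a real machine replace $sampleLog with
# (Get-Content 'C:\Windows\<log file name>.log') for the file you are reviewing.
Get-UpdateLogFailures -Lines $sampleLog | Format-Table Timestamp, Severity, ErrorCode, Message -AutoSize
```

On the sample this returns the two failure entries, both carrying 0x80070643, which is the value you would then look up in the troubleshooter rather than scrolling the whole file by hand.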
Review the last entries in these log files, and then, inside the Microsoft Update interface, click on Help and Support and then click on Try Solving Your Problem with the Troubleshooter. Many typical errors seen with Microsoft Update and Windows Update are documented there.

Microsoft Baseline Security Analyzer (MBSA)

For a more automated approach to scanning your network for both missing patches and security issues, MBSA is the tool for you. Combine this with Visio, and you can even diagram the risks in your environment. There are currently two versions of MBSA, and they scan different systems, so you may need to install and run both in a firm. MBSA 2.0 obviously covers only the newer operating systems and newer Office packages, so it would be wise to begin moving your clients to where it is easier for both you and them to protect their assets. MBSA 2.0 covers users who primarily have:
MBSA 1.2.1 covers the following:
For a network where the XP SP2 firewalls are enabled inside the network, which is the recommended way and the default way that SBS 2003 sets up its networks, you will need an additional patch to allow the workstations to be scanned from the server. Microsoft Knowledge Base 895200 must be obtained and deployed to your Windows XP workstations to be able to scan them remotely (Availability of Windows XP COM+ Hotfix Rollup Package 9: http://support.microsoft.com/default.aspx?scid=kb;en-us;895200). Merely call Microsoft Product Support Services and request the free hotfix for this issue.

Keep in mind that although this tool is primarily for scanning for missing patches, it is much more than that and includes guidance on passwords, running services, and lack of firewalls. This additional information can be a bit confusing in the typical SBS network. For example, the tool scans to see whether a firewall is present on the server. For both SBS 2003 Standard (with the RRAS firewall) and Premium (with the ISA firewall), it reports that there is no firewall because it is not configured or is not available on this operating system. In reality, because MBSA does not understand the RRAS or ISA firewall, it cannot report on them. In addition, if you have set up the Backup Wizard on the SBS server, it complains about the SBSbackup user not having secure settings for Internet Explorer. Disregard both of these notifications, and review the documentation and guidance in the MBSA literature, where these issues are discussed in greater detail.

Another tool you may want to download and use to keep your system healthy is the Microsoft Exchange Best Practices Analyzer tool, which can be found at http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx. It gives you guidance on settings as well as on the condition of the server.

SBS Downloads Site

At times, the SBS 2003 platform has patches unique only to it.
Future plans for patching on the SBS 2003 platform include those software fixes unique to the SBS platform, but in the meantime, bookmark the following web page, and when you are patching for security patches, also review this website as well: http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx.
Shavlik HFNetChk Pro

There is actually a slightly easier way to patch systems than using Microsoft Update and MBSA, and that is to use patch tools. As the old saying goes, you get what you pay for, and HFNetChk Pro, although not a free tool, is a reliable way to ensure that the workstations and servers in your network are kept up to date with updates for Windows, Office, Exchange, SQL, and ISA Server, patches unique to SBS 2003, and third-party software such as Adobe, Firefox, and Real Player. The list of software supported as of the time of this writing includes Windows software as well as many third-party programs. Given the reasonable price tag of Shavlik's Basic and HFNetChk5 editions, you would be wise to review and examine the flexibility of this patch tool given its lengthy listing of supported software. It is a push technology and not a pull, and thus you can launch the console, scan the computers, push out patches, force a reboot, and then, when completed, rescan to ensure compliance. The streamlining of push patch technology versus pull technology (which is what WSUS offers) should be considered when making your decision. Typically you can be up and installing with this tool in less than 30 minutes, and it can be deployed at the server or at a workstation to be used as a patch deployment method.