Overlooked Features of Windows Security - Key Area No. 3: Updates Management
It is a common complaint that users do not deploy Windows security updates, yet updates still go undeployed. Many reasons are offered for why systems have not been updated: some stem from the fear of breaking systems during patching, while others cite a lack of time and adequate resources. Users who don't patch are living with a ticking time bomb. According to Craddock, there are three Microsoft-based options for patching:
Microsoft Update (MU)
Windows Server Update Services (WSUS)
Systems Management Server (SMS)
The problem users may face while updating the system is that they may end up breaking something when a patch is applied. While Microsoft is now very responsible about testing patches, they cannot possibly test every patch with every combination of software running on different systems.
In a business-critical environment it is essential that a company's IT department tests patches before deploying them onto critical systems; this requirement rules out the use of Microsoft Update. According to Craddock, a good patch management strategy should encompass:
Monitoring for security bulletins and updates
Determining the risk level
Testing an update
Deploying an update
Checking for a successful deployment
Once an update has been tested, a phased deployment is recommended, carried out either by department or by region. This limits the exposure in case something was missed during testing. Some companies use third-party solutions for patch management. For those on a tight budget who don't already have a system in place, Craddock recommends taking a look at Microsoft Windows Server Update Services (WSUS), which is available as a free download.
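The phased deployment and the "checking for a successful deployment" step can be tied together by refusing to start the next phase until the current one is verified. The PowerShell sketch below is an added example, not taken from the article or from Craddock; the update id, department phases, host names, inventory data and 95% threshold are all constructed placeholders.

```powershell
# Added example: gate a phased rollout on verified installation of one tested update.
# Every value below (KB id, phases, hosts, threshold) is a constructed placeholder.
$UpdateId  = 'KB0000000'   # placeholder, not a real bulletin
$Threshold = 0.95          # assumed minimum installed ratio before the next phase may start

# Phases in deployment order, by department.
$Phases = [ordered]@{
    'IT'      = @('it-ws01', 'it-ws02')
    'Finance' = @('fin-ws01', 'fin-ws02', 'fin-ws03')
    'Sales'   = @('sal-ws01', 'sal-ws02')
}

# Constructed inventory: host -> installed update ids.
# In production, fill this from Get-HotFix -ComputerName <host> or from WSUS reporting.
$Inventory = @{
    'it-ws01'  = @('KB0000000'); 'it-ws02'  = @('KB0000000')
    'fin-ws01' = @('KB0000000'); 'fin-ws02' = @(); 'fin-ws03' = @('KB0000000')
    'sal-ws01' = @();            'sal-ws02' = @()
}

function Test-PhaseDeployment {
    param([string[]]$Computers, [hashtable]$Inventory, [string]$UpdateId)
    # A host with no inventory record counts as missing the update.
    $missing = @($Computers | Where-Object { $Inventory[$_] -notcontains $UpdateId })
    [pscustomobject]@{
        Total   = $Computers.Count
        Missing = $missing
        Ratio   = ($Computers.Count - $missing.Count) / $Computers.Count
    }
}

foreach ($phase in $Phases.Keys) {
    $r = Test-PhaseDeployment -Computers $Phases[$phase] -Inventory $Inventory -UpdateId $UpdateId
    '{0,-8} {1:P0} installed, missing: {2}' -f $phase, $r.Ratio, ($r.Missing -join ', ')
    if ($r.Ratio -lt $Threshold) {
        "Stop: do not start the phase after '$phase' until the missing hosts are resolved."
        break
    }
}
```

With the constructed inventory, the IT phase passes and the rollout halts at Finance because one host has not reported the update, so Sales is never started.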
Key Area No. 4: Security Lockdown through Group Policy
Active Directory includes a powerful mechanism that provides central management and security lockdown through group policy. Group policy allows administrators to configure thousands of settings that can apply to servers and workstations. It's quite common to see installations of AD where minimal use is made of group policy, yet group policy is one area where companies can proactively enhance their security posture. When deploying security settings through group policy, it is important that users follow a few simple rules:
Start with the Microsoft security guidance.
Take ownership for all of the changes you make.
Never deploy a configuration you do not understand and document.
Never deploy a security change without first testing it in your test environment.
Create the appropriate OU structure to support the required group policies.
Use base and incremental policies.
Know how to back up and restore policies.
Microsoft provides good documentation and templates for security lockdown, and according to Craddock, these should be taken as a starting point and not as a definitive solution.
More By Joe Eitel