WindowSecurity.com Newsletter of July 2011 Sponsored by: ManageEngine
Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
1. Achieving Software Update compliance
Ensuring that all hosts within your organization are configured to a specific standard is not only a good practice but a necessity to prevent malware from taking advantage of various system vulnerabilities. The release of major security updates by vendors after an exploit has been made public is one instance where an organization has to have in place an automated tool that kicks in immediately after the update is released.
To meet compliance requirements all systems need to have specific updates applied, certain applications (firewall, antivirus, etc.) installed and configured appropriately. Many technologies exist to help you achieve such requirements but should we only rely on a tool that provides us with the pushing mechanism without verifying whether the approved software updates have actually been deployed to all computers in your environment? In this month's newsletter I will go through some software update technologies focusing on a free tool that systems administrators can use without the need for creating a business case or for passing through the procurement process, especially in the Summer season when senior management may be away on a long boat trip!
Microsoft Baseline Security Analyzer (MBSA)
Sometimes, the more features and functionality a tool has the less system administrators make full use of it. MBSA is a basic tool that enables system administrators to scan the network to determine which computers are missing updates or are incorrectly configured according to Microsoft best practices recommendations. It can check security configuration settings such as firewall settings. The MBSA tool can integrate with WSUS as well and it will perform scans according to the WSUS approved updates. An important feature found in MBSA is the capability of detecting whether a computer is assigned or not to a software update server. MBSA version 2.2 will work with all supported versions of Windows including Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. Version 2.1 had some limitations but these were fixed in version 2.2. Version 2.2 is the latest version of Microsoft's free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals.
Unlike other tools such as SCCM 2007 the reports it generates are not as rich but for a fee tool I say they are sufficient. Also, it has no email notification feature for machines that become noncompliant. To download a copy and have some fun with MBSA go here.
If your environment is more complex then I suggest that you go for WSUS (Windows Server Update Services). The current version is WSUS 3.0 SP2 and you can download a copy from here.
WSUS Advanced Reporting
WSUS 3.0 SP2 offers software update compliance reporting functionality in enterprise environments. WSUS reports can be exported to Microsoft Office Excel or PDF formats while implementations based on an SQL server database can benefit from customized reports based on your own set of database queries. However, the built-in reports found in WSUS are more than enough for managing standard compliance. These include a status summary of the number of computers the updates are installed on, those computers that failed to take an update, and for which WSUS has no data. The status report can be run in a detailed version where you can view the report in summary or tabular format.
The basic difference between MBSA and WSUS is that WSUS does not scan computers to determine whether updates are missing but instead records whether updates have been downloaded to target computers and whether the target computers have reported back to the WSUS server that the update has been successfully installed. Briefly, it generates reports based on information communicated with the WSUS server. An important feature in enterprise environments is the complete view of the software update deployment process where multiple WSUS servers may exist.
SCCM (System Center Configuration Manager) 2007 enables you to assess whether the configuration of computers within your organization matches what is referred to as a configuration baseline. SCCM is the high-end solution from Microsoft where you can ensure compliance over the whole infrastructure including mobile environments. SCCM 2007 R3 include power management features that help organizations reduce their IT-based power consumption which can be part of an environmental compliance program. Mind you, SSCM is not just a software update management solution but it includes an asset inventory, a configuration baseline management, a software distribution source, a power management tool and an operating system deployment solution.
With SCCM you can generate a whole slew of reports of every kind. In addition, if the large number of pre-generated reports is not enough you can create custom reports tailored to your specific requirements. As you can imagine, SCCM is the most comprehensive reporting and compliance tool for enterprise environments. To read more about SCCM and download SCCM 2012 Beta 2 go here.
Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at firstname.lastname@example.org.
See you next month! - George
2. WindowSecurity.com Articles of Interest
3. Tip of the Month
The following are some ideas to consider when planning security baselines:
4. Latest Security Exploits and Concerns
5. Ask George a question
This month, I would like to share a forum post with you. Our WindowSecurity.com Message Boards are a great source of information where you can get free support and an exchange of brilliant ideas. I urge you to participate!
For instance, check this cool thread started by our forum fanatic moondoggie: