IT administrators understand that patching is a necessary evil, but they've been given a lot of help. Microsoft has simplified patch management processes and deployment with its monthly Patch Tuesday releases, and organizations have patch testing and deployment strategies and automated patch management tools such as Windows Server Update Services (WSUS).
Case closed then, right?
Well, not so fast. What happens when a new employee joins the company and their computer is provisioned after patches have been deployed? What happens to the laptops of roaming users who aren't connected to the network when the patches are rolled out? What happens when a user installs new software on their PC and is not aware that the application has critical security updates?
Above and beyond the processes and tools put in place to manage and automate patch implementation, organizations also need some way to proactively identify machines that are missing patches, before an unpatched vulnerability exposes the vulnerable machine, and by extension the rest of the network, to compromise.
Let's look at the three primary options for identifying missing patches on Windows desktop systems.
Microsoft tools. Microsoft offers a handful of options that administrators can use to varying degrees of effectiveness for the purpose of identifying missing patches. The Microsoft Baseline Security Analyzer (MBSA) is freely available.
The good news is that MBSA extends beyond just the Windows operating system and identifies security issues and missing patches for other applications such as Microsoft Office, SQL Server and others. The bad news is that the scope of MBSA is still Microsoft-centric, so you are still on your own for figuring out whether your systems have the latest Firefox or Adobe Flash updates.
WSUS is a free download available to licensed users of Windows Server 2003 or Windows Server 2008. WSUS accomplishes the goal of identifying missing patches because client systems phone home and determine what patches are available. Like MBSA, WSUS is a Microsoft-centric solution that won't identify or deploy missing third-party patches.
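As an added example (not code from the article or from Microsoft), the following PowerShell queries the Windows Update Agent COM API that WSUS clients use when they phone home, so a single desktop can report which security updates it is still missing; the function name and its Source parameter are my own.

```powershell
# Added example: list applicable-but-not-installed security updates on this machine
# via the Windows Update Agent COM API, then summarise them by MSRC severity.
# Run from an elevated PowerShell session on the desktop being audited.
# Assumption: -Source picks the configured WSUS server or Microsoft's public service;
# 1 and 2 are the documented ServerSelection values for those two choices.
function Get-MissingSecurityUpdate {
    param(
        [ValidateSet('Wsus', 'WindowsUpdate')]
        [string]$Source = 'Wsus'
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $true
    # ServerSelection: 1 = managed server (WSUS), 2 = Windows Update
    $searcher.ServerSelection = if ($Source -eq 'Wsus') { 1 } else { 2 }

    try {
        # Applicable software updates that are neither installed nor hidden by a user
        $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    } catch {
        # Typical for a roaming laptop that cannot reach the selected update source
        Write-Warning "Update search against '$Source' failed: $($_.Exception.Message)"
        return
    }

    foreach ($update in $result.Updates) {
        # MsrcSeverity is empty for non-security updates (feature packs, drivers, etc.)
        if ([string]::IsNullOrEmpty($update.MsrcSeverity)) { continue }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            KB           = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $update.MsrcSeverity
            Title        = $update.Title
            Downloaded   = $update.IsDownloaded
        }
    }
}

# Usage: list the gaps, summarise by severity, and return a non-zero exit code
# so a logon script or scheduled task can flag the machine to a central report.
$missing = Get-MissingSecurityUpdate -Source Wsus
$missing | Sort-Object Severity | Format-Table -AutoSize
$missing | Group-Object Severity | Select-Object Name, Count
if ($missing | Where-Object Severity -eq 'Critical') { exit 2 }
```

Because the query runs on the client itself, it also covers machines provisioned after a rollout or laptops that were off the network at the time, as long as they can reach the chosen update source when the script runs.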
Patch management applications. Third-party patch management platforms from vendors such as GFI Software Ltd. and Shavlik Technologies Inc. generally provide some capability for scanning and identifying systems that are missing patches. Unlike their free Microsoft counterparts, these products are also able to identify missing patches and updates for other applications on Windows systems, such as Apple iTunes or Adobe Flash, as well as being able to scan other operating system platforms and identify missing patches on Linux and Mac OS X systems.
Vulnerability scanners. A vulnerability scanner such as Nessus is also an effective tool for identifying missing patches. Nessus does not require an agent on target systems in order to gather information.
Scanning target systems with Nessus will identify missing security patches and vulnerable system configuration. Rather than relying on information from the Windows Registry, Nessus probes deeper to verify the vulnerability actually exists. In addition, Nessus has plug-ins to scan for various compliance standards, such as ensuring that systems meet SOX, or PCI DSS requirements.
One issue you will encounter with virtually any solution is the need for credentials that span the network and the target systems. If security controls are configured as they should be, no scanner should be able to simply analyze every system in the environment across the network without proper authorization.
Regardless of which tool or method you choose, it is important to incorporate periodic scans to identify missing patches into the overall patch management process. Ignorance of unpatched systems won't prevent exposure or compromise, and could make the rest of the patch management efforts a waste of time.
Tony Bradley is the founder and president of S3KUR3, Inc. Follow him on Twitter @PCSecurityNews.