IT tutorials
 
Applications Server
 

Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 3) - Keeping Up with Security Patches and Updates

10/24/2014 3:19:38 AM
- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Keeping Up with Security Patches and Updates

Applying service packs, updates, and hotfixes in a timely manner is critical to maintaining the security of an environment. Whether you are talking about a server operating system, an application such as Exchange Server 2007, a client operating system, or even client applications, keeping your systems up to date with the latest releases ensures that you are protected against known vulnerabilities.

Organizations often underestimate the importance of these updates, so let’s look at them in a different light. These updates are released to protect against known vulnerabilities. That means that there is a good possibility that malicious users in the hacker community already know how to exploit them. So, there the system sits, not only does it have an unlocked door, but the criminals know it is unlocked.

In the past, updates often had to be manually implemented on a system-by-system basis and, for companies with hundreds (or thousands) of workstations, it proved to be a monumental task. These manual processes still exist, but rarely need to be used today.

With Windows Server 2003, Windows Vista, and Windows XP, utilities exist that allow you to automate this process and simplify the distribution of updates. Microsoft has provided several options: Windows Update, Microsoft Update, Microsoft Windows Server Update Services (WSUS), and Microsoft Systems Management Server (SMS). In addition, there are a variety of third-party applications that can assist you with this endeavor.

Note

In today’s environments, distribution of updates is often considered the “easy” part. Automated methods of deployment have made the process fairly simple. However, one of the most important steps, and one of the most often overlooked, is the thorough and complete testing of updates in a lab environment before the release to a production environment. Strongly consider implementing a patch management system that includes adequate time and resources for testing.


Windows Update

Windows Update, located at http://www.microsoft.com/windowsupdate, is a website that scans a local system and determines whether it has the latest updates applicable to the operating system. Windows Update is a very useful tool when dealing with a small number of systems. One shortcoming of Windows Update is that it only addresses updates to the operating system—not to any applications installed on the computer. Windows Update was designed for Microsoft Windows 2000 SP2 and earlier. Those using later versions of the operating system (including Windows 2000 SP3 and higher, Windows 2003, Windows Vista, and Windows XP) can instead use the Microsoft Update discussed in the following section.

Microsoft Update

So, what are you to do for the other Microsoft applications on your system, including Microsoft Outlook? Enter Microsoft Update, located at http://update.microsoft.com. This website offers the same downloads available on the Windows Update site, plus the latest updates for Microsoft Office and other Microsoft applications.

When you visit the website, it scans your computer and allows you to review a list of available updates and select the ones you want to implement.

The site breaks down the available updates into categories, identifying those that are critical to the security and reliability of your computer as high-priority updates. Interestingly enough, updates to the antispam features of Microsoft Outlook are considered high-priority updates as well, showing that Microsoft has listened to the user community and no longer considers spam to be simply a “nuisance.”

One other feature of the Microsoft Update website is the ability to review your update history. By selecting this link, you can see the update, the product it applied to, the status of the implementation, the date it was applied, and the method used to apply the patch—for example, Windows Update or Automatic Updates, which is discussed in the next section.

Like Windows Update, Microsoft Update is intended for managing one system at a time. As useful as it is for individual users and small environments, other alternatives should still be considered for larger organizations.

Note

You can remove an update by using the Add and Remove Programs applet in Control Panel. When this feature first appeared, it had the reputation of being somewhat unreliable. Sometimes, updates were removed and the system experienced problems afterward. However, this process has been greatly improved over the past several years and is significantly more stable and reliable now.


Automatic Updates

One of the most reliable, and least time consuming, methods of implementing updates from Microsoft is built in to Windows Server 2003, Windows Vista, and Windows XP. Known as Automatic Updates, this feature allows your system to automatically download and install high-priority updates, without manual intervention. Optional updates, however, still need to be implemented using other methods.

With Automatic Updates, shown in Figure 2, you can configure the utility to automatically download and install updates on a daily or weekly basis, at the time of day of your choice (for example, every Saturday at 2:00 a.m.).

Figure 2. Configuration options for Automatic Updates.


Alternatively, you can select one of the following options:

  • Download Updates for Me, But Let Me Choose When to Install Them.

  • Notify Me But Don’t Automatically Download or Install Them.

  • Turn Off Automatic Updates.

When connecting to Microsoft Update or Windows Update, this method has a few drawbacks that must be mentioned. First, by automatically downloading and applying hotfixes, you are not afforded the opportunity to download and implement them in a test lab prior to deployment. Second, some high-priority updates require a reboot and might automatically restart your system without your prior approval.

To mitigate these shortcomings, you can configure Automatic Updates to not download and install updates directly from Microsoft, but can instead receive updates from a Microsoft Windows Server Update Services (WSUS) server, discussed next.

Windows Server Update Services (WSUS)

Realizing the increased administration and management efforts that challenge administrators of larger environments, Microsoft created the Microsoft Software Update Services (SUS), and the newer version called Windows Server Update Services (WSUS). This no-charge add-in component is designed to simplify the process of keeping computers in your organization up to date with the latest updates and service packs. WSUS communicates directly and securely with Microsoft to gather the latest security updates for a variety of Microsoft products, including Exchange Server, and enables administrators to manage the distribution of these updates to clients and servers in their environment. By utilizing WSUS, administrators can download updates, test them, and schedule the deployment to additional systems.

Utilizing Background Intelligent Transfer Service (BITS), the application allows administrators to download updates in the background, using available network bandwidth, to minimize the impact on their user community.

WSUS version 3.0 includes a new MMC-based user interface and has the following features:

  • Advanced filtering and reporting

  • Improved performance and reliability

  • Branch office optimizations and reporting rollup

  • Microsoft Operations Manager Management Pack

Note

You can find more information on WSUS and download the product from http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.


Client-Based Virus Protection

One of the primary reasons why the installation of service packs and software updates in a timely manner is so important is the prevalence of computer viruses. Many viruses are written to exploit specific vulnerabilities that are found in computer operating systems and applications—both on clients and servers. Because Microsoft products are used so widely throughout the world, those who create viruses generally write them specifically to attack Microsoft products. This has resulted in the creation of an entire industry focused solely on protecting businesses and individuals from attack.

Companies truly concerned with protecting their environment from attack should use a multilayer approach to virus protection. By including antivirus applications on gateways, Exchange servers, and on the desktop, outbreaks can be prevented, or quickly detected and dealt with.

There are many ways to distribute viruses, and one of the most effective is by installing unauthorized software on a workstation and turning it into a distribution point. This method might (or might not) utilize an existing messaging system. If it does not, gateway and Exchange-level antivirus methods might not be able to help at all. By implementing a separate antivirus solution on the desktop itself, you can minimize your exposure to attack.

An aggressive plan should be in place to keep antivirus signature files and engines up to date. Virus outbreaks that once took days (or weeks) to become widespread can now travel around the globe in a matter of hours. Antivirus updates (often referred to as “signature files”) should be updated daily at a minimum and more often if your product supports it.

Windows Lockdown Guidelines and Standards

Microsoft has gone to great lengths to provide secure and reliable products. This endeavor was not accomplished in a vacuum—Microsoft has worked closely with companies, government agencies, security consultants, and others to identify and address security issues in the computer industry. Through this concerted effort and teamwork, security standards and guidelines have been developed that are applicable to not only Microsoft products, but also to the computing industry as a whole.

In addition to researching and implementing Microsoft recommended security standards and guidelines, responsible administrators can also use recommended best practices that have been compiled by the National Institute of Standards and Technologies (NIST) and the National Security Agency (NSA).

Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their websites (http://www.nist.gov and http://www.nsa.gov, respectively).

 
Others
 
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 2) - Utilizing Security Templates
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 1) - Windows Server 2003 Security Improvements , Windows Vista Security Improvements
- Securing an Exchange Server 2007 Environment : Client-Level Secured Messaging - Exchange Server 2007 Client-Level Security Enhancements
- Microsoft Exchange Server 2010 Requirements : Additional Requirements
- Microsoft Exchange Server 2010 Requirements : Software Requirements (part 2) - Windows Server Roles and Features
- Microsoft Exchange Server 2010 Requirements : Software Requirements (part 1) - Additional Software
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 3) - Disk Requirements
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 2) - Memory Recommendations, Network Requirements
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 1) - The Typical User , CPU Recommendations
- Upgrading to Sharepoint 2013 : Upgrading Service Applications
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS