Painful patching: How to lock down networked devices

Given the fact that almost all networks are connected to the Internet nowadays, your one hope of staying secure is to constantly patch all machines on the network with the latest vulnerability fixes. This may not be a big deal in environments consisting only of Windows 2003 servers and Windows XP workstations, for which you can simply use Microsoft's Software Update Services (SUS), System Management Server (SMS) or any number of third-party tools for patch updates. However, if your computers are running non-Microsoft operating systems or non-PC devices, or if your VPN allows connections by computers not controlled by your company, keeping everything up-to-date on your network becomes much more complex -- although not impossible.

Comprehensive patch management for heterogeneous environments is considerably more difficult and more expensive than homogenous environments, but there are ways to manage patches in such environments. In the sections below, I discuss some of your options in difficult patch management situations.

Patching networked devices

Many people don't realize it, but networked non-PC devices, such as personal digital assistants (PDAs), can pose a significant threat to your network's security. Of all the PDAs you see people using in your company, how many of those PDAs does your company own and maintain? People often bring PDAs into the workplace running an out-of-the-box configuration and attach them to the network. Although PDA-based exploits aren't as common as PC-based exploits, there are documented cases, nevertheless, where Trojans were found running on PDAs. Unless you control PDA usage in your company, you could be exposing your network and the data it contains to exploits.

The best way I know to counter such threats is to establish a policy mandating that only PDAs issued by the company are allowed to be connected to the corporate network or to computers belonging to the company. Once you control all of the PDAs used throughout the company, you can focus on patch management.

An easy way to patch your mobile devices is to make sure they are running Windows CE 4.2 or higher or Windows Mobile 2003 or higher. You can then use the SMS 2003 Device Management Feature Pack to manage mobile devices exactly as you would computers on your network. SMS can discover mobile devices and automatically deploy patches to them.

Patching heterogeneous operating systems

Keeping heterogeneous operating systems patched is more difficult than keeping a purely Windows environment patched. Doing so requires third-party software. There are lots of patch-management solutions out there, but the best choice for your organization will depend greatly on the operating systems being used and on your budget.

For organizations running only Windows and Linux operating systems, I like GFI Software Limited's LANguard Network Security Scanner because it's reasonably priced, it does a good job, and it's easy to use.

If you require a more comprehensive patch-management solution, check out Citadel Security Software Inc.'s Hercules. I have never actually used this product, so I can't tell you how good it is, but it exemplifies a tool that can patch Windows, AIX, HP-UX, Solaris, Linux and Mac OSX.

Patching remote computers not controlled by your company

Unpatched computers passing through corporate VPNs have proved particularly troublesome for sometime now. There is a solution built into Windows Server 2003, but it can be extremely difficult to use. The solution is called Network Access Quarantine Control, which places a machine in a quarantined environment when it connects to your network. At that point, you run a query to make sure the operating system has all of the latest patches and the remote system is running an approved antivirus program with up-to-date virus definitions. If everything checks out, the PC is allowed to connect to the network. If the machine does not meet all of the requirements set forth by the corporate security policy, the patches are either applied on the spot or the connection is severed (your choice).

As I mentioned, though, the big problem with quarantine mode is that you practically need a doctorate in computer science to configure it -- it is script intensive. However, rumor has it that Microsoft will greatly simplify quarantine mode in Windows Server 2003 R2, to be released later this year. The company also plans to change the name to Network Access Protection (NAP).

• Take a look at tools that enforce network device compliance.
• News, tips and expert advice on endpoint security.
• How to undo Windows patching mistakes.

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics IE 8 beta 2 security features may mark improvements for browser security Screencast: How to use Nipper to create network security reports Mining enterprise SIM logs for relevant security event data How to configure NAP for Windows Server 2008 Exploring Microsoft's Network Access Protection policy options Screencast: How to use Wikto for Web server assessment How to avoid DLP implementation pitfalls Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? How to patch Kaminsky's DNS vulnerability Directory services and beyond: The future of LDAP Endpoint Security Companies Finding a Place for Maturing NAC Projects Product Review: Sophos Endpoint Security and Control 8.0 PCI DSS 1.2 clarifies wireless, antivirus use Hidden endpoints: Mitigating the threat of non-traditional network devices Symantec launches Endpoint Management Suite Symantec to offer Endpoint Management Suite Sophos finds patching issues through endpoint NAC tool Websense, Reconnex top Forrester ranking of DLP vendors Cisco, EMC to partner on data protection, PCI Product review: Promisec's Spectator Patch Management Eleven patches due from Microsoft next week Microsoft provides guidance on GDI flaws Microsoft plugs Media Player, graphics handling flaws Microsoft to patch critical flaws in Office, SQL Server Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? Microsoft patches critical Access, Excel flaws Inside MSRC: Microsoft addresses critical Snapshot Viewer flaw Microsoft to issue seven critical August patches Microsoft to revamp patching, add exploitability index Valuable lesson emerges from DNS flaw handling RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary brute force cracking  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) Crash Course: Spyware  (SearchSecurity.com) email spoofing  (SearchSecurity.com) endpoint security  (SearchSecurity.com) phishing  (SearchSecurity.com) rootkit  (SearchSecurity.com) social engineering  (SearchSecurity.com) tunneling  (SearchSecurity.com) Wired Equivalent Privacy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.