What you will learn from this tip: Options for patching endpoints in heterogeneous environments.
Given the fact that almost all networks are connected to the Internet nowadays, your one hope of staying secure is to constantly patch all machines on the network with the latest vulnerability fixes. This may not be a big deal in environments consisting only of Windows 2003 servers and Windows XP workstations, for which you can simply use Microsoft's Software Update Services (SUS), System Management Server (SMS) or any number of third-party...
tools for patch updates. However, if your computers are running non-Microsoft operating systems or non-PC devices, or if your VPN allows connections by computers not controlled by your company, keeping everything up-to-date on your network becomes much more complex -- although not impossible.
Comprehensive patch management for heterogeneous environments is considerably more difficult and more expensive than homogenous environments, but there are ways to manage patches in such environments. In the sections below, I discuss some of your options in difficult patch management situations.
Patching networked devices
Many people don't realize it, but networked non-PC devices, such as personal digital assistants (PDAs), can pose a significant threat to your network's security. Of all the PDAs you see people using in your company, how many of those PDAs does your company own and maintain? People often bring PDAs into the workplace running an out-of-the-box configuration and attach them to the network. Although PDA-based exploits aren't as common as PC-based exploits, there are documented cases, nevertheless, where Trojans were found running on PDAs. Unless you control PDA usage in your company, you could be exposing your network and the data it contains to exploits.
The best way I know to counter such threats is to establish a policy mandating that only PDAs issued by the company are allowed to be connected to the corporate network or to computers belonging to the company. Once you control all of the PDAs used throughout the company, you can focus on patch management.
An easy way to patch your mobile devices is to make sure they are running Windows CE 4.2 or higher or Windows Mobile 2003 or higher. You can then use the SMS 2003 Device Management Feature Pack to manage mobile devices exactly as you would computers on your network. SMS can discover mobile devices and automatically deploy patches to them.
Patching heterogeneous operating systems
Keeping heterogeneous operating systems patched is more difficult than keeping a purely Windows environment patched. Doing so requires third-party software. There are lots of patch-management solutions out there, but the best choice for your organization will depend greatly on the operating systems being used and on your budget.
For organizations running only Windows and Linux operating systems, I like GFI Software Limited's LANguard Network Security Scanner because it's reasonably priced, it does a good job, and it's easy to use.
If you require a more comprehensive patch-management solution, check out Citadel Security Software Inc.'s Hercules. I have never actually used this product, so I can't tell you how good it is, but it exemplifies a tool that can patch Windows, AIX, HP-UX, Solaris, Linux and Mac OSX.
Patching remote computers not controlled by your company
Unpatched computers passing through corporate VPNs have proved particularly troublesome for sometime now. There is a solution built into Windows Server 2003, but it can be extremely difficult to use. The solution is called Network Access Quarantine Control, which places a machine in a quarantined environment when it connects to your network. At that point, you run a query to make sure the operating system has all of the latest patches and the remote system is running an approved antivirus program with up-to-date virus definitions. If everything checks out, the PC is allowed to connect to the network. If the machine does not meet all of the requirements set forth by the corporate security policy, the patches are either applied on the spot or the connection is severed (your choice).
As I mentioned, though, the big problem with quarantine mode is that you practically need a doctorate in computer science to configure it -- it is script intensive. However, rumor has it that Microsoft will greatly simplify quarantine mode in Windows Server 2003 R2, to be released later this year. The company also plans to change the name to Network Access Protection (NAP).
- Take a look at tools that enforce network device compliance.
- News, tips and expert advice on endpoint security.
- How to undo Windows patching mistakes.
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.