How To: Implement Patch Management

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Last Revised: January 2006

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: This How To explains patch management, including how to keep single or multiple servers up to date. Additional software is not required, except for the tools available for download from Microsoft.

Operations and security policy should adopt a patch management process. This How To defines the processes required to create a sound patch management system. The patch management process can be automated using the guidance in this How To.

Contents

This How To shows you how to implement each phase of the patch management process. These phases include:

What You Must Know Before You Begin Detecting Assessing Acquiring Testing Deploying Maintaining Additional Resources

What You Must Know

Before using this How To, you should be aware of the following issues and considerations.

The Patch Management Process

Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.

Develop and automate a patch management process that includes each of the following:

  • Detect. Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.
  • Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.
  • Acquire. If the vulnerability is not addressed by the security measures already in place, download the patch for testing.
  • Test. Install the patch on a test system to verify the ramifications of the update against your production configuration.
  • Deploy. Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.
  • Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

The Role of MBSA in Patch Management

The Microsoft Baseline Security Analyzer (MBSA) is a tool that is designed for two purposes: first, to scan a computer against vulnerable configurations; and second, to detect the availability of security updates that are released by Microsoft.

In this How To, you use MBSA without scanning for vulnerable configurations. When using the graphical user interface (GUI), specify this by unchecking the options in Figure 1 and only choosing Check for security updates.

Ff647981.fz2thcm01(en-us,PandP.10).gif

Figure 1

MBSA scan options

When using the command line interface (Mbsacli.exe), you can use the following command to scan only missing security updates.

Mbsacli.exe /n OS+IIS+SQL+PASSWORD

The option /n specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerabilities and weak passwords.

For more details about using MBSA, including the security configuration scan, see "How To: Use MBSA" in the How To section of this guide.

Backups and Patch Management

You should perform backups prior to deploying an update on production servers. Regularly test backups as well as your backup process. Discovering that your backup process is broken during restoration can be devastating.

Before You Begin

This section provides information about downloads and documentation that are needed before you walk through the steps in this How To.

Tools You Will Need

You need the following tools in order to be able to perform the steps in this How To:

  • Microsoft Baseline Security Analyzer (MBSA)

    Download MBSA from the MBSA Home Page: https://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp

  • Latest Mssecure.cab

    By default, MBSA downloads the latest update list (Mssecure.cab) from Microsoft.com. If you do not have Internet access from the computer running MBSA, you must download the file and copy it to the MBSA installation directory. You can download the update file from: https://technet.microsoft.com/en-us/security/cc184923.aspx

  • Microsoft Software Update Service (SUS)

    Microsoft Software Update Services (SUS) Server 1.0 Service Pack 1 (SP1) enables administrators to deploy critical updates to Windows 2000-based, Windows XP, and Windows Server 2003 computers. You can download it from: [Content link no longer available, original URL:"https://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en"]

Detecting

Use MBSA to detect missing security patches for Windows 2000, Windows XP, and Windows Server 2003. You can use MBSA in two modes; GUI and command line. Both modes are used to scan single or multiple computers. The command line can be scripted to run on a schedule.

Note   The login used to run MBSA must be a member of the Administrators group on the target computer(s). To verify adequate access and privilege, use the command net use \\computername\c$ where computername is the network name of a machine which you are going to scan for missing patches. Resolve any issues accessing the administrative share before using MBSA to scan the remote computer.

To manually detect missing updates using the MBSA graphical interface

  1. Run MBSA by double-clicking the desktop icon or by selecting it from the Programs menu.

  2. Click Scan a computer. MBSA defaults to the local computer. To scan multiple computers, select Scan more than one computer and select either a range of computers to scan or an IP address range.

  3. Clear all check boxes except Check for security updates. This option detects uninstalled patches and updates.

  4. Click Start scan. Your server is now analyzed. When the scan is complete, MBSA displays a security report and also writes the report to the %userprofile%\SecurityScans directory.

  5. Download and install the missing updates.

    Click the Result details link next to each failed check to view the list of uninstalled security updates. A dialog box displays the Microsoft security bulletin reference number. Click the reference to find out more about the bulletin and to download the update.

To detect missing updates using the MBSA command line interface

  • From a command window, change directory to the MBSA installation directory, and type the following command:

    mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD
    

    You can also specify a computer name. For example:

    mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD
    

    You can also specify a range of computers by using the /r option. For example:

    mbsacli /r 192.168.0.1-192.168.0.254 /n OS+IIS+SQL+PASSWORD
    

    Finally, you can scan a domain by using the /d option. For example:

    mbsacli /d NameOfMyDomain /n OS+IIS+SQL+PASSWORD
    

To analyze the generated report

  1. Run MBSA by double-clicking the desktop icon or by selecting it from the Programs menu.
  2. Click Pick a security report to view and open the report or reports, if you scanned multiple computers.
  3. To view the results of a scan against the target machine, mouse over the computer name listed. Individual reports are sorted by the timestamp of the report.

As previously described, the advantage of the command line method is that it may be scripted and scheduled to execute. This schedule is determined by the exposure of your systems to hostile networks, and by your security policy.

MBSA Output Explained

The following example was taken using the MBSA version 1.1.

Ff647981.fz2thcm02(en-us,PandP.10).gif

Figure 2

Screenshot of the report details for a scanned machine

The top portion of the MBSA screenshot shown in Figure 2 is self explanatory.

Red crosses indicate that a critical issue has been found. To view the list of missing patches, click the associated Result details link.

The results of a security update scan might show two types of issues:

  • Missing patches
  • Patch cannot be confirmed

Both types include links to the relevant Hotfix and security bulletin pages that provide details about the patch together with download instructions.

Missing patches are indicated by a red cross. An example is shown in Figure 3.

Ff647981.fz2thcm03(en-us,PandP.10).gif

Figure 3

Missing patch indication

When a patch cannot be confirmed, it is indicated by a blue asterisk. This occurs when your system has a file that is newer than the file provided with a security bulletin. This might occur if you install a new version of a product that updates a common file.

Ff647981.fz2thcm04(en-us,PandP.10).gif

Figure 4

Patch cannot be confirmed indication

For updates that cannot be confirmed, review the information in the bulletin and follow the instructions. This may include installing a patch or making configuration changes. For more information on patches that cannot be verified by MBSA, see Microsoft Knowledge Base article, 306460, "HFNetChk Returns Note Messages for Installed Patches."

Assessing

With the list of missing patches identified by MBSA, you must determine if the vulnerabilities pose a significant risk. Microsoft Security Bulletins provide technical details to help you determine the level of threat the vulnerability poses to your systems.

The details from security bulletins that help you assess the risk of attack are:

  • Technical details of requirements an attacker needs to exploit the vulnerability addressed by the bulletin. For example, an attack may require physical access or the user must open a malicious email attachment.

  • Mitigating factors that you need to compare against your security policy to determine your level of exposure to the vulnerability. It may be that your security policy mitigates the need to apply a patch. For example, if you do not have the Indexing Service running on your server, you do not need to install patches to address vulnerabilities in the service.

  • Severity rating that assists in determining priority. The severity rating is based on multiple factors including the role of the machines that may be vulnerable, and the level of exposure to the vulnerability.

    For more information about the severity rating system used by the security bulletins, see the TechNet article, "Microsoft Security Response Center Security Bulletin Severity Rating System" at https://www.microsoft.com/technet/security/bulletin/rating.mspx

    Note   If you use an affected product, you should almost always apply patches that address vulnerabilities rated critical or important. Patches rated critical should be applied as soon as possible.

Acquiring

There are several ways you can obtain patches, including:

  • Using MBSA report details. MBSA links to the security bulletin that contains the patch, or instructions about obtaining the patch. You can use the link to download the patch and save it on your local network. You can then apply the patch to multiple computers.
  • Windows Update. With a list of the updates you want to install, use Internet Explorer on the server that requires the patch, and access https://windowsupdate.microsoft.com/. Then select the required updates for installation. The updates are installed from the site and cannot be downloaded for installation on another computer. Windows Update requires that an ActiveX control is installed on the server (you will be prompted when you visit the site if the control is not found.) This method works well for standalone workstations or where a small number of servers are involved.
  • HotFix & Security Bulletin Search. MBSA includes the Microsoft Knowledge Base article ID of the corresponding article for a given security bulletin. You can use the article ID at the HotFix and Security Bulletin Search site to reach the matching security bulletin. The search page is located at https://www.microsoft.com/technet/security/current.aspx. The bulletin contains the details to acquire the patch.

Testing

If the results of your assessment determine that a patch must be installed, you should test that patch against your system to ensure that no breaking changes are introduced or, if a breaking change is expected, how to work around the change.

Methods for Testing Security Patches

Methods used to test the installation of security patches against your systems include:

  • Testing security patches against a test mirror of your live server configuration and scenario. This method allows you to both test the installation offline, without disrupting service, and the freedom to test workarounds if a breaking change is introduced, again without disrupting service.
  • Testing the patch on a few select production systems prior to fully deploying the update. If a test network that matches your live configuration is not available, this is the safest method to introduce the security patch. If this method is employed, you must perform a backup prior to installing the update.

Confirming the Installation of a Patch

Before deploying a patch to production servers, confirm that the tested patch has made the appropriate changes on the test servers. Each security bulletin includes the information you need to confirm that the patch has been installed. In each bulletin, the Additional information about this patch section contains the entry Verifying patch installation. It includes registry values, file versions, or similar configuration changes that you can use to verify that the patch is installed.

Uninstalling a Security Patch

If you need to uninstall a patch, use Add/Remove Programs in the Control Panel. If an uninstall routine is not an option for the patch and its installation introduces breaking changes, you must restore your system from backup. Make sure that your testing process also covers the patch uninstall routine.

The security bulletin lists the availability of an uninstall routine in the Additonal information about this patch section.

Deploying

If you decide that the patch is safe to install, you must deploy the update to your production servers in a reliable and efficient way. You have a number of options for deploying patches throughout the enterprise. These include:

  • Using Windows Server Update Services (WSUS)
  • Using Systems Management Server (SMS)

Using Windows Server Update Services (WSUS)

WSUS provides a way to automatically deploy crucial updates and security rollups to computers throughout a network, without requiring you to visit each computer or write script. For more information about WSUS, see "Windows Server Update Services Product Information" at https://technet.microsoft.com/en-us/wsus/bb466202.aspx.

Using Systems Management Server (SMS)

SMS is an enterprise management tool for delivering configuration and change management of Microsoft Windows server and workstation operating systems. For more information about using SMS to deploy updates, see TechNet article, "Patch Management Using Microsoft Systems Management Server" at https://technet.microsoft.com/en-us/solutionaccelerators/default.aspx.

Maintaining

Bringing your servers up to date with the latest patches is part of the patch management cycle. The patch management cycle begins again by knowing when new security vulnerabilities are found and missing security updates become available.

Keeping your servers up to date with the latest security patches involves this entire cycle. You start the cycle again by:

  • Performing security assessments
  • Using security notification services

Performing Security Assessments

Use MBSA to regularly check for security vulnerabilities and to identify missing patches and updates. Schedule MBSA to run daily and analyze the results to take action as needed. For more information about automating MBSA, see "How To: Use MBSA" in the How To section of this guide.

Using Security Notification Services

Register to receive notifications of security bulletins released by Microsoft. Use the following services:

Additional Considerations

When bringing a new service online on an existing server, run MBSA to verify the patches for the service have been applied prior to having the server and service listening on the network. For example, disconnect the network cable or apply network based rules that block the newly added service's ports.

Additional Resources

For related information, see the following resources:

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

© Microsoft Corporation. All rights reserved.