Don’t forget the KB’s

December 14th, 2006 by mb

With Microsoft’s ongoing improvements to the patch management process, you may find yourself letting automation take over on Patch Tuesday. I sat down at my PC this morning and saw that it had rebooted because it automatically installed new updates. Although I spent half the day yesterday writing patch reports for several clients, I forgot to apply the patches on my own system. The fact is that nowadays you can get away with doing that.

With better patch detection in place and greatly improved patch quality, it’s tempting to just sit back and let the cruise control take over. But even if you do that, don’t forget to read the security bulletins and the Knowledge Base articles they link to. The KBs are a great source for, well, knowledge.

The KBs and security bulletins are quite detailed nowadays. The KB article lists the known issues with a patch (side effects, prerequisites, whether a reboot is required), and the bulletin describes the attack vector. My two favorite sections of the security bulletins are the Mitigating Factors and Workarounds. Mitigating Factors tells you which configurations are not exposed at all (the vulnerable component isn’t installed, a default setting already blocks the vector), and Workarounds tells you how to block the vector on a system you can’t patch yet. The patches fix the flaws in the code, but these two sections in the security bulletin teach us how we might have prevented the problem in the first place.

Prevention. Usually we call it hardening. Most issues addressed in the security bulletins are preventable, and often foreseeable. Patch management is a critical part of a security plan, but prevention can make patch management less urgent: a patch for a component that isn’t installed, or that nothing can reach, closes no exposure, so it can wait for the normal change window rather than an emergency one. Less urgent is not the same as unnecessary, though; a removed component can come back with a later install, so the patch still goes in on schedule. The fact is that most months I really wouldn’t need to install any patches on my critical servers. SNMP? Not installed. Media Player? Removed. Outlook Express? Gone.

I have an extremely detailed hardening process, but I constantly improve it. With each new vulnerability I ask myself: how could this have been prevented, and was it foreseeable? The security bulletins and KBs often answer these questions for me and give me a few nuggets to add to my lockdown process. For example, here are some of the prevention tips I gathered from this month’s batch of security bulletins:

MS06-073 (Visual Studio 2005) - Set the kill bit on the WMI Object Broker control
MS06-078 (Windows Media Format) - Set the kill bits for various versions of Media Player
MS06-074 (SNMP service) - Set IP address restrictions for the SNMP service
MS06-077 (Remote Installation Service) - Configure the TFTP service as read only
MS06-076 (Outlook Express / Windows Address Book) - Remove the .wab file association
MS06-072 (Internet Explorer cumulative update) - Disable “Drag and Drop or copy and paste files” in Internet Explorer
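Most of those workarounds are registry changes, and the bulletins give them as .reg snippets. The script below is an added example, not from the original post or from Microsoft: it applies the same changes from one place and, more importantly, checks that each one actually took. It assumes Windows PowerShell is installed (a separate download at the time), that it runs elevated, and that you fill in the CLSIDs and SNMP manager addresses from the bulletin text; none are hard-coded here, and the sample manager address in the usage line is made up. The TFTP read-only change for RIS (MS06-077) is left out because it depends on how the RIS server is set up, and the IE setting is applied to the current user only.

```powershell
# Added example (not the post's or Microsoft's code). Applies kill bits, SNMP
# PermittedManagers, the .wab association removal and IE URL action 1802, then
# verifies each. CLSIDs/managers are parameters: copy them from the bulletins.
param(
    [string[]]$KillBitClsids = @(),   # MS06-073 / MS06-078 control CLSIDs, e.g. '{XXXXXXXX-...}'
    [string[]]$SnmpManagers  = @(),   # MS06-074: hosts allowed to send SNMP to this box
    [switch]$RemoveWabAssociation,    # MS06-076
    [switch]$DisableIeDragDrop        # MS06-072
)

# COMPAT_EVIL_DONT_LOAD: with this bit set, IE refuses to instantiate the control
$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$SnmpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers'
$IeZone3    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Set-KillBit([string]$Clsid) {
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    # OR the bit in so that flags Microsoft already set on the control survive
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]($flags -bor $KillBit)) -Type DWord
}

function Test-KillBit([string]$Clsid) {
    $flags = (Get-ItemProperty -Path "$CompatRoot\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-SnmpPermittedManagers([string[]]$Managers) {
    if (-not (Test-Path $SnmpKey)) { Write-Warning 'SNMP service is not installed; nothing to restrict'; return }
    # An empty PermittedManagers key means "accept packets from any host", so never write one
    if ($Managers.Count -eq 0) { throw 'Refusing to write an empty PermittedManagers list' }
    # Entries are string values named 1, 2, 3 ...; replace whatever is there with the allow-list
    foreach ($name in (Get-Item $SnmpKey).GetValueNames()) { Remove-ItemProperty -Path $SnmpKey -Name $name }
    $i = 1
    foreach ($m in $Managers) { New-ItemProperty -Path $SnmpKey -Name $i -Value $m -PropertyType String | Out-Null; $i++ }
    Restart-Service -Name SNMP
}

function Test-SnmpPermittedManagers([string[]]$Managers) {
    if (-not (Test-Path $SnmpKey)) { return $true }   # not installed: nothing is listening
    $reg = Get-Item $SnmpKey
    $configured = @($reg.GetValueNames() | ForEach-Object { $reg.GetValue($_) })
    return ($configured.Count -gt 0) -and (@(Compare-Object $configured $Managers).Count -eq 0)
}

function Remove-WabAssociation {
    # MS06-076 workaround: with no .wab association, a mailed address book file
    # no longer opens the vulnerable parser when double-clicked
    $key = 'Registry::HKEY_CLASSES_ROOT\.wab'
    if (Test-Path $key) {
        $backup = "$env:TEMP\wab-assoc-backup.reg"            # keep the change reversible
        if (Test-Path $backup) { Remove-Item $backup }
        reg.exe export 'HKCR\.wab' $backup | Out-Null
        Remove-Item -Path $key -Recurse
    }
}

function Disable-IeDragDrop {
    # MS06-072 workaround: URL action 1802 = "Drag and drop or copy and paste files",
    # value 3 = Disable, zone 3 = Internet. HKCU covers the current user only;
    # use policy if it has to cover every profile on the machine.
    Set-ItemProperty -Path $IeZone3 -Name '1802' -Value 3 -Type DWord
}

function Test-IeDragDropDisabled {
    return ((Get-ItemProperty -Path $IeZone3 -Name '1802' -ErrorAction SilentlyContinue).'1802' -eq 3)
}

# Apply, then verify; a workaround you only think you applied is worse than none
foreach ($c in $KillBitClsids) {
    Set-KillBit $c
    if (Test-KillBit $c) { "kill bit set: $c" } else { Write-Error "kill bit NOT set: $c" }
}
if ($SnmpManagers.Count -gt 0) {
    Set-SnmpPermittedManagers $SnmpManagers
    "SNMP restricted to allow-list: $(Test-SnmpPermittedManagers $SnmpManagers)"
}
if ($RemoveWabAssociation) { Remove-WabAssociation; ".wab association still present: $(Test-Path 'Registry::HKEY_CLASSES_ROOT\.wab')" }
if ($DisableIeDragDrop)    { Disable-IeDragDrop;    "IE drag/drop disabled: $(Test-IeDragDropDisabled)" }
```

Typical use, with the CLSIDs taken from the bulletin and a constructed monitoring host address: `.\harden-dec2006.ps1 -KillBitClsids '{clsid-from-MS06-073}','{clsid-from-MS06-078}' -SnmpManagers 10.0.0.5 -RemoveWabAssociation -DisableIeDragDrop`. The check functions are the part worth keeping in your lockdown process: run them again after the next service pack or application install, because an installer that re-registers a control or recreates the .wab association silently undoes the workaround.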

Posted in Hardening, Patch Management
