Microsoft Patch Management
Patch management is a circular process
and must be ongoing. The unfortunate reality about software vulnerabilities is
that, after you apply a patch today, a new vulnerability must be addressed
tomorrow.
Develop and automate a patch management process that includes each
of the following:
Detect:
Use tools to scan your systems for missing security patches. The detection
should be automated and will trigger the patch management process.
Assess:
If necessary updates are not installed, determine the severity of the issue(s)
addressed by the patch and the mitigating factors that may influence your
decision. By balancing the severity of the issue and mitigating factors, you
can determine if the vulnerabilities are a threat to your current environment.
Acquire:
If the vulnerability is not addressed by the security measures already in
place, download the patch for testing.
Test:
Install the patch on a test system to verify the ramifications of the update
against your production configuration.
Deploy:
Deploy the patch to production computers. Make sure your applications are not
affected. Employ your rollback or backup restore plan if needed.
Maintain:
Subscribe to notifications that alert you to vulnerabilities as they are
reported. Begin the patch management process again.
The Role of MBSA in Patch Management
The Microsoft Baseline Security Analyzer (MBSA) is a tool that is
designed for two purposes:
1. To scan a computer for vulnerable configurations
2. To detect the availability of security updates that are released by Microsoft
MBSA scan options
When using the command line interface (Mbsacli.exe), you can use the following command to scan only for missing security updates:
Mbsacli.exe /n OS+IIS+SQL+PASSWORD
The option /n specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerable configurations and weak passwords, so only the security update check runs.
From a command window, change directory to the MBSA installation directory, and type the following command:
mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD
You can also specify a computer name. For example:
mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD
You can also specify a range of computers by using the /r option. For example:
mbsacli /r 192.168.0.1-192.168.0.254 /n OS+IIS+SQL+PASSWORD
Finally, you can scan a domain by using the /d option. For example:
mbsacli /d NameOfMyDomain /n OS+IIS+SQL+PASSWORD
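The Detect step above should be automated, so here is an added example (not from the original post) that wraps the four mbsacli target forms shown on this page: it reads a constructed "kind target" list, validates the IP and range forms before anything is launched, builds the same command lines as above, and runs them with the /n OS+IIS+SQL+PASSWORD selection. It assumes it is run from the MBSA installation directory (or that MBSACLI is set to the full path), and it does not parse the scan output.

```python
"""Automate the Detect step: run mbsacli against a list of targets."""
import ipaddress
import subprocess
from typing import List, Optional, Tuple

# Assumption: run from the MBSA installation directory, or set a full path here.
MBSACLI = "mbsacli.exe"
# Checks to skip so that only missing security updates are reported.
SKIP_CHECKS = "OS+IIS+SQL+PASSWORD"
# Target kind -> mbsacli switch, as shown in the examples on this page.
SWITCH = {"ip": "/i", "computer": "/c", "range": "/r", "domain": "/d"}

def build_args(kind: str, target: str) -> List[str]:
    """Return the argv for one target; raise ValueError on malformed input."""
    if kind not in SWITCH:
        raise ValueError(f"unknown target kind: {kind}")
    if kind == "ip":
        ipaddress.IPv4Address(target)            # raises if not a dotted quad
    elif kind == "range":
        start, _, end = target.partition("-")
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"range start is after end: {target}")
    elif kind == "computer" and "\\" not in target:
        raise ValueError(f"computer target must be DOMAIN\\name: {target}")
    return [MBSACLI, SWITCH[kind], target, "/n", SKIP_CHECKS]

def parse_targets(text: str) -> List[Tuple[str, str]]:
    """Parse 'kind target' lines; blank lines and # comments are ignored."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, target = line.partition(" ")
        pairs.append((kind.lower(), target.strip()))
    return pairs

def run_scans(text: str, dry_run: bool = True) -> List[Tuple[str, Optional[int]]]:
    """Scan each target; with dry_run the commands are built but not executed."""
    results = []
    for kind, target in parse_targets(text):
        args = build_args(kind, target)          # validate before launching anything
        if dry_run:
            results.append((target, None))
            continue
        proc = subprocess.run(args, capture_output=True, text=True)
        results.append((target, proc.returncode))
    return results

# Constructed sample target list (hypothetical hosts, not real infrastructure).
TARGETS = """# kind target
ip 127.0.0.1
computer CORP\\fileserver01
range 192.168.0.1-192.168.0.254
domain CORP
"""
```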