Wednesday, 26 February 2014

MICROSOFT PATCH MANAGEMENT

Patch management is a circular process and must be ongoing. The unfortunate reality about software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed tomorrow.

Develop and automate a patch management process that includes each of the following:

Detect: Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.

Assess: If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.

Acquire: If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

Test: Install the patch on a test system to verify the effects of the update against your production configuration.

Deploy: Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.

Maintain: Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.
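The Detect and Assess steps above can be scripted for the local computer. The following is an added example, not part of the original post; it uses the Windows Update Agent COM API rather than MBSA, and the exit codes and the Critical/Important threshold are assumptions made for this example.

```powershell
# Added example: "Detect" and "Assess" for the local computer.
# Uses the Windows Update Agent COM API (not MBSA) to list missing security updates.
# Assumption: the exit codes and the Critical/Important threshold are this example's policy.

$SecurityUpdates = '0fa1201d-4330-4fa8-8ae9-b877473b6441'   # "Security Updates" classification ID
$rank = @{ 'Critical' = 4; 'Important' = 3; 'Moderate' = 2; 'Low' = 1 }

# Detect: ask the agent (it queries the configured source, WSUS or Windows Update)
# for applicable security updates that are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$criteria = "IsInstalled=0 and Type='Software' and CategoryIDs contains '$SecurityUpdates'"
$result   = $searcher.Search($criteria)

# Assess: reduce each update to the fields needed for a severity decision.
$missing = foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unspecified' }
    [pscustomobject]@{
        Severity = $sev
        Rank     = [int]$rank[$sev]     # 0 when the severity is unspecified
        KB       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Bulletin = @($u.SecurityBulletinIDs) -join ','
        Title    = $u.Title
    }
}

$missing = @($missing | Sort-Object Rank -Descending)
if ($missing.Count -eq 0) {
    'No missing security updates detected.'
    exit 0
}

# Most severe first, so the assessment starts with the highest-risk items.
$missing | Format-Table Severity, KB, Bulletin, Title -AutoSize

# A non-zero exit code lets a scheduled task trigger the rest of the process:
# 2 = Critical or Important updates missing, 1 = only lower-severity updates missing.
$urgent = @($missing | Where-Object { $_.Rank -ge 3 })
if ($urgent.Count -gt 0) { exit 2 } else { exit 1 }
```

Run it from a scheduled task so that detection is automated, and treat the severity column as the starting point for the Assess step rather than its conclusion, since mitigating factors in your environment still need to be weighed.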

The Role of MBSA in Patch Management
The Microsoft Baseline Security Analyzer (MBSA) is a tool that is designed for two purposes:
1. To scan a computer for vulnerable configurations
2. To detect the availability of security updates that are released by Microsoft

MBSA scan options
When using the command-line interface (Mbsacli.exe), you can use the following command to scan only for missing security updates.

Mbsacli.exe /n OS+IIS+SQL+PASSWORD

The option /n specifies the checks to skip. The selection (OS+IIS+SQL+PASSWORD) skips the checks for vulnerabilities and weak passwords.

From a command window, change directory to the MBSA installation directory, and type the following command:

mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD

You can also specify a computer name. For example:

mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD

You can also specify a range of computers by using the /r option. For example:

mbsacli /r 192.168.0.1-192.168.0.254 /n OS+IIS+SQL+PASSWORD

Finally, you can scan a domain by using the /d option. For example:


mbsacli /d NameOfMyDomain /n OS+IIS+SQL+PASSWORD
