Management of Security Updates in the Windows 2000 Environment
| Content Provider | Semantic Scholar |
|---|---|
| Author | Cebula, Jim |
| Copyright Year | 2019 |
| Abstract | Diligence in the timely deployment of security updates is necessary as part of any effective security program. This paper will address the following areas: • Mitigating some risks by initially deploying a secure base configuration • Learning of newly discovered vulnerabilities • Getting the security updates • Testing the security updates in a non-production environment • Scanning production systems for patch installation status • Deploying the security updates • Management policy. While the focus of this paper will be on the enterprise or corporate computing environment, some issues affecting the home or small business user will be highlighted as well. Also, the scope of this paper is limited to the Microsoft Windows 2000 server and Windows 2000/XP desktop operating systems, widely deployed Microsoft server applications such as SQL Server and Internet Information Services (IIS) Server, and key desktop applications such as Internet Explorer and the Office productivity suite. Although non-Microsoft operating systems and applications are not discussed here, proper management of security updates for these products is equally important to the overall effectiveness of the security program. |
| File Format | PDF HTM / HTML |
| Alternate Webpage(s) | https://www.sans.org/reading-room/whitepapers/win2k/management-security-updates-windows-2000-environment-938 |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |

© SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights.

SECURING THE INITIAL DEPLOYMENT

The first and most important step that can be taken toward securing an organization's computing environment is to deploy systems in a secure state initially. This statement may seem unnecessary, but in fact many systems (particularly Microsoft products) by default install in an open configuration where many features are enabled and not secured. To mitigate vulnerabilities, steps need to be taken to disable features that will not be in use and to secure various settings and permissions. This needs to be done before considering a strategy for management of updates and prior to placing the systems into production. Microsoft has stated that enhancing the security of default installs is a corporate goal (Refs. 1 and 2), but in reality they are not there yet. Fortunately, a number of tools and guides are available from Microsoft and others to facilitate the task of establishing a secure base configuration.

Security settings in Windows 2000/XP are managed through group policy objects that are either applied locally at the machine or are enforced through Active Directory (AD) for machines belonging to an AD domain. Collections of security settings are defined in template (.inf) files. The Microsoft Security Configuration and Analysis tool (Ref. 3) allows an administrator to quickly compare the settings in a template against the actual settings on a machine and examine the differences. Windows 2000 ships with a number of templates for workstations, member servers, and domain controllers. Three versions of the templates are available, allowing the user to establish basic, secure, or highly secure settings. Microsoft has also developed and documented an additional set of templates based on a modified version of the highly secure templates provided with Windows 2000 (Ref. 4). The referenced documents provide instructions on how to implement the settings defined in the templates, either locally or through AD.

The Center for Internet Security (CIS), in collaboration with the SANS Institute, the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), and the General Services Administration (GSA), has developed a set of consensus baseline security templates for Windows 2000 (Ref. 5). Two levels of consensus templates are provided. The Level 1 templates provide a minimum acceptable level of security. The Level 2 templates are available for both Windows 2000 Professional and Server and are known as the Gold Standard. These provide a step increase in the level of security and have been determined by the consortium of organizations listed above to represent a best practice. In fact, it has been estimated that about 85% of successful computer system attacks could have been prevented if the systems had been secured using the Gold Standard (Ref. 6).

NSA has provided additional guides and templates (Ref. 7) that go beyond the scope of the Gold Standard guides by covering Windows XP and Windows 2000 Domain Controllers. NSA also provides extensive guide documents to accompany the templates. For Windows 2000 Server, the guides not only cover the operating system, but also discuss hardening specific features such as DNS, DHCP, Kerberos, and Encrypting File System (Ref. 8). In addition to NSA, the Computer Incident Advisory Capability (CIAC), operated by the Lawrence Livermore National Laboratory, provides configuration guides and templates for use by the Department of Energy (DOE) (Ref. 9).

As shown above, there are a number of tools and pre-defined templates available to enable varying levels of security to be quickly established on an organization's systems. Unfortunately, there is no one-size-fits-all solution here. For example, disabling certain services may cause applications used by the organization to break. The best practice would be to proceed as follows. First, review several of the templates and their documentation. Next, make some reasonable decisions about what changes need to be made to suit the organization's needs. Then, test and document the settings. Finally, establish the revised template as the baseline security model for the organization.

LEARNING OF NEWLY DISCOVERED VULNERABILITIES

Deployment of an initially secure configuration, as described in the previous section, is an excellent first step toward a secure computing environment, but it is only the beginning. The newly-deployed secure systems will not stay secure for long, since new vulnerabilities in Microsoft products are discovered and publicized at a rapid pace. A quick check of the Microsoft TechNet archive of security bulletins (Ref. 10) indicates that as of this writing, Microsoft has already issued 6 security bulletins in 2003. In 2002, 72 bulletins were issued, 60 were issued in 2001, and 100 in 2000. The sheer number of vulnerabilities and the exploits that result when the vulnerabilities are left unpatched have caused considerable bad publicity for Microsoft. In fact, in March 2002 the WORM_GIBE.A virus began propagating on the Internet as an e-mail attachment designed to look like a Microsoft security bulletin (Ref. 11).

Given the statistics above, it's clear that system administration and security personnel are required to stay abreast of the latest vulnerability announcements. The most important step to take here is to subscribe to one of Microsoft's e-mail notification services. Microsoft provides two options for e-mail notification of updates. One is the Microsoft Security Update newsletter (Ref. 12), which is geared toward the home user or someone not interested in the technical details of the vulnerability. The other, and the one recommended for system administration and security practitioners, is the Microsoft Security Notification Service (Ref. 13). The Security Notification Service provides an e-mail version of the security bulletin that has been digitally signed, so that a recipient can distinguish a genuine bulletin from a forgery such as the worm described earlier.

The Microsoft security bulletins themselves provide a wealth of information concerning the technical details of the vulnerability, mitigating factors, affected systems, severity ratings, links to the patches, and verification of the patch installation. The bulletins also provide valuable information on patch dependencies, installation requirements, and links to any relevant Knowledge Base articles. It is important to note that other security organizations, such as the Computer Emergency Response Team Coordination Center (CERT/CC) located at Carnegie Mellon University, and CIAC often issue their own identification numbers and bulletins covering Microsoft vulnerabilities. However, the CERT and CIAC bulletins often either refer back or directly link to the relevant Microsoft bulletin. Therefore, subscribing to the Microsoft bulletins is generally a good practice for administrators to provide early notification of security issues.

Another excellent source of regularly updated vulnerability information is the SANS/FBI Top 20 list (Ref. 14). The list contains the top 10 vulnerabilities in both Windows and UNIX. For each vulnerability identified, specific detailed steps to mitigate it are provided. The items on the Top 20 list are somewhat different from the items reported in Microsoft bulletins. Top 20 list vulnerabilities address known weaknesses in the system and are often mitigated by disabling a specific feature or setting, rather than by applying a patch. The Top 20 are also geared toward resolving a small number of critical vulnerabilities that have been shown to cause a large number of exploits.

GETTING THE SECURITY UPDATES

A number of sources are available to obtain the required Microsoft security updates. The first, but least automated, method is by direct download from Microsoft. The Microsoft TechNet archive of security bulletins (Ref. 10) con
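The comparison that the Security Configuration and Analysis tool performs, and on which the review, decide, test and document, then baseline procedure in the SECURING THE INITIAL DEPLOYMENT section relies, as an added example that is not code from the paper, from Microsoft or from CIS: a Python script that parses secedit-style .inf templates, layers the organization's documented deviations over a vendor template to form the baseline, and reports every setting on which a machine's exported configuration differs. The three INF texts inside the script are constructed for this example (styled after the Windows 2000 hisecws layout, not the real templates), and the scenario in which the organization re-enables the Remote Registry service because a remote patch-status scanner needs it is an assumption chosen to illustrate the "disabling certain services may break applications" caveat. Python is used so the logic runs anywhere; on the Windows 2000 machine itself the equivalent steps are `secedit /export /cfg <file>` to produce the machine's INF and `secedit /analyze` against a database built from the template.

```python
"""Baseline-vs-machine comparison of Windows security template (.inf) settings.

Added example: a portable re-implementation of the comparison that the
Security Configuration and Analysis snap-in (or `secedit /analyze`) performs.
All INF texts below are constructed for this example.
"""
from __future__ import annotations

# Sections the comparison covers. In [Service General Setting] each line is
# ServiceName,StartType,SDDL (start type 2=automatic, 3=manual, 4=disabled);
# the other sections are key = value, with REG_DWORD registry values written
# as 4,<number> under [Registry Values].
COMPARED_SECTIONS = ("System Access", "Registry Values",
                     "Privilege Rights", "Service General Setting")


def parse_template(text: str) -> dict[str, dict[str, object]]:
    """Parse a secedit-style INF into {section: {key: value}}."""
    sections: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:                           # data before any header
            continue
        if current == "Service General Setting":
            parts = [p.strip() for p in line.split(",", 2)]
            if len(parts) != 3:                       # malformed service line
                continue
            name, start_type, sddl = parts
            sections[current][name] = (start_type, sddl.strip('"'))
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def build_baseline(vendor: dict, org_overrides: dict) -> dict:
    """Layer the organisation's documented deviations over a vendor template.
    A setting in the override template replaces the vendor value, as applying
    a second template over the first would."""
    merged = {section: dict(settings) for section, settings in vendor.items()}
    for section, settings in org_overrides.items():
        merged.setdefault(section, {}).update(settings)
    return merged


def analyze(baseline: dict, actual: dict) -> list[tuple]:
    """Return (section, key, expected, actual) for every baseline setting the
    machine does not match. Keys compare case-insensitively, as secedit does;
    a setting absent from the machine export is reported with actual=None."""
    findings = []
    for section in COMPARED_SECTIONS:
        got = {k.lower(): v for k, v in actual.get(section, {}).items()}
        for key, expected in baseline.get(section, {}).items():
            observed = got.get(key.lower())
            if observed != expected:
                findings.append((section, key, expected, observed))
    return findings


# Constructed vendor template, styled after the Windows 2000 hisecws layout.
VENDOR_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Service General Setting]
RemoteRegistry,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed organisational override (an assumed scenario): the vendor template
# disables Remote Registry, but the organisation's remote patch-status scanner
# needs it, so the documented baseline sets it back to automatic.
ORG_OVERRIDES = r"""
[Service General Setting]
RemoteRegistry,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

# Constructed machine export, as `secedit /export /cfg <file>` would produce it,
# showing drift: shorter passwords, anonymous enumeration re-enabled,
# LockoutBadCount no longer set, and Remote Registry disabled again.
MACHINE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
[Service General Setting]
RemoteRegistry,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""


def run_example() -> list[tuple]:
    """Compare the constructed machine export against the layered baseline."""
    baseline = build_baseline(parse_template(VENDOR_TEMPLATE),
                              parse_template(ORG_OVERRIDES))
    return analyze(baseline, parse_template(MACHINE_EXPORT))


def format_findings(findings: list[tuple]) -> list[str]:
    """One line per mismatch, suitable for pasting into a change ticket."""
    lines = []
    for section, key, expected, observed in findings:
        shown = "not set" if observed is None else observed
        lines.append(f"[{section}] {key}: baseline={expected} machine={shown}")
    return lines


if __name__ == "__main__":
    for line in format_findings(run_example()):
        print(line)
```

Run against the constructed data the script reports four deviations: the password length, the missing lockout threshold, RestrictAnonymous back at 0, and Remote Registry disabled again, which is exactly the class of change (a well-meant hardening that silently breaks the patch scanner) that the organization's documented baseline exists to catch. Because the baseline is the layered result rather than the vendor template, a machine that matches the organization's own decisions produces no findings.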