Security Basics mailing list archives
Re: Patching internet facing MS systems
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 11 Mar 2008 15:32:57 +0100
On 2008-03-10 Dan Lynch wrote:
I'm looking for current best practice recommendations regarding the maintenance and patching of internet-facing Windows servers. In my environment, these are hardened, stand-alone (i.e., non-domain member) servers, mainly running IIS, and in at least one case, MS SQL Server. They reside on a network segregated behind a firewall from the internet, and from our core network. At this time, no connections are allowed from them to the private network. All unnecessary services are disabled, including the Server Service. Currently, Remote Desktop is used for many maintenance tasks, but patching remains a problem. Applicable patches are copied to a USB memory stick, and an administrator at the server console manually installs. This sneaker-net solution is the source of much wailing and gnashing of teeth among our sysadmins. A number of options are available that run the gamut from turning on automatic updates and allowing them to make outbound HTTP connections to microsoft.com, to making them domain member servers and using SMS to push patches.
My suggestion is to turn on automatic updates. If you're using Remote Desktop anyway, you can set automatic updates to download the patches automatically, and then approve them manually when doing maintenance. I'd strongly recommend against making any Internet-facing server a member of your domain, as that would require not only running several otherwise unneeded services, but also to open your LAN towards the DMZ (thus breaking the DMZ). Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Patching internet facing MS systems Dan Lynch (Mar 11)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 11)
- Re: Patching internet facing MS systems Josh Haft (Mar 11)
- Re: Patching internet facing MS systems Kurt Buff (Mar 11)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- RE: Patching internet facing MS systems Dan Denton (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- <Possible follow-ups>
- RE: Patching internet facing MS systems Rob McShinsky (Mar 11)