Re: Patching internet facing MS systems

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-03-10 Dan Lynch wrote:
> I'm looking for current best practice recommendations regarding the
> maintenance and patching of internet-facing Windows servers. In my
> environment, these are hardened, stand-alone (i.e., non-domain member)
> servers, mainly running IIS, and in at least one case, MS SQL Server.
> They reside on a network segregated behind a firewall from the internet,
> and from our core network. At this time, no connections are allowed from
> them to the private network. All unnecessary services are disabled,
> including the Server Service. 
>
> Currently, Remote Desktop is used for many maintenance tasks, but
> patching remains a problem. Applicable patches are copied to a USB
> memory stick, and an administrator at the server console manually
> installs. This sneaker-net solution is the source of much wailing and
> gnashing of teeth among our sysadmins. 
>
> A number of options are available that run the gamut from turning on
> automatic updates and allowing them to make outbound HTTP connections to
> microsoft.com, to making them domain member servers and using SMS to
> push patches. 

My suggestion is to turn on automatic updates. If you're using Remote
Desktop anyway, you can set automatic updates to download the patches
automatically, and then approve them manually when doing maintenance.

I'd strongly recommend against making any Internet-facing server a
member of your domain, as that would require not only running several
otherwise unneeded services, but also to open your LAN towards the DMZ
(thus breaking the DMZ).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq