Security Basics
Patching internet facing MS systems Mar 10 2008 10:44PM
Dan Lynch (DLynch placer ca gov) (5 replies)
RE: Patching internet facing MS systems Mar 27 2008 08:39PM
Kevin Ortloff (Kevin Ortloff j2global com)
I agree with one of the other writers...... It is ALWAYS best practice
to have any server that needs internet access go through a proxy.
External connections toward your IIS servers will not be affected, only
server initiated connections will use the proxy. Even if the proxy is
simple like Squid. This will keep all the "bad guys" from seeing the
real server.

For your IIS servers, if you want to patch them, say, monthly or
whenever, use WSUS...this will also keep the "bad guys" away from your
servers and you can patch with a little more confidence. You can set
WSUS up to only push patches you approve ( after testing of course ) ...

If you are concerned with security BTW..... Stop using remote desktop
(unless you have properly configured the terminal services rdp-tcp
general connection settings on the server. Maybe even add a cert)

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Dan Lynch
Sent: Monday, March 10, 2008 3:45 PM
To: security-basics (at) securityfocus (dot) com
Subject: Patching internet facing MS systems

Greetings group,

I'm looking for current best practice recommendations regarding the
maintenance and patching of internet-facing Windows servers. In my
environment, these are hardened, stand-alone (i.e., non-domain member)
servers, mainly running IIS, and in at least one case, MS SQL Server.
They reside on a network segregated behind a firewall from the internet,
and from our core network. At this time, no connections are allowed from
them to the private network. All unnecessary services are disabled,
including the Server Service.

Currently, Remote Desktop is used for many maintenance tasks, but
patching remains a problem. Applicable patches are copied to a USB
memory stick, and an administrator at the server console manually
installs. This sneaker-net solution is the source of much wailing and
gnashing of teeth among our sysadmins.

A number of options are available that run the gamut from turning on
automatic updates and allowing them to make outbound HTTP connections to
microsoft.com, to making them domain member servers and using SMS to
push patches.

How do _you_ do it?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA


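The WSUS suggestion in the reply above, applied to stand-alone servers like those in the original question, as an added example that is not from any poster in the thread: a non-domain server receives no Group Policy, so the Windows Update client is pointed at WSUS through local policy registry values. The WSUS URL, port and target group name are placeholder assumptions.

```powershell
# Added example (not from the thread): configure the Windows Update client on a
# stand-alone server to use an internal WSUS server instead of microsoft.com.
# ASSUMPTION: the URL and the "DMZ-IIS" group are placeholders for your own values.
param(
    [string]$WsusUrl     = 'http://wsus.example.internal:8530',
    [string]$TargetGroup = 'DMZ-IIS'
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Create the policy keys if they do not exist yet.
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Desired state. AUOptions 3 = download approved updates and notify, so an
# administrator still chooses when the install (and any reboot) happens.
$settings = @(
    @{ Key = $wu; Name = 'WUServer';           Type = 'String'; Value = $WsusUrl },
    @{ Key = $wu; Name = 'WUStatusServer';     Type = 'String'; Value = $WsusUrl },
    @{ Key = $wu; Name = 'TargetGroup';        Type = 'String'; Value = $TargetGroup },
    @{ Key = $wu; Name = 'TargetGroupEnabled'; Type = 'DWord';  Value = 1 },
    @{ Key = $au; Name = 'UseWUServer';        Type = 'DWord';  Value = 1 },
    @{ Key = $au; Name = 'NoAutoUpdate';       Type = 'DWord';  Value = 0 },
    @{ Key = $au; Name = 'AUOptions';          Type = 'DWord';  Value = 3 }
)

foreach ($s in $settings) {
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType $s.Type `
        -Value $s.Value -Force | Out-Null
}

# Restart the update service so it rereads the policy values.
Restart-Service -Name wuauserv

# Read every value back and report any that did not take.
$drift = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
    if ($actual -ne $s.Value) { "$($s.Name): expected '$($s.Value)', found '$actual'" }
}
if ($drift) { $drift; exit 1 } else { 'WSUS client policy applied.' }
```

With this in place the firewall only has to allow the segregated servers to reach the WSUS host on its single port, and only updates approved on the WSUS side are offered to them.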
Copyright 2007, SecurityFocus