Sweet Spot – Patch Operating Systems

Microsoft Windows Software Update Services (WSUS) provides automated patching of Microsoft operating systems and products. The WSUS administrator can schedule categories of patches and schedule their installation. Also included is a reporting feature that can send daily reports via email to administrators, notifying them of new patch releases and the status of their installation across the organization. This would be valuable not only to the security team, but also to system administrators. It is easily configurable and may lead to an increased awareness of the importance of patching.

After patches are applied, verify outside the patching tool that each patch has actually been applied. Look for clues such as registry values, installed programs and the last system reboot to help measure the effectiveness of this control.

A free and automated way to check for the patches is to use the built-in Windows tool wmic. A wonderful resource on practical and entertaining ways to use wmic can be found in the blog Command Line Kung Fu. Use wmic to perform the checks below to help ensure updates are applied as they are delivered. Wmic is an excellent complement to WSUS, as these commands can be automated and run regularly.

· wmic os get lastbootuptime: shows the exact time of the last system reboot
· wmic os list brief: shows the current version of Windows
· wmic qfe list brief: shows the Microsoft patches that are installed
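
The wmic checks above can be combined into one script that runs on a schedule and reports hosts where expected patches are missing or no reboot has happened since deployment. This is an added example, not part of the original article; the KB numbers and the deployment date are constructed placeholders, and the rule "last boot must be on or after the deployment date" is an assumption about how you measure reboot compliance.

```powershell
# Added example: cross-check patch state with wmic, outside the WSUS console.
# Assumptions (not from the article): $RequiredKBs holds placeholder IDs and
# $DeployedOn is the date the patch batch was approved for installation.
$RequiredKBs = @('KB0000001', 'KB0000002')   # constructed placeholders
$DeployedOn  = [datetime]'2024-01-10'        # constructed sample date

function Invoke-Wmic {
    # Run wmic and return trimmed, non-empty lines; captured wmic output is
    # padded with blank lines and trailing spaces.
    param([string[]]$Arguments)
    $out = & wmic.exe $Arguments 2>$null
    if ($LASTEXITCODE -ne 0) { throw "wmic $($Arguments -join ' ') failed" }
    $out | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# wmic qfe: hotfix IDs actually installed on this host
$installed = Invoke-Wmic 'qfe', 'get', 'HotFixID' |
    Where-Object { $_ -match '^KB\d+$' }

# wmic os: Windows version and last boot, as Name=Value lines
$os = @{}
Invoke-Wmic 'os', 'get', 'Caption,Version,LastBootUpTime', '/value' |
    ForEach-Object {
        $name, $value = $_ -split '=', 2
        $os[$name] = $value
    }

# LastBootUpTime is a DMTF timestamp (yyyyMMddHHmmss.ffffff+offset), local time
$lastBoot = [datetime]::ParseExact($os['LastBootUpTime'].Substring(0, 14),
    'yyyyMMddHHmmss', [cultureinfo]::InvariantCulture)

$missing = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
$result = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OS            = "$($os['Caption']) $($os['Version'])"
    LastBoot      = $lastBoot
    MissingKBs    = $missing -join ','
    RebootedSince = $lastBoot -ge $DeployedOn
    Compliant     = ($missing.Count -eq 0) -and ($lastBoot -ge $DeployedOn)
}
$result | Format-List

# Non-zero exit lets a scheduled task or monitoring job flag the host
if (-not $result.Compliant) { exit 1 }
```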

Another free tool, Microsoft Baseline Security Analyzer (MBSA), can be used to help determine the security status of Windows operating systems. It can be run from the graphical or command line interface and can show previous test results for comparison purposes.
