Vulnerability Scanning and Patch Management

Transcription

1 Vulnerability Scanning and Patch Management

2 Vulnerability Scanning and Patch Management Security vulnerabilities remain amongst the most disruptive and damaging types of problem experienced in real-world networks, causing lost time and potentially security breaches to customers. This in turn can soak up large amounts of time remediating the problems and cleaning up the systems. The variety and number of threats continues to increase and it is impractical to manage them without effective tools to automate the process. Ensuring that your customers networks have all of the relevant patches applied for the products of all of the key software vendors is one of the most effective pro-active steps you can take towards ensuring the minimum level of disruption for your customers. However, doing this separately across all of the networks for which you are responsible is a tedious and time-consuming task. To overcome this problem, Dashboard v5.14 and Agent v8.5 Release Candidate include the awardwinning vulnerability scanning and patch management technology of GFI LANguard, to provide vulnerability scanning and patch management capabilities to GFI MAX RemoteManagement. This provides an effective and efficient solution not only for Microsoft Windows and Office applications, but also non-microsoft applications such as Adobe Reader, Adobe Flash Player, Mozilla Firefox, Mozilla Thunderbird, Java and more. Follow the simple steps below to scan for vulnerabilities and remediate missing patches on monitored servers and workstations, all from your GFI MAX RemoteManagement Dashboard. Step 1 Update to Agent v8.5 RC Vulnerability Scanning and Patch Management requires Advanced Monitoring Agent v8.5 Release Candidate. From the Agent menu, select Download Agent v8.5 RC and run this on each server and workstation on which Vulnerability Scanning and Patch Management is to be enabled. Alternatively, select Download Site Installation Package to generate a silent installer for installation on multiple workstations via Group Policies or the one-click Remote Worker installer for workstations not connected to Active Directory. All existing configuration settings are retained when the Agent is updated. The Summary tab displays Agent Supported Features reflecting whether Patch Management is active. Agent v8.5 should be available on auto-update late October

3 Step 2 Designate a Site Concentrator (Optional) A typical workstation may require as much as 20-30MB of Microsoft Windows patches alone in any given month. If there are a large number of workstations at a site, then a server at that site running Agent v8.5 can be designated as a Site Concentrator for that site. The Site Concentrator will download and cache Agent features, vulnerability and patch definition updates as well as the actual patch installation files as they are required by other Agents at the site. These other Agents, then download them from the Site Concentrator, ensuring that each patch is downloaded only once, reducing external network traffic. Select the required site in the Dashboard and then from the Edit menu, select Edit Site and the Site Concentrator tab. Select the server (running Agent v8.5) that is to act as the Site Concentrator and also the port on the Server that other Agents at that site should connect to. Please note that if you have a firewall running on the server, you may need to create a rule to allow Agents to connect to this port. If the Site Concentrator is unavailable for whatever reason, other Agents at the site will download patches directly from the vendors web-sites as normal. Step 3 Enable and Configure Vulnerability Scanning and Patch Management Vulnerability Scanning and Patch Management can be switched on for all servers and workstations or for servers and workstations at individual clients and sites only, from the Settings menu, Patch Management, Settings. Should you wish to exclude a server or workstation, or only enable Vulnerability Scanning and Patch Management on specific servers and workstations, this can be done from the Patch Management tab of the Edit Server and Edit Workstation dialogs. (These settings are available to Superusers only.) By default, servers and workstations will inherit configuration from site, which will in turn inherit from client, which will in turn inherit default configuration for all servers and workstations. The Vulnerability Check is a Daily Safety Check that runs each day and scans for Missing Patches. This check can operate in Alert Mode, which will cause the check to fail, a red cross to be displayed in the Dashboard and an alert to be sent (if configured) if a missing security patch is 3

4 detected. Alternatively, this check can operate in Report Mode, which will ensure the check always passes and a green tick is displayed in the Dashboard (even if missing security patches are detected). In either mode, details of the missing security patches will be displayed in the check results in the Dashboard. The Vulnerability Check can optionally Include Vulnerabilities from databases based on OVAL and SANS Top 20. Please note that the names of vulnerabilities are in English only and may contain profanities. The check can operate in Alert Mode or Report Mode and if vulnerabilities are identified, these will also be displayed in the check results in the Dashboard. All security patches must be Approved before they can be installed, giving you the flexibility to choose which patches are to be installed on which servers and workstations at each client, allowing you to trial the installation of patches before deploying them to all servers and workstations. Missing security patches for the operating system represent the most significant threat to a server or workstation and therefore, when missing Microsoft security patches are detected, these can be Automatically Approved depending on the severity so that they are scheduled for installation without any intervention from you. In the Microsoft Patch Auto Approval section you can choose to Automatically Approve, Ignore or Do Nothing (i.e. manually approve at a later date) missing security patches depending on their severity (Critical, Important, Moderate or Low). 4

5 Lastly, choose the Installation Schedule for approved security patches. Patches can be installed Manually from within the Dashboard on an ad-hoc basis or Scheduled for installation at a time of your choosing on one or more days of the week. Please be aware that we are not responsible for the patches you choose to install and any harmful effects they may have on your system. Step 4 Scan for Missing Security Patches and Vulnerabilities Once Vulnerability Scanning and Patch Management has been enabled on individual servers and workstations or all servers and workstations at a client or site, Agent v8.5 on each of those servers and workstations will then download, from the Site Concentrator if available, and silently install the required software. Please note that it will take up to two 24x7 monitoring cycles for Vulnerability Scanning and Patch Management to become active, after which point, the results of the Vulnerability Check will be displayed in the Dashboard alongside the rest of the Daily Safety Checks. Click the link in the Extra column to open the More Information dialog listing the vulnerabilities and missing security patches that have been identified. 5

6 Step 5 Install a Missing Security Patch on an individual server or workstation The Patches tab for each server and workstation on which Vulnerability Scanning and Patch Management is installed and active, will list all required patches for that server or workstation, along with the Status of that patch, which will be one of the following:» Missing (Patch is required and is awaiting approval for installation)» Pending (Patch has been approved and is awaiting manual or scheduled installation)» Installing (Patch is currently being installed)» Installed (Patch has been installed successfully. The date the patch was installed will also be listed (if it was installed using GFI MAX RemoteManagement).» Failed (Installation of the patch was not completed successfully. On a small number of occasions a reboot may be required to complete this installation. In a future release, we hope to be able to indicate if this is the case).» Ignored (Patch is required and is missing, but is not approved for installation and will not be listed as missing in future vulnerability checks on this server or workstation) 6

7 To trial the installation of one or more patches on one server or workstation only, simply check the missing patches to be installed and then from the Patch drop down, select Approve. These patches have now been approved for installation on this server or workstation only. They will be installed according to the configured schedule, or can be installed on the next 24x7 monitoring cycle by selecting Install Patches Now from the Server drop down. Step 6 Install a Missing Security Patch on all servers or workstations at a client or site To deploy one or more missing security patches across multiple servers or workstations at different clients or sites, click Approval Policy (also accessible from Settings menu, Patch Management). The approval policy is a set of one or more rules for each patch that determine what action to take on a server or workstation when identifying and remediating missing security patches. All security patches that are required on servers and workstations on which Vulnerability Scanning and Patch Management is installed and active will be displayed. The list of security patches can be filtered by Status, by Client or Site, by Severity, by Patch Name or by Product. The default policy for security patches is Do Nothing, which means that the patch has not been approved for installation (unless it was automatically approved as described in Step 3) and will be listed as missing in the results of future Vulnerability Checks. Patches can be Approved for installation (or Ignored, in which case they will not be listed as missing in future Vulnerability Checks) on all servers and workstations, or servers and workstations at specific Clients or Sites only (including those on which the Advanced Monitoring Agent may be 7

8 installed at a later date). To do this, select the required patches and then choosing either servers or workstations and the clients and sites where the patch is to be installed, next click Apply. By default, servers and workstations will Inherit the approval policy for each security patch from the site, which will in turn inherit the policy of the client, which will in turn inherit the policy for all servers or workstations. Click on any security patch to see the approval policy that exists for that patch as well as a summary of the status of that patch on the servers and workstations on which it is required. If you wish to set the approval policy for an individual server or workstation only, then this can be done in the Patches tab on the Dashboard as described in Step 5 above. Step 7 View the results of the Vulnerability Check, Missing and Installed Patches in Reports Any changes to the configuration of Vulnerability Scanning and Patch Management and all changes to the Approval Policy are included in the User Audit Report, accessible from the Reports menu. The results of the Vulnerability Check will be included in the Client Daily Report and Client Weekly Report alongside all other Daily Safety Checks (remember that the check can be configured to run in Report Mode to ensure that it always passes, even when missing security patches and vulnerabilities are identified). Optionally, in your Client Monthly Reports, you can include the list of security patches installed in the last calendar month along with the date installed (if installed by GFI MAX RemoteManagement) as well as those that have been identified as missing. This can be done for all clients (Settings Menu, Default Monthly Report Content) or for specific clients only (Settings Menu, Client Report Settings, Monthly Reports, Override Content) enabling you to 8

9 TC/0002/v1.0/EN demonstrate the work you do each month on your clients behalf to keep their systems up-to-date and disruption to a minimum. Please note missing security patches cannot be included without also including installed security patches From the Reports menu, there is the Patch Management Overview Report that displays, for each status selected (Missing, Pending, Installed etc), the security patches required on each server and workstation on which Vulnerability Scanning and Patch Management is installed and active, along with the status of the patch and the date installed (if installed by GFI MAX RemoteManagement). You can choose to Group by Device (for each server and workstation, list the patches it requires) allowing you to quickly see how up-to-date all of your clients servers and workstations are and where your time should be spent to keep disruption to a minimum. Or you can choose to Group by Patch (for each patch, list the servers and workstations on which it is required) allowing you to see if a critical security patch has been installed on all servers and workstations on which it is required. The Patch Management Overview Report can be generated for all clients or for a specific client only and you could use this to sell a security patch update service (list missing security patches at the client) and then demonstrate the work you have done (list installed security patches at the client) GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners. 9