By Mark Burnett
You should always keep your systems up to date with the latest patches. But it isn't always that easy to stay current, especially on critical production servers where every patch requires careful testing and a planned deployment window.
This can be a problem because there are bad people out there who scour new security bulletins, trying to exploit the newly announced flaw on as many unpatched systems as possible.
But here’s a secret: you can significantly reduce your exposure to current and future vulnerabilities just by following some basic security best practices. In fact, there are surprisingly few patches that address issues that security professionals have not already anticipated.
All it takes is hardening
As a security consultant, I provide two primary services for my clients: system hardening and patch management. In the hardening process, I eliminate unnecessary OS components, tighten permissions, and tweak settings to reduce exposure to attack.
Then I follow up with monthly summaries of the latest patches. When reading these reports, I like to determine what I could have done to prevent exposure to the issue. Surprisingly, most of the time it’s stuff I’ve already done in the hardening process.
Take, for example, the latest Microsoft security bulletin, released on May 10, 2005, and known as MS05-024 ("Vulnerability in Web View Could Allow Remote Code Execution"). According to Microsoft, the flaw is in the way Web View in Windows Explorer handles certain HTML characters in file preview fields: a user who previews a specially crafted file in Explorer can end up running attacker-supplied code with that user's privileges.
The easiest way to mitigate exposure to this vulnerability, at least until you can install the patch, is simply to disable Web View in Explorer (Folder Options, "Use Windows classic folders"). This is something I already do when securing a server system. (For more on MS05-024, see Susan Bradley's article, above.)
Finding that I’ve already applied the workaround is quite typical, month after month. If you look back at all of the bulletins over the years, most of them don’t need immediate patching if you followed basic security best practices.
Most of the time it isn't anything too complicated, just the basics: a firewall that blocks inbound traffic by default, not opening untrusted files, and disabling services and components you don't use.
Vulnerabilities can be foreseeable
Now, disabling Web view in Explorer might sound like a strange thing to include on a hardening checklist, but I’ve done it for more than five years now. There were no known vulnerabilities at the time I started doing it, and for the last five years I had to explain why I did it.
Why did I disable it? Because Web view is of little use on a server managed by administrators. Since they weren’t using it, I just disabled it. It seemed likely that there would eventually be someone trying to exploit that and I would rather just have it be gone. In other words, the issue was foreseeable.
It was foreseeable because it was something I could imagine someone exploiting, so I could formulate a plan to defend against it. Fortunately, most vulnerabilities are foreseeable to some extent, in the sense that the component they live in is recognizable as attack surface long before anyone finds the actual bug. And even if you can't prevent a specific vulnerability, you can at least reduce your attack surface with a firewall and by removing the services and components you don't use.
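The following script is an added example, not code from the original article or from Microsoft. It turns the three "foreseeable" measures above (the MS05-024 Web View workaround, removing unused services, a default-deny firewall) into one hardening and audit pass for a single-purpose Windows web server. It assumes the Explorer Web View setting lives in the registry value WebView under Explorer\Advanced (0 means classic folders), and the service allowlist is a hypothetical list that must be adjusted for the server's actual role. It runs in audit mode unless -Apply is given, and it targets a current Windows release with the NetSecurity cmdlets rather than the Windows 2000 hosts the article was written against.

```powershell
# Added example (not the article's or Microsoft's code): audit and apply the
# hardening measures discussed above. Run from an elevated PowerShell prompt.
# Without -Apply it only reports; with -Apply it changes the host.
param([switch]$Apply)

$ErrorActionPreference = 'Stop'
$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Explorer Web View: the MS05-024 workaround is to use classic folders. ---
# Assumption: HKCU\...\Explorer\Advanced\WebView, 0 = classic folders. This is
# per-user; apply it for each administrative account (or via Group Policy).
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$webView = (Get-ItemProperty -Path $advKey -Name WebView -ErrorAction SilentlyContinue).WebView
if ($webView -ne 0) {
    $findings.Add("Web View is enabled (WebView=$webView); classic folders expected")
    if ($Apply) { Set-ItemProperty -Path $advKey -Name WebView -Value 0 -Type DWord }
}

# --- 2. Services: anything auto-started and not on the allowlist is attack surface. ---
# Hypothetical allowlist for an IIS host. Review it before using -Apply; disabling
# a service the role depends on will break the server.
$allowed = @(
    'W3SVC','WAS','EventLog','RpcSs','RpcEptMapper','DcomLaunch','Dhcp','Dnscache',
    'LanmanServer','Netlogon','PlugPlay','Schedule','Winmgmt','wuauserv','MpsSvc',
    'BFE','Power','ProfSvc','SamSs','LSM','CryptSvc','nsi','Wcmsvc','TrustedInstaller'
)
$unneeded = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $allowed -notcontains $_.Name }
foreach ($svc in $unneeded) {
    $findings.Add("Unneeded auto-start service: $($svc.Name) ($($svc.DisplayName)), state $($svc.State)")
    if ($Apply) {
        Set-Service -Name $svc.Name -StartupType Disabled
        if ($svc.State -eq 'Running') {
            Stop-Service -Name $svc.Name -Force -ErrorAction Continue
        }
    }
}

# --- 3. Host firewall: every profile enabled, default inbound action Block. ---
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True' -or $profile.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile $($profile.Name): Enabled=$($profile.Enabled), DefaultInboundAction=$($profile.DefaultInboundAction)")
        if ($Apply) {
            Set-NetFirewallProfile -Name $profile.Name -Enabled True -DefaultInboundAction Block
        }
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    'No findings: host matches the hardening baseline.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if (-not $Apply) { 'Audit only; re-run with -Apply to enforce.' }
}
```

Run it once without -Apply after the initial build and again after every monthly bulletin review; a host that still reports no findings is one where the bulletin's workaround is usually already in place, which is exactly the point the article makes. Services the web application legitimately needs, and any inbound rules the host firewall must allow (the HTTP and HTTPS listener, remote administration), still have to be whitelisted explicitly.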
Can you live without patches?
It actually is possible to secure a system so well that it rarely needs patches, although I certainly would not recommend that. But it’s nice to know that you can buy yourself more time for proper testing and deployment.
When I first started securing Windows 2000 servers, I did an experiment. I tried to see how long I could go on one Web server without patching, relying only upon foreseeable workarounds. To my surprise, it was almost three years before I ran into an issue that I simply could not mitigate without patching. I stopped keeping track after that, but based on what I see every month, I might have been able to go without patches for yet another long stretch.
Of course, you should always patch, but system hardening can greatly reduce the monthly rush to get to your servers before the hackers do.
For more information on how to keep your systems secure, visit Microsoft’s Trustworthy Computing page.