Server 2003 end of life July 14, 2015. What’s your plan?


Are you prepared for the impending Windows Server 2003 end of life? Support is ending on July 14, 2015, which just so happens to be Patch Tuesday. You get one last round of security updates before support ends. So what are your options? I have had a number of companies approach us about what their options are, so I thought I would share some of those thoughts here.

Option 1: Migrate off of 2003. Given that you are here reading this, we can assume that Option 1 has been delayed for some time.

Option 2: Premium Support from Microsoft.

You can work with your Microsoft TAM to purchase Premium Support for your Server 2003 systems. My understanding of this process is that you would need to give Microsoft a rough transition plan and a date or target for when you would be off of Server 2003, then negotiations over price begin.

Once you have the Premium Support service in place, Shavlik can provide a Custom Patch Service that would cover as many Server 2003 patches as Microsoft releases to you over a one-year term. If Microsoft releases 10 patches or 50 patches for Server 2003 we would cover them in the same service contract. You can contact your Shavlik territory manager or contact Sales@Shavlik.com for more details on this service. The Shavlik content team would provide a private content feed for you and provide the same level of content research and testing as we did before the end of life. You download the patches, drop them in place and scan and deploy as normal.

Option 3: Accept the risks of not patching and take other measures. Other measures include reducing access to and privileges on these systems, removing direct accessibility to these systems by moving them into a more protected subnet or VLAN, etc. When XP hit its end of life date back in 2014, I was part of a panel on an InfoSecurity Magazine webinar hosted by Stephen Pritchard, where we talked about several recommended approaches to mitigating the risk of keeping these systems. You can check out that webinar here.

Option 4: Begin the gnashing of teeth and wailing, pound your fist on the table and refuse to take steps, and continue rolling the dice to see when these systems cause you a breach because you took no steps to reduce the risk. (This approach is not recommended.)

If you are looking for more details on Option 2, let us know.

Federal agencies, cybersecurity, and an order from the White House to step up their game


Dateline 2015:

Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.

I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.

Q: Ben, what kinds of security problems are federal government agencies facing today?

A: IT security has never been a more prevalent, everyday conversation than right now, and the battle is being fought on multiple fronts – authentication, cyber security policies and practices, privileged user management, mobile device management and, at the top of that list, patch management.

Just look at the recent hacking of OPM and the U.S. Army website, as well as the recent White House call to “tighten cyber defenses immediately” by specifically “patching critical-level software holes without delay.”

And then you have Terry Halvorsen, U.S. Department of Defense CIO, who just spoke publicly at the AFCEA Defensive Cyber Operations Symposium in Baltimore on June 16, whose first major point in his presentation was stressing the need for all federal agencies to do a better job with patching and said that the industry needs to help the DOD do just that – be more efficient and help ensure that the patches themselves have a high degree of trust.

Q: And Shavlik can assist with this?

A: It’s exactly what we do! As you know, many DOD branches now have an enterprise license of Microsoft SCCM for their patch management needs. But SCCM only patches Microsoft applications, not the hundreds of “third-party” applications like Adobe, Java, etc., which are the most actively targeted applications, according to vulnerability experts. These patches are currently being built manually within the DOD, and DOD admins are struggling to keep up with the number of patches released and the deadlines set to be patch compliant.

Shavlik Patch (a third-party patch data plug-in for SCCM) will help increase both federal end-users’ patch management efficiency and accuracy, while at the same time drastically reducing the man-hours needed to complete a successful patch management process for over a thousand third-party applications/versions. We also guarantee that the patches we test will be the same patches our clients download direct from the vendor.

Shavlik Patch will enable federal end-users to further enhance their investment in SCCM and those admins to patch their entire networks within the SCCM framework with no additional infrastructure needed (no consoles, agents, training required) and also will work within the DOD IAVA framework (helping DOD admins search and patch by IAVA bulletin numbers).

Q: What if the federal agency or organization doesn’t have SCCM?

A: We have another purpose-built patch management tool for those clients as well. Shavlik Protect is our own on-premise console with agentless capabilities that allow you to scan and remediate all the physical and virtual machines in your environment, including online or offline VMs, VM templates, and hypervisors, all with full scheduling automation and reporting capabilities, as well as our built-in IAVA cross-reference reporter.

Q: I hear that, depending on what part of the federal government companies are with, certain processes and approvals are required to be able to even purchase a product. What are these roadblocks and how do we help companies out there?

A: Each federal organization is unique and although that can be somewhat discouraging for some vendors, that’s where Carahsoft, Shavlik’s exclusive Federal Distributor, has been able to help us so much. Whether our prospects are required to get multiple competitive open market quotes or purchase on GSA, SEWP, etc., we make it as easy as possible to allow our federal clients to purchase our Shavlik patch management offerings however they need to.

Q: Federal agencies need to ensure that the security products they use adhere to certain standards. What are we doing at Shavlik to ensure our customers can be confident in our solutions?

A: We have one of the best product management teams out there and they are constantly at work updating our current federal product certifications as our development team releases updated versions of our software. They also pursue new certifications as they’re adopted and required by our current and prospective clients. Currently, Shavlik is Common Criteria Certified and has additional certifications with all individual DOD organizations (current US Army CoN, US Navy DADMS approved, multiple individual AF ATOs in place).

Both Ben and the team at Carahsoft are ready to answer any questions you may have. The Carahsoft team has provided some excellent guidance on 8 easy ways to lock down your agency’s cybersecurity systems. You can also view the OPM.Gov Cybersecurity Action Report which shows what steps the OPM is taking to prevent future incidents.

For more details on how Shavlik can help, you can take a look at our solutions on our federal government landing page.

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month, with all of the subsequent execution happening with that as the anchor: +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, +11 days Prod 1, etc. The problem with this is in Outlook-style scheduling.

A couple times a year, scheduling a job to run on the second Thursday of the month will be thrown off as the second Thursday will occur before the second Tuesday. Very problematic. So what you need is an anchor date to start your schedule from. Second Tuesday is the start of all your monthly maintenance and Protect 9.2 has your solution.  Observe:

[Screenshot: PatchTuesday+X]

So now you can set up all your recurring jobs exactly as they read from your patching maintenance spreadsheet. Ready to play? Beta@Shavlik.com starting soon.
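To make the scheduling problem concrete, here is an added example (not code from the original post and not how Protect 9.2 implements the feature) that computes a month's Patch Tuesday, derives every "Patch Tuesday + X" date from it, and checks which months an Outlook-style "second Thursday" job would fire before the patches even exist. The group names and day offsets are a constructed sample modelled on the spreadsheet described above.

```python
from datetime import date, timedelta

TUESDAY, THURSDAY = 1, 3   # datetime.weekday() numbering: Monday == 0


def nth_weekday(year: int, month: int, weekday: int, n: int = 2) -> date:
    """Date of the n-th occurrence of `weekday` in the month (n=2, TUESDAY is Patch Tuesday)."""
    first = date(year, month, 1)
    days_to_first = (weekday - first.weekday()) % 7          # distance to the first such weekday
    return first + timedelta(days=days_to_first + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    return nth_weekday(year, month, TUESDAY, 2)


# Constructed sample of the spreadsheet the post describes: group -> days after Patch Tuesday.
SCHEDULE = {"Test group 1": 1, "Test group 2": 3, "Dev group 1": 5, "Dev group 2": 9, "Prod 1": 11}


def maintenance_dates(year: int, month: int, schedule=SCHEDULE) -> dict:
    """Every job anchored to that month's Patch Tuesday, which is what 'Patch Tuesday + X' means."""
    anchor = patch_tuesday(year, month)
    return {group: (anchor + timedelta(days=x)).isoformat() for group, x in schedule.items()}


def second_weekday_misfires(year: int, month: int, weekday: int) -> bool:
    """True when an Outlook-style 'second <weekday>' job lands before Patch Tuesday,
    i.e. the job would run before that month's updates have been released."""
    return nth_weekday(year, month, weekday, 2) < patch_tuesday(year, month)


def misfiring_months(year: int, weekday: int = THURSDAY) -> list:
    """Months of the year in which the 'second <weekday>' schedule runs too early."""
    return [m for m in range(1, 13) if second_weekday_misfires(year, m, weekday)]


if __name__ == "__main__":
    print("Patch Tuesday, July 2015:", patch_tuesday(2015, 7))
    for group, day in maintenance_dates(2015, 7).items():
        print(f"  {group}: {day}")
    print("2015 months where 'second Thursday' precedes Patch Tuesday:", misfiring_months(2015))
```

The misfire happens whenever the 1st of the month is a Wednesday or Thursday: the second Thursday then falls on the 8th or 9th while Patch Tuesday is the 13th or 14th. Anchoring on the second Tuesday and adding a fixed offset sidesteps the problem entirely.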


June Patch Tuesday Round-Up

We are at Patch Tuesday + 8 days and many of you are probably well into your third round of patching machines or farther along. Here is a recap of Patch Tuesday highlights and some things to watch out for:

  • Two Critical updates – MS15-056 and MS15-057
  • Two public disclosures – MS15-056 (CVE-2015-1765) and MS15-060 (CVE-2015-1756). Public disclosure increases the risk of exploit significantly, so MS15-060 should be a higher priority along with the two critical updates from this month.
  • Exploit detected – MS15-061 has been seen used in a targeted attack. Even though this is rated as Important, it should be a higher priority to roll out. This update plugs a vulnerability used by Duqu 2.0, as discussed by Kaspersky.
  • MS15-061 in combination with certain software can cause Copy/Paste to stop working – According to reports on Reddit and PatchManagement.org, this occurs on systems where Spector 360 is installed. It is still recommended to roll out MS15-061 as a priority.
  • Adobe Flash update resolves 13 vulnerabilities – Priority 1 update, should be pushed ASAP along with the Chrome release.
  • Google Chrome – Released an update with support for the Adobe Flash update. This update inherits the Priority 1 from Adobe Flash and should also be pushed ASAP.
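The prioritisation rules in this round-up (exploitation in the wild outranks everything, public disclosure lifts an Important bulletin to Critical-level priority, and a browser release inherits the priority of the plug-in it bundles) can be written down as a small triage routine. The following is an added example, not Shavlik code; the update records are constructed from the bullets above, the "Stable" rating given to Chrome is a placeholder, and other June bulletins are deliberately omitted.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Update:
    id: str
    rating: str                                   # vendor rating as published: "Critical", "Important", "Priority 1", ...
    publicly_disclosed: bool = False              # details are public, so attackers have a head start
    exploited: bool = False                       # seen used in attacks (the MS15-061 / Duqu 2.0 case)
    bundles: List[str] = field(default_factory=list)   # ids of updates this release ships, e.g. Chrome bundles Flash


# Lower tier number means deploy sooner.
TIERS = {0: "deploy immediately", 1: "treat as Critical", 2: "normal cycle"}


def own_tier(u: Update) -> int:
    """Tier from the update's own attributes: exploitation beats everything,
    then public disclosure or a Critical / Priority 1 rating."""
    if u.exploited:
        return 0
    if u.rating in ("Critical", "Priority 1") or u.publicly_disclosed:
        return 1
    return 2


def effective_tier(update_id: str, catalog: dict, _trail: Tuple[str, ...] = ()) -> int:
    """Tier after inheritance: a release that bundles another update is at least as urgent
    as what it bundles, which is how Chrome inherits Priority 1 from the Flash plug-in."""
    u = catalog[update_id]
    tier = own_tier(u)
    for other in u.bundles:
        if other in catalog and other not in _trail:           # skip unknown ids and cycles
            tier = min(tier, effective_tier(other, catalog, _trail + (update_id,)))
    return tier


def triage(updates: List[Update]) -> List[Tuple[str, int]]:
    """Deployment order: by tier, then by id so the list is stable and reviewable."""
    catalog = {u.id: u for u in updates}
    ranked = sorted(catalog, key=lambda i: (effective_tier(i, catalog), i))
    return [(i, effective_tier(i, catalog)) for i in ranked]


# June 2015 items as the round-up lists them (constructed from the post; other June bulletins omitted).
JUNE_2015 = [
    Update("MS15-056", "Critical", publicly_disclosed=True),
    Update("MS15-057", "Critical"),
    Update("MS15-060", "Important", publicly_disclosed=True),
    Update("MS15-061", "Important", exploited=True),
    Update("Adobe Flash", "Priority 1"),
    Update("Google Chrome", "Stable", bundles=["Adobe Flash"]),   # "Stable" is a placeholder rating
]

if __name__ == "__main__":
    for update_id, tier in triage(JUNE_2015):
        print(f"{update_id:14} tier {tier}: {TIERS[tier]}")
```

Run as written, MS15-061 comes out alone in tier 0, and MS15-060 and Chrome sit in tier 1 beside the two Critical bulletins and Flash, which is exactly the ordering the round-up recommends.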

Check out our webinars page to sign up for upcoming webinars including our next three Patch Tuesday webinars.

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.

Microsoft has been making some much needed changes to their development teams over the past year. They have announced a new, quarterly release schedule that they are moving the product development teams to. They are also working to simplify the complexity of supporting updates for their products. The proposed changes will allow development teams to work toward quarterly releases and launch when prepared. Holding onto code once it is tested and ready to ship is very costly.

What do these changes mean for me as a user? Many of the applications you rely on will start to deliver usability and new-feature changes more quickly. Office 365 is a good example of the future of application delivery from Microsoft. New features can be delivered more frequently and users will be able to consume those changes much quicker, bringing this experience in line with what we have come to expect from our mobile devices. The operating system and server solutions, like SQL Server, Team Server, SharePoint Server, etc., will likely be slower to move to these quarterly release schedules and remain for longer periods of time on the Patch Tuesday cadence.

With Windows 10, Microsoft is introducing some changes to the way updates will be delivered to systems. They are also introducing new features into what will now be known as Windows Update for Business. The new features will allow businesses to control the speed at which updates are rolled out to their systems. One of the most significant changes will be the update rings. There are different tracks that you can opt into that will give you more control over how fast updates are delivered to your systems. Between announcements earlier this year, and additional announcements at the Ignite 2015 show, there will be three or more rings that you can configure in WUB. A Current Branch and Long Term Service Branch have been confirmed, but, at Ignite, a Ludicrous Branch was also announced, which would push updates at a cadence similar to its namesake. Windows 10 Home editions will be limited in their options to control what updates are applied to the system. The home-user editions of Windows 10 will update fairly quickly. This is the Current Branch. Current Branch receives new features, fixes and security updates as they release to Windows Update. For the majority of Home users, this will be an ideal experience.

Windows 10 Professional editions will have options for Current Branch or Current Branch for Business. The additional CBB allows businesses more flexibility about when the new features, fixes, and security updates are applied to their systems. Companies that use Microsoft’s free Windows Update for Business (WUB) or Windows Server Update Services (WSUS) will have the ability to defer new feature updates for Windows 10 for a period of time. Microsoft will maintain the current, and a previous branch, that these customers can reside on for a period of time without taking the feature changes. After the next branch is started, the previous branch stops receiving security updates, forcing these companies to move to the new-current or previous branch. Details on how long before companies would be forced to update have not been officially announced.

For those companies on Windows 10 Enterprise, there will be additional options available. These customers will have the ability to mix and match CB and CBB, but will also have access to a Long Term Servicing Branch. This branch allows companies to take only security fixes and defer new features and fixes of a non-security nature. Enterprise customers will be able to utilize all branches to suit the needs of systems in their environment. The Current Branch is for groups of users that have low risk of being impacted by new features and changes. The Current Branch for Business group may contain users with more specific application needs that may be sensitive to new features, changes and behavior. The CBB gives IT more time to accommodate those changes and educate users or respond to issues. The Long Term Servicing Branch is ideal for servers and other critical assets which need the security updates, but also need more control over what changes occur on the system.

There is a really good FAQ on the Microsoft Community which included much of the details described above and a more clear description of the

Current Branch
  Options:
  • Security Updates, Features and Fixes are automatically applied.
  • There is no option to delay or customize these updates.
  Edition:
  • Windows 10 Home

Current Branch for Business (CBB)
  Options:
  • CBB includes the requirements of the Current Branch, but also provides the option of customizing when and which Security Updates, Features and Fixes are applied, similar to how Windows Update works today in current versions of Windows.
  • Updates cannot be deferred indefinitely.
  • Windows Updates can be managed using enterprise management tools such as Windows Update for Business and/or WSUS.
  Editions:
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Long Term Servicing Branch (LTSB)
  Options:
  • Only available to volume license customers running Windows 10 Enterprise.
  • Flexible options for managing Windows Updates.
  • Windows Updates can be customized to only accept Security Fixes.
  • Windows Updates can be managed using enterprise management tools such as Windows Update for Business and/or WSUS.
  Edition:
  • Windows 10 Enterprise

So is Patch Tuesday dead? According to a Microsoft spokesperson, “Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free. Customers that choose to distribute updates themselves (or through a Patch Management Vendor) will continue to receive the updates on the 2nd Tuesday of the month.” For consumers, Patch Tuesday is a non-issue as their system will apply updates as they arrive, similar to their mobile device experience. Some of those may come on Patch Tuesday, but others will come as they are released. For Pro and Enterprise customers utilizing WUB, WSUS, or SCCM, security and other updates will still arrive on the 2nd Tuesday of the month, giving them predictability and control over what gets rolled out to their environment.

May Patch Tuesday Round-Up


There were a lot of updates released this month.  A lot of the updates from Microsoft overlap each other.  There is even a case of one patch replacing another within the 13 patches released this month.  Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system. MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight. MS15-047 for Microsoft Silverlight is another update that overlaps in which files are being updated. MS15-048 for .Net also overlaps many of the other updates and could show as missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which significantly increases the risk that they will be exploited.

MS15-050 affects Windows 2003, but there is no update offered for this OS as the changes required would require significant re-architecture. As 2003 reaches its End-of-Life, the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.


May Patch Tuesday 2015


Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain the same rights as the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.
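The MS15-052 / MS15-055 relationship described here and in the May round-up (055 replaces 052, so a scanner lists only 055; on Windows 8 and Server 2012, 052 has to be installed before 055; if you decline 055, 052 is still required) is a small supersedence-resolution problem. Here is an added example of resolving it, written for this page rather than taken from Shavlik Protect; the supersedence and prerequisite tables hold only the relationships the posts state, and "Windows 7" is used as a sample platform with no ordering constraint.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Supersedence as the May round-up states it: the newer bulletin replaces the older one.
SUPERSEDES: Dict[str, Set[str]] = {"MS15-055": {"MS15-052"}}

# Install-order constraint from the page: on Windows 8 and Server 2012, MS15-052 must go on before MS15-055.
PREREQUISITES: Dict[Tuple[str, str], List[str]] = {
    ("Windows 8", "MS15-055"): ["MS15-052"],
    ("Windows Server 2012", "MS15-055"): ["MS15-052"],
}


def collapse_superseded(missing: Iterable[str], exclude: FrozenSet[str] = frozenset()) -> Set[str]:
    """What a scanner shows: when both the old and the new bulletin are missing, only the
    superseding one is listed. Bulletins in `exclude` are ones you have decided not to deploy,
    so they cannot hide anything they replace (declining 055 leaves 052 required)."""
    chosen = set(missing) - set(exclude)
    for bulletin in list(chosen):                 # iterate a copy; chains collapse transitively
        chosen -= SUPERSEDES.get(bulletin, set())
    return chosen


def deployment_plan(missing: Iterable[str], platform: str,
                    installed: FrozenSet[str] = frozenset(),
                    exclude: FrozenSet[str] = frozenset()) -> List[str]:
    """Ordered deployment list: superseded bulletins dropped, then platform-specific
    prerequisites reinserted ahead of the bulletin that needs them (depth-first ordering)."""
    order: List[str] = []

    def visit(bulletin: str, trail: Tuple[str, ...] = ()) -> None:
        if bulletin in order or bulletin in installed:
            return                                # already planned or already on the box
        if bulletin in trail:
            raise ValueError("prerequisite cycle: " + " -> ".join(trail + (bulletin,)))
        for pre in PREREQUISITES.get((platform, bulletin), []):
            visit(pre, trail + (bulletin,))       # prerequisite goes first
        order.append(bulletin)

    for bulletin in sorted(collapse_superseded(missing, exclude)):
        visit(bulletin)
    return order


if __name__ == "__main__":
    scan = {"MS15-052", "MS15-055"}               # constructed scan result: both reported missing
    print("Scanner view:", sorted(collapse_superseded(scan)))
    print("Windows 7:", deployment_plan(scan, "Windows 7"))
    print("Server 2012:", deployment_plan(scan, "Windows Server 2012"))
    print("Declining 055:", deployment_plan(scan, "Windows 7", exclude=frozenset({"MS15-055"})))
```

The point of keeping prerequisites separate from supersedence is that the two answer different questions: supersedence says what you can stop tracking, while the prerequisite table says what must physically land first on a given platform, which is why 052 reappears in the Server 2012 plan even though the scanner view hides it.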

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereferences, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on JavaScript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. There is also an out-of-bounds read/write during JS validation, which could allow information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday. Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month’s Patch Tuesday lineup.

Critical Update for Shavlik Patch for Microsoft System Center

You’ve probably heard by now that Shavlik is requiring all customers to install Update 1 for Shavlik Patch for Microsoft System Center 2.0 and 2.1, but did you know that the whole process takes less than two minutes? That’s right – less than two minutes.

Check out this video from John Rush where he demonstrates the process for applying Update 1 to Shavlik Patch. Did we mention it only takes two minutes?

Now, it’s your turn. Please install Update 1 today so you will not experience an interruption in receiving third-party patch data.

If you are a Shavlik Patch 2.1 user, complete the following actions:

  1. Download the updated version from www.shavlik.com/support/patch/downloads, and copy the executable file to your Configuration Manager console machine.
  2. Close System Center Configuration Manager.
  3. Run the Shavlik Patch executable (sccmpatchsetup_2_1_810.exe) and follow the on-screen instructions. For further details about this step, see the Shavlik Patch User’s Guide.
  4. Open System Center Configuration Manager and commence business as usual.

If you are running Shavlik 2.0, we encourage you to upgrade to 2.1 (see instructions above). In the same amount of time it takes to apply the patch to Version 2.0, you can complete your upgrade to Version 2.1 and enjoy all of the latest features in Shavlik Patch. If you are unable to update from 2.0 to 2.1 at this time, please contact Shavlik Support to obtain the 2.0 update.

This update does not affect customers using the catalog file version (1.0) of Shavlik Patch or Shavlik Protect.

If you have any questions or concerns about applying this patch, please contact Shavlik Support.


February Patch Day Round-Up


February did not have a lot of issues from patches released on Patch Tuesday, but there are a couple of things that occurred that you may want to know about.

First is the update that was pulled from circulation after reports of systems hanging. An update for Visual Studio 2010 Tools for Office Runtime (KB3001652) reportedly started causing issues on Patch Tuesday. It was pulled later the same day.

Second, and probably the wider impacting issue this month, was update MS15-009 breaking Cisco AnyConnect VPN clients. Microsoft has stated they will release a fix in March that should resolve the issue, but until then you have three workaround options:

1. Run the AnyConnect application in Windows 8 compatibility mode.

2. Uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. The update can be removed under Control Panel / Programs / Programs and Features: click “View installed updates” on the left, then locate and uninstall the update labeled KB3023607. This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.

3. Per Cisco: Microsoft has released a Fix it patch providing a workaround for this issue. See KB 3023607:
https://support.microsoft.com/kb/3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim, which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

You can view the on-demand February Patch Tuesday webinar or download the presentation for last month’s Patch Tuesday release. Also, sign up for the March Patch Tuesday webinar to discuss the updates released on Patch Tuesday, recommendations, and things to watch out for.

The Communicator’s Corner: Secret Agent, Man

(Title inspired by a favorite song by Johnny Rivers that was a hit just a few years ago.)


In my last few blog posts, I have talked about three prominent features in Shavlik Protect that go beyond the core patch management capabilities. The threat management, power management, and ITScripts features in Shavlik Protect make it much more than a utility used once a month at patch time. Rather, it is a multi-use, unified IT management platform that provides incredible value to your organization every single day.

Now that that secret is out of the bag, I thought I’d let you in on another. Did you know that Shavlik Protect provides all of this functionality using both agentless and agent-based technologies? It’s true! Most everyone is familiar with Shavlik Protect’s agentless capabilities – it is, after all, part of what helps you get up and running with the product in 30 minutes or less. But agents? That seems to be an untold story.

Here’s the scoop: Although performing actions on your target machines from a central console has many advantages, certain types of users or systems can pose problems for agentless solutions. For example, machines that must reside in a de-militarized zone (DMZ), roaming users, and disconnected or inactive machines can all prove problematic. In these cases an agent-based solution is often the best answer.

Implementing agents in Shavlik Protect is a relatively easy, two-step process. You first configure one or more agent policies on the console. Then, you install the agents on your target machines either by pushing them from the Shavlik Protect console or by manually installing them on individual machines. Once they are up and running, the agents will report all activity to the console so you can track their actions.

Depending on how they are configured when installed on a machine, an agent can:

  • Scan for and deploy missing patches
  • Scan for asset information
  • Provide real-time monitoring and protection against known and unknown threats
  • Scan for and remediate existing threats such as spyware, viruses, Trojans, and rootkits
  • Shut down or restart the agent machine on specific days and times
  • Listen to the console or the cloud for policy updates
  • Report the results to the local console

Not bad, huh? Here are a few options if you are interested in learning more.