Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Update Server Registration, Active scanning and Windows patching.

Similar presentations

Presentation on theme: "Security Update Server Registration, Active scanning and Windows patching."— Presentation transcript:

1 Security Update Server Registration, Active scanning and Windows patching

2 Bastion Host Policy Ensure that critical servers are managed with appropriate levels of security Define the overheads: management, operation and security Identify all network servers and establish purpose, security requirements, user base and support staff Limit exposure of network servers to those apps that are critical for their primary purpose Establish network ACLs for specific IP applications. ACLs will restrict access to specific apps to those servers that have been registered to provide them

3 Bastion Host A network system that may be exposed to attack from other internal or external network systems Deployed, configured, operated and managed in a manner that mitigates this exposure Fulfills a specific role All unnecessary services, protocols, applications disabled or removed Avoids trust relationships with other systems to guard against 'key to the castle' attacks Apply bastion host principles to all University servers

4 Role Purpose - services and applications User community Sensitivity Legal / regulatory requirements Security Considerations Availability requirements

5 Location Physical security Environmental –Air conditioning –Emergency power source –Fire prevention Dedicated network ports Not in staff offices

6 Management, Support and Operation Identify personnel responsible –System administrators –System operators –Application support specialists –Maintenance contractors At least 2 individuals identified with at least one being the system administrator

7 Management, Support and Operation 2 Asset register detailing hardware and software components, including licensed software System configuration details inc security measures and details of admin/root accounts System change procedures –including reversion procedures Contractors callout procedures Disaster recovery plans

8 Sys Admin Guidelines

9 Protection via the Network Filtering policies –Default allow –Default deny Default deny –Inbound –Outbound ? Protect –Servers –Clients

10 Client Campus Internet Segment 2 Segment 3 sshsmbssh http rdp http https imap pop smtp FileWebMailstore Segment 1 Client

11 Server Registration Database Demo

12 Friendly Probing Identify remotely exploitable systems –new machines missing critical patches –old machines brought out of the cupboard Locate holes before the enemy do Automatic notification for IT staff Initially, testing the most critical Microsoft holes –Then including other OSes Scanner host: currently )

13 Windows Patching TRG working group investigated options for automated patching of Microsoft systems Recommended WSUS Evolution: –SUS –WUS –WSUS Available at:

14 Patch Classes Updates Installed –Security Updates –Critical Updates –Definition Updates (Windows Defender) –Service Packs –Update Roll Ups –Tools –Updates (non-critical fixes) Not Installed –Drivers –Feature packs

15 Does not help with: Weak passwords Lack of configuration hardening –Removing unneeded services better than patching Executing untrustworthy code Social Engineering

16 Thanks: Andrew Cooper Steve McIntosh - WSUS Service Derek Higgins - Server Registration System

17 Thats all folks! Questions…

Download ppt "Security Update Server Registration, Active scanning and Windows patching."

Similar presentations

Ads by Google