Your Weekly Tech Tidbit – Security – Back to Basics Part II

March 2nd, 2018
Your Weekly Tech Tidbit – Security – Back to Basics Part II

The 2018 Yankees have taken the field.  We'll all find out soon who is playing second and third base.

In the meantime, I want to continue my discussion of the basics of patching.

Many sites decide not to patch or patch only in the summer.  That is a very dangerous strategy.  If this is you, sooner or later bad things will happen to you.

Many sites simply turn on Windows Updates as automatic updates and walk away.  This is almost as bad a plan because sooner or later Microsoft will have an EULA that needs to be accepted or Windows Update will need an update.   Once that happens all your updates will cease to flow.  You won't know it until you visit the machine and try to do a Windows Update.

And regardless of that how are you patching the application side with Chrome, and Firefox, Adobe Reader, Adobe Flash, and Java?  These are the major ways that exploits find their way into your network to take advantage of your unpatched Windows.

Microsoft has WSUS to patch the OS and other Microsoft applications.  The WSUS software is free.  If you have nothing else, you should have a WSUS server.

Unfortunately, WSUS won't patch the non-Microsoft products.   There are some third-party products that overlay WSUS to patch applications for an additional licensing fee.

Then there are the more robust class of client management products that can patch, perhaps image machines, and push out other application installs and updates.  Some of the more popular products are:

  • KACE by Dell
  • PDQ Deploy
  • Symantec Altiris
  • Microsoft Configuration Manager (aka) SCCM.
  • Microsoft Intune for Education

Some let WSUS do its work and manage everything else.  Some replace WSUS functionality entirely.

Microsoft's flagship client management product is Configuration Manager previously referred to as SCCM.  The current version is 1710 plus a hotfix.   SCCM does WSUS, can do imaging, and can push out application installs and updates such as Java and Flash.

A number of you started down the SCCM route a few years ago.  You implemented SCCM and it does what it does.  However, in my wanderings, most of your SCCM boxes really haven't been updated to keep up with Microsoft's current offerings.  With the release of Windows 10 Microsoft has tied SCCM upgrades to Windows 10 releases.   If you want to remain current in Windows 10 deploys, you must now also remain current in SCCM.

The older releases of SCCM offered no direct, easy way to upgrade.  However, Microsoft realized they had to do better and started incorporating their own Windows Update, SCCM Update feature inside of newer version of SCCM.  Microsoft has done a nice job trying to remove a lot of the upgrade complexity version to version.

If you have SCCM and you have the Updates and Servicing choice either under Cloud Services or out on the main menu on the left under Administration, it is time to update to the current version.  If you don't have those choices and intend to deploy and maintain Windows 10, it is imperative that you talk to us and map out a plan to get current and make your SCCM server much easier to update for future releases.

If you want to discuss your specific situation or require assistance, please give us a call.

Scott Quimby