Microsoft releases updates for products ranging from Windows Desktop and Server to Microsoft Office on the second Tuesday of each month. The practice, which started way back in the days of Windows 98, has become known as “Patch Tuesday.” These updates are primarily intended to apply security and bug fixes, and some have “important” or “critical” priority levels.
Unfortunately, software updates are a generally overlooked aspect of security management. Most users aren’t able to tell if updates are being installed at all, and often small companies don’t have anyone to ensure all workstations (and servers) are getting these crucial updates.
Luckily, Microsoft makes a great tool, Windows Server Update Services (WSUS for short), that allows centralized management, deployment and auditing of updates. Better still, WSUS is totally free if you have a Microsoft server of almost any vintage.
WSUS isn’t a silver bullet, though; someone still needs to approve the updates and check that the approved software is actually being installed. That’s where one’s IT company should come in. Sadly, we’ve found that updates fall very low on the list of priorities for managed service providers and IT companies.
While auditing two offices of my previous employer, both offices using different IT companies, I found one site had gone six months without server updates being installed. The second site had workstations that hadn’t received updates in over two years!!!
Some IT companies claim they “only approve tested updates for installation.” While this sounds like a good reason to delay update installations (software updates could, in theory, cause problems), we find that, generally, if Microsoft releases an update, the update is very stable. Also, if the approval process takes longer than a couple of weeks, your information systems are left vulnerable to would-be attackers.
At Elite Security Auditors we believe these updates should be installed as quickly as possible after their release to ensure the highest level of security and to adhere to best practices. If you aren’t sure whether these crucial updates are being installed, please contact us to find out how we can help.
