Management of Security Updates in the Windows 2000 Environment

Diligence in the timely deployment of security updates is necessary as part of any effective security program. This paper will address the following areas: Mitigating some risks by initially deploying a secure base configuration, Learning of newly discovered vulnerabilities, Getting the security updates, Testing the security updates in a non-production environment, Scanning production systems for patch installation status, Deploying the security updates and Management policy. While the focus of this paper will be on the enterprise or corporate computing environment, some issues affecting the home or small business user will be highlighted as well. Also, the scope of this paper is limited to the Microsoft Windows 2000 server and Windows 2000/XP desktop operating systems, widely deployed Microsoft server applications such as SQL Server and Internet Information Services (IIS) Server, and key desktop applications such as Internet Explorer and the Office productivity suite. Although non-Microsoft operating systems and applications are not discussed here, proper management of security updates for these products is equally as important to the overall effectiveness of the security program.