RES Automation Manager Emergency Patch Management

I previously covered the reasons why you probably wouldn’t use RES Automation Manager for patch management (see here). Max Ranzau (AKA @RESguru) made a great point that you can certainly use Automation Manager to push out individual patches easily. With the release of the Microsoft RDP critical patch MS12-020 and an exploit apparently in the wild, this proves that RES Automation Manager certainly still has its place in your patch management strategy.

Assuming that you haven’t exposed port 3389 directly to the internet you may feel that you’re somewhat “safe.” I actually think that the greater risk comes from worms that will be run from within the corporate network firewalls. All it takes is for one machine to be compromised… How many desktops and servers do you have inside the corporate network that have RDP access enabled?

Microsoft provides some workarounds that will give you time to test the patch prior to deployment. Fortunately, RES Automation Manager gives you the following options in dealing with this exploit using the built-in Automation Manager tasks/tasklets:

    1. Deploy the patch within minutes and/or
    2. Disable RDP connections completely and/or
    3. Enable/modify the Windows firewall rules to block RDP connections and/or
    4. Enable Network Level Authentication for RDP connections.

One thing is for certain: you need to be acting and mitigating this risk now. I think it’s only a matter of time before things get interesting. Who remembers Slammer?! I know people who are still mentally scarred by its long-lasting effects!

GPOs could help you with some of this, but nothing is going to be able to deploy any of (or a mixture of) the above workarounds within minutes. How will you be sure that your workarounds are in place on all machines? RES Automation Manager will give you near instant feedback on what tasks failed and provide you with the data to target those computers. Remember, if you use RDP/Remote Assistance for support then you’re probably limited to option #1 (or maybe #4).
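To answer the "are the workarounds in place on every machine?" question, the following PowerShell audit is an added example, not part of the original post or of RES Automation Manager. It assumes RDP is on its default port 3389, uses a placeholder hotfix ID that you must replace with the KB number from the MS12-020 bulletin, and assumes your deployment tool treats a non-zero exit code as a failed task.

```powershell
# Added example: audit one machine for the MS12-020 mitigations listed above.
param(
    # Placeholder: replace with the KB number(s) from the MS12-020 bulletin for your OS.
    [string[]]$HotFixId = @('KB0000000')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Option 1: patch installed (true if any of the listed hotfix IDs is present).
$patched = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)

# Option 2: fDenyTSConnections = 1 means RDP connections are refused.
$rdpDisabled = (Get-RegValue $tsKey 'fDenyTSConnections') -eq 1

# Option 3: list enabled inbound allow rules for TCP 3389.
# HNetCfg.FwPolicy2 constants: Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP.
# Limitation: port ranges and "any port" rules are not evaluated.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$allowRules = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    $_.Protocol -eq 6 -and $_.LocalPorts -match '(^|,)3389(,|$)'
})

# Option 4: UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-RegValue $rdpKey 'UserAuthentication') -eq 1

$mitigated = $patched -or $rdpDisabled -or $nlaRequired -or ($allowRules.Count -eq 0)

New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    Patched       = $patched
    RdpDisabled   = $rdpDisabled
    NlaRequired   = $nlaRequired
    RdpAllowRules = ($allowRules | ForEach-Object { $_.Name }) -join '; '
    Mitigated     = $mitigated
}

# Assumption: the deployment tool reports a non-zero exit code as a failed task.
if (-not $mitigated) { exit 1 }
```

The registry values read here are the local machine settings; the same settings enforced through Group Policy are stored under a separate policy key and are not checked by this script.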

If you don’t have RES Automation Manager today, you probably wish you did! You’ve been warned.

Iain

2 Comments

  1. Patrick Author March 19, 2012 (12:37 pm)

    Not only is RES AM handy for emergency fixes, but also when you need some patches installed on the server before you can install other software. When rolling out a new server it can take some time before WSUS kicks in, and most preferred is to roll out a server/client in one go. At that moment it is easy to just make a module with only the patches you need in place to install the software, and do the rest of the WSUS after the big installation of the server.

  2. Iain Brighton Author March 19, 2012 (12:44 pm)

    Hi Patrick,

    A great point! I guess I was trying to point out that RES AM is not a great patch management product, but it is excellent for deploying one or more patches that you know you need, e.g. as a prerequisite (as you’ve pointed out) or an emergency patch. I’d still recommend WSUS for general patch management any day!

    Iain
