Can high endpoint uptime be a bad thing?
In this blog, I want to share a (less obvious) way in which the recently released AppSense Insight V10 can be used to solve a potential security problem.
If this is the first time you’ve heard of Insight, you can find out more and request a demo here
Most people are aware of the importance of the timely installation of security updates as part of a security threat mitigation strategy. Microsoft’s regular Security Intelligence reports (in addition to other vendors and sources) provide demographic statistics of exploited vulnerabilities throughout the series, which reinforce this message.
Enterprises are generally well on top of patch management, with tools and policies available for pushing out and reporting on the successful installation of updates.
One often overlooked factor, which may be crucial to mitigating the vulnerability addressed by a patch, is whether the endpoint was subsequently rebooted to complete the installation of the update.
According to this Microsoft TechNet article, evidence collected from Windows Server 2008 showed that statistically 10% of updates did not require a reboot to take effect, 10% were kernel updates that did require a reboot, and the remaining 80% required a subsequent reboot to complete successfully if the components to be updated were running at the time of installation.
Group policies to auto-restart endpoints aren’t infallible: locked processes can override shutdown, or local admins may disable the auto-restart policy.
Combine this with the fact that laptop users, in particular, do not frequently shut down their endpoints – they will often just close the lid so they can pick up where they left off. It’s therefore not uncommon to see end-user Windows devices with very high amounts of uptime.
How do you, as an administrator, keep track of this so that you can intervene if or when you need to ensure that security updates have been correctly installed?
This is where AppSense Insight can help out. The recently released Version 10 appliance includes a ‘System Restart by Computer’ report, an uptime indicator that shows how many hours have passed since the last operating system boot.
To access this, log in to Insight as your ‘reports’ (or higher) user and select Reports and System Restart under the devices section:
You are then presented with a list of computers from highest to lowest uptime:
This lets you quickly identify potentially vulnerable endpoints so that you can take remedial action (getting those pesky users to reboot!) to ensure they’re fully up to date.
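To confirm on a flagged endpoint whether a restart really is outstanding, uptime can be checked alongside the places where Windows records a pending reboot. The script below is an added example, not part of the original post and not part of AppSense Insight; the 7-day threshold is an assumed value, and the registry locations are the standard Windows ones rather than anything Insight reads.

```powershell
# Added example: local check for "patched but not yet rebooted".
# Assumption: 7 days is the longest acceptable uptime; match it to your patch cycle.
$MaxUptimeDays = 7

# Last boot time as recorded by the operating system.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime

# Standard Windows registry locations that indicate a restart is still outstanding.
$cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# PendingFileRenameOperations lists files to be replaced at the next boot.
# Other installers use it too, so it is a weaker signal than the two keys above.
$renames = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations

$servicingPending = Test-Path -Path $cbsKey
$updatePending    = Test-Path -Path $wuKey

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    LastBoot             = $os.LastBootUpTime
    UptimeHours          = [math]::Round($uptime.TotalHours, 1)
    ServicingPending     = $servicingPending
    WindowsUpdatePending = $updatePending
    FileRenamesPending   = [bool]$renames
    # Restart is needed if an update is waiting on one or uptime exceeds the threshold.
    NeedsRestart         = $servicingPending -or $updatePending -or
                           ($uptime.TotalDays -gt $MaxUptimeDays)
}
```

Run it from an elevated PowerShell session on the endpoint; a machine with high uptime but no pending markers is less urgent than one where `ServicingPending` or `WindowsUpdatePending` is true.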
Stay tuned for future blog posts, as I have some further security-centric tips and tricks to share. As always, please comment below if you have any questions or feedback.