Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates
The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice: security or availability. Security in the sense of eliminating the risk of known vulnerabilities through patching. Availability where an application or Windows 10 feature only works when an update isn’t applied. Enterprises will need to plan on Windows 10 security mitigations when applying cumulative updates isn’t an option.
Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied they break functionality in Windows or third party applications.
Sometimes Microsoft needs to fix something – sometimes a third party vendor (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straight forward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or third party software to be released, apply the improved patch or software and move forward.
Windows 10 security mitigations
With the cumulative updates, selectively applying patches is over. Rather that fretting over the situation, there are a number of mitigations that might be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald, wrote a report on Best Practices for Secure Use of Windows XP After Support Ends to address the issues of not being able to patch vulnerabilities that would continue to be found.
Many of these practices can be used with Windows 10 for these situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with Ivanti solutions.
Restrict network connectivity to the minimum possible
This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. Ivanti Security Suite can limit network connectivity through Windows firewall management or the Ivanti firewall.
Whitelisting is a very effective method of securing a system as it stops unauthorized applications from running. Ivanti Security Suite and our recently acquired Ivanti Application Manager both provide industry leading whitelisting with plans to blend both capabilities in future product releases.
Remove administrative rights
Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations from such an action often stop organizations from taking this step.
Privilege management software, including Ivanti Application Manager, can be used to grant privileges to applications that need them so users can use non-administrative accounts. On the reverse, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.
Address the most common attack vectors — web browsing and email
There are a number of things that go into securing web browsing and email. Neil mentions the following controls:
- Patch Management: As discussed in my previous article, third party patch management is a strength of Ivanti Patch Manager
- Containerization: there are a number of solutions that use technology to isolate applications including our partner Bufferzone. With these solutions, attacks are contained to that application unable to spread to the operating system or other applications.
Keep the rest of the software stack updated where possible, including Office
Can I get one more amen for patch management? Enough said.
Use an IPS to shield systems from attack
Ivanti Security Suite includes a Host Intrusion Prevention component to address behavioral based attacks and apply file protection rules. Add to that, Ivanti Antivirus brings an industry leading anti-malware engine.
Disable USB ports and CD\DVD drives
Often malware is introduced through removable media. Ivanti Security Suite provides device control to disable external media devices, make them read-only, and\or shadow copy files that move across those devices.
Here are some points to remember and share:
- Expect Windows 10 cumulative updates to occasionally break features or third party applications.
- Selective application of patches is no longer an option with Windows 10.
- Build out a strategy of security mitigations when applying the cumulative update isn’t feasible.
The article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful and I wish you great success with managing Windows 10 updates.