Securing Your Patch Management Server. Novell ZENworks 7 Patch Management



Appendix B: Securing Your Patch Management Server

In this appendix:

• Secure Your Server With SSL

• Use Secure Passwords

• Turn Off File and Printer Sharing

• Put Your Server Behind a Firewall

• Turn Off Non-Critical Services

• Lock Down Unused TCP and UDP Ports

• Apply All Security Patches

This appendix identifies the various options available when securing your Patch Management Server.

Secure Your Server With SSL

Secure Sockets Layer (SSL) is a protocol used to secure data transmitted over the Internet. SSL support is included in browsers, web servers, and operating systems so that any type of client and server can use authenticated and encrypted communications over private as well as public networks. ZENworks Patch Management always uses SSL when downloading vulnerability data and packages from the Global Subscription Server. Additionally, SSL can be used when transmitting data between the Patch Management Server and Patch Management Agents by enabling SSL during the installation of ZENworks Patch Management. This process involves obtaining an SSL certificate (.CER) and installing the certificate during the installation. Refer to the ZENworks Patch Management Server 6.4 SP2 Server Install Guide for details regarding installing with SSL enabled.


Use Secure Passwords

Worm attacks frequently try to log in with weak and commonly used passwords. For secure passwords, the Department of Defense standard is recommended: 12 characters, with alpha, numeric, punctuation, and mixed case characters all included in the password.

Turn Off File and Printer Sharing

The ZENworks Patch Management Server should not be used as a file or print server. Additionally, an intruder can exploit a Windows networking share. Therefore, File and Printer Sharing for Microsoft Networks should be disabled.

Turning Off File and Printer Sharing

1. From within the Windows Control Panel, select the Network Connections icon.

2. Open the Local Area Connection.

3. Click Properties.

Step Result: The Local Area Connection Properties window opens.

Figure 175: Local Area Connection Properties


4. Select File and Printer Sharing for Microsoft Networks.

Caution: Do not uninstall Client for Microsoft Networks because it is required by both Microsoft SQL Server and Internet Information Server.

5. Click Uninstall.

6. Click OK.

Result: File and Printer Sharing for Microsoft Networks is no longer enabled.

Put Your Server Behind a Firewall

Since the ZENworks Patch Management Server receives its patch updates from the Global Subscription Server (GSS), there is no need to allow access from the Internet into the Patch Management Server. However, access to the GSS must be specified in your firewall configuration.

Turn Off Non-Critical Services

The default installation of Microsoft Windows has most features and services active. Therefore, there are a number of services that can be turned off (e.g., RPC, Remote Registry) to reduce the risk of outside attacks. Although Novell does not encourage this type of lockdown, it can be an effective method to reduce the risk of hacker attacks. The following services are required to run ZENworks Patch Management:

• World Wide Web Publishing Service

• IIS Admin Service

• MSSQLSERVER

• ZENworks Patch Management
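One way to see what is running beyond that list, as an added example that is not part of the Novell manual: the script parses `sc query state= all` output and returns the running services that are not among the four required ones. The sample output is constructed and abridged, and `ZPM_PLACEHOLDER` is a stand-in because the manual does not give the product's service name.

```python
# Services the manual lists as required. The manual mixes service names and
# display names, so each running service is matched on either one.
REQUIRED = {"world wide web publishing service", "iis admin service",
            "mssqlserver", "zenworks patch management"}

# Constructed, abridged `sc query state= all` output (not from the manual).
# ZPM_PLACEHOLDER is a placeholder for the product's real service name.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        STATE              : 4  RUNNING

SERVICE_NAME: MSSQLSERVER
DISPLAY_NAME: MSSQLSERVER
        STATE              : 4  RUNNING

SERVICE_NAME: ZPM_PLACEHOLDER
DISPLAY_NAME: ZENworks Patch Management
        STATE              : 4  RUNNING

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 1  STOPPED
"""

def running_services(sc_text):
    """Return (service_name, display_name) for each record whose STATE is RUNNING."""
    records, current = [], None
    for line in sc_text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "SERVICE_NAME":
            current = {"name": value, "display": value, "state": ""}
            records.append(current)
        elif current is not None and key == "DISPLAY_NAME":
            current["display"] = value
        elif current is not None and key == "STATE" and value:
            current["state"] = value.split()[-1]  # "4  RUNNING" -> "RUNNING"
    return [(r["name"], r["display"]) for r in records if r["state"] == "RUNNING"]

def review_candidates(sc_text, required=REQUIRED):
    """Running services that are not on the manual's required list."""
    return [(n, d) for n, d in running_services(sc_text)
            if n.lower() not in required and d.lower() not in required]
```

The result is a list to review by hand, not a list to disable automatically.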

Lock Down Unused TCP and UDP Ports

Preventing network traffic on various unused and vulnerable TCP and UDP ports should be completed through the use of a firewall. However, if a firewall is not available or additional machine level locking is desired, TCP and UDP ports can be locked down as a function of the network connection.

Locking Unused Ports

1. From within the Windows Control Panel, select the Network Connections icon.

2. Open the Local Area Connection.


3. On the Local Area Connection Status General tab, click Properties.

Step Result: The Local Area Connection Properties window opens.

Figure 176: Local Area Connection Properties

4. Select the Internet Protocol (TCP/IP) protocol.


5. Click Properties.

Step Result: The Internet Protocol (TCP/IP) Properties window opens.

Figure 177: Internet Protocol (TCP/IP) Properties

6. In the General tab, click Advanced...

Step Result: The Advanced TCP/IP Settings window opens.

7. Select the Options tab.

8. Select TCP/IP Filtering.


9. Click Properties.

Step Result: The TCP/IP Filtering window opens.

Figure 178: TCP/IP Filtering

10. Enable the Enable TCP/IP Filtering (All Adapters) option.

11. Select the Permit Only TCP Ports option.

12. Add TCP ports 443 and 80 to the listing of permitted ports.

a) Click Add...

Step Result: The Add Filter window opens.

b) Type 443 in the TCP Port field.

c) Click OK.

Step Result: The Add Filter window closes.

d) Repeat steps a, b, and c to add port 80.

Note: No other ports are required, although you may want to enable additional ports to allow DNS, TS, or VNC.

13. Select the Permit Only UDP Ports option, leaving the UDP Ports window blank since no UDP ports are required.

14. Close the open windows.

After Completing This Task:

With all ports locked (except for ports 80 and 443), it will be necessary to add entries to your Proxy or HOSTS file for the necessary Novell websites and the Global Subscription Server.


Apply All Security Patches

Apply all applicable Microsoft Security Patches to ensure that the server remains protected against all known security threats. Be sure to apply the most recent patches for IIS, SQL Server, and Windows Server 2003.
