Endpoint Admission Defense Help >> Typical Applications >> Patch Check Application

Patch Check Application

Scenario Description

It is common for a Windows system to be attacked by viruses that exploit vulnerabilities in it, causing the system to malfunction or even crash. The spread of viruses within a company affects the normal operation of the network. Therefore, to prevent potential security problems, an enterprise group requires all internal computers to pass a Windows patch check before they can connect to the intranet. Computers that fail the check are isolated.

Figure: Patch check networking

Scenario Analysis

Suppose a network as shown in the diagram above. You need to check whether each terminal on the intranet has KB923191 installed, a hotfix for a critical Windows security vulnerability. Any terminal without the patch is isolated and prompted to update from a specified update server. A user is granted network access only after passing the patch check. Suppose the other configurations are as follows:

Operation Procedure

  1. Configure patch control (refer to Windows Patches for details).
    (1) Type the patch name KB923191.
    (2) Type the message Hotfix for critical security bug bulletin MS06-057.
    (3) Set the patch level to Critical.
    (4) Set the applicable software to Windows XP Service Pack 2.
  2. Configure the security level (refer to Security Level Management for details).
    (1) Type the security level name Critical patch check.
    (2) In the Check Windows Patches area, set the security mode for critical patches to Isolate.
  3. Configure the security policy (refer to Security Policy Management for details).
    (1) Type the security policy name Security policy for patch control check.
    (2) Select Critical patch check as the security level.
    (3) Select the Check Windows Patches check box.
    (4) Set the patch check mode to Check Manually.
    (5) Set the patch level to Critical.
    (6) In the Patch Server Address area, type the address of the update server.
  4. Change the security policy of the subscribed service to Security policy for patch control check (refer to Service Configuration for details).
  5. With the above configuration, when a user accessing through the iNode client is found during security authentication not to have the specified patch installed, the user is isolated and prompted to update manually from \\10.153.128.63\system\patch\windows.
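The following PowerShell script is an added example and is not iNode client or iMC code. It shows what "patch installed" means on the endpoint in this scenario: it queries the Win32_QuickFixEngineering WMI class (the same data Get-HotFix reads) for the required KB and reports the update path from step 5 when the hotfix is missing. The function name Test-RequiredHotfix is an assumption; the KB identifier and the UNC path are taken from this page.

```powershell
# Added example: local check for the hotfix this scenario requires (KB923191, MS06-057).
# Not iNode client code; it illustrates the endpoint-side fact that the EAD check tests.
function Test-RequiredHotfix {
    param(
        [Parameter(Mandatory = $true)] [string[]] $KbIds,                    # e.g. 'KB923191'
        [string] $PatchServerPath = '\\10.153.128.63\system\patch\windows'  # update share from step 5
    )
    # Win32_QuickFixEngineering lists installed hotfixes by HotFixID. Get-WmiObject is used
    # rather than Get-HotFix so the script also runs on Windows XP SP2 with PowerShell 2.0.
    $installed = @(Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID.ToUpper() })
    $missing = @($KbIds | ForEach-Object { $_.ToUpper() } |
        Where-Object { $installed -notcontains $_ })
    New-Object PSObject -Property @{
        Compliant       = ($missing.Count -eq 0)
        Missing         = $missing
        RemediationPath = $PatchServerPath
    }
}

$result = Test-RequiredHotfix -KbIds 'KB923191'
if ($result.Compliant) {
    Write-Host 'Patch check passed: required hotfix is installed.'
} else {
    Write-Host ("Patch check failed; missing " + ($result.Missing -join ', ') +
                ". Update manually from " + $result.RemediationPath)
    exit 1
}
```

Get-WmiObject exists in Windows PowerShell up to 5.1; on PowerShell 7 replace it with Get-CimInstance -ClassName Win32_QuickFixEngineering, which returns the same HotFixID property. The non-zero exit code makes the script usable from a logon script or a scheduled task before a user attempts EAD authentication.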

Precautions

The isolation ACL or isolation VLAN must allow isolated users to reach the update server address configured in step 3; otherwise they cannot install the patch and pass a subsequent check.

Related Topics