Risk assessment means that, for each enterprise, you comprehensively determine the degree of urgency of a security update based on your system environment and the information gathered in 3.2 "Collecting Information". In an environment where you have properly implemented hardening as described in Chapter 2 "Hardening", you will often find that "Urgent application" is unnecessary, because the degree of urgency is lower than in an environment where hardening has not been implemented.
Microsoft applies its severity rating system to each security bulletin to help you determine the urgency of applying the security update program. Table 16 lists the ratings and their definitions. However, these ratings assume that you have not implemented hardening for your system. You should determine the degree of urgency for your enterprise by comprehensively assessing such aspects as the importance of your system and the state of your hardening implementation; in an environment hardened as described in Chapter 2 "Hardening", the degree of urgency is less critical than in one that has not been hardened.
Table 15: Sites Providing Information on Security Vulnerability
Site Name / Address
- Microsoft Security Bulletin Summaries: http://www.microsoft.com/technet/security/bulletin/summary.mspx
- Microsoft TechNet Security Center: http://www.microsoft.com/technet/security/default.mspx
- Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.mspx
SAP Hardening and Patch Management Guide for Windows Server 51
For more information, see the Microsoft Security Response Center Security Bulletin Severity Rating System (http://www.microsoft.com/technet/security/bulletin/rating.mspx).
This whitepaper uses four categories to describe the urgency of applying the security update program: "Urgent application", "Applying during regular operation", "Applying with the service pack", and "No application". Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
Example of the Emergency Assessment Categories
1. Urgent application: apply within 1 month.
2. Applying during the regular course of operation: at least once every 3 to 6 months.
3. Applying with the service pack: when installing the next service pack.
4. No application: OS, functionality, or product not affected.
Table 16: Definitions of the Severity Ratings
Rating / Definition
- Critical: Describes a vulnerability that, if exploited, could allow propagation of an Internet worm without user action.
- Important: Describes a vulnerability that, if exploited, could compromise user data confidentiality, integrity, or availability, as well as the integrity or availability of processing resources.
- Moderate: Describes a vulnerability for which the possibility of exploitation is significantly lessened by the existing configuration, or by the difficulty of infiltration or exploitation.
- Low: Describes a vulnerability that is extremely difficult to exploit or the exploitation of which has minimal impact.
Additional information: You can also obtain general emergency assessment guidance from http://www.microsoft.com/technet/itsolutions/techguide/msm/default.mspx.
However, this example of the emergency assessment categories is based on actual SAP-related consulting cases handled by Microsoft Consulting Services, with some changes. You should consider the trade-offs among assessment factors such as your hardening status, risks, costs, the time necessary to assess the security update program, and other practicalities when deciding your emergency assessment category.
Assessing the Consequences and Urgency of the Vulnerability
As described above, Microsoft releases information about security vulnerabilities once a month. Taking measures against every security vulnerability, however, would increase costs and downtime for your system and so reduce availability. Because the consequences of a vulnerability vary with the environment, it is important to determine the degree of urgency for your particular situation.
Even if the maximum severity rating of a vulnerability is "Critical", if you do not use the vulnerable service, in many cases you can respond by applying the update during the regular course of operation (once every 3 to 6 months) or with the next service pack. To reduce the operational cost of applying security updates while maintaining high availability, you can create a matrix as one method for determining the consequences of the vulnerability and the degree of urgency. This whitepaper refers to it as the vulnerability assessment matrix.
What is a Vulnerability Assessment Matrix?
The vulnerability assessment matrix helps you determine the consequences of a vulnerability for your system and the countermeasures to take against it, even when your system environment is complex. You create the matrix from the information Microsoft provides about the security vulnerability.
Example of a Method for Determining the Degree of Urgency
Determine the appropriate emergency assessment category to suit your operation depending on your system environment and security policies.
- Vulnerability Assessment Matrix
Creating the Vulnerability Assessment Matrix
The vulnerability assessment matrix consists of three major parts: "Organizing the information about the security vulnerability", "Assessing the pros and cons of the risk", and "Determining the degree of urgency for applying the security update program for each enterprise" (see Table 18: Vulnerability Assessment Matrix). Once you have organized the information about the security vulnerability, you can complete the steps "Organizing the information about the security vulnerability" and "Assessing the pros and cons of the risk". The portion "Organizing the information about the security vulnerability" is taken from the monthly Security Bulletin described in the section "Collecting Information about Security Vulnerability" (summarized from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, for example), available from the Microsoft Security Bulletin Summaries at http://www.microsoft.com/technet/security/bulletin/summary.mspx. For the contents of the excerpt, see the following section, "Organizing the Information about the Security Vulnerability". The part "Assessing the pros and cons of the risk" is created from the information organized in "Organizing the Information about the Security Vulnerability" together with your system configuration, and provides the criteria for determining the degree of urgency. Based on this determination, you decide when to apply the security update program.
To create the vulnerability assessment matrix, you must perform the following steps.
Figure 31 – Process for Creating the Vulnerability Assessment Matrix: Step 1: Organizing Information about Security Vulnerability; Step 2: Assessing Pros and Cons of Risks; Step 3: Determining Urgency for Each Enterprise
Organizing the Information about Security Vulnerability
In this step, you organize the following information about the security vulnerability.
- Consequences of the vulnerability
- Maximum severity rating
- Affected software
- Technical details
  o Technical description
  o Mitigating factors
- Workarounds
- Information about the security update program
  o Restart requirement
  o Information about uninstalling the program
Assessing the Pros and Cons of the Risk
Assess each criterion based on the information from the step "Organizing the Information about Security Vulnerability".
- Are there consequences of the vulnerability?
  o Is there an affected OS?
  o Are there affected products or functionality?
- Is it possible for someone to attack anonymously? (An open port alone can make such an attack possible.)
- Is it possible for someone to obtain or upgrade privileges?
- There is no effective workaround.
- Is it possible that the hardening implemented by each enterprise is not effective?
Determining the Degree of Urgency
The degree of urgency for each enterprise is determined by the result of the step "Assessing the Pros and Cons of the Risk"; see the examples below. In the first example, the determination is "Urgent application" because all the criteria in "Assessing the Pros and Cons of the Risk" apply to the system. In the second example, the determination is "Applying during regular operation" because the criterion "Your system is affected by the vulnerability" applies to the system and the maximum severity rating is "Important". The determination will vary depending on system configurations and environments.
Table 17: Determining Whether to Apply the Security Update Program
Determination / Criteria
- Urgent application: All the criteria in "Assessing the Pros and Cons of the Risk" apply to your system.
- Applying during regular operation: The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is "Critical" or "Important".
- Applying with the service pack: The criterion "Are there consequences of the vulnerability?" applies to your system and the maximum severity rating is other than "Critical" or "Important".
- No application: Your system is not affected.
To help decide whether to apply the security update program, you may want to create a flowchart. Note that the flowchart will vary according to system configurations and environments.
Figure 32 – Sample Flowchart for Determining Whether to Apply the Security Update Program. Decision nodes: Start; Affected by the vulnerability? (NO: No application); Pros and Cons of the Risk: all criteria apply to the system? (YES: Urgent application); Maximum severity is "Critical" or "Important"? (YES: Apply during the regular course of operation; NO: Apply with the service pack)
Table 18: Vulnerability Assessment Matrix
Determination Sample 1 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
- Security Bulletin No.: MS03-026
- URL for information about the vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Original release date of the vulnerability information report: July 17, 2003
- Time elapsed between information release and occurrence of computer virus: -
- Affected software: Microsoft Windows NT Server 4.0; Microsoft Windows NT Server 4.0 Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
- Maximum Severity Rating: Critical
- Nature of the vulnerability: Buffer overruns in RPC interface could allow code execution (823980) (MS03-026)
- Characteristics: There is a vulnerability in the part of RPC that handles message exchange over TCP/IP. The issue stems from incorrect handling of malformed messages.
- Mitigating factors: To exploit this vulnerability, the attacker would need to send a specially crafted request to port 135, 139, or 445 on the remote machine, or to another port configured for RPC.
- Restart required: Yes
- This security update program can be uninstalled: Yes
Step 2: Assessing the Pros and Cons of the Risk
- Are there consequences of the vulnerability? Yes
  o Is there an affected OS? Yes
  o Are there affected products or functionality?
- Is it possible for someone to attack anonymously? Yes
- Is it possible for someone to obtain privileges? Yes
- There is no effective workaround. Yes
- Is it possible that the hardening implemented by each enterprise is not effective? Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
- Determination: Urgent application. (After hardening is implemented, the degree of urgency will be lessened.)
Table 19: Vulnerability Assessment Matrix
Determination Sample 2 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
- Security Bulletin No.: MS04-003
- URL for information about the vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-003.mspx
- Original release date of the vulnerability information report: January 14, 2004
- Time elapsed between information release and occurrence of computer virus: -
- Affected software: Microsoft Windows
- Maximum Severity Rating: Important
- Nature of the vulnerability: Buffer overrun in MDAC function could allow code execution (832483)
- Characteristics: Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client.
- Mitigating factors: For an attack to be successful, an attacker would have to simulate an SQL server that is on the same IP subnet as the target system.
- Restart required: Yes
- This security update program can be uninstalled: No
Step 2: Assessing the Pros and Cons of the Risk
- Are there consequences of the vulnerability? Yes
  o Is there an affected OS? Yes
  o Are there affected products or functionality? -
- Is it possible for someone to attack anonymously? No
- Is it possible for someone to obtain privileges? Yes
- There is no effective workaround. No
- Is it possible that the hardening implemented by each enterprise is not effective? Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
- Determination: Apply during the regular course of operation. (After implementing hardening, the degree of urgency will be lessened.)
Table 20: Vulnerability Assessment Matrix
Determination Sample 3 - Hardening has not been Implemented
Step 1: Organizing the Information about Security Vulnerability
- Security Bulletin No.: MS04-006
- URL for information about the vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-006.mspx
- Original release date of the vulnerability information report: February 11, 2004
- Time elapsed between information release and occurrence of computer virus: -
- Affected software: Microsoft Windows NT Server; Microsoft Windows 2000 Server; Microsoft Windows Server 2003
- Maximum Severity Rating: Important
- Nature of the vulnerability: Vulnerability in the Windows Internet Naming Service (WINS) could allow code execution (830352)
- Characteristics: A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially crafted packets.
- Mitigating factors: The WINS service is not installed by default.
- Restart required:
- This security update program can be uninstalled:
Step 2: Assessing the Pros and Cons of the Risk
- Are there consequences of the vulnerability? No
  o Is there an affected OS? No
  o Are there affected products or functionality? No
- Is it possible for someone to attack anonymously? No
- Is it possible for someone to obtain privileges? No
- There is no effective workaround. No
- Is it possible that the hardening implemented by each enterprise is not effective? Yes
Step 3: Determining Degree of Urgency for Applying Security Update Program for each Enterprise
- Determination: Only needs to be applied to the WINS server. Apply to the WINS server during regular operation. (After hardening is implemented, the degree of urgency will be lessened.)
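As an added illustration that is not part of the whitepaper, the decision rules of Table 17 written as a small Python function and run over the answers recorded in the three sample matrices above; the answers for the WINS server itself in Sample 3 are an assumption, since the page states only the outcome for that host.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Severity(Enum):  # the maximum severity ratings of Table 16
    CRITICAL = "Critical"
    IMPORTANT = "Important"
    MODERATE = "Moderate"
    LOW = "Low"

class Determination(Enum):  # the four emergency assessment categories
    URGENT = "Urgent application"
    REGULAR = "Applying during regular operation"
    SERVICE_PACK = "Applying with the service pack"
    NONE = "No application"

@dataclass(frozen=True)
class RiskAssessment:  # Step 2 of the matrix: answers to the "pros and cons of the risk" criteria
    bulletin: str
    max_severity: Severity
    affected_os: bool              # Is there an affected OS?
    affected_products: bool        # Are there affected products or functionality?
    anonymous_attack: bool         # Is it possible for someone to attack anonymously?
    privilege_gain: bool           # Is it possible for someone to obtain or upgrade privileges?
    no_effective_workaround: bool  # There is no effective workaround.
    hardening_not_effective: bool  # Is it possible that the hardening is not effective?

    @property
    def has_consequences(self) -> bool:
        # "Are there consequences of the vulnerability?" is answered by its two sub-questions.
        return self.affected_os or self.affected_products
    def all_criteria_apply(self) -> bool:
        return (self.has_consequences and self.anonymous_attack and self.privilege_gain
                and self.no_effective_workaround and self.hardening_not_effective)

def determine_urgency(a: RiskAssessment) -> Determination:
    """Step 3: the decision rules of Table 17, i.e. the path through the flowchart of Figure 32."""
    if not a.has_consequences:
        return Determination.NONE
    if a.all_criteria_apply():
        return Determination.URGENT
    if a.max_severity in (Severity.CRITICAL, Severity.IMPORTANT):
        return Determination.REGULAR
    return Determination.SERVICE_PACK

def after_hardening(a: RiskAssessment) -> Determination:
    """Re-evaluate once the Chapter 2 hardening is in place and judged effective against this issue."""
    return determine_urgency(replace(a, hardening_not_effective=False))

# Constructed from the answers recorded in Tables 18 to 20 (hardening not implemented). Sample 1
# leaves the "affected products" cell blank; it is taken as False here, which does not change the result.
MS03_026 = RiskAssessment("MS03-026", Severity.CRITICAL, True, False, True, True, True, True)
MS04_003 = RiskAssessment("MS04-003", Severity.IMPORTANT, True, False, False, True, False, True)
MS04_006_NO_WINS = RiskAssessment("MS04-006", Severity.IMPORTANT, False, False, False, False, False, True)
# Assumed answers for the WINS server itself (Table 20 states only the outcome for that host).
MS04_006_WINS_SERVER = replace(MS04_006_NO_WINS, affected_os=True, affected_products=True, privilege_gain=True)
```

Running `after_hardening(MS03_026)` shows the effect the tables describe in words: once the hardening criterion no longer applies, Sample 1 drops from "Urgent application" to "Applying during regular operation".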
Applying the Security Update Program
After the risk assessment of the vulnerability determines that the security update program needs to be applied, apply it to your system following these steps: "Devising a plan for responding to the vulnerability", "Testing the security update program before applying", "Applying the security update program", "Verifying the behavior after application", and, if the application causes problems, "Restoring through the roll-back process".
Figure 33 – Process Flow of Applying the Security Update Program: Step 1: Devising a plan for responding to the vulnerability; Step 2: Testing the security update program before application; Step 3: Applying the security update program; Step 4: Verifying the behavior after application; Step 5: Restoring through the roll-back process
For details on applying security update programs, see the document listed in Table 21.
Devising a Plan for Responding to the Vulnerability
To apply the security update program, first devise a plan for responding to the vulnerability. It is important to clarify the required security level, since it varies with the system environment. Before applying the security update program, you may want to create a flowchart for managing the change; a flowchart helps you carry out a higher-quality application. When devising the plan, refer to SAP Notes 30478, 62988 and 664607 to check whether this security update program has ever caused problems in the SAP environment.
Table 21: Reference Information
- How To Implement Patch Management: http://msdn.microsoft.com/library/en-us/secmod/html/secmod108.asp
Figure 34 – Sample Flowchart for Managing Changes. Nodes: Start; Emergency? (NO: Normal process; YES: Emergency process). Normal process: Plan the steps for change and restoration; Test the steps for change and restoration; Successful?; Adjust before applying to the production environment; Apply to the production environment; Finish. Emergency process: Plan the steps for rapid change and restoration; Testing required?; Test quickly; Successful?; Adjust before applying, then apply to the production environment; Finish.