With the Ransomware that ran amok all over the Internet last week a lot of smaller companies, ones that we’d normally consider to be the Small/Medium Business (SMB) backbone of America were left in a very dangerous state. Many of these companies don’t have full time IT teams, so they don’t have someone watching and reacting when security events like this happen. They may not even have anyone handy to ensure that workstations, laptops and servers are being patched correctly. They probably don’t have someone to ensure that newer operating systems are in use instead of hardware and software that’s almost old enough to drive, vote or drink (depending on the age of your software).
But there are lots of tools out there to help the SMB keep their systems patched. Most are going to require some technical knowledge to implement simply because we need to set up a service to handle the approving of patches and the automatic installation of patches. Once these systems are in place and working correctly, they should be able to work for years without much if any manual intervention.
One popular option is called Windows Server Update Services (WSUS). This is a software package written by Microsoft and included with the Windows Server Operating System. It can be configured to automatically download, approve and force the installation of patches for a variety of Microsoft software, including Windows Server, Windows 7, Windows 8, Windows 10, etc. It can also be used to help with the patching of some third party software, however this can be a bit harder of a configuration process. One of the big advantages to Windows Server Update Services is that it can be configured on every computer within the company using Active Directory’s Group Policy Objects (GPOs). These GPOs allow the administrator to push out the settings to all the computers in the network so that employees can’t bypass the patching settings.
With regard to last weeks ransomware attack, proper patching would have protected most companies. The patch had already been released, but a number of companies had not installed it, due to limited resources. Setting up a server patching infrastructure using WSUS would have protected these companies from this security threat.
If someone clicked a link and the Ransomware was downloaded and installed, that computer may have been compromised. However the virus wouldn’t haven’t been able to spread as the patch which was needed to prevent these machines from being infected had been released weeks before the Ransomware attack happened.
The next most important thing for setting up proper SMB security is to have an Anti-Virus installed on all the computers, and have it running regularly scheduled scans including real time scans. This way, if a viruses makes its way onto the computer, it will be detected and stopped. Sadly no Antivirus is a guarantee against infection, but they will stop a good number of computer viruses from taking hold. Even the free antivirus that Windows includes called Windows Defender is good enough for a lot of small companies.
Windows Defender is included with all modern Windows Operating Systems (Windows 7, Windows 8, and Windows 10) and runs automatically. There are group policy settings which can be set within Active Directory which can turn on regularly scheduled scans on computers across the company.
There are lots of other things which should be done as well, but these two will get most small companies most of the way there, and can usually be setup and configured within a day or two.