Beyond extended support: virtual patching is key to keeping Windows Server secure

By Mohamed Inshaff

This past week, the US National Security Agency (NSA) released a rare security advisory urging organisations to patch a list of critical vulnerabilities. The top 25 list detailed the software flaws most frequently being targeted by state-sponsored Chinese operatives. Although most CVEs were published in 2020, a few date back several years.

What does this tell us? That many organisations are still not patching systems promptly enough, even though the result of a major state-sponsored or cybercrime intrusion could be catastrophic. This is where virtual patching can save the day.

An urgent message
Among the NSA’s list are bugs dating back to 2015, 2017 and 2018. They affect systems as diverse as Oracle WebLogic server, Adobe ColdFusion, and Pulse Secure VPNs. But one of the most commonly affected products listed is Microsoft Windows Server. Of the five critical CVEs detailed by the NSA, the vulnerability dubbed “Zerologon”stands out. Fixed back in August, it’s a critical elevation of privilege bug affecting Windows 2008 and more recent versions, which could allow attackers to remotely take control of a domain control, and in so doing own an entire network.

Cyber-criminals have been quick to develop and weaponise exploits in attacks, chaining Zerologon with VPN exploitsand commodity tools to deliver ransomware and other payloads worryingly quickly. 

The problem with patching
Organisations aren’t necessarily being negligent by not patching promptly. Many may be running legacy operating systems which they can’t upgrade because of compatibility issues with mission critical applications. Others may be unable to afford the downtime required to test patches before applying them. For these organisations, not patching is a risk worth taking when set against the potential business impact and cost associated with doing so. 

Some organisations might simply be overwhelmed by the sheer number of patches they need to apply and prioritise across multiple systems today. Others may choose extended support options from vendors like Microsoft, which are meant to provide security updates, at a significant extra cost, past the official end-of-life date. However, our research has indicated that organisations may still be exposed to some threats even with these hefty support packages in place.

Why virtual patching works
In order to address potential threats and also to achieve compliance requirements such as Cyber Essentials Plus, PCI DSS, etc in an EOS system like Windows Server 2008; on top of Antimalware, additional security controls are needed to detect and protect against network bound attacks and suspicious activity. Our solution is virtual patching: multi-layered protection against known and unknown vulnerabilities. Featured in and other offerings.

Deep Security and Cloud One – Workload Security host-based Intrusion detection and prevention (IDS/IPS) capability can protect critical servers against network attack vectors which can lead to security breach. We can also monitor the integrity of system files, registry settings, and other critical application files to ensure that unplanned or suspicious changes are flagged. 

Using a single modular agent; we can automatically scan your servers for both operating system, as well as common enterprise application vulnerabilities and protect these unpatched, servers automatically without the need to reboot the servers.

Virtual patching adds an extra layer of defence to any organisation to:

  • Buy time until vendor patches can be rolled out
  • Prevent unnecessary downtime that might otherwise stem from patching 
  • Support regulatory compliance
  • Provide protection above and beyond vendors’ extended support programmes

On the latter point, we recently analysed Windows Server 2008 R2, which reached end-of-life in January 2020. Since then, we have released nearly 200 IPS rules in Deep Security (effectively virtual patches), 67 of which were related to OS bugs. In fact, even organisations with Extended Support for the product were recommended to apply 23 virtual patches, 14 of which we rated critical.

Virtual patching in action
This highlights that organisations wanting to enhance resilience to cyber-threats should choose virtual patching as an essential extra layer of protection for Windows Server and other products—whether they have invested in Extended Support or not.

Organisations like Carbery Group are already using virtual patching to good effect. After seeing the damage Zerologon could do, the multinational dairy group recently asked Trend Micro to help it accelerate vulnerability protection for hundreds of servers. Virtual patching was deployed seamlessly via Deep Security to provide peace-of-mind to the IT team.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.