After posting a message to the patchmanagement.org distribution list about my strategy, as a reaction to the following article, where I said that:
My strategy has always been a risk based approach.
If there’s a vulnerability, something needs to be done about the risk. The risk needs first to be identified and assessed.
The risk can then be:
– accepted (just inventory and evaluate your specific context; wait for a patch when it’s a 0-day)
– reduced, mitigated (apply the workaround instead of patching first; that gives you more time and you can patch later)
– shared, transferred (get more budget and buy a more expensive insurance)
– avoided (patch immediately or remove the offending software/component)
I’ve been contacted by Mitch Tulloch, who is a widely recognized expert on Windows Server and cloud technologies, has written more than a thousand articles, and has authored or been series editor for over 50 books for Microsoft Press. He is a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management.
I provided some recent examples to illustrate the above strategy.
He wrote a nice article on http://techgenix.com/patch-management/
I mentioned in the above article that:
Whenever there’s a zero-day in Flash, you can apply the workaround and set a kill-bit in the registry.
The kill-bit is a registry value that tells the browser not to load the vulnerable ActiveX component.
It’s always documented as a mitigation in the workaround section of every Adobe Flash Player security bulletin posted by Microsoft.
The Office side is also well documented on this support page: https://support.microsoft.com/en-hk/help/4058123/security-settings-for-com-objects-in-office
Let’s see how to achieve this easily with #PowerShell 🙂
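As an added example (not the original post's script), here is one way to push the kill-bit through a GPO with the GroupPolicy RSAT module. The GPO name is an assumption; the CLSID is the well-known Flash Player ActiveX control CLSID and the registry paths are the ones Microsoft documents for the IE and Office kill-bit, so check them against the bulletin you are acting on.

```powershell
#Requires -Modules GroupPolicy
# Assumes the GroupPolicy module (RSAT) is installed and the caller may create/edit GPOs.

$GpoName = 'Mitigation - Flash kill-bit'           # assumed GPO name
$Clsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}' # Flash Player ActiveX CLSID (from the bulletin)
$KillBit = 0x400                                    # "Compatibility Flags" value that blocks loading

# Cover the native and WOW64 views for both Internet Explorer and Office.
$Keys = @(
    "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment 'Kill-bit workaround from the vendor security bulletin'
}

# Write each registry policy entry under Computer Configuration of the GPO.
foreach ($Key in $Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Compatibility Flags' `
        -Type DWord -Value $KillBit | Out-Null
}

# Read back what the GPO now contains, so the result can be checked before linking it.
foreach ($Key in $Keys) {
    $Entry = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Compatibility Flags'
    '{0} -> 0x{1:X}' -f $Key, $Entry.Value
}
```

On a client that has applied the GPO, the same keys can be inspected with Get-ItemProperty to confirm the value 0x400 is present.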
You end up with the following GPO settings:
What’s next? Just link the GPO to the Active Directory OU(s) where it makes sense, so it applies to the computers beneath.