Shulou(Shulou.com)06/02 Report--

Worm virus using MS17-010loophole has become the main task since last weekend. When there are a large number of machines in the organization, it takes a lot of manpower and resources to protect and update a large number of business systems in a short time. Of course, if the means and methods are effective, things will be much smoother.

Goal:

1. Get updates on all machine patches for MS17-010. patches for window 7\ windows 2008 R2 and above were actually released in March, while special patches (KB4012598) for machines such as winxp,windows server 2003 that lost support were released on May 13. If you have an approval policy (such as approving only security updates, these patches for winxp,2003 and the like do not seem to be approved automatically, you need to manually import in WSUS and approve the installation.

two。 In order to update the patch as soon as possible, you need to modify the group policy so that the client can detect patches more quickly and frequently, or if you have NAP, you can check whether the policy of MS17-010is updated before the user accesses the production network. If not, enter the quarantined network to update the patch.

3. In order for lazy users, such as those who are too lazy to click to install the patch, to install the patch as soon as possible, you also have to change the patch installation strategy to plan to install, install at noon or other non-affected time, and prompt the user to restart as soon as possible.

4. In order to track the release of patches, WSUS provides built-in local reports, but each patch (just like KB4021598, each corresponds to multiple operating systems correspond to a report), then you need to use wsus's built-in reports to track quickly, which is not fast and convenient, or you can use powershell to use wsus's API to generate reports, but for enterprises such a multi-person collaborative environment, the previous solutions often require special permissions. So we can use the view of WSUS to create a reporting service.

* set the KB number involved in MS17-010to the default parameter, so that a report can track multiple patches.

The general contents of the report RDL are as follows:

5. For infected machines, it is best to cut off the network, reinstall as far as possible, or update the patch after antivirus and then access.

6. If the network can monitor traffic, monitor abnormal ARP scans, port 445 access to the top number of connected computers.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.