Regardless of your role and function, context is everything when it comes to assets.
Whether you’re responsible for triaging alerts in the SOC or managing a compliance audit, Windows Server hygiene requires situational and up-to-date asset information.
Today, I’ll focus on just one critical job function inside ITOps – managing Windows Server hygiene – and delineate how choosing the right cybersecurity asset management solution can help.
If your role involves managing Windows Server hygiene, you want to start with a complete understanding of the total number of Windows servers you’re responsible for. Answering this question can be difficult in today’s rapidly evolving environment.
Some of your Windows servers are legacy physical servers either in an office, a hosted data center, or perhaps in a manufacturing plant or a warehouse. Other servers are likely virtual instances running on VMware or Hyper-V, whether powered on or off.
These days, your servers might also be found in IaaS cloud providers like AWS or Azure. For most companies, getting an accurate count of those that are powered on and functioning at any given point is an estimate — a snapshot in time.
Choosing the Right Cybersecurity Asset Management Platform
Consideration No. 1
The cybersecurity asset management solution should collect server information across all offices, data centers, and cloud platforms whether the asset is physical, virtual or a container.
Once you have identified your list of Windows servers, you will want to check and confirm the status and required function of each:
- Is the server in the right Active Directory (AD) organizational unit to obtain the appropriate group policies?
- Are the delegations (ACLs) on the server's computer object and its OU the ones intended, with no one-off grants left behind?
- Is it a domain controller or does it serve some other function?
- Does the server follow the appropriate naming convention for its location, intended purpose, machine type, etc.?
Knowing the server’s purpose will influence a wide array of downstream decisions the team needs to make for server hardening, patching, exceptions, and security.
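One way to get the server count from the preceding section and the per-server checks above out of Active Directory in a single pass, as an added example (not code from the original post or from any vendor product): it lists every Windows Server computer object, flags servers with no recent logon (a rough proxy for powered-off or decommissioned machines), identifies domain controllers, tests the name against a convention, checks OU placement against a role-to-OU map, and lists non-inherited ACEs on each computer object so delegations can be reviewed. The naming regex, the role-to-OU map, the stale-logon threshold and the output file name are assumptions.

```powershell
# Added example (not from the original post or any vendor product): inventory
# Windows Server objects in Active Directory and check OU placement, DC role,
# naming convention, stale logons and explicit delegations on each object.
# The naming regex, the role-to-OU map and the stale threshold are assumptions.
Import-Module ActiveDirectory

$staleAfterDays = 30
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# Assumed convention: <SITE>-<ROLE>-<NN>, e.g. NYC-WEB-01 or AWS-DB-07
$namePattern = '^(?<site>[A-Z]{2,4})-(?<role>DC|WEB|APP|DB|FS)-(?<n>\d{2,3})$'

# Assumed: the OU (relative to the domain root) each role should sit in
$expectedOU = @{
    DC  = 'OU=Domain Controllers'
    WEB = 'OU=Web,OU=Servers'
    APP = 'OU=App,OU=Servers'
    DB  = 'OU=Database,OU=Servers'
    FS  = 'OU=File,OU=Servers'
}

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, PrimaryGroupID

$report = foreach ($s in $servers) {
    $ou   = ($s.DistinguishedName -split ',', 2)[1]
    $isDC = $s.PrimaryGroupID -in 516, 521        # 516 = Domain Controllers, 521 = RODCs

    $nameOk = $s.Name -match $namePattern
    $role   = if ($nameOk) { $Matches['role'] } else { $null }
    $ouOk   = if ($role -and $expectedOU.ContainsKey($role)) { $ou -like "$($expectedOU[$role]),*" } else { $false }

    # Non-inherited ACEs on the computer object are where one-off delegations accumulate
    $explicitAces = (Get-Acl -Path "AD:\$($s.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference):$($_.ActiveDirectoryRights)" }

    [pscustomobject]@{
        Name         = $s.Name
        OS           = $s.OperatingSystem
        Build        = $s.OperatingSystemVersion
        Enabled      = $s.Enabled
        IsDC         = $isDC
        NameOk       = $nameOk
        OU           = $ou
        OUOk         = $ouOk
        StaleLogon   = ($null -eq $s.LastLogonDate) -or ($s.LastLogonDate -lt $cutoff)
        ExplicitACEs = ($explicitAces -join '; ')
    }
}

# Everything that needs a human decision: wrong name, wrong OU, or no recent logon
$report | Where-Object { -not $_.NameOk -or -not $_.OUOk -or $_.StaleLogon } |
    Sort-Object Name | Format-Table Name, OS, IsDC, NameOk, OUOk, StaleLogon -AutoSize

$report | Export-Csv -NoTypeInformation -Path .\ad-server-inventory.csv
```

Two caveats a practitioner should keep in mind: LastLogonDate is replicated only every 9 to 14 days, so treat the stale flag as a candidate list rather than proof that a machine is off, and AD sees only domain-joined servers, so cloud instances and workgroup hosts still have to come from the hypervisor, the cloud API or a scanner.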
Consideration No. 2
The cybersecurity asset management solution should provide critical AD object and attribute information for underlying functionality context.
The next step is to understand which Windows version each server is running. But how do you reconcile the server version from so many different platforms?
In most companies, the process is still manual, requiring an elaborate procedure just to combine various inconsistently aligned datasets. A CSV dump from the cloud platform, a report from the CMDB, a review of AD, and perhaps even a look at your scanning tool sets. And then, a merge into one spreadsheet or database — and a lot of manipulation to normalize the version fields to get some semblance of alignment.
Consideration No. 3
The cybersecurity asset management solution should aggregate server version information from a wide range of sources, and automatically deconflict variances to arrive at the correct version with a high degree of accuracy.
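The merge-and-normalize step described above, as an added example (not code from the original post or any product): it takes three constructed datasets in the shapes the text mentions, an AD export, a cloud CSV and a CMDB report, with hostnames in different forms (short, FQDN, mixed case) and versions in different forms (product name, build number, CMDB shorthand), maps every version string to one canonical release, merges on the normalized hostname, and reports both conflicts and hosts seen by only one source. The sample rows and the trust order used to break ties are constructed for illustration; the build-number table contains well-known Windows Server builds.

```powershell
# Added example, not code from the original post or any product. It merges
# server version data from three differently formatted sources, normalizes
# hostnames and version strings, and flags hosts whose sources disagree or
# that appear in only one source. The sample rows and the trust order are
# constructed for illustration.

# Well-known Windows Server build numbers -> release
$buildToRelease = @{ '9600' = '2012 R2'; '14393' = '2016'; '17763' = '2019'; '20348' = '2022' }

function ConvertTo-CanonicalRelease {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    # "Windows Server 2019 Datacenter", "WS2019", "Server 2012 R2 Std"
    if ($Raw -match '(20(?:08|12|16|19|22))(?!\d)') {
        $release = $Matches[1]
        if ($Raw -match '(?i)R2\b') { $release += ' R2' }
        return $release
    }
    # "10.0 (17763)" or "10.0.17763.1234": map the build number instead
    if ($Raw -match '(\d{4,5})' -and $buildToRelease.ContainsKey($Matches[1])) {
        return $buildToRelease[$Matches[1]]
    }
    return "UNKNOWN($Raw)"
}

function Get-ShortHost { param([string]$HostName) return ($HostName -split '\.')[0].ToUpperInvariant() }

# Constructed sample rows (not real hosts); hostname and version formats differ per source
$adExport = @(
    [pscustomobject]@{ Host = 'WEB-01'; Version = 'Windows Server 2019 Datacenter' },
    [pscustomobject]@{ Host = 'DB-01';  Version = 'Windows Server 2016 Standard' },
    [pscustomobject]@{ Host = 'APP-03'; Version = 'Windows Server 2012 R2 Standard' }
)
$cloudCsv = @'
instance_id,hostname,platform_version
i-0a1,web-01.corp.example.com,10.0 (17763)
i-0b2,db-01.corp.example.com,10.0 (14393)
i-0c3,app-04.corp.example.com,10.0 (20348)
'@ | ConvertFrom-Csv
$cmdb = @(
    [pscustomobject]@{ Host = 'web-01'; Version = 'WS2019' },
    [pscustomobject]@{ Host = 'db-01';  Version = 'WS2012R2' },      # stale record: will conflict
    [pscustomobject]@{ Host = 'app-03'; Version = 'Server 2012 R2' }
)

# host -> @{ source -> canonical release }
$observations = @{}
function Add-Observation {
    param([string]$Source, [string]$HostName, [string]$Version)
    $key = Get-ShortHost $HostName
    if (-not $observations.ContainsKey($key)) { $observations[$key] = @{} }
    $observations[$key][$Source] = ConvertTo-CanonicalRelease $Version
}
$adExport | ForEach-Object { Add-Observation 'AD'    $_.Host     $_.Version }
$cloudCsv | ForEach-Object { Add-Observation 'Cloud' $_.hostname $_.platform_version }
$cmdb     | ForEach-Object { Add-Observation 'CMDB'  $_.Host     $_.Version }

# Assumed trust order when sources disagree: machine-reported (AD) > platform-observed > manually maintained
$precedence = 'AD', 'Cloud', 'CMDB'
$resolved = foreach ($key in ($observations.Keys | Sort-Object)) {
    $seen     = $observations[$key]
    $distinct = @($seen.Values | Sort-Object -Unique)
    $winner   = $precedence | Where-Object { $seen.ContainsKey($_) } | Select-Object -First 1
    [pscustomobject]@{
        Host     = $key
        Resolved = $seen[$winner]
        Conflict = $distinct.Count -gt 1
        Sources  = ($seen.Keys | Sort-Object) -join ','
        Detail   = ($seen.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}
$resolved | Format-Table -AutoSize
# DB-01 resolves to 2016 with the CMDB value flagged as a conflict;
# APP-04 is cloud-only, so it is either not domain-joined or not yet managed
```

The two rows worth attention in the output are the conflict (a stale CMDB entry, which is the usual cause) and the host that exists in exactly one source, which is the kind of gap a spreadsheet merge tends to hide.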
Then comes the minutiae related to tracking and managing version control (service packs on older releases, monthly cumulative updates on current ones, since Windows Server has shipped no service pack after Server 2008 R2 SP1):
- Which service pack is installed?
- Which service packs are available?
- What exceptions exist for service pack updates?
- What’s the prioritization order for service pack deployment?
- What’s the criticality of the servers requiring the service pack?
- How do you confirm you have applied all the service packs and patches required?
Tagging and tracking all these conditions remain an intricate, time-consuming, and often byzantine process for most companies.
Consideration No. 4
The cybersecurity asset management solution should collect and aggregate service pack and patch related information from various data stores, allowing for grouping and tagging of assets by priority, criticality, and exceptions.
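The checks in the list above, carried through as an added example (not code from the original post or any product): it reads each server's cumulative-update level from the registry (CurrentBuild and UBR, which together form the build string such as 17763.5000), lists installed hotfixes with Get-HotFix, compares both against an approved baseline, suppresses KBs waived by an exception, tags every finding with the host's criticality, and orders the result into a deployment list. The baseline UBRs, KB identifiers, criticality tags and exceptions are assumptions for illustration, not a real patch baseline; remote hosts are queried over WinRM, which must be enabled.

```powershell
# Added example, not code from the original post or any product. It reads a
# server's cumulative-update level (CurrentBuild.UBR) and installed hotfixes,
# compares them with an approved baseline, applies per-host exceptions and
# tags every finding with the host's criticality. The baseline UBRs, KB IDs,
# criticality tags and exceptions are assumptions, not a real patch baseline.
# Remote hosts are queried over WinRM; the local host is queried directly.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Assumed: minimum UBR (the part after the dot in e.g. 17763.5000) approved for each build
$minUbrByBuild = @{ '14393' = 6000; '17763' = 5000; '20348' = 2000 }
# Assumed: KBs that must be present, with severity
$requiredKb  = @{ 'KB5000001' = 'Critical'; 'KB5000002' = 'Important' }
# Assumed: asset tags and approved exceptions, normally pulled from the asset platform
$criticality = @{ 'DB-01' = 'Tier0'; 'WEB-01' = 'Tier1' }
$exceptions  = @{ 'WEB-01' = @('KB5000002') }

$collect = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product  = $cv.ProductName
        Build    = [string]$cv.CurrentBuild
        UBR      = [int]$cv.UBR
        HotFixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

function New-Finding($Computer, $Text, $Severity) {
    $tier = if ($criticality.ContainsKey($Computer)) { $criticality[$Computer] } else { 'Untagged' }
    [pscustomobject]@{ Computer = $Computer; Criticality = $tier; Severity = $Severity; Finding = $Text }
}

$findings = foreach ($c in $ComputerName) {
    $name = $c.ToUpperInvariant()
    $info = if ($c -eq $env:COMPUTERNAME) { & $collect } else { Invoke-Command -ComputerName $c -ScriptBlock $collect }

    # 1. Cumulative update level: unknown build means unsupported release or a gap in the baseline
    if (-not $minUbrByBuild.ContainsKey($info.Build)) {
        New-Finding $name "Build $($info.Build) ($($info.Product)) is not in the baseline: unsupported or unknown release" 'Critical'
    } elseif ($info.UBR -lt $minUbrByBuild[$info.Build]) {
        New-Finding $name "CU level $($info.Build).$($info.UBR) is below baseline $($info.Build).$($minUbrByBuild[$info.Build])" 'Critical'
    }

    # 2. Specific KBs, minus approved exceptions (a waived KB is still recorded, at Info)
    foreach ($kb in $requiredKb.Keys) {
        if ($info.HotFixes -contains $kb) { continue }
        if ($exceptions[$name] -contains $kb) {
            New-Finding $name "$kb missing but waived by exception" 'Info'
        } else {
            New-Finding $name "$kb missing" $requiredKb[$kb]
        }
    }
}

# Deployment order: most critical hosts first, then most severe findings
$tierOrder = @{ Tier0 = 0; Tier1 = 1; Tier2 = 2; Untagged = 3 }
$sevOrder  = @{ Critical = 0; Important = 1; Info = 2 }
$findings | Sort-Object { $tierOrder[$_.Criticality] }, { $sevOrder[$_.Severity] }, Computer | Format-Table -AutoSize
```

The UBR check matters more than the KB list on current releases: cumulative updates supersede each other, so an "installed KB" list can look complete while the server is months behind, whereas CurrentBuild.UBR always reflects the latest cumulative update actually applied.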
You now have a complete count. You know all the versions. You’re managing service packs and patches. What’s next?
Your attention turns to all those pesky agents required on your servers. Most companies have a minimum of four to five agents running on their devices across a range of services, including endpoint management, endpoint detection and response, antivirus, data loss prevention, encryption, file monitoring, and log collection.
A lot of time is spent managing an extensive checklist of conditions with these agents:
- Which machines are missing which agents?
- Which machine can’t run the agent due to operational exceptions?
- Which machines can’t run the agent due to OS version or service pack dependencies?
- Which machines have an older or incorrect agent version?
- Which machines have disabled, corrupt or malfunctioning agents?
Consideration No. 5
The cybersecurity asset management solution should have pre-built integrations to a wide variety of agent-based tools. This allows for simple aggregation of all agent compute characteristics, so that a user can quickly query and identify agent gaps and a variety of agent conditions.
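The agent checklist above, run on a single server as an added example (not code from the original post or any product): for each agent the host is expected to run, it checks whether the service exists, whether it is disabled or stopped, reads the version of the service binary, and classifies the agent as OK, Missing, Exempt, Disabled, Stopped, Unreadable or Outdated. The service names, minimum versions and exception list are hypothetical; the script runs locally and can be wrapped in Invoke-Command for remote hosts.

```powershell
# Added example, not code from the original post or any product. Run on the
# server itself (or wrap it in Invoke-Command for remote hosts); it checks
# each expected agent's service for presence, state and binary version and
# classifies it as OK, Missing, Exempt, Disabled, Stopped, Unreadable or Outdated.
# The service names, minimum versions and exception list are hypothetical.

# Assumed: service name of each required agent -> minimum acceptable file version
$requiredAgents = @{
    'ExampleEDR'    = '7.4.0'
    'ExampleAV'     = '12.1.0'
    'ExampleDLP'    = '3.0.0'
    'ExampleLogFwd' = '1.8.2'
}
# Assumed operational exceptions: host -> agents approved to be absent (e.g. DLP waived on the database tier)
$agentExceptions = @{ 'DB-01' = @('ExampleDLP') }

function Get-AgentStatus {
    $computer = $env:COMPUTERNAME.ToUpperInvariant()
    # Win32_Service exposes State, StartMode and the binary path; Get-Service does not give the path
    $services = Get-CimInstance -ClassName Win32_Service

    foreach ($svcName in ($requiredAgents.Keys | Sort-Object)) {
        $minVer = [version]$requiredAgents[$svcName]
        $svc    = $services | Where-Object Name -eq $svcName
        $waived = $agentExceptions[$computer] -contains $svcName
        $row    = [ordered]@{ Computer = $computer; Agent = $svcName; Status = $null; State = $null; Version = $null; MinVersion = $minVer }

        if (-not $svc) {
            $row.Status = if ($waived) { 'Exempt' } else { 'Missing' }
            [pscustomobject]$row
            continue
        }

        # Strip quotes and arguments from the service command line to reach the executable
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $ver = $null
        try {
            $vi  = (Get-Item -LiteralPath $exe -ErrorAction Stop).VersionInfo
            # Build from numeric parts: FileVersion strings sometimes carry text that [version] will not parse
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        } catch { }

        $row.State   = $svc.State
        $row.Version = $ver
        $row.Status  = switch ($true) {
            ($svc.StartMode -eq 'Disabled') { 'Disabled'; break }
            ($svc.State -ne 'Running')      { 'Stopped'; break }
            ($null -eq $ver)                { 'Unreadable'; break }
            ($ver -lt $minVer)              { 'Outdated'; break }
            default                         { 'OK' }
        }
        [pscustomobject]$row
    }
}

$status = Get-AgentStatus
$status | Format-Table -AutoSize
# Only the gaps go to the ticket queue
$status | Where-Object { $_.Status -notin 'OK', 'Exempt' }
```

A service that exists and is Running is not proof the agent is healthy: a corrupt or tampered agent often keeps its service alive while it stops reporting. Cross-checking this local view against the agent console's own "last seen" timestamp, which is what the integrations in Consideration No. 5 are for, is what catches that case.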
You have invested a lot of work in your journey to this point, but you still have work to do:
- Each version, build, and patch can have an impact on server hardening. Ensuring only the required services and processes are running is the first line of security defense for your critical server infrastructure.
- Checks for installed software need to be frequent and monitoring nearly continuous. Prohibited software can present security challenges, while a prevalence of irrelevant software can impact performance.
- Routine performance checks for disk, memory, and processor utilization are part of the game as well. Under-resourced and overtaxed servers have downstream impacts to the user community and possibly to customer service and revenue generation activities as well.
The asset management solution should have integrations to accommodate the continuous collection and synthesis of all compute characteristics that may be used to surface any combination of server hardening, resource management, or performance monitoring.
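The three remaining checks, run locally on one server as an added example (not code from the original post or any product): running services outside an approved baseline for the server's role, installed software matching a prohibited list (read from both the 64-bit and 32-bit Uninstall registry views), and CPU, memory and disk headroom against thresholds. The service baseline, the prohibited patterns and the thresholds are assumptions for a hypothetical role, not a hardening standard.

```powershell
# Added example, not code from the original post or any product. Three checks
# a server-hygiene job would run locally on a Windows Server: running services
# outside an approved baseline, installed software matching a prohibited list,
# and CPU, memory and disk headroom. The service baseline, prohibited patterns
# and thresholds are assumptions for a hypothetical role, not a hardening standard.

# 1. Services: running services not on the approved baseline for this server role
$approvedServices = 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation', 'Schedule',
                    'W32Time', 'WinRM', 'Dhcp', 'ExampleEDR'            # assumed baseline
$unexpectedServices = Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $approvedServices } |
    Select-Object Name, DisplayName, StartType

# 2. Installed software: both Uninstall hives (x64 and x86 views), matched against prohibited patterns
$prohibited = '*TeamViewer*', '*uTorrent*', '*Wireshark*'              # assumed policy
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
$flaggedSoftware = $installed | Where-Object {
    $name = $_.DisplayName
    @($prohibited | Where-Object { $name -like $_ }).Count -gt 0
}

# 3. Resources: thresholds are assumptions
$os      = Get-CimInstance Win32_OperatingSystem
$memFree = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 1)
$cpuLoad = (Get-CimInstance Win32_Processor | Measure-Object LoadPercentage -Average).Average
$disks   = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Where-Object { $_.Size -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Drive   = $_.DeviceID
            FreeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
            FreePct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        }
    }

$findings = @()
$unexpectedServices | ForEach-Object { $findings += "Service running outside baseline: $($_.Name) ($($_.DisplayName))" }
$flaggedSoftware    | ForEach-Object { $findings += "Prohibited software: $($_.DisplayName) $($_.DisplayVersion)" }
if ($memFree -lt 10) { $findings += "Free memory ${memFree}% is below 10%" }
if ($cpuLoad -gt 85) { $findings += "CPU load ${cpuLoad}% is above 85%" }
$disks | Where-Object FreePct -lt 15 | ForEach-Object { $findings += "Disk $($_.Drive) has $($_.FreePct)% free ($($_.FreeGB) GB)" }

[pscustomobject]@{ Computer = $env:COMPUTERNAME; Findings = $findings.Count; LastRun = (Get-Date).ToString('s') }
$findings
```

The service baseline is the part that has to be role-specific: the list above is a plausible minimum for a member server, but a domain controller, a SQL host and an IIS front end each legitimately run services the others should not, which is why knowing the server's purpose (Consideration No. 2) has to come before the hardening check.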