Patching
SI-2.a, SI-2.c, SI-2 (1), SI-2 (2)
This Azure Blueprint Solution implements these patching controls using a combination of Microsoft Operations Management Suite (OMS) and Windows Update Service. With both capabilities enabled within the solution, all security controls in this group are addressed.
SI-2.a: The organization identifies, reports, and corrects information system flaws.
This Azure Blueprint Solution deploys the OMS Automation & Control solution to track the status of updates for the Windows virtual machines deployed in this architecture. From the OMS dashboard, the Update Management tile displays flaw remediation status for all deployed Windows servers.
SI-2.c: The organization installs security-relevant software and firmware updates within [Assignment: 30 days] of the release of the updates.
Windows virtual machines deployed by this Azure Blueprint Solution are configured by default to receive automatic updates from Windows Update Service. This solution also deploys the OMS Automation & Control solution through which Update Deployments can be created to deploy patches to Windows servers when needed. (Also see issue #21.)
SI-2 (1): The organization centrally manages the flaw remediation process.
This Azure Blueprint Solution deploys the OMS Automation & Control solution to track the status of updates for the Windows virtual machines deployed in this architecture. From the OMS dashboard, the Update Management tile displays flaw remediation status for all deployed Windows servers. Update Deployments can be created to deploy patches to Windows servers when needed.
SI-2 (2): The organization employs automated mechanisms monthly to determine the state of information system components with regard to flaw remediation.
This Azure Blueprint Solution deploys the OMS Automation & Control solution to track the status of updates for the Windows virtual machines deployed in this architecture. For each managed Windows computer, a scan is performed twice per day. Every 15 minutes the Windows API is called to query for the last update time; if the status has changed, a compliance scan is initiated.
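As an added example (not part of the blueprint or of the OMS agent), the following PowerShell script, run locally on one of the deployed Windows VMs, reads the same Windows Update Agent data the paragraphs above refer to: whether automatic updates are enabled (SI-2.c), when the agent last searched for and last installed updates (SI-2 (2)), and which pending updates were released more than 30 days ago. The script's name and structure are my own; the 30-day window is the SI-2.c assignment stated above.

```powershell
# Added example: local SI-2 evidence check on a Windows VM via the Windows
# Update Agent COM API. Structure is hypothetical; 30 days is the SI-2.c value.
param([int]$MaxAgeDays = 30)

$au      = New-Object -ComObject Microsoft.Update.AutoUpdate
$session = New-Object -ComObject Microsoft.Update.Session

# SI-2.c: NotificationLevel 4 = "Scheduled installation" (automatic updates on)
$levelNames = @{0='NotConfigured';1='Disabled';2='NotifyBeforeDownload';
                3='NotifyBeforeInstallation';4='ScheduledInstallation'}
$level  = [int]$au.Settings.NotificationLevel
$autoOn = ($level -eq 4)

# SI-2 (2): last successful search/install as recorded by the agent itself
$lastSearch  = $au.Results.LastSearchSuccessDate
$lastInstall = $au.Results.LastInstallationSuccessDate

# Pending software updates (not installed, not hidden); the search needs
# reachability to the configured update source, so tolerate failure.
try {
    $pending = $session.CreateUpdateSearcher().Search(
        "IsInstalled=0 and Type='Software' and IsHidden=0").Updates
} catch {
    Write-Warning "Update search failed: $($_.Exception.Message)"
    $pending = @()
}

$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
$overdue = foreach ($u in $pending) {
    # LastDeploymentChangeTime is the update's publication date on the source
    if ($u.LastDeploymentChangeTime -lt $cutoff) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Released = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
            Title    = $u.Title
        }
    }
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    AutoUpdateEnabled = $autoOn
    AutoUpdateLevel   = $levelNames[$level]
    LastSearch        = $lastSearch
    LastInstall       = $lastInstall
    PendingCount      = @($pending).Count
    OverdueCount      = @($overdue).Count
} | Format-List

if (@($overdue).Count -gt 0) {
    Write-Warning "Pending updates older than $MaxAgeDays days (SI-2.c window):"
    $overdue | Format-Table -AutoSize
}
```

The per-VM output complements the OMS Update Management tile: the tile shows fleet-wide remediation status, while this check produces the underlying agent evidence for a single server during an assessment.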