Updating the operating system or software on a server that runs important applications and services may require a reboot or a service restart, and a failed update can take the server down, with serious consequences for your enterprise. Before you fix software vulnerabilities on such a server, you must give full consideration to business continuity and the high availability of your services so that the fix does not affect your business. This topic provides suggestions on how to fix software vulnerabilities on a server without affecting business continuity and stability.
The suggestions in this topic apply to vulnerabilities that are detected in the operating system, network device software, databases, and middleware running on a server.
Precautions for fixing
The methods used to fix software vulnerabilities on a server differ from those used on a personal computer, and expertise in software security is required. When you fix software vulnerabilities on a server, take note of the following items:
Before fixing
Check the asset information of the server and confirm that it records the version of the software in which Security Center detected the vulnerabilities. The recorded version lets you confirm that the detection is accurate and, after the fix, that the installed version has actually changed.
Decide which vulnerabilities to fix. You do not need to fix all software vulnerabilities immediately when they are detected. Prioritize them based on your business requirements, the resource usage of the server, and the impact that each fix may have on the server.
Install the patches for the vulnerabilities that you want to fix in a test environment, test compatibility and security, and then write a test report after the tests are complete. A test report must include the fixing results, the fixing duration, patch compatibility, and the impact of the fixes.
Back up the data on the server before you start so that you can recover if an exception occurs. For example, you can use the snapshot feature of Elastic Compute Service (ECS) to create a snapshot of the ECS instance, or have Security Center create a snapshot when you fix the vulnerability in the Security Center console.
To reduce the impact on your business, we recommend that you fix vulnerabilities during off-peak hours.
During fixing
Upload the vulnerability patches to the server and use them to fix the vulnerabilities. Obtain patches only from the vendor's official release channel and verify their checksums or signatures before you upload them. This task requires at least two administrators: one performs the fixes and the other records each step of the process. This reduces the risk of operator error.
Work through the system vulnerability list in order and upgrade the system and fix the vulnerabilities one by one, confirming each fix before you start the next. If a fix fails, you then know exactly which change caused the failure and what to roll back.
After fixing
Check whether the vulnerabilities on the server are fixed. Confirm that the installed software versions now meet or exceed the fixed versions reported by Security Center, and that no exceptions occur on the server or in the services that run on it.
Write a vulnerability fix report based on the fixing process that was recorded, and archive the relevant documents.
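The three phases above (record the installed versions, apply the fixes one by one, then verify that every flagged package is at or above its fixed version) can be scripted so that the "fixed or not" decision is not made by eye. The following is an added example, not part of the original topic and not Security Center's own tooling. It assumes a Debian/Ubuntu-style server whose package inventory is captured with `dpkg-query -W -f '${Package} ${Version}\n'` before and after the change, and a fix list of (package, fixed-in version) pairs copied from the scanner's vulnerability list. The inventories and fix list below are constructed sample data, and the version comparison is a simplified epoch:upstream-revision comparison rather than a full dpkg implementation.

```python
"""Verify that a server's package inventory satisfies a vulnerability fix list.

Added example; not Security Center's tooling. Assumes Debian/Ubuntu-style
package versions captured with:
    dpkg-query -W -f '${Package} ${Version}\n'
The comparison below is simplified (it ignores dpkg's '~' rule and treats
any non-numeric run as plain text); use it for reporting, not as a
replacement for the package manager's own logic.
"""
import re

# Constructed sample inventories, not output from a real server.
INVENTORY_BEFORE = """\
openssl 1.1.1f-1ubuntu2
libssl1.1 1.1.1f-1ubuntu2
sudo 1.8.31-1ubuntu1.2
nginx 1.18.0-0ubuntu1
"""

INVENTORY_AFTER = """\
openssl 1.1.1f-1ubuntu2.20
libssl1.1 1.1.1f-1ubuntu2.20
sudo 1.8.31-1ubuntu1.2
nginx 1.18.0-0ubuntu1.4
"""

# Constructed fix list: (package, version that closes the finding).
FIX_LIST = [
    ("openssl", "1.1.1f-1ubuntu2.20"),
    ("libssl1.1", "1.1.1f-1ubuntu2.20"),
    ("sudo", "1.8.31-1ubuntu1.5"),
    ("nginx", "1.18.0-0ubuntu1.4"),
]

_TOKENS = re.compile(r"\d+|\D+")


def parse_inventory(text):
    """Turn 'name version' lines into a dict; malformed lines are skipped."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            inventory[parts[0]] = parts[1]
    return inventory


def _split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _compare_segment(a, b):
    """Compare piecewise: numeric runs as integers, other runs as text."""
    ta, tb = _TOKENS.findall(a), _TOKENS.findall(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x != y:
            return (x > y) - (x < y)
    # Equal prefix: the longer version string is the newer one.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _compare_segment(ua, ub) or _compare_segment(ra, rb)


def upgrade_commands(fix_list, inventory):
    """One apt-get command per outstanding finding, in list order, so each
    package is upgraded and checked on its own (the 'one by one' step)."""
    cmds = []
    for package, fixed_in in fix_list:
        current = inventory.get(package)
        if current is not None and compare_versions(current, fixed_in) < 0:
            cmds.append(f"apt-get install --only-upgrade {package}={fixed_in}")
    return cmds


def verify_fixes(fix_list, inventory):
    """Map each package to 'fixed', 'outstanding' or 'not installed'."""
    status = {}
    for package, fixed_in in fix_list:
        current = inventory.get(package)
        if current is None:
            status[package] = "not installed"
        elif compare_versions(current, fixed_in) >= 0:
            status[package] = "fixed"
        else:
            status[package] = "outstanding"
    return status


if __name__ == "__main__":
    before = parse_inventory(INVENTORY_BEFORE)
    after = parse_inventory(INVENTORY_AFTER)
    print("Planned upgrades:")
    for cmd in upgrade_commands(FIX_LIST, before):
        print("  " + cmd)
    print("Post-fix status:")
    for package, state in verify_fixes(FIX_LIST, after).items():
        print(f"  {package}: {before.get(package)} -> {after.get(package)} [{state}]")
```

In the sample data, sudo is still at 1.8.31-1ubuntu1.2 after the change, so the script reports it as outstanding and the upgrade list generated from the post-fix inventory contains only that package; a finding that stays outstanding after the run is exactly what the fix report has to explain.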
Measures for risk prevention
To ensure that a server runs as expected during the vulnerability fixing process and minimize the possibility of exceptions, take the following measures:
Develop a vulnerability fixing plan
Investigate the operating system and application system of the server and develop a vulnerability fixing plan that suits them. Verify the feasibility of the plan in a test environment. Then fix the vulnerabilities by strictly following the plan and make sure that the operations have no negative impact on the server.
Use a test environment
Use a test environment to verify the feasibility of the vulnerability fixing plan and to make sure that the plan has no negative impact on the online business system that you want to fix.
Make sure that the test environment meets the following requirements:
The operating system and database system in the test environment must be the same, including the versions, as those in the online business system.
The application system in the test environment must be the same as that in the online business system.
We recommend that you use the most recent full backup of the online business system as the test data.
Back up the business system
Back up the entire business system, including the operating system, applications, and data. Then, verify that the backup can actually be used to restore the system; a backup that has never been restored is not a recovery plan. If an error or data loss occurs during the fix, you can use the backup data and the rollback feature to restore the system and keep the business stable. When you fix vulnerabilities in the Security Center console, we recommend that you select Create snapshots automatically and fix. Security Center then creates snapshots before it applies the fix. If an exception occurs, you can roll back to restore your business system to the point in time before the fix.
Note: Security Center automatically creates a system snapshot of your server only if the vulnerability that you want to fix is a Linux software vulnerability or a Windows system vulnerability.