Implementing Security Patch Management Alun Rogers Principal Consultant - Lynx alun.rogers@lynxtec.com

It’s all about Processes… Microsoft Operations Framework Datacenters are all about process Windows admins have grown from desktop/helpdesks MOF will prescribe processes to manage Windows in a datacenter Based on ITIL specs Templates to apply People Technology Process

Microsoft Solutions for Management Integrated people, process and technology Targeted customer scenarios Engineered, tested and proven MOF/ITIL Available Offerings: Offerings: Ops Assessment Security Patch Mgt Service Monitoring New Application Deployment Core Windows Mgt Server Consolidation Business Desktop Deployment

Security And Patching - Today Patch management too complex Time to exploit accelerating Exploits are more sophisticated Current approach is not sufficient Days between patch and exploit Sasser 151 180 331 Blaster Welchia/ Nachi Nimda 25 SQL Slammer 17 Security is our No. 1 Priority There is no silver bullet Change requires innovation

Management at Microsoft Microsoft is committed to making management an asset for the company Make Windows the best managed environment Make Windows the best platform for customers to manage from and ISV’s to write on Build the best management solutions for Windows All management unified under one group Single VP, 600+ working on mgmt & supportability Infrastructure - WMI, MMC, Group Policy, Windows Installer, SAF (The PC Health Support Automation Framework), Help and Support Center, PC Health Solutions - SMS, MOM, Application Center 2000, Terminal Server, Windows Update

Patch Management End to End Awareness Obtain information about the latest software update vulnerabilities Audit your enterprise for applicable software updates Response Assess and authorize available software updates Deploy updates in a timely, accurate, and efficient manner Measurements Track update deployment/compliance

Microsoft Baseline Security Analyser MBSA 1.2.1 Microsoft Baseline Security Analyser

MBSA Objectives What are we trying to solve with MBSA? Know which computers are at risk and how to mitigate / manage MBSA is free assessment (agent less too!) SUS is the free patch deployment tool SMS is the full featured management product MBSA 1.2.1 increases the coverage of Microsoft’s products More consistent patch detection results with MBSA 1.2.1 Target 1-10,000 seat org, 1-5 admin staff, the IT Pro, and power users too

Tool Overview Single executable that runs on Windows 2000, Windows XP, and Windows Server 2003 Performs remote scans against Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 systems Focused on agent less assessment, tactical deployment, easy to use AND easy to leverage MSI package contains GUI (mbsa.exe) Command line interface (mbsacli.exe) Latest version is 1.2.1, released August ‘04

Microsoft Download Center MBSA How It Works* Microsoft Download Center MSSecure.CAB Run MBSA on Admin system, specify targets Bulletin IDs Product specific updates File data Registry data KB article numbers Checks MBSA version, downloads MSSecure.CAB & verifies digital signature Scans target systems for OS, OS components, & applications MBSA Console Parses MSSecure.CAB to see if updates available Checks if required updates are missing Generates time stamped report of missing updates *Only covers security patch scanning capabilities, not security configuration detection issues

MBSA SUS Support Perform security update portion of scan observing local SUS server approved updates GUI: MBSA reads registry for SUS server info, or user types in Command line mbsacli.exe /sus “http://mysusserver” mbsacli.exe /hf /sus “http://mysusserver” Scans for approved updates on SUS server rather than all available updates Reads ApprovedItems.txt file via HTTP on SUS server Looks up these approved items in static mapping table in MSSecure.XML file Ultimately performs scan against the appropriate patches in MSSecure.XML

MBSA SMS Support Compatibility with SMS 2.0 Software Update Services Feature Pack and SMS 2003 Pushes mbsacli.exe to each client to perform local scan (mbsacli.exe /hf) Parses output SMS Administrators can centrally distribute security updates to clients SMS is now using MBSA v1.2.1 Service packs in addition to security updates and update rollups

Supported Products For security updates For config settings Windows NT4, 2K, XP, 2K3 IIS 4.0, 5.0, 6.0 SQL 7.0, 2000 / MSDE IE 5.01+ Exchange 5.5, 2000, 2003 Windows Media Player 6.4+ Office 2000, XP, 2003 MSXML 2.5, 2.6, 3.0, 4.0 MDAC 2.5, 2.6, 2.7, 2.8 Microsoft Virtual Machine (JVM) Commerce Server 2000, 2002 Content Mgt Server 2001, 2002 BizTalk 2000, 2002, 2004 HIS 2000, 2004 (+SNA Server 4.0) For config settings Windows NT4, 2K, XP, 2K3 IIS 4.0, 5.0, 6.0 SQL 7.0, 2000 IE 5.01+ Office 2000, XP, 2003 New in MBSA V1.2

Software Update Services SUS Software Update Services

SUS SP1 Enhancements Ability to install SUS server on a DC or SBS SUS client (AU) ability to kick off scheduled install upon reboot if machine was switched off at scheduled install time. No automatic reboot after scheduled installation for non-admin users

SUS Considerations Targeting Reporting Control over client detection If targeting is required then multiple SUS servers must be used Reporting Basic “pingback” client status info sent as raw IIS log data Reporting Tool from http://www.susserver.com Control over client detection Occurs every 17.6 to 22 hours GPO workaround (AD environment) Net stop/start workaround (non-AD environment)

How does it work? Internet Intranet Public Windows Update Windows: Critical Updates and Service Packs Pull mechanism TCP 80 only Internet Intranet 1. Sync Updates 2. Admin Approves Updates SUS Central Client Config 3. Download and install Approved Updates Corporate Servers, Desktops and Laptops with the Automatic Updates Client

Patching the Enterprise SMS 2003 and SUS Patching the Enterprise

SMS 2003 & Patch Management Vulnerability Assessment Leverages existing tools like MS Baseline Security Analyzer Collects MBSA results for storage in a central repository Rich reporting provides detailed vulnerability analysis and enables mitigation planning Status and Compliance Reporting Deployment status as patches are delivered Built-in reports, status messaging, and summarization Determine actual baselines in the environment before changing the environment Reference computer templates for baseline determination and compliance

SMS 2003 Software Update Key Components Sync tools Periodically check microsoft.com for updated catalog and scan tools Scan tools Detect applicable patches and populate SMS database Windows and Office for SMS 2.0 Feature Pack SQL, Exchange, IIS, IE for SMS 2003 and upcoming 2.0 FP Distribute Software Updates Wizard Helps administrators authorize and download software updates Software Update Installation Agent Allows admin to control end-user experience for enforcement and reboots Reports Various reports for software updates – machine as well as enterprise level

Scan Tool + Inventory Collection Overview Download Center / Office Update, etc. Scheduled and Database Updates MSSecure.XML, etc. Patches, QFEs, SRPs, etc. Internet Intranet MMC / Patch Wizard, Status Messages / Inventory Managed Corporate Servers, Workstations and Laptops Web Reports Scan Tool + Inventory Collection SMS 2.x Site Infra-structure Scan Tool + Install Applicable Patches

Patch Management Client Experience

Adopt the solution that best meets the needs of your organization Patch Management Solution – Selection Criteria Adopt the solution that best meets the needs of your organization Capability Windows Update SUS 1.0 SMS 2003 Supported Platforms for Content NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 Win2K, WS2003, WinXP NT 4.0, Win2K, WS2003, WinXP, Win98 Supported Content Types All patches, updates (including drivers), & service packs (SPs) for the above Only security & security rollup patches, critical updates, & SPs for the above All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps Granularity of Control Targeting Content to Systems No Yes Network Bandwidth Optimization Yes (for patch deployment) Yes (for patch deployment & server sync) Patch Distribution Control Basic Advanced Patch Installation & Scheduling Flexibility Manual, end user controlled Admin (auto) or user (manual) controlled Administrator control with granular scheduling capabilities Patch Installation Status Reporting Assessing computer history only Limited (client install history & server based install logs) Comprehensive (install status, result, and compliance details) Core Patch Management Capabilities

Choosing a Patch Management Solution Customer Type Scenario Customer Chooses Consumer Home use Windows Update Small Business No Windows servers Have 1-3 Windows servers and 1 IT administrator** SUS Medium or Large Enterprise Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software SMS  

Futures

General Futures XP SP2 - Automatic Update (WUS ready) Includes Windows 2000 SP3 and 2003 SP1 SMS 2003 SP1 - AU from XP SP2 WUS – Greater flexibility Beta open today www.microsoft.com/wus

Customer Feature Requests Top Features Requested SUS 1.0 SP1 WUS Support for service packs  Install on SBS and domain controller Support for Office and other MS products Support additional update content types Update uninstall Update targeting Improve support for low bandwidth networks Reduce amount of data that needs to be downloaded Set polling frequency for downloading new updates Minimize need for end user interruption Emergency patch deployment (‘big red button’) * Deploy update for ISV and custom apps NT4 support *Partially addressed through polling frequency control and scripts

WUS Features Administrator control Bandwidth efficiency Initiate install, uninstall, pre-deployment check Deploy different updates to target groups Date-based deadlines for patch deployment Configurable polling frequency Pre-set rules for auto-deployment Non-administrators can receive update notifications Explicit server admin roles Bandwidth efficiency BITS for client-server and server-server downloads Update subscriptions (per product/classification) Support for “delta compression” technologies Option to only download updates when deployed

WUS Supported Products And Content Updates for All Microsoft products over time At RTM Windows 2000 SP3 and later versions of Windows Office XP SP2 and Office 2003 SQL 2000 and MSDE 2000 Exchange 2003 Platform support/requirements for Windows 2000 SP3 (SP4 for Server) and later Windows XP RTM and later Windows Server 2003 RTM and above All localized versions (including MUI)

Update Management Features Target Groups Registry-based policy support for AD environments Server-side lists for non-AD environments Administrator control Initiate scan of machines for patch applicability Approve for install and uninstall (requires update support) Date-based deadlines for approved updates Deploy different updates to target groups Configurable client polling frequency Configurable reboot behavior Port configurability Non-administrators can install updates (like administrators) Install at Shutdown (XP SP2 only)

Network Use Optimization Features Resilient and transparent BITS* for client-server and server-server downloads Downloads are in the background Minimized data downloads Update subscriptions (per product/classification) Support for “delta compression” technologies for client-server communications Option to only download approved updates *Background Intelligent Transfer Service

Reporting Features Standard consolidated reports(for client activity) Per machine/per update/per target group Download, install success & failures with error information Content synchronization status reports What’s new, what changed Aggregate reports for multiple servers Summary event roll-up to parent server Event log integration Client and server status events sent to local event log

Web Resources Management Microsoft Management Alliance http://www.microsoft.com/management Microsoft Management Alliance http://www.microsoft.com/management/mma Microsoft Solutions for Management http://www.microsoft.com/solutions/msm http://www.microsoft.com/mof SMS http://www.microsoft.com/smserver SUS http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp ITIL http://www.itil.co.uk http://www.itsmf.net

Community Resources Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.microsoft.com/communities/mvp Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx User Groups - Meet and learn with your peers http://www.microsoft.com/communities/usergroups default.mspx

Microsoft Learning Security Resources for IT Professionals Free Online Skills Assessments Hands-On Instructor-Led Training Course 2823 Implementing and Administering Security in a Windows Server 2003 Network (5 days) Managing the Deployment of Service Packs and Security Updates Introduction to Microsoft Security Guidance Course 2830 Designing Security for Microsoft Networks (3 days) Hands On Labs 2811 Applying Microsoft Security Guidance (1 day) Protecting the Perimeter of Networks Free Self-Paced E-Learning Clinics Course 2824 Implementing Internet Security and Acceleration Server 2004 (4 days) Clinic 2801 Microsoft Security Guidance Training I (1 day) Clinic 2802 Microsoft Security Guidance Training II (1 day) Microsoft Certified Professional Specializations Self-Paced Microsoft Press Reference Books Assessing Network Security ISBN: 0-7356-2033-4 Microsoft Windows Security Resource Kit ISBN: 0-7356-1868-2 Microsoft Windows Server 2003 PKI and Certificate Security ISBN: 0-7356-2021-0

Event Information What’s Next? Technical Roadshow Post Event Website www.microsoft.com/uk/techroadshow/postevents Available from Monday 18th April Please complete your Evaluation Form! View all presentations and more resource information from the Post Event Website. Please complete your evaluations – we need your feedback to improve!

© 2004 Microsoft Corporation. All rights reserved © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.