Implementing Security Patch Management

Presentation transcript:

Implementing Security Patch Management Thomas Lee tfl@psp.co.uk

Session Prerequisites: hands-on experience with Windows 2000 Server or Windows Server 2003 management tools; reasonable networking background. Level 200

Agenda: Patch Management Overview (why patch management matters); Patch Management Process (process matters more than technology); Patch Management Tools (Microsoft tools for patch management); Future Roadmap (future MS strategy)

Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

Business Case for Patch Management. When determining the potential financial impact of poor patch management, consider: downtime; remediation time; questionable data integrity; lost credibility; negative public relations; legal defenses; stolen intellectual property.

The Importance of Proactive Patch Management
Attack | Patch release date | Attack date | Number of days patch was available before the attack
Nimda | Oct 17, 2000 | Sept 18, 2001 | 336
Klez-E | Mar 29, 2001 | Jan 17, 2002 | 294
Code Red | Jun 18, 2001 | Jul 16, 2001 | 28
SQL Slammer | Jul 24, 2002 | Jan 24, 2003 | 184
Trojan.Kaht | Mar 17, 2003 | May 5, 2003 | 49

Exploit Timeline (diagram). Labels: Vulnerability reported; Security bulletin and patch released; Worm or virus code created; No Exploit; Exploit; Patch developed; Patch reverse engineered; Worm or virus launched, infects unprotected or unpatched systems. Begin race to protect and patch systems before attack is launched.

Microsoft Patch Severity Ratings
Rating | Definition
Critical | Exploitation could allow the propagation of an Internet worm
Important | Exploitation could result in compromise of user data or the availability of processing resources
Moderate | Exploitation is serious, but is mitigated to a significant degree by default configuration, auditing, need for user action, or difficulty of exploitation
Low | Exploitation is extremely difficult or impact is minimal
The Microsoft Security Response Center team assigns a severity rating to each patch released in a security bulletin. The rating definitions are:
Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action.
Important: Exploitation could result in the compromise of user data (confidentiality, integrity, or availability), the integrity of processing resources, or the availability of processing resources.
Moderate: Exploitation is serious, but factors such as default configuration, auditing, need for user action, or difficulty of exploitation have mitigated the threat to a significant degree.
Low: Exploitation is extremely difficult or impact is minimal.
Security Bulletin List: http://www.microsoft.com/technet/security/CurrentDL.aspx

Patching Time Frames
Severity rating | Recommended patching time frame | Recommended maximum patching time frame
Critical | Within 24 hours | Within two weeks
Important | Within one month | Within two months
Moderate | Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within four months | Deploy the patch within six months
Low | Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within one year | Deploy the patch within one year, or choose not to deploy at all
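The time frames above and the attack table from the earlier slide can be turned into a patch-compliance check. The following is an added example, not part of the original presentation; host names, patch ids and inventory dates are constructed, and "one month" is assumed to be 30 days and "one year" 365 days.

```python
from dataclasses import dataclass
from datetime import date

# (recommended, maximum) days after release, from the Patching Time Frames slide.
# Assumption: "one month" = 30 days, "one year" = 365 days.
TIME_FRAMES = {
    "Critical": (1, 14),
    "Important": (30, 60),
    "Moderate": (120, 180),
    "Low": (365, 365),
}
SEVERITY_RANK = {name: i for i, name in enumerate(TIME_FRAMES)}
STATUS_RANK = {"OVERDUE": 0, "LATE": 1, "ON_TRACK": 2}

# Patch release date and attack date as listed on the earlier slide.
ATTACKS = {
    "Nimda": (date(2000, 10, 17), date(2001, 9, 18)),
    "Klez-E": (date(2001, 3, 29), date(2002, 1, 17)),
    "Code Red": (date(2001, 6, 18), date(2001, 7, 16)),
    "SQL Slammer": (date(2002, 7, 24), date(2003, 1, 24)),
    "Trojan.Kaht": (date(2003, 3, 17), date(2003, 5, 5)),
}

@dataclass(frozen=True)
class MissingPatch:
    host: str       # constructed host name
    patch_id: str   # constructed placeholder, not a real bulletin number
    severity: str
    released: date

def classify(patch, today):
    """ON_TRACK, LATE (past recommended) or OVERDUE (past maximum)."""
    if patch.severity not in TIME_FRAMES:
        raise ValueError(f"unknown severity rating: {patch.severity!r}")
    recommended, maximum = TIME_FRAMES[patch.severity]
    age = (today - patch.released).days
    if age > maximum:
        return "OVERDUE"
    return "LATE" if age > recommended else "ON_TRACK"

def triage(patches, today):
    """Worst status first, then highest severity, then oldest release."""
    rows = [(classify(p, today), p) for p in patches]
    rows.sort(key=lambda r: (STATUS_RANK[r[0]],
                             SEVERITY_RANK[r[1].severity], r[1].released))
    return rows

def days_available(attack):
    released, attacked = ATTACKS[attack]
    return (attacked - released).days

def ratings_patched_in_time(attack):
    """Ratings whose maximum time frame would have ended before the attack."""
    window = days_available(attack)
    return [s for s, (_, maximum) in TIME_FRAMES.items() if maximum < window]

# Constructed sample inventory of missing patches.
TODAY = date(2004, 6, 1)
SAMPLE = [
    MissingPatch("file01", "EX-003", "Moderate", date(2004, 3, 1)),
    MissingPatch("db01", "EX-002", "Important", date(2004, 4, 20)),
    MissingPatch("web01", "EX-004", "Critical", date(2004, 5, 25)),
    MissingPatch("kiosk01", "EX-005", "Low", date(2003, 5, 1)),
    MissingPatch("web01", "EX-001", "Critical", date(2004, 5, 10)),
]

if __name__ == "__main__":
    for status, p in triage(SAMPLE, TODAY):
        print(f"{status:8} {p.severity:9} {p.host:8} {p.patch_id}")
    for name in ATTACKS:
        print(name, days_available(name), ratings_patched_in_time(name))
```

For Code Red, only the Critical maximum of two weeks ends inside the 28-day window; an Important rating patched at its two-month maximum would have been too late.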

Improving the Patching Experience
Your need | Microsoft’s response
Reduce patch frequency | Reduced frequency of non-emergency patch releases from once per week to once per month
Reduce patching complexity | Reduced number of patch installer technologies
Reduce risk of patch deployment | Improved patch quality and introduced patch rollback capability
Reduce patch size | Developed “delta patching” technology to reduce patch size
Reduce downtime | Reduced patch-related reboots
Improve tool consistency | Developing consistent tools
Improve tool capabilities | Developing more capable tools

Defense in Depth. Using a layered approach: increases an attacker’s risk of detection; reduces an attacker’s chance of success.
Layer | Examples
Policies, Procedures, & Awareness | Security documents, user education
Physical Security | Guards, locks, tracking devices
Perimeter | Firewalls, Network Access Quarantine Control
Internal Network | Network segments, IPSec, NIDS
Host | OS hardening, authentication, patch management, HIDS
Application | Application hardening, antivirus
Data | ACLs, encryption, EFS

Patch Management Process Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

Requirements for Successful Patch Management. Effective Processes: project management, four-phase patch management process. Effective Operations: people who understand their roles and responsibilities. Tools and Technologies: products, tools, automation.

Patch Management Process
1. Assess: Inventory computing assets; assess threats and vulnerabilities; determine the best source for information about new patches; assess your software distribution infrastructure; assess operational effectiveness
2. Identify: Discover new updates; determine whether updates are relevant to your environment; obtain patch, confirm it is safe; determine if patch is a normal change or an emergency
3. Evaluate and Plan: Determine whether the patch is actually required; plan the release of the patch; build the release; perform acceptance testing
4. Deploy: Prepare for deployment; deploy the patch to targeted computers; review the deployment

Microsoft Patch Management Guidance. Guide: The Patch Management Process. How To: Implement Patch Management. How To: Use Microsoft Baseline Security Analyzer (MBSA). How To: Perform Patch Management Using SUS. How To: Perform Patch Management Using SMS. The guide and articles are available at http://www.microsoft.com/security/guidance/topics/PatchManagement.mspx

Patch Management Tools Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

Key Microsoft Patch Management Toolsets. The web, Windows Update/Office Update: targeted at consumers. Software Update Services: small-medium businesses, departments in an enterprise. SMS: enterprise; more than just patch management.

Choosing a Patch Management Solution Customer type Scenario Solution Consumer All scenarios Windows Update Small organization Has no Windows servers Has a few Windows 2000 or newer servers and few IT administrators MBSA and SUS Medium-sized or large enterprise Wants a patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows Wants a single flexible patch management solution with extended level of control to patch, update, and distribute all software SMS

Patch Management Solution for Consumers and Small Organizations. Patch management solution based on Protect Your PC: 1. Use an Internet firewall. 2. Get computer updates (Windows Update, Office Update). 3. Use up-to-date antivirus software. Protect Your PC Web site: http://www.microsoft.com/protect

How to Use Windows Update. To configure Automatic Updates: 1. Open the System application in Control Panel. 2. Select Keep my computer up to date. 3. On the Automatic Updates tab, select the option you want.

Office Update. Benefits: single location for Office patches and updates; easy to use; can be configured to update consumer or enterprise systems. Limitation: does not support Automatic Updates; updating must be initiated manually. Office Update Web site: http://office.microsoft.com/officeupdate

How to Use Office Update. 1. Go to http://office.microsoft.com/officeupdate 2. Click Check for Updates. 3. Install the Office Update Installation Engine (if not already installed). 4. Select the updates you want to install. 5. Click Start Installation.

Patch Management Solution for Small and Medium-Sized Organizations Size of organization Scenario Patch management solution Small Has one to three Windows 2000 or later servers and one IT administrator MBSA and SUS Medium or large Wants a patch management solution with basic level of control that updates Windows 2000, Windows XP, and Windows Server 2003 computers

MBSA Benefits. Scans systems for: missing security patches; potential configuration issues. Works with a broad range of Microsoft software. Allows an administrator to centrally scan multiple computers simultaneously. MBSA is a free tool, and can be downloaded from http://www.microsoft.com/mbsa

MBSA Considerations. MBSA reports important vulnerabilities: password weaknesses; Guest account not disabled; auditing not configured; unnecessary services installed; IIS vulnerabilities; IE zone settings; Automatic Updates configuration; Internet Connection Firewall configuration.

MBSA – How It Works (diagram). Labels: Windows Download Center; MSSecure.xml; MBSA Computer.

MBSA – Scan Options. MBSA has three scan options: MBSA graphical user interface (GUI); MBSA standard command-line interface (mbsacli.exe); HFNetChk scan (mbsacli.exe /hf).

How to Use MBSA. 1. Download and install MBSA (once only). 2. Launch MBSA. 3. Select the computer(s) to scan. 4. Select relevant options. 5. Click Start scan. 6. View the Security Report.

SUS Benefits. Gives administrators basic control over patch management. Administrators can review, test, and approve updates before deployment. Simplifies and automates key aspects of the patch management process. Can be used with Group Policy, but Group Policy is not required to use SUS. Easy to implement. Free tool from Microsoft.

SUS Considerations. Can only update computers running Windows 2000, Windows XP, and Windows Server 2003. No method to target specific updates to specific computers. Not push technology: client must pull updates from the SUS server. No predefined reports.

SUS – How It Works (diagram). Labels: Windows Update; Firewall; Parent SUS Server with Client Computers; two Child SUS Servers, each with Client Computers.

SUS – Sample Deployment Scenario (diagram). Labels: Windows Update; Firewall; Pilot SUS Server with Pilot Client Computers; Regional SUS Server with Regional Client Computers; Main Office SUS Server with Main Office Client Computers.

SUS – Client Component. The client component of SUS is Automatic Updates. Can be configured to pull updates either from corporate SUS server or from Windows Update. Three ways to configure Automatic Updates: centrally, by using Group Policy; manually configure clients; use scripts to configure clients.

SUS – Server Component. The server component of SUS is Software Update Services. Can pull updates from Windows Update on a schedule. Provides a Web-based administrative GUI. Has several built-in default security features. Provides XML-based logging to a Web server. Supports geographically distributed or scale-out deployments. Localized in English and Japanese.

SUS – MBSA Integration. MBSA is a stand-alone tool, but it is designed to work with SUS. MBSA can be configured to scan for missing updates based on the approved updates on the SUS server instead of available updates on Windows Update. You can use the GUI or command-line versions of MBSA to specify the SUS server that MBSA will check against for missing patches.

How to Use SUS. On the SUS server: 1. Configure the SUS server at http://<server name>/SUSAdmin 2. Set the SUS server synchronization schedule. 3. Review, test, and approve updates. On each SUS client: configure Automatic Updates on the client to use the SUS server (use Group Policy, manually configure each client, or use scripts).

Patch Management Solution for Medium-Sized and Large Organizations
Capability | SUS 1.0 | SMS 2003
Supported Platforms for Content | Windows 2000, Windows XP, Windows Server 2003 | Windows NT 4.0, Windows 98, Windows 2000, Windows XP, Windows Server 2003
Supported Content Types | Security and security rollup patches, critical updates, and service packs for the above operating systems | All patches, service packs, and updates for the above operating systems; supports patch, update, and application installations for Microsoft and other applications
Patch Distribution Control | Basic | Advanced

SMS Benefits. For a full software distribution patch management solution, use: SMS 2003 or SMS 2.0 with SUS Feature Pack. Benefits of using SMS: gives administrators comprehensive control over patch management; automates key aspects of patch management; can update a broad range of Microsoft products; can be used to update third-party software and install other software updates or applications.

SMS – MBSA Integration. MBSA integration included with SMS 2003 and the SUS Feature Pack for SMS 2.0. Scans SMS clients for missing security updates using mbsacli.exe /hf. 1. SMS directs client to run local MBSA scan. 2. Client performs scan, returns data to SMS server. 3. SMS server parses data to determine which computers need which security updates. 4. Administrator pushes missing updates only to clients that require them.

SMS Considerations. Limitations of SMS: command-line syntax must be configured for unattended installation of each update; Microsoft Office patches require extraction to edit a settings file for unattended installation; international updates must be manually downloaded from a Web page.

SMS – How It Works (diagram). Labels: Microsoft Download Center; Firewall; SMS Site Server; three SMS Distribution Points; SMS Clients.

How to Use SMS to Deploy Patches. 1. Open the SMS Administrator Console. 2. Expand the Site Database node. 3. Right-click All Windows XP Computers, and then select All Tasks > Distribute Software Updates. 4. Use the wizard to create a new package and program. 5. Browse to the patch to be deployed. 6. Configure options for how and when the patch will be deployed to clients.

Best Practices for Patch Management. Implement a good patch management process. Choose a patch management solution that meets your organization’s needs. Subscribe to the Microsoft Security Notification Service. Make use of Microsoft guidance and resources. Keep your systems up to date.

Future Roadmap Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

Patch Management Tools Roadmap. Future plans: Microsoft Update will combine the functionality of Windows Update and Office Update. Windows Update Services (SUS 2.0): support for additional Microsoft products; more administrative control and improved reporting; improved bandwidth efficiency.

Patch Management Roadmap (chart). Time frames: Q4/2004, H1/2005, Longhorn. Rows: Update Content Repositories and Online Services; Standalone Update Scanning Tools; Update Management Products. Items shown: Download Center, Windows Update, Office Update, Microsoft Update, 3rd party apps update repository, in-house developed apps update repository, Office Inventory Tool, MBSA 1.1.1, MBSA 1.2.1 (XPSP2 Support), MBSA 2.0, Manual / Script Based Updating, 3rd Party / In-house Tools, SUS 1.0, SMS 2.0 with Feature Pack, SMS 2003, SMS 2003/WUS phase 1 integration, SMS v4, WUS Server, WUS Client, WUS N.0, Windows Server Longhorn.

Patch Management Tools. MBSA: Version 1.2.1, needed for Windows XP SP2; MBSA 2.0, delivery with WUS. Windows Update Service (WUS): replaces SUS; due by June 2005. Longer time frame (e.g. Longhorn): SUS integrated into Windows, full product support; 3rd party integration.

Session Summary Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

For more information. SUS: http://www.microsoft.com/windowsserversystem/sus/default.mspx MBSA: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Next Steps. Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx Get additional security tools and content: http://www.microsoft.com/security/guidance

Questions and Answers