Patch Management –Pedro Carrasquilla –Sean Garrett –Jeni Li Arizona State University East Information Technology October 2, 2003 By Presented to WNUG/CCC

 GOAL: prevent client downtime due to critical patch issues  OUTCOME: patch management for domain clients

METHODS  GPO / MSI Packages – Script out, use existing server (GPO) – Potential for hiccups with different models – More background time for building package(s)  SUS server – Requires W2k server and IIS – Ease, point and click – Less admin time overall unless (until ?) compromised

HARDWARE  Dell Power Edge 4300  6 drives  2 Raid Containers  -RAID 1 mirrored (2 drives), OS only (C)  -RAID 5 (4 drives), SUS installation (F)

SOFTWARE  Windows 2000 server with SP3  IIS 5.0  SUS 1.0  Upgrade to SP4 + critical patches  AV (Netshield)

SUS setup  Setup for weekly downloads from Microsoft  Approved only the post SP4 updates  Set client to request reboot after downloading updates from SUS server  Client will apply update next time computer reboots in 24 hr period

Client GPO

WINDOWS LOCKDOWN  Windows Security – CIS Gold Standard template – How Get it from cisecurity.org Security Configuration & Analysis snap-in Review changes before applying!!! – Afterward, clean up the gotchas Set LSA_RestrictAnonymous as required if you have Backup Exec or some other reason it can’t be set to 2 Remove Web anonymous users (IUSR, IWAM) from Guests group Ensure Web anonymous users have permission to logon as batch jobs Ensure Web services are Started and set to Automatic (CIS template disables them) – IIS Admin Service – World Wide Web Publishing Service

WINDOWS LOCKDOWN  Other Security issues – IIS components not installed FTP, SMTP, NNTP, Internet Services Manager (HTML) – IIS tweaks: delete default IIS sites removed directory c:\inetpub\ Bind site to eastsus1.east.ad.asu.edu Allow only ASU subnet to see site Auto-update / administration: no indexing, server IP only Edit URLScan.ini, change RemoveServerHeader to 1 Shared: no indexing, no read, no execute (global.asp, used only by other ASP scripts Modified ACLs for the e:\ Changed encryption level to high (128) LSA restrict anonymous to 1

SUS LOCKDOWN Special IIS Lockdown template for SUS 1. Built in to SUS installation 2. Better than standard IIS Lockdown  What it does – Disallows Web service userid’s from running key system commands – Sets reasonable default settings in URLscan.ini  Caution 1. May break existing Web services on multifunction servers

IIS LOCKDOWN CONT…  Bind Web service to host name – How IIS snap-in Properties, Web Site Identification, Advanced Specify IP address and host header name (FQDN) – Why Keeps IIS from responding to requests without HTTP Host request header Makes your server less vulnerable to worms which find targets by generating random IP addresses Even unpatched Web servers, with this one setting, would have been invulnerable to Code Red, Code Blue, and Nimda worms  Set directory permissions on Web home directory

Deployment  -Testing Production Environment with test OU and several 2000 & XP clients  -Communication with our users. ( )  -GPO Applied WUAU.ADM to production OU for domain PCs

Future Updates  SUS 2.0 system & application (Office, SQL, and Exchange) patching In Beta, but posponed  Staging second server for testing patches initialy  Restricting IPs  Firewall

Web Resources  SUS10sp1.exe 6E41-4F54-972C-AE66A4E4BF6C&displaylang=en  CIS Gold Standard Template  Client GPO wuau.adm D274-42E C667B4C94E9&displaylang=en  Microsoft Solutions for Management: Patch Management Using Microsoft Systems Management Server (SMS) and Microsoft Software Update Services (SUS) yid=7d8999af-7e88-416c f886e8d  Microsofts Software Update Services  Software Update Services Deployment White Paper ment.asp  SUS with SP1 Release Notes and Installation Instructions