Windows Update Services Patch Management comes of Age David Wallis Senior Systems Consultant Raven Computers Ltd.


Agenda What are patches and why do we need them? Windows Update Software Update Services (SUS) Raven Update Service Office Update and application patches Microsoft Update and Windows Update Services (WUS) – the future SMS vs WUS/SUS/RUS Conclusion and Q&A

What are Patches Also known as Hotfixes Modifications to the original program code, normally to fix a problem or vulnerability Quick Fix Engineering – QFE Not normally tested as thoroughly as normal software –May introduce new problems

Worms and Vulnerabilities Windows XP contains over 40 Million lines of code – Mistakes are inevitable Bugs may be discovered and exploited –Buffer Overflows Worms –Programs are written to automate the exploitation of the bug –Like viruses but may not require you to open them –Can spread very quickly, causing havoc –Blaster, Nimda, Sobig Entire exploitation process is automated –You do not need to be specifically targeted

Consequences of being exploited Trojans / Spyware –Programs sneaked onto your computer –May allow complete control of computer, using your password Therefore whole network may be compromised by 1 pc –Harvesting of passwords and account details As you log into online banking, process is recorded and sent to hacker –Internet Activity can be logged and used to target advertisements to you or direct you to other sites

Consequences of being exploited Zombie/Drone PCs –Your system may be used to attack other networks – DDoS –Your computers may be used to store and distribute illegal material –Your computer may be used to execute illegal or antisocial activities such as SPAM –Bandwidth, Storage and even Processing power can be consumed and abused

Consequences of being exploited Loss or destruction of data –Files may be deleted, altered or corrupted –Confidential data may be shipped outside your network –Your systems may crash as a result causing untold amounts of downtime

The World’s 1st JPG virus On September 14th Microsoft issued Security Bulletin MS –Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) A bug in many products allows a specially crafted JPG file to execute malicious code simply by viewing the picture Many MS products affected including Windows 2000/XP (prior to SP2), Office XP, Office 2003, IE6.1, and many others Each product must be patched separately JPG files are ignored by most AntiVirus software as they were previously thought to be harmless On 26/09/04 a trojan was found on Internet news groups (Usenet) which exploits this bug A DIY Virus kit to automate the exploitation is now known to be available on the Internet

Types of patch Critical Security fixes –Created in direct response to a newly discovered threat –Must be applied quickly to protect against worms written to exploit the vulnerability –Time to release is very short, so testing is “Rapid” –Should almost always be applied if they are relevant to your setup

Types of patch Non-Critical Updates –Created to fix specific bugs or to enhance functionality –Should only be applied if the particular problem affects your computer –Can be more thoroughly tested before release

Types of patch Service Packs –Combination of several hotfixes and updates –Thoroughly tested in a wide range of environments before release –Form a new baseline for the product against which future software will be tested –Should be applied when deemed stable

Windows Update Built into Windows 98, Me, 2000 and XP Visit web page to determine what patches should be applied Tries to only propose relevant patches Must be run manually from each computer Requires user to have Admin privileges on local computer Linked from start menu –

Automatic Update Agent Introduced with Windows XP SP1 and Win2k SP4 Available as a download for Win2k SP3 Automates download of critical security patches Can automatically apply and restart computer Can wait for approval before applying Each computer operates separately and fetches its own updates

Software Update Services - SUS Your own Windows Update server Runs on a server on your site Integrates into IIS Administrator approves and downloads patches Client agent on PCs installs approved updates from SUS server No admin rights needed on local PC Can be managed through Group Policy

Microsoft Software Update Services (SUS)

SUS Client Agent Built into Windows XP SP1 and Win2k SP4 Can be managed and deployed through Active Directory Group Policy Machines can be told to install patches at specified times Machines can be told to reboot at specified times if they are left on Could use Wake on LAN to power compatible PCs on for updates during the night

SUS Requirements Runs on Windows 2000 SP3 or later, or Windows 2003 Server running IIS Client PCs must run Windows 2000 SP3 or later, or Windows XP –Windows 9x not supported Installs IISLockdown, so may interfere with some Intranets Administrator must manually approve each update Typical Installation time around ½ day. May vary on some sites

SUS Capabilities SUS can apply all Windows critical security updates and can now deploy service packs to Windows 2000 and Windows XP Next version WUS (due H1 05) will allow security patches for Office, Exchange Server and SQL Server to be automatically deployed too (more shortly)

Raven Update Services

Subscription service - £50 per month –Requires SUS server to be installed Raven Engineers approve updates after testing on a representative sample of platforms Local SUS server pulls only approved “Safe” updates from Raven Update Server Requires no local administration “Hands Free” update of client PCs

Office Patch Management –Like Windows Update, but for Office –Scans your local machine and proposes relevant updates Binary Patches or Full File updates? –Binary Patches are smaller but require access to original installation files (CD or Network Share) –Full File Updates are much bigger downloads but can be applied without the original files

Administrative Deployment of Office Patches Either distribute patches separately to clients or update Administrative Install Point Distribute separate patches to clients –Requires Admin rights on local machine unless using SMS –Patches can be shipped out in logon script, or Intranet etc or using SMS Server –Common baseline remains original installation Update Admin Install Point –Clients must be instructed to reinstall affected features or whole product –New installations are already patched –Necessary if using “Run from Network” –Clients all maintain a common baseline –Once source is patched, clients may be unable to repair or install on demand until reinstalled so may need to maintain an unpatched copy as well –Can use “Elevated Privileges” for installation

Microsoft Update Will combine and replace Windows Update and Office Update web sites Initially will support patching of Windows, Office, Exchange Server and SQL Server Over time will support all Microsoft Products Long Overdue – Now expected H Requires better cooperation within MS teams –Currently there are at least 7 separate, incompatible installer programs in use for MS patches –Will be reduced to 2 for MU

WUS – Windows Update Services Next version of SUS (2.0) Will support all products covered by Microsoft Update – Windows, Office, Exchange, SQL etc Late again, but expected H Many enhanced technologies and new management features RUS will be updated to incorporate WUS Public Beta beginning soon –RUS may be extended to include WUS Beta if stable

Customer Feature Requests
Top Features Requested (compared for SUS 1.0 SP1 and WUS):
–Support for service packs
–Install on SBS and domain controller
–Support for Office and other MS products
–Provide reporting (e.g. deployment status)
–Update targeting
–Improve support for low bandwidth networks
–Allow subscriptions to only certain content
–Set polling frequency for downloading new updates
–Minimize need for end user interruption
–Emergency patch deployment (‘big red button’) *
–NT4 support
*Partially addressed through polling frequency control and scripts

Supported Products And Content Updates for –All Microsoft products over time –At RTM Windows 2000 SP3 and later versions of Windows Office XP SP2 and Office 2003 SQL 2000 and MSDE 2000 Exchange 2003 Platform support/requirements –Windows 2000 SP3 (SP4 for Server) and later –Windows XP RTM and later –Windows Server 2003 RTM and above –All localized versions (including MUI)

Solution Overview
1. Administrator subscribes to update categories
2. Server downloads updates from Microsoft Update
3. Clients register themselves with the server
4. Administrator puts clients in different target groups
5. Administrator approves updates
6. Agents install administrator approved updates
[Diagram labels: Microsoft Update, WUS Server, WUS Administrator, Desktop Clients (Target Group 1), Server Clients (Target Group 2)]

Disconnected Servers [Diagram labels: Desktop Clients, Microsoft Update, WUS Server]

Update Management Features Target Groups –Allow Administrator to manage different groups of PCs differently –OU based policy support for AD environments –Server-side lists for non-AD environments Administrator control of deployment –Initiate scan of machines for patch applicability –Approve for install and uninstall (requires update support) –Date-based deadlines for approved updates –Deploy different updates to target groups

Update Management Features Agent Configurations –Polling frequency –Notification and Install behaviors –Reboot behaviors –Port configurability –Non-administrators can install updates (like administrators) –Install at Shutdown (XP SP2 only)
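The SUS Client Agent and Agent Configurations slides above describe clients steered by Group Policy; on the client those settings appear as registry values under the Windows Update policy key. As an added example (not part of the original deck), this Python script audits the decoded text of a `reg export` of that key for the points the slides raise: use of the internal server, scheduled installs, and target group membership. The host names and both sample exports are constructed.

```python
import re

# Constructed sample (hypothetical host): decoded `reg export` of the Windows Update policy key.
MANAGED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.example.internal"
"WUStatusServer"="http://sus01.example.internal"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Desktops"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''

# Constructed sample: a client whose policy has drifted.
DRIFTED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://old-sus.example.internal"
"WUStatusServer"="http://old-sus.example.internal"
"TargetGroupEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000002
'''

VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_policy(text):
    """Map value name -> int (REG_DWORD) or str (REG_SZ); other lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE.match(line.strip())
        if m:
            name, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return values

def audit(text, approved_server):
    """Return findings for one client; an empty list means it follows the server."""
    v, findings = parse_policy(text), []
    server = str(v.get("WUServer", "")).rstrip("/").lower()
    if v.get("UseWUServer") != 1:
        findings.append("UseWUServer: client does not use the internal update server")
    elif server != approved_server.rstrip("/").lower():
        findings.append("WUServer: points at %r, not the approved server" % server)
    if v.get("WUStatusServer") != v.get("WUServer"):
        findings.append("WUStatusServer: differs from WUServer, status goes elsewhere")
    if v.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate: Automatic Updates is switched off")
    elif v.get("AUOptions") != 4:  # 4 = download automatically and install on schedule
        findings.append("AUOptions: not 4, installs are not on a schedule")
    elif not (0 <= v.get("ScheduledInstallDay", -1) <= 7
              and 0 <= v.get("ScheduledInstallTime", -1) <= 23):
        findings.append("ScheduledInstall*: missing or out-of-range install schedule")
    if v.get("TargetGroupEnabled") == 1 and not v.get("TargetGroup"):
        findings.append("TargetGroup: client-side targeting enabled but no group named")
    return findings

if __name__ == "__main__":
    print(audit(DRIFTED, "http://sus01.example.internal"))
```

`reg export` writes UTF-16 files, so decode them before passing the text to `audit`.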

Network Use Optimization Features Resilient and transparent –BITS* for client-server and server-server downloads –Downloads are in the background –Can throttle bandwidth usage Minimized data downloads –Update subscriptions (per product/classification) –Support for “delta compression” technologies for client-server communications –Option to only download approved updates *Background Intelligent Transfer Service

Reporting Features Standard consolidated reports (for client activity) –Per machine/per update/per target group –Download, install success and failures with error information Content synchronization status reports –What’s new, what changed – much easier for Administrator Event log integration –Agent and server status events sent to local event log

Deployment/Management Flexibility Server deployment options –Updates hosted on Microsoft Update RUS server acts as a control point –Hierarchical deployment Independent servers (admin wishes not inherited) “Replica” servers (admin wishes inherited) Manageability (and extensibility) –.NET based Server APIs (for admin tasks) –COM based Client APIs (with scripting and remoting support) –Automatic deployment of updates –Command line options to trigger update detection Big Red Button!

SMS 2003 Systems Management Server Allows Inventory and discovery of Servers, PCs, Print Servers, Palmtops etc on the network Allows Targeted Software Distribution based on many criteria –Applications, Patches and even OS’s Remote Control and Management of all Windows computers Will be updated shortly to incorporate WUS engine

Comparing WUS And SMS Simple (WUS) versus Advanced (SMS) –SMS not intended for small networks (<20pcs) Client support – SMS still supports Win9x/NT4 Update / Application deployment Reporting features – SMS far more wide ranging WUS: Want update management-only solution that provides simple updating for Microsoft software SMS: Single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OS’s and Applications, as well as an integrated asset management solution

Choosing A Patch Management Solution: Typical customer decisions

Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution | SMS 2003
Large or Medium Enterprise | Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 | WUS*/RUS
Small Business | Have at least 1 Windows server and 1 IT administrator | WUS* / RUS
Small Business | All other scenarios | RUS / Microsoft Update*
Consumer | All scenarios | RUS / Microsoft Update*

*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by WUS or Microsoft Update

Consolidated Solutions Roadmap
[Diagram. Time frames: Current; H1/2005 SMS 2003 FP Time frame; Longhorn Time frame. Rows: Manual / Script Based Updating; Update Content Repositories and Online Services; Update Management Products; Standalone Update Scanning Tools. Items shown: Windows Update, Office Update, Download Center, Microsoft Update, SUS 1.0, WUS, WUS n.0, WUS Client, SMS 2.0 with Feature Pack, SMS 2003, SMS 2003 with Feature Pack, System Center, Windows Server Longhorn, Office Inventory Tool, MBSA 1.2 (includes OIT), MBSA 2.0, In-house developed apps update repository, 3rd party apps update repository, 3rd Party / In-house Tools.]

Additional Information Sign up to receive information about the Open Evaluation Program at Visit www.microsoft.com/sus for the latest information on SUS 1.0 Join the SUS news group Microsoft’s prescriptive guidance for patch management For information on SMS 2003 go to Or just ask your Raven Representative

Conclusions Patch management is essential in the current computing climate –Otherwise you Will be hacked SUS can automate deployment of Windows Patches, but needs managing –Contact your Raven representative to arrange installation NOW RUS removes the burden of approving Windows patches enabling SUS to run virtually hands free –Sign up for RUS here, today! Office and other products must be patched separately for now –Raven Consultants are available to assist in deployment WUS will improve manageability of SUS and extend it to include other products RUS will support WUS when it is available For larger enterprises, consider SMS –Speak to your Raven representative to find out if SMS is for you

Any Questions? David Wallis Senior Systems Consultant Raven Computers Ltd