IT:Network:Microsoft Applications Network Patch Management
Agenda Network Patch Management Microsoft Baseline Security Analyzer Windows Software Update Services Third Party Products
Network Patch Management What is it? The process of controlling the deployment and maintenance of interim software releases into production environments Patch management is a critical part of maintaining the security of your systems and network. The patch management system that you build and maintain is, among other things, the channel through which you deploy security updates from Microsoft and other vendors. The timely application of security updates is one of the most important and effective things you can do to protect your systems and network, therefore, your patch management system must be as efficient as possible.
Network Patch Management Poor update management can result in: Downtime Remediation time Questionable data integrity Lost credibility Negative public relations Legal defenses Stolen intellectual property
Network Patch Management Ten Principles of Microsoft Patch Management Service packs should form the foundation of your patch management strategy Make Product Support Lifecycle a key element in your strategy Perform risk assessment using the Severity Rating System as a starting point Use mitigating factors to determine applicability and priority Only use workarounds in conjunction with deployment Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article Test updates before deployment Contact Microsoft Product Support Services if you encounter problems in testing or deployment Use only methods and information recommended for detection and deployment The Security Bulletin is always authoritative
Network Patch Management Microsoft process for updating software after release Microsoft makes available periodic updates. Every Microsoft product group includes a sustaining engineering team which develops updates to resolve problems. The process is as follows: Microsoft is made aware of a security vulnerability. Issue is evaluated and verified by the Microsoft Security Response Center. The product groups sustaining team creates and tests update. Microsoft distributes the software update through the Microsoft Download Center and other services: Automatic Updates and User Initiated Updates
Network Patch Management Microsoft Update Definitions Term Definition Security patch A broadly released fix for a specific product, addressing a security vulnerability Critical update A broadly released fix for a specific problem, addressing a critical, non-security–related bug Update A broadly released fix for a specific problem, addressing a non-critical, non-security–related bug Hotfix A single package composed of one or more files used to address a problem in a product. Service pack A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features.
Network Patch Management Windows updates—additions to software that can help prevent or fix problems, improve how your computer works, or enhance your computing experience Windows updates can be managed through Control PanelSystem and SecurityWindows Update.
Microsoft Baseline Security Analyzer (MBSA) A tool designed for the IT professional that helps determine their security state in accordance with Microsoft security recommendations and offers remediation guidance. You can use MBSA to detect common security misconfigurations and missing security updates on your computer systems. The MBSA can check computers running: Windows Server 2012, R2 Windows 8 Windows Server 2008 R2, Windows Server 2008 Windows 7 Windows Server 2003 Windows Vista
Microsoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer (MBSA)
Windows Software Update Services Enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. Must be added as a Role for Windows Server 2008 R2 Requires Internet Information Services to be added as a Role Service
Windows Software Update Services
Windows Software Update Services Enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. Must be added as a Role for Windows Server 2008 R2 Requires Internet Information Services to be added as a Role Service
Windows Software Update Services What client platforms support WSUS? Windows XP Windows Vista Windows 7 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2
Windows Software Update Services
Windows Software Update Services
References and other solutions Ten Principles of Microsoft Patch Management http://technet.microsoft.com/en-us/library/cc512589.aspx Windows Software Update Services http://www.microsoft.com/windowsserversystem/updateservices/default. mspx Lumension http://www.lumension.com/ Spiceworks http://www.spiceworks.com/ Microsoft System Center Essentials 2010 http://www.microsoft.com/systemcenter/en/us/essentials.aspx