Patch Management drill down
Steven Hope, Lead Technical Security Specialist

Presentation transcript:

Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:
– FREE bi-weekly technical newsletter
– FREE regular technical events hosted across the UK
– FREE weekly UK & US led technical webcasts
– FREE comprehensive technical web site
– Monthly CD / DVD subscription with the latest technical tools & resources
– FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit or speak to a Microsoft representative during the break

This is true for you, right?
We live in a world of plenty…
– High bandwidth links everywhere
– Low cost & reliable connectivity
– Free extra bandwidth as and when we need it
We all have an efficient patch process…
– Testing is quick
– The process is clear and repeatable
– Deployment is easy
Who said “I WISH”??? But isn’t this what you really want and need?

Patch Management – The Rude Awakening
Humans write software, therefore software will ALWAYS have bugs!
Utopia = not having to deploy a patch, not that patches no longer exist.
Patching should be the LAST line of defence, not the first! And it should be avoided wherever possible.
Patching is NOT all about tools and scripts. Clever system / network designs can significantly reduce the requirement to patch, e.g.:
– Use IPSEC to reduce access to services
– Use Layer 7 firewalls like ISA Server 2004 to protect core assets
– Reduce the attack surface on machines
Monthly controlled releases and responsible disclosure are GOOD things!

Organization for Internet Safety
Mission: To develop and promote processes for effectively handling security vulnerabilities.
Industry-leading vendors, security research firms

Successful Patch Management Ingredients
– Tools & Technologies
– Consistent & repeatable Processes
– Skilled People

Patch Management Best Practices Process
(Cycle: 1. Assess → 2. Identify → 3. Evaluate & Plan → 4. Deploy)
1. Assess Environment to be Patched
Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review Infrastructure/configuration
Ongoing Tasks
A. Discover Assets
B. Inventory Clients
2. Identify New Patches
Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: install on isolated system)
3. Evaluate & Plan Patch Deployment
Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing
4. Deploy the Patch
Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment

Updating: Roadmap
Today: Windows Update (Windows only), Office Update, Download Center, SUS, SMS, VS Update, AutoUpdate
Soon…: “Microsoft Update” (Windows Update), Windows Server Update Services, SMS; each covering Windows, SQL, Exchange, Office…

Security Update Management Today
Disparate sources, limited product support
Windows Update/Office Update
– Consumer focused web based solutions
Software Update Services (SUS) 1.0
– Intermediary between Windows Update and Automatic Updates (globally control updates)
Microsoft Baseline Security Analyzer (MBSA)
– Detects security updates for 16 products
– Detects configuration vulnerabilities for 7 products
Systems Management Server 2003
– SUS Feature Pack (Windows Updates only)
– MBSA for other security update detection
Enterprise Update Scan Tool (EST)
– Detects critical and important security updates that MBSA does not
– Compatible with SMS

Security Update Management Tomorrow
Consistent results, extending product support
Microsoft Update (MU)
– “Hosted” version of Windows Server Update Services
– Consumer focused web based solution
Windows Server Update Services (WSUS)
– Infrastructure for all other updating products and tools
– Update management solution with targeting for Microsoft platform
Microsoft Baseline Security Analyzer (MBSA) 2.0
– Security focused scanning without the need for a server
Systems Management Server 2003
– Inventory Tool for Microsoft Update
– Integrated MBSA 2.0 security configuration checks

Microsoft Baseline Security Analyser: Now and next

MBSA – Analysis and reporting tool
Scans for missing security updates and security configuration settings
Born of HFnetchk, now at
Requires up to date reference file (mssecure.xml)
GUI and command line versions
“Read only” tool - user context requires local admin rights on each target machine
Scans:
– Windows 2000, Windows XP, Windows Server 2003
– IIS, SQL Server, Internet Explorer, Office, Exchange Server, Windows Media Player
– Microsoft Data Access Components (MDAC), MSXML
– Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server

MBSA / MBSA 2.0 Delta
MBSA 2.0 shares with MBSA:
– Security configuration and update scanning
– Command line scripting
– Simple, easy to use interface
– Integration with SMS and MOM
MBSA 2.0 introduces:
– WSUS scan parity
– WSUS compliance
– Expanding security update product support
– Security update install history
– CAN/CVE ID when they become available
MBSA 2.0 RTW = End of Q2 2005

MBSA 2.0: How It Works*
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file from MU & verifies digital signature
3. Scans target systems for OS, OS components, & applications using WUA
4. Generates time stamped report of missing updates
(Diagram: Microsoft Update, WSUS Server, MBSA Computer; all content is shared with MU)
*Only covers security patch scanning capabilities, not security configuration detection issues

Windows Server Update Services
WSUS - The software formerly known as SUS and WUS…

Windows Server Update Services
Successor to SUS (Software Update Services)
Automates centralized download, distribution and installation of updates
Gets its content from Microsoft Update (MU)
Free download
– Free to Windows Server (2000 and above) licensees
– Requires Windows Server / Core CAL for target systems
Does not change currently available offerings
– SUS 1.0 continues to get content from WU
Core component of Microsoft’s Update Management solutions & roadmap
WSUS RTW = Q2 2005

WSUS - Supported Products And Content
Critical Updates for
– All Microsoft products over time
– At RTM:
  – Windows 2000 SP3 and later versions of Windows
  – Office XP SP2 and Office 2003
  – SQL 2000 and MSDE 2000
  – Exchange 2003
  – Critical drivers
Platform support/requirements for
– Windows 2000 SP3 (SP4 for WSUS Server) and later
– Windows XP RTM and later
– Windows Server 2003 RTM and above
– All localized versions (including MUI)

WSUS - Solution Overview
1. Administrator subscribes to update categories
2. Server downloads updates from Microsoft Update
3. Clients register themselves with the server
4. Administrator puts clients in different target groups
5. Administrator approves updates
6. Agents install administrator approved updates
(Diagram: Microsoft Update → WSUS Server → Desktop Clients (Target Group 1) and Server Clients (Target Group 2); WSUS Administrator)

WSUS Scalability
(Diagram: Microsoft Update → Parent WSUS Server → Replica Child WSUS Server / Autonomous Child WSUS Server → Desktop Clients)

WSUS & disconnected Networks
(Diagram: Microsoft Update, WSUS Server, Desktop Clients)

WSUS – Client Deployment & Configuration
Client Deployment
– Only required for Windows XP Gold (without SP)
– Windows XP SP2 and Windows Server 2003 SP1 include the WSUS client binaries
– All other WSUS supported OS’s include AUv2.2
– Automatically self-updates to WSUS client version
Client Configuration
– Active Directory = via GPO
– NT4.0 = Wuau.adm in System Policy
– Registry keys via script

WSUS Features
Administrator control of deployment
– Initiate scan of machines for patch applicability
– Approve for install and uninstall (requires update support)
– Date-based deadlines for approved updates
– Deploy different updates to target groups
WSUS GUI based reports
– Per machine/per update/per target group
– Needed, Pending Reboot, Install success and failures with error information

WSUS Features (continued)…
Target Groups
– Client-side targeting using AD GPO
– Server-side targeting on WSUS server
Client Configurations
– Polling frequency
– Notification and Install behaviors
– Reboot behaviors
– Port configurability
– Non-administrators can install updates (like administrators)
– Install at Shutdown (XP SP2 only)
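The "Registry keys via script" client configuration route and the client settings listed above (client-side targeting, polling frequency, install and reboot behaviour, port) all map onto the same WindowsUpdate policy keys that the GPO / Wuau.adm template writes. The script below is an added example, not code from the presentation; the server URL, port and target group name are placeholders, and it must be run elevated on the client.

```powershell
# Added example: set and verify WSUS client policy keys (placeholders below).
$WsusUrl   = "http://wsus.example.internal:8530"   # placeholder server; port is part of the URL
$GroupName = "Desktops-Pilot"                        # placeholder target group for client-side targeting

$WuPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$AuPath = Join-Path $WuPath "AU"

function Set-WsusClientPolicy {
    param([string]$ServerUrl, [string]$TargetGroup, [int]$DetectionHours = 4)

    foreach ($p in @($WuPath, $AuPath)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # Update source and status (reporting) server both point at WSUS.
    Set-ItemProperty -Path $WuPath -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuPath -Name WUStatusServer -Value $ServerUrl -Type String
    # Client-side targeting: the client announces its target group to the server.
    Set-ItemProperty -Path $WuPath -Name TargetGroupEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPath -Name TargetGroup        -Value $TargetGroup -Type String

    Set-ItemProperty -Path $AuPath -Name UseWUServer -Value 1 -Type DWord
    # Notification / install behaviour: 4 = auto download and schedule the install.
    Set-ItemProperty -Path $AuPath -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuPath -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
    Set-ItemProperty -Path $AuPath -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00
    # Polling frequency: hours between detection cycles (valid range 1-22).
    Set-ItemProperty -Path $AuPath -Name DetectionFrequencyEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $AuPath -Name DetectionFrequency        -Value $DetectionHours -Type DWord
    # Reboot behaviour: never restart automatically while someone is logged on.
    Set-ItemProperty -Path $AuPath -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

function Get-WsusClientPolicy {
    # Read the values back so the result can be verified or audited on each client.
    $wu = Get-ItemProperty -Path $WuPath -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                      = $wu.WUServer
        WUStatusServer                = $wu.WUStatusServer
        TargetGroup                   = $wu.TargetGroup
        UseWUServer                   = $au.UseWUServer
        AUOptions                     = $au.AUOptions
        DetectionFrequency            = $au.DetectionFrequency
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers
    }
}

Set-WsusClientPolicy -ServerUrl $WsusUrl -TargetGroup $GroupName
Get-WsusClientPolicy | Format-List
# Start a detection cycle now so the client registers with WSUS without waiting for the next poll.
wuauclt.exe /detectnow
```

Where Active Directory is available the GPO route is preferable, because policy keys written by script can be overwritten by Group Policy on the next refresh.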

Network Use Optimization Features
Resilient and transparent
– BITS* for client-server and server-server downloads
– Downloads are in the background
Minimized data downloads
– Update subscriptions (per product/classification)
– Support for “delta compression” technologies for client-server communications
– Option to only download approved updates
*Background Intelligent Transfer Service

Customer Feature Requests
Top Features Requested (table compares SUS 1.0 SP1 and WSUS):
– Support for service packs
– Install on SBS and domain controller
– Support for Office and other MS products
– Support additional update content types
– Update uninstall
– Update targeting
– Improve support for low bandwidth networks
– Reduce amount of data that needs to be downloaded
– Set polling frequency for downloading new updates
– Minimize need for end user interruption
– Emergency patch deployment (‘big red button’) *
– Deploy update for ISV and custom apps
– NT4 support
*Partially addressed through polling frequency control and scripts

Systems Management Server 2003
Patching the Enterprise

Systems Management Server 2003
Premium Change and Configuration Management Offering
Scalable, global enterprise solution for client and server management
– Software Distribution
– OS Deployment
– Mobile Device Management
– Hardware Inventory
– Software Inventory
– Application Usage Tracking
– Remote Help Desk Functionality
Visit for more information: http://

SMS 2003 & Patch Management
Supports critical updates for Windows and Office
Vulnerability Assessment
– Leverages existing tools like MBSA
– Collects MBSA results for storage in a central repository
– Rich reporting provides detailed vulnerability analysis and enables mitigation planning
Status and Compliance Reporting
– Deployment status as patches are delivered using built-in reports and client status messaging
– Determine actual baselines in the environment before changing the environment
– Report on clients not compliant to baseline
– Automatically deploy updates to get compliant

SMS 2003 Patch Management: How It Works
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates
(Diagram: Microsoft Download Center → Firewall → SMS Site Server → SMS Distribution Points → SMS Clients)

SMS SP1
Ability to authorize critical updates immediately without waiting for inventory scans. Allows deployment of a critical update as soon as it is released.
Prior to SP1 you needed to wait for the scans to happen and the data to be returned to the SMS site server; only then would the update be available to deploy through the Distribute Software Updates wizard.

SMS Inventory Tool for Microsoft Updates
SMS Inventory Tool for Microsoft Updates (ITMU)
– Uses Windows Update Agent for scanning and installation of updates
– WUA included with Windows XP SP2 & Windows Server 2003 SP1
– Distributed as a stand-alone install by SMS for older operating systems
Provides consistency with content provided on Microsoft Update
Non-critical updates are not included in v1.0 of the scan tool
Can be used side-by-side with legacy scan tools for additional product coverage
Expected Release Date = July 2005

Patch Management Client Experience

Background Intelligent Transfer Service - BITS
Downloads files using Hypertext Transfer Protocol (HTTP)
Checkpoint mechanism
– Allows for network connectivity interruptions
Automatic network throttling
– Only uses idle bandwidth
NEW! BITS v2.0
– Included in Windows XP SP2 & Windows Server 2003 SP1
– Downloadable for Windows 2000, XP and Server 2003

How does Microsoft manage patches?
Patching by MSIT

How MS does it: Patch process flow
1. Corporate Security (CorpSecIT) monitors vulnerability information
2. CorpSecIT finds & analyzes vulnerability
3. Critical Vulnerability? No: wait for service pack. Yes: continue
4. CorpSecIT determines enforcement schedule: 14 days; 7 days (or immediate if critical)
5. Global Client Software (GCS) tests patch
6. GCS creates SMS package
7. GCS distributes package
8. GCS enforces patch

How MS does it: The technology
Patch timeline (chart of Vulnerable Clients over time, Weds 10:00AM to Thurs 5:00AM to Fri 2:00PM, with 5:00PM checkpoints; values shown: 12%, 30%, 6%, 5%, 3%)
Methods, on an axis from Low Client Impact to High Client Impact:
– Windows Update & ITWeb Notification (Optional)
– SMS Patch Management (Voluntary > Forced)
– Internal Scanning & Scripts (Forced)
– Port Shutdowns