Microsoft EMEA Retail Technology Conference 2004
System Management in Store
Willem Haring

Agenda
- Security
- Patch Management
- Device management
Security: Patch & Exploit
- Patches proliferating
- Time to exploit decreasing
- Exploits are more sophisticated
- Current approach is not sufficient
- Security is our #1 priority
- There is no silver bullet
- Change requires innovation
[Chart: "Days between patch and exploit" for Nimda, SQL Slammer, Welchia/Nachi and Blaster; only one bar value (26) survives extraction]
Security: Timeline (Today / H2 04 / Future 2005)
Items, in the order shown on the slide (the colour coding that marked items as "don't apply to XP Embedded" or "XP Embedded-specific" is not recoverable here):
- Microsoft Baseline Security Analyzer (MBSA) 1.2
- Virus Cleaner Tools
- Systems Management Server (SMS) 2003
- Desktop QFE Installer Tool 1.0
- Device Update Agent
- Software Update Services (SUS) SP1
- Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
- Windows XP Embedded with Service Pack 2
- Microsoft ISA Server 2004 Enterprise Edition
- Software Update Services Client (SUS 2.0) = Windows Update Services Client (WUS)
- Patching Technology Improvements (MSI 3.0)
- Systems Management Server 2003 SP1
- Microsoft Operations Manager 2005
- Windows Server 2003 Service Pack 1
- Audit Collection Services (ACS)
- Security Configuration Wizard (SCW)
- Windows Update Services (WUS Server)
- Windows Rights Management Services SP1
- System Center 2005
- Windows Server 2003 "R2"
- Network Access Protection ("Quarantine 2")
- Vulnerability Assessment and Remediation
- Active Protection Technologies
- Visual Studio "Whidbey"
*Items in red don't apply to XP Embedded
*Items in green are XP Embedded-specific
Patch Management
- Device Update Agent
- Desktop QFE Installer
- Software Update Services
- Systems Management Server
Device Update Agent (DUA)
What is it?
- Management tool that enables app/operating system-level updates and/or bug fixes
What is the customer benefit?
- Ships in the box today
- Small footprint impact
How does it work?
- Building an image with DUA support, and redistributing the DUA Script compiler (if needed to support third-party script authoring), enables device users to apply updates.
How does pricing/licensing work?
- Royalty-free, ships with SP1
Desktop QFE Installer Tool V1.0
What is it?
- Group of Windows files and registry keys that enables in-field devices to consume unmodified Windows XP Professional updates
What is the customer benefit?
- Updates devices as soon as Pro updates are issued
- No re-imaging/rebuilding required
How does it work?
- Provides supporting files and registry entries for Windows Update installation packages
How does pricing/licensing work?
- Only available on the OEM Secure Site. Supporting documentation will be available only on the OEM Restricted Access Site, detailing how to drop the Pro update.
Other important items
- Will only work with Pro updates issued May 11, 2004 and later
Software Update Services (SUS)
What is it?
- New in SP2
- Management schema that enables device scans for security updates followed by deployment
What is the customer benefit?
- XP Embedded-based devices are maintained with security updates, either automatically or via end-user intervention.
How does it work?
- SUS Client (ships in XP Embedded with SP2) communicates with the SUS server (the engine behind Windows Update) to transfer updates.
- The SUS server is run by the Administrator, who is ultimately in charge of what security updates get applied.
- *ONLY* works over the intranet, not the *internet*: if an OEM is managing the device using SUS, the device must be on the enterprise intranet.
How does pricing/licensing work?
- SUS client ships free of charge with SP2. SUS server is a free Web download.
- Windows Server + Core CALs required. If using WinSVR03 Web Edition and no remote DB, then no CALs are required.
SUS: How It Works
[Diagram: Windows Update Service -> (bandwidth throttling) -> Parent SUS Server -> Firewall -> (bandwidth throttling) -> Child SUS Server -> Automatic Updates (AU) clients]
1. SUS Server checks for updates every hours
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers*
4. AU gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records install history
*SUS maintains approval logs & download, sync, & install statistics
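The approval chain in steps 1 to 7 modelled as a small Python simulation (an added example, not Microsoft's code; the class and update names are invented, and the rule that a SUS server carries only security content comes from the WU v. SUS slide):

```python
"""Toy model of the SUS approval flow: catalog -> admin approval -> child sync -> AU client."""
from dataclasses import dataclass, field


@dataclass
class Update:
    uid: str
    category: str  # "security", "driver" or "servicepack"


@dataclass
class SusServer:
    name: str
    catalog: dict = field(default_factory=dict)   # uid -> Update
    approved: set = field(default_factory=set)
    approval_log: list = field(default_factory=list)  # (admin, uid)

    def sync_from_windows_update(self, feed):
        # Step 1: only security content is carried by SUS (drivers, SPs are dropped)
        for u in feed:
            if u.category == "security":
                self.catalog[u.uid] = u

    def approve(self, uid, admin):
        # Step 2: the administrator is the control point; unknown ids are rejected
        if uid not in self.catalog:
            raise KeyError(f"{uid} not in catalog of {self.name}")
        self.approved.add(uid)
        self.approval_log.append((admin, uid))

    def sync_child(self, child):
        # Step 3: approvals and content are pushed down to a child server
        child.catalog = dict(self.catalog)
        child.approved = set(self.approved)


@dataclass
class AutomaticUpdatesClient:
    server: SusServer
    auto_install: bool
    history: list = field(default_factory=list)  # (uid, action)

    def run_cycle(self):
        # Steps 4-7: fetch the approved list, then notify or install, then record history
        done = {uid for uid, action in self.history if action == "installed"}
        pending = [u for uid, u in self.server.catalog.items()
                   if uid in self.server.approved and uid not in done]
        for u in pending:
            self.history.append((u.uid, "installed" if self.auto_install else "notified"))
        return [u.uid for u in pending]


def simulate():
    feed = [Update("KB-SEC-1", "security"), Update("KB-SEC-2", "security"),
            Update("DRV-9", "driver")]                      # constructed sample feed
    parent, child = SusServer("parent"), SusServer("child")
    parent.sync_from_windows_update(feed)
    parent.approve("KB-SEC-1", "admin")                     # KB-SEC-2 stays unapproved
    parent.sync_child(child)
    au = AutomaticUpdatesClient(child, auto_install=True)
    first, second = au.run_cycle(), au.run_cycle()          # second cycle must be a no-op
    return {"catalog": sorted(child.catalog), "approved": sorted(child.approved),
            "first": first, "second": second, "history": au.history}
```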
WU v. SUS: Key Differences
Windows Update
- Works with Windows XP Pro/Home
- Enables your device to use *anything* posted to Windows Update (security updates, driver updates, service packs)
- Royalty-free
Software Update Services
- Works with Windows XP Pro/Home, and Windows XP Embedded
- Enables your device to consume only security updates (no driver updates, no service packs)
- Requires Windows Server license and CAL licensing
Systems Management Server (SMS)
What is it?
- Manageability application that enables software inventory and patch management for embedded devices
What is the customer benefit?
- Manage embedded devices just as you manage personal computers/servers
- Control, reporting, and planning schema incorporated into SMS
How does it work?
- Use SMS 2003 to drop application and/or platform updates onto your device.
- Must use MBSA to detect what updates are required. NOT AVAILABLE YET: functionality coming in CY05 with WUS. XP Embedded-based devices may show up as unpatched during an MBSA scan.
How does pricing/licensing work?
- Evaluate SMS 2003 Advanced Client for XP Embedded (free download)
- SMS 2003 evaluation copy (free download)
- Redistribute Windows Server + SMS + Windows Server CAL + SMS CAL
Choosing A Patch Management Solution: Typical Customer Decisions
Customer type: Large or Medium Enterprise
  Scenario: Want single flexible patch management solution with extended level of control to patch and update (+ distribute) all software
  Customer chooses: SMS
Customer type: Large or Medium Enterprise
  Scenario: Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows**
  Customer chooses: SUS
Customer type: Small Business
  Scenario: Have at least 1 Windows server and 1 IT administrator**
  Customer chooses: SUS
Customer type: All other scenarios
  Customer chooses: DUA
* Windows XP, Windows Server 2003, Windows 2000
** Customer uses Windows Update or a manual process for other operating system versions and application software
IT Challenges
[Diagram: Today's IT versus Desired IT]
WEPOS Management
Existing Microsoft management technology support:
- Active Directory
- Event Log
- MMC technology
- Telnet Server
- Terminal Services
- Windows Management Instrumentation support
- VB Scripting support
Device Management Tool
- Provides the current device status
- Details the resources an OPOS device is using
- Ability to enable/disable an OPOS device
- Details the Service Object information
Choosing A Patch Management Solution: Needs-Based Selection
Core Patch Management Capabilities (columns: Windows Update / SUS / SMS 2003)

Supported Platforms for Content
  Windows Update: WS2003, WinXP, WinME, Win2K, NT 4.0, Win98
  SUS: WS2003, Windows XP Embedded, WinXP, Win2K
  SMS 2003: WS2003, Windows XP Embedded, WinXP, Win2K, NT 4.0, Win98
Supported Content Types
  Windows Update: All patches, updates (including drivers), and service packs (SPs) for the above
  SUS: Only security and security rollup patches, critical updates, and SPs for the above (no SPs on Windows XP Embedded)
  SMS 2003: All patches, SPs, and updates for the above; supports patch, update, and app installs for MS and other apps (no SPs on Windows XP Embedded)

Granularity of Control
  Security Update Detection: Yes / Yes / No (Yes in all products, except Windows XP Embedded)
  Targeting Content to Systems: No / No / No (Yes in all products, except Windows XP Embedded)
  Network Bandwidth Optimization: No / Yes (for patch deployment) / Yes (for patch deployment and server sync)
  Patch Distribution Control: No / Basic / Advanced
  Patch Installation and Scheduling Flexibility: Manual, end user-controlled / Admin- (auto) or user- (manual) controlled / Administrator control with granular scheduling capabilities
  Patch Installation Status Reporting: Assessing computer history only / Limited (client install history and server-based install logs) / Comprehensive (install status, result, and compliance details)

Additional Software Distribution Capabilities
  Deployment Planning: N/A / N/A / Yes
  Inventory Management: N/A / N/A / Yes
  Compliance Checking: N/A / N/A / Yes

Adopt the solution that best meets the needs of your organization.
Patch Management Strategy
CD
  Description: Manually update devices
  Benefit: Controlled method for devices that are not networked
  Cost: Royalty-free
  Pros: Foolproof
  Cons: Resource-intensive
Device Update Agent (DUA)
  Description: SP1 manageability tool
  Benefit: In-box product to control updating app/operating system
  Cost: Royalty-free with SP1 (and SP2)
  Pros: Small footprint
  Cons: Proprietary to XP Embedded
SMS 2003
  Description: Enterprise-wide technology
  Benefit: Integrated management schema for app and operating system updates
  Cost: Client royalty-free, must pay for Windows/SMS and Windows/SMS CALs
  Pros: Scalability, reporting, scheduling
  Cons: Patch scanning not functional
Desktop QFE Installer Tool 1.0 (DQI)
  Description: Update in-field devices with Pro updates, without a restart
  Benefit: Delta approx. zero between update and deployment
  Cost: Royalty-free; please ask your OEM for more info.
  Pros: Can update in-field devices with Pro updates
  Cons: Not automatic by itself
SUS
  Description: Enterprise-wide technology
  Benefit: Intelligent management schema for updating devices
  Cost: Client royalty-free, must pay for WinSVR & CAL (unless using SVR WE)
  Pros: Auto-scan for security update deployment
  Cons: Only works with WU packages
NOTE: EXCEPT FOR SUS, all these technologies require knowledge of component dependencies and are not automatic (like WU).
Patch Management Interrelationships
[Diagram only; no recoverable text]
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.