Published by Scott Stanley. Modified over 8 years ago.
1
DEPLOYING AN UPDATE MANAGEMENT INFRASTRUCTURE
Chapter 6
2
SECURITY CONFIGURATION AND ANALYSIS
- Applies security templates to the local computer
- Compares the computer’s current security configuration to a baseline stored as a security template
3
ANALYZING A COMPUTER
- Create (or open) a database
- Import a security template
- Perform the analysis
4
VIEWING THE ANALYSIS
5
CHANGING SECURITY SETTINGS
- Apply the database settings to the computer
- Modify the database settings
- Create a new template
- Modify the computer’s settings manually
6
USING MICROSOFT BASELINE SECURITY ANALYZER
- Scans one or multiple computers
- Detects missing updates
7
USING MICROSOFT BASELINE SECURITY ANALYZER (CONTINUED)
- Detects security vulnerabilities
- Includes graphical and command-line interfaces
8
MBSA SCANNING CRITERIA
- The registry key installed by the update
- The version numbers of the files installed by the update
- The checksum of the update (only if MBSA is running from the command line)
9
MBSA RESULTS
10
MBSA RESULTS (CONTINUED)
- Green check mark: Check passed. All required updates have been installed or no issue was found in this particular feature.
- Red X: Critical check failed. Typically indicates that an important update is missing or that configuration of a feature is required.
11
MBSA RESULTS (CONTINUED)
- Yellow X: Noncritical check failed/warning message. In most cases, means that reconfiguration of a specific feature is recommended, but not imperative.
- Blue asterisk: Best practice check. Indicates that the current configuration does not conform to the recommended best practice.
12
MBSA RESULTS (CONTINUED)
- Blue i in a white circle: Provides information about the computer being scanned.
13
USING MBSACLI.EXE
Operates in two modes:
- MBSA mode: Provides similar functionality to that of the graphical MBSA console.
- HFNetChk mode: Provides backward compatibility with earlier versions of the tool.
14
SECURING THE OPERATING SYSTEM INSTALLATION PROCESS
- Disconnect the computer from the network
- Build a separate installation network
- Integrate updates into the installation
15
BUILDING AN INSTALLATION NETWORK FOR MULTIPLE COMPUTERS
16
BUILDING AN INSTALLATION NETWORK FOR ONE COMPUTER
17
SLIPSTREAMING A SERVICE PACK
- Copy the entire Microsoft Windows installation CD to a distribution folder
- Run the service pack’s network installation executable file, using the following syntax:
  servicepackname.exe -s:pathname
18
INTEGRATING UPDATES
- Copy the Windows installation CD to a distribution folder
- Open the Dosnet.inf file and add the [OptionalSrcDirs] and svcpack lines
- Create a folder called Svcpack under \I386, and copy into it those update packages that you want to integrate
- Rename each of the update packages with an 8.3 file name
- Extract each of the update packages to a temporary folder
19
INTEGRATING UPDATES (CONTINUED)
- For each update, copy the catalog file, KB######.cat, to the \I386\svcpack folder
- Copy the binary files for each update to \I386
- In Dosnet.inf, add each binary file to the [Files] section.
- Create a new Svcpack.inf text file in the \I386 folder, listing the catalog and binary files for the updates
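A pre-flight check for the integration procedure above, as an added example that is not part of the original slides: it parses Dosnet.inf and Svcpack.inf and reports the mistakes the steps warn about (no svcpack entry, long file names, files listed but not copied). The section names [ProductCatalogsToInstall] and [SetupHotfixesToRun] follow Microsoft's documented Svcpack.inf layout and are not named on the slides; the function names, KB numbers and file names are constructed.

```python
import re

EIGHT_DOT_THREE = re.compile(r"^[^.\s]{1,8}(\.[^.\s]{1,3})?$")

def parse_inf(text):
    """Return {lowercased section name: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in .inf files
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def check_integration(dosnet_text, svcpack_text, svcpack_dir_files):
    """List problems that would keep Setup from applying the integrated updates."""
    problems = []
    dosnet, svcpack = parse_inf(dosnet_text), parse_inf(svcpack_text)
    present = {name.lower() for name in svcpack_dir_files}
    if "svcpack" not in (l.lower() for l in dosnet.get("optionalsrcdirs", [])):
        problems.append("Dosnet.inf: [OptionalSrcDirs] does not list svcpack")
    # Assumed section names (Microsoft's Svcpack.inf layout, not from the slides).
    for entry in svcpack.get("setuphotfixestorun", []):
        exe = entry.split()[0]  # first token is the package, the rest are switches
        if not EIGHT_DOT_THREE.match(exe):
            problems.append(f"{exe}: not an 8.3 file name")
        if exe.lower() not in present:
            problems.append(f"{exe}: listed in Svcpack.inf but not in \\I386\\svcpack")
    for cat in svcpack.get("productcatalogstoinstall", []):
        if cat.lower() not in present:
            problems.append(f"{cat}: catalog listed but not in \\I386\\svcpack")
    return problems

# Constructed sample input: placeholder KB numbers, not real updates.
DOSNET = "[OptionalSrcDirs]\nsvcpack\n[Files]\nd1,example.dll\n"
SVCPACK = """[SetupData]
CatalogSubDir="\\i386\\svcpack"
[ProductCatalogsToInstall]
KB000001.cat
KB000002.cat
[SetupHotfixesToRun]
KB000001.exe /quiet /norestart /n
Update-KB000002-x86.exe /quiet /norestart /n
"""
FILES = ["KB000001.exe", "KB000001.cat", "Update-KB000002-x86.exe"]

if __name__ == "__main__":
    for problem in check_integration(DOSNET, SVCPACK, FILES):
        print(problem)
```

Run it against the real distribution folder by passing the two files' contents and a directory listing of \I386\svcpack; an empty result means the listed packages and catalogs are all in place.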
20
APPLYING UPDATES WITH ANSWER FILES
[GuiRunOnce]
"server\updates\update1.exe /Z /M"
"server\updates\update2.exe /Z /M"
"server\updates\update3.exe /Z /M"
21
MANUALLY APPLYING UPDATES
New Parameter    Description
/passive         Performs unattended installation while displaying progress bar
/quiet           Performs unattended installation, but no progress bar displayed
/norestart       Prevents computer from automatically restarting
/forcerestart    Forces applications to close without saving files before restarting
/n               Saves disk space by not backing up files that are replaced
/D folder        Stores backed up files in specified folder
22
MANUALLY APPLYING UPDATES (CONTINUED)
New Parameter    Description
/o               Causes service pack to overwrite OEM-supplied files
/l               Lists installed updates in dialog box
/uninstall       Uninstalls previously installed update
/x [folder]      Extracts installation files to specified folder
/er              Enables extended return codes
/S folder        Slipstreams the service pack into installation files located in specified folder
/help or /h      Displays help information
23
USING WINDOWS UPDATE
24
USING SUS
- Install IIS
- Install SUS
- Configure SUS Server
- Synchronize SUS Server
- Approve Updates
- Configure Automatic Updates clients
25
CONFIGURING SUS OPTIONS
- Select a proxy server configuration
- Specify the name your clients use to locate this update server
- Select which server to synchronize content from
- Select how you want to handle new versions of previously approved updates
- Select where you want to store updates
- Synchronize installation packages only for these locales
26
SYNCHRONIZING SUS
27
APPROVING UPDATES
28
USING THE AUTOMATIC UPDATES CLIENT
- Manually configure the client from the Control Panel
- Use group policies to configure the client for a group of computers
- Manually modify the registry settings associated with the client
29
MANUALLY CONFIGURING AUTOMATIC UPDATES
30
CONFIGURING AUTOMATIC UPDATES WITH GROUP POLICIES
31
SUMMARY
- The graphical MBSA console is the most efficient way to scan computers for the presence of updates.
- You can configure MBSA to scan a single computer, a range of IP addresses, or all computers contained within a domain.
- Mbsacli.exe provides a scriptable, schedulable, command-line interface to MBSA’s scanning functionality.
- Mbsacli.exe functions in two modes: standard MBSA mode and the backward-compatible HFNetChk mode.
32
SUMMARY (CONTINUED)
- Computers should not be connected to the Internet, or even to a private network with other hosts, until after the operating system and all updates have been installed.
- Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.
33
SUMMARY (CONTINUED)
- Microsoft updates support a standard set of command-line parameters to simplify the deployment of updates by using scripts.
- SUS requires that IIS be installed on the local computer and that the Web site be configured to use the default port 80.
- The Automatic Updates client can be configured in three ways: Manually with the System Properties dialog box, automatically with group policies, or directly from the local system registry.