Implementing Security Patch Management

1 Implementing Security Patch Management
Alun Rogers, Principal Consultant, Lynx

2 It’s all about Processes… Microsoft Operations Framework
- Datacenters are all about process
- Windows admins have grown up from desktop/helpdesk roles
- MOF prescribes the processes needed to manage Windows in a datacenter
- Based on the ITIL specifications
- Templates to apply across People, Process and Technology

3 Microsoft Solutions for Management
- Integrated people, process and technology
- Targeted customer scenarios
- Engineered, tested and proven against MOF/ITIL
- Available offerings: Operations Assessment; Security Patch Management; Service Monitoring; New Application Deployment; Core Windows Management; Server Consolidation; Business Desktop Deployment

4 Security And Patching - Today
- Patch management is too complex
- Time to exploit is accelerating, and exploits are more sophisticated
- The current approach is not sufficient

Days between patch release and exploit:
  Nimda           331
  SQL Slammer     180
  Welchia/Nachi   151
  Blaster          25
  Sasser           17

- Security is our No. 1 priority
- There is no silver bullet
- Change requires innovation

5 Management at Microsoft
- Microsoft is committed to making management an asset for the company
- Make Windows the best managed environment
- Make Windows the best platform for customers to manage from and for ISVs to write on
- Build the best management solutions for Windows
- All management unified under one group: a single VP, 600+ people working on management and supportability
- Infrastructure: WMI, MMC, Group Policy, Windows Installer, SAF (the PC Health Support Automation Framework), Help and Support Center, PC Health
- Solutions: SMS, MOM, Application Center 2000, Terminal Server, Windows Update

6 Patch Management End to End
Awareness
- Obtain information about the latest software update vulnerabilities
- Audit your enterprise for applicable software updates
Response
- Assess and authorize available software updates
- Deploy updates in a timely, accurate and efficient manner
Measurement
- Track update deployment and compliance

7 Microsoft Baseline Security Analyzer
MBSA 1.2.1

8 MBSA Objectives: what are we trying to solve with MBSA?
- Know which computers are at risk and how to mitigate or manage that risk
- MBSA is the free assessment tool (and agentless, too); SUS is the free patch deployment tool; SMS is the full-featured management product
- MBSA increases the coverage of Microsoft's products
- More consistent patch detection results with MBSA 1.2.1
- Target: organisations of 1-10,000 seats with 1-5 admin staff, the IT Pro, and power users too

9 Tool Overview
- Single executable that runs on Windows 2000, Windows XP and Windows Server 2003
- Performs remote scans against Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 systems
- Focused on agentless assessment and tactical deployment; easy to use and easy to leverage
- The MSI package contains the GUI (mbsa.exe) and the command-line interface (mbsacli.exe)
- Latest version is 1.2.1, released August 2004

10 MBSA: How It Works*
- Run MBSA on the admin system and specify the target systems
- MBSA checks its own version, downloads MSSecure.CAB from the Microsoft Download Center and verifies its digital signature before using it
- MSSecure.CAB carries the bulletin IDs, product-specific updates, file data, registry data and KB article numbers the checks are driven by
- MBSA scans the target systems for the OS, OS components and applications installed
- The MBSA console parses MSSecure.CAB to see which updates apply and checks whether any required update is missing
- Generates a time-stamped report of missing updates
*Only covers the security patch scanning capabilities, not security configuration detection

11 MBSA SUS Support
- Performs the security-update portion of the scan observing the local SUS server's approved updates
- GUI: MBSA reads the SUS server info from the registry, or the user types it in
- Command line (the quoted argument is the SUS server URL): mbsacli.exe /sus " or, in HFNetChk mode, mbsacli.exe /hf /sus "
- Scans for the updates approved on the SUS server rather than for all available updates
- Reads the ApprovedItems.txt file from the SUS server via HTTP
- Looks the approved items up in the static mapping table in MSSecure.XML
- Ultimately performs the scan against the corresponding patches in MSSecure.XML

12 MBSA SMS Support
- Compatible with the SMS 2.0 Software Update Services Feature Pack and SMS 2003
- Pushes mbsacli.exe to each client to perform a local scan (mbsacli.exe /hf) and parses the output
- SMS administrators can centrally distribute security updates to clients
- SMS now uses MBSA 1.2.1: service packs are detected in addition to security updates and update rollups
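Putting slides 10 to 12 together, here is an added example (not from the presentation) of a batch file an administrator would run from the MBSA workstation: a domain-wide security-update scan that honours the SUS server's approved list, a full scan of an address range, and the HFNetChk-style scan that SMS pushes to clients. SUSSRV01, CORP, the 10.0.1.x range and the output folder are placeholders. The /hf and /sus switches are the ones on the slides; /d, /r, /n and the HFNetChk-mode -d, -o and -f switches are taken from the MBSA 1.2 command-line help and should be confirmed against `mbsacli.exe /?` on the installed version.

```batch
@echo off
rem Added example, not from the presentation: MBSA 1.2.1 scans run from an admin workstation.
rem Placeholders: SUSSRV01 (SUS server), CORP (domain), 10.0.1.x (address range), C:\mbsa-reports.
rem Switch names other than /hf and /sus are taken from the MBSA 1.2 command-line help;
rem confirm them with "mbsacli.exe /?" on the installed version.
setlocal
set MBSA="%ProgramFiles%\Microsoft Baseline Security Analyzer\mbsacli.exe"
set SUS=http://SUSSRV01
set OUT=C:\mbsa-reports
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Whole domain, security updates only (/n skips the OS, IIS, SQL and password
rem    configuration checks). With /sus, MBSA reads ApprovedItems.txt from the SUS
rem    server over HTTP, maps the entries to MSSecure.XML and reports only approved
rem    updates that are missing, i.e. what the SUS clients should already have installed.
%MBSA% /d CORP /sus %SUS% /n OS+IIS+SQL+Password

rem 2. One address range, full scan: configuration checks plus every available
rem    security update in MSSecure.XML, regardless of what has been approved on SUS.
rem    The difference between this and scan 1 is the set of updates nobody has approved yet.
%MBSA% /r 10.0.1.1-10.0.1.254

rem 3. HFNetChk mode, the same engine SMS pushes to each client as "mbsacli.exe /hf".
rem    Tab-delimited output to a file is the form a parser (or SMS) consumes.
%MBSA% /hf /sus %SUS% -d CORP -o tab -f "%OUT%\hf-corp-approved.txt"

rem 4. Local scan, the way a client runs it under SMS (no target means this machine).
%MBSA% /hf -o tab -f "%OUT%\hf-%COMPUTERNAME%.txt"

rem Scans 1 and 2 write one XML report per computer to %USERPROFILE%\SecurityScans
rem (assumed default location), which is what the mbsa.exe GUI displays.
endlocal
```

Every one of these runs starts with the MSSecure.CAB download and signature check from slide 10, so the workstation needs outbound HTTP to the Download Center (or a pre-fetched, still signed copy of the CAB). The scans are agentless, as slide 9 says, which in practice means the account running them must be a local administrator on each target and the targets must expose the admin share and the Remote Registry service; a target that fails those checks shows up as unscanned, not as compliant, and should be treated as unknown in the compliance figures.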

13 Supported Products
For security updates:
- Windows NT4, 2000, XP, 2003
- IIS 4.0, 5.0, 6.0
- SQL Server 7.0, 2000 / MSDE
- IE 5.01+
- Exchange 5.5, 2000, 2003
- Windows Media Player 6.4+
- Office 2000, XP, 2003
- MSXML 2.5, 2.6, 3.0, 4.0
- MDAC 2.5, 2.6, 2.7, 2.8
- Microsoft Virtual Machine (JVM)
- Commerce Server 2000, 2002
- Content Management Server 2001, 2002
- BizTalk 2000, 2002, 2004
- HIS 2000, 2004 (+ SNA Server 4.0)
For config settings:
- Windows NT4, 2000, XP, 2003
- IIS 4.0, 5.0, 6.0
- SQL Server 7.0, 2000
- IE 5.01+
- Office 2000, XP, 2003
New in MBSA V1.2

14 Software Update Services (SUS)

15 SUS SP1 Enhancements
- Ability to install the SUS server on a domain controller or on Small Business Server
- The SUS client (Automatic Updates) can kick off a scheduled install on reboot if the machine was switched off at the scheduled install time
- No automatic reboot after a scheduled installation for non-admin users

16 SUS Considerations
Targeting
- If targeting is required then multiple SUS servers must be used
Reporting
- Basic "pingback" client status info is sent to the server as raw IIS log data
- Reporting Tool available separately
Control over client detection
- Detection occurs every 17.6 to 22 hours
- GPO workaround (AD environment)
- Net stop/start workaround (non-AD environment)

17 How does it work?
Public Windows Update (Internet): Windows critical updates and service packs; pull mechanism, TCP 80 only
1. The SUS server on the intranet syncs updates from Windows Update
2. The admin approves updates (SUS central client configuration)
3. Corporate servers, desktops and laptops running the Automatic Updates client download and install the approved updates
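As an added example for slides 16 and 17 (not from the presentation): a batch file, run as a local administrator on one client, that shows which SUS server the Automatic Updates client is configured to pull from and then forces a fresh detection cycle instead of waiting out the 17.6-22 hour timer. The registry values are the Automatic Updates policy values that the SUS GPO writes in an AD environment and that are set by hand on non-AD machines; SUSSRV01 is a placeholder. `reg.exe` is built into Windows XP and Windows Server 2003 but on Windows 2000 comes from the Support Tools, and `wuauclt /detectnow` is assumed to be supported by the installed Automatic Updates client.

```batch
@echo off
rem Added example, not from the presentation: check the SUS client configuration and
rem force a detection cycle. Run as a local administrator. SUSSRV01 is a placeholder.
set POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem 1. Which server does this client pull from? SUS is a pull mechanism over TCP 80,
rem    so WUServer and WUStatusServer should both be http://<your SUS server>, and
rem    UseWUServer must be 1 or the client quietly goes to public Windows Update instead.
reg query "%POL%" /v WUServer
reg query "%POL%" /v WUStatusServer
reg query "%POL%\AU" /v UseWUServer
reg query "%POL%\AU" /v AUOptions

rem 2. Non-AD machines have no GPO to deliver these values: set them directly.
rem    Left commented out because on a domain member the GPO overwrites them anyway.
rem reg add "%POL%" /v WUServer /t REG_SZ /d http://SUSSRV01 /f
rem reg add "%POL%" /v WUStatusServer /t REG_SZ /d http://SUSSRV01 /f
rem reg add "%POL%\AU" /v UseWUServer /t REG_DWORD /d 1 /f

rem 3. The "net stop/start" workaround from slide 16: restarting the Automatic Updates
rem    service (wuauserv) makes it re-read the policy and begin a new detection cycle
rem    rather than waiting for the remainder of the 17.6-22 hour window.
net stop wuauserv
net start wuauserv

rem 4. Ask for detection now (assumes the installed client supports /detectnow).
wuauclt /detectnow

rem 5. The check for approved updates is an HTTP GET to the SUS server, so the
rem    server's IIS log should show this machine within a few minutes; slide 16's
rem    "pingback" status lines land in that same raw IIS log.
```

The check in step 1 is the one worth automating across a fleet: a client whose policy points at the public Windows Update site, or whose UseWUServer is 0, will install whatever Microsoft publishes rather than what the admin approved, and SUS has no report that would reveal it. Step 5 gives the server-side confirmation that the client actually pulled from the intranet server over TCP 80, which is the only channel the design in slide 17 allows.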

18 Patching the Enterprise: SMS 2003 and SUS

19 SMS 2003 & Patch Management
Vulnerability Assessment
- Leverages existing tools such as the Microsoft Baseline Security Analyzer
- Collects MBSA results for storage in a central repository
- Rich reporting provides detailed vulnerability analysis and enables mitigation planning
Status and Compliance Reporting
- Deployment status as patches are delivered
- Built-in reports, status messaging and summarization
- Determine the actual baselines in the environment before changing the environment
- Reference computer templates for baseline determination and compliance

20 SMS 2003 Software Update Key Components
- Sync tools: periodically check microsoft.com for an updated catalog and scan tools
- Scan tools: detect applicable patches and populate the SMS database; Windows and Office for the SMS 2.0 Feature Pack; SQL, Exchange, IIS and IE for SMS 2003 and the upcoming 2.0 Feature Pack
- Distribute Software Updates Wizard: helps administrators authorize and download software updates
- Software Update Installation Agent: lets the admin control the end-user experience for enforcement and reboots
- Reports: various reports for software updates, at machine as well as enterprise level

21 Scan Tool + Inventory Collection: Overview
(Diagram. Internet side: Download Center / Office Update, etc., supplying scheduled database updates (MSSecure.XML, etc.) and patches, QFEs, SRPs, etc. Intranet side: the SMS 2.x site infrastructure, administered through MMC / Patch Wizard and web reports; managed corporate servers, workstations and laptops run the scan tool with inventory collection, return status messages and inventory to the site, and run the scan tool again to install the applicable patches.)

22 Patch Management Client Experience

23 Patch Management Solution: Selection Criteria
Adopt the solution that best meets the needs of your organization. Core patch management capabilities by solution:

Supported platforms for content
  Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
  SUS 1.0:        Win2K, WS2003, WinXP
  SMS 2003:       NT 4.0, Win2K, WS2003, WinXP, Win98
Supported content types
  Windows Update: All patches, updates (including drivers) and service packs (SPs) for the above
  SUS 1.0:        Only security and security rollup patches, critical updates and SPs for the above
  SMS 2003:       All patches, SPs and updates for the above; supports patch, update and application installs for Microsoft and other apps
Granularity of control: targeting content to systems
  Windows Update: No
  SUS 1.0:        No
  SMS 2003:       Yes
Network bandwidth optimization
  SUS 1.0:        Yes (for patch deployment)
  SMS 2003:       Yes (for patch deployment and server sync)
Patch distribution control
  SUS 1.0:        Basic
  SMS 2003:       Advanced
Patch installation and scheduling flexibility
  Windows Update: Manual, end-user controlled
  SUS 1.0:        Admin (auto) or user (manual) controlled
  SMS 2003:       Administrator control with granular scheduling capabilities
Patch installation status reporting
  Windows Update: Assessing computer history only
  SUS 1.0:        Limited (client install history and server-based install logs)
  SMS 2003:       Comprehensive (install status, result and compliance details)

24 Choosing a Patch Management Solution
Consumer
  Home use: Windows Update
Small Business
  No Windows servers: Windows Update
  1-3 Windows servers and 1 IT administrator**: SUS
Medium or Large Enterprise
  Want a patch management solution with a basic level of control that updates Windows 2000 and newer versions* of Windows**: SUS
  Want a single, flexible patch management solution with an extended level of control to patch, update and distribute all software: SMS

25 Futures

26 General Futures
- XP SP2: the Automatic Updates client is WUS ready; the same client also covers Windows 2000 SP3 and Windows Server 2003 SP1
- SMS 2003 SP1: uses the Automatic Updates client from XP SP2
- WUS: greater flexibility; the beta is open today

27 Customer Feature Requests
Top features requested (addressed in SUS 1.0 SP1 and/or WUS):
- Support for service packs
- Install on SBS and domain controllers
- Support for Office and other Microsoft products
- Support for additional update content types
- Update uninstall
- Update targeting
- Improved support for low-bandwidth networks
- Reduce the amount of data that needs to be downloaded
- Set the polling frequency for downloading new updates
- Minimize the need for end-user interruption
- Emergency patch deployment ("big red button")*
- Deploy updates for ISV and custom apps
- NT4 support
*Partially addressed through polling frequency control and scripts

28 WUS Features
Administrator control
- Initiate install, uninstall and pre-deployment check
- Deploy different updates to target groups
- Date-based deadlines for patch deployment
- Configurable polling frequency
- Pre-set rules for auto-deployment
- Non-administrators can receive update notifications
- Explicit server admin roles
Bandwidth efficiency
- BITS for client-server and server-server downloads
- Update subscriptions (per product/classification)
- Support for "delta compression" technologies
- Option to only download updates when they are deployed

29 WUS Supported Products and Content
Updates for all Microsoft products over time. At RTM:
- Windows 2000 SP3 and later versions of Windows
- Office XP SP2 and Office 2003
- SQL Server 2000 and MSDE 2000
- Exchange 2003
Platform support/requirements:
- Windows 2000 SP3 (SP4 for Server) and later
- Windows XP RTM and later
- Windows Server 2003 RTM and above
- All localized versions (including MUI)

30 Update Management Features
Target groups
- Registry-based policy support for AD environments
- Server-side lists for non-AD environments
Administrator control
- Initiate a scan of machines for patch applicability
- Approve for install and uninstall (uninstall requires support from the update itself)
- Date-based deadlines for approved updates
- Deploy different updates to target groups
- Configurable client polling frequency
- Configurable reboot behavior
- Port configurability
- Non-administrators can install updates (like administrators)
- Install at shutdown (XP SP2 only)

31 Network Use Optimization Features
Resilient and transparent
- BITS* for client-server and server-server downloads
- Downloads run in the background
Minimized data downloads
- Update subscriptions (per product/classification)
- Support for "delta compression" technologies for client-server communications
- Option to only download approved updates
*Background Intelligent Transfer Service

32 Reporting Features
Standard consolidated reports (for client activity)
- Per machine / per update / per target group
- Download and install successes and failures, with error information
Content synchronization status reports
- What's new, what changed
Aggregate reports for multiple servers
- Summary event roll-up to the parent server
Event log integration
- Client and server status events sent to the local event log

33 Web Resources
- Management
- Microsoft Management Alliance
- Microsoft Solutions for Management
- SMS
- SUS
- ITIL

34 Community Resources
- Most Valuable Professional (MVP)
- Newsgroups: converse online with Microsoft newsgroups, including worldwide /newsgroups/en-us/default.aspx
- User Groups: meet and learn with your peers default.mspx

35 Microsoft Learning Security Resources for IT Professionals
- Free online skills assessments
- Hands-on instructor-led training
- Free self-paced e-learning clinics
- Microsoft Certified Professional specializations
- Self-paced Microsoft Press reference books
Courses, labs and clinics:
- Course: Implementing and Administering Security in a Windows Server 2003 Network (5 days)
- Managing the Deployment of Service Packs and Security Updates
- Introduction to Microsoft Security Guidance
- Course: Designing Security for Microsoft Networks (3 days)
- Hands-on Lab 2811: Applying Microsoft Security Guidance (1 day)
- Protecting the Perimeter of Networks
- Course: Implementing Internet Security and Acceleration Server 2004 (4 days)
- Clinic 2801: Microsoft Security Guidance Training I (1 day)
- Clinic 2802: Microsoft Security Guidance Training II (1 day)
Microsoft Press books:
- Assessing Network Security, ISBN:
- Microsoft Windows Security Resource Kit, ISBN:
- Microsoft Windows Server 2003 PKI and Certificate Security, ISBN:

36 Event Information: What's Next?
- Technical Roadshow post-event website available from Monday 18th April: view all presentations and more resource information there
- Please complete your evaluation form; we need your feedback to improve!

37 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

