Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Security Patch Management

Published byЕлена Битяговская Modified over 5 years ago

Similar presentations

Presentation on theme: "Implementing Security Patch Management"— Presentation transcript:

1 Implementing Security Patch Management
Thomas Lee

2 Session Prerequisites
Hands-on experience with Windows 2000 Server or Windows Server 2003 management tools Reasonable networking background Level 200

3 Agenda Patch Management Overview Why patch management matters
Patch Management Process Process matters more than techology Patch Management Tools Microsoft tools for patch management Future Roadmap Future MS strategy

4 Patch Management Overview
Patch Management Process Patch Management Tools Future Roadmap

5 Business Case for Patch Management
When determining the potential financial impact of poor patch management, consider: Downtime Remediation time Questionable data integrity Lost credibility Negative public relations Legal defenses Stolen intellectual property

6 The Importance of Proactive Patch Management
Attack Patch release date date Number of days patch was available before the attack Nimda Oct 17, 2000 Sept 18, 2001 336 Klez-E Mar 29, 2001 Jan 17, 2002 294 Code Red Jun 18, 2001 Jul 16, 2001 28 SQL Slammer Jul 24, 2002 Jan 24, 2003 184 Trojan.Kaht Mar 17, 2003 May, 49

7 Exploit Timeline Vulnerability reported
Security bulletin and patch released Worm or virus code created No Exploit Exploit Patch developed Patch reverse engineered Worm or virus launched; infects unprotected or unpatched systems Begin race to protect and patch systems before attack is launched

8 Microsoft Patch Severity Ratings
Definition Critical Exploitation could allow the propagation of an Internet worm Important Exploitation could result in compromise of user data or the availability of processing resources Moderate Exploitation is serious, but is mitigated to a significant degree by default configuration, auditing, need for user action, or difficulty of exploitation Low Exploitation is extremely difficult or impact is minimal The Microsoft Security Response Center team assigns a severity rating to each patch released in a security bulletin. The rating definitions are: Critical - Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action. Important - Exploitation could result in the compromise of user data (confidentiality, integrity, or availability), the integrity of processing resources, or the availability of processing resources. Moderate – – Exploitation is serious, but factors such as default configuration, auditing, need for user action, or difficulty of exploitation have mitigated the threat to a significant degree. Low - Exploitation is extremely difficult or impact is minimal. Security Bulletin List:

9 Patching Time Frames Severity rating Recommended patching time frame
Recommended maximum patching time frame Critical Within 24 hours Within two weeks Important Within one month Within two months Moderate Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within four months Deploy the patch within six months Low Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within one year Deploy the patch within one year, or choose not to deploy at all

10 Improving the Patching Experience
Your need Microsoft’s response Reduce patch frequency Reduced frequency of non-emergency patch releases from once per week to once per month Reduce patching complexity Reduced number of patch installer technologies Reduce risk of patch deployment Improved patch quality and introduced patch rollback capability Reduce patch size Developed “delta patching” technology to reduce patch size Reduce downtime Reduced patch-related reboots Improve tool consistency Developing consistent tools Improve tool capabilities Developing more capable tools

11 Policies, Procedures, & Awareness
Physical Security Perimeter Internal Network Host Application Data OS hardening, authentication, patch management, HIDS Firewalls, Network Access Quarantine Control Guards, locks, tracking devices Network segments, IPSec, NIDS Application hardening, antivirus ACLs, encryption, EFS Security documents, user education Using a layered approach Increases an attacker’s risk of detection Reduces an attacker’s chance of success Defense in Depth Defense in Depth Using a layered approach Increases attacker’s risk of detection Reduces attacker’s chance of success Policies, Procedures, & Awareness Physical Security Perimeter Internal Network Host Application Data Policies, Procedures, & Awareness Physical Security Perimeter Internal Network Host Application Data ACLs, encryption, EFS Application hardening, antivirus OS hardening, authentication, patch management, HIDS Network segments, IPSec, NIDS Firewalls, Network Access Quarantine Control Guards, locks, tracking devices Security documents, user education

12 Patch Management Process
Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

13 Requirements for Successful Patch Management
Project management, four-phase patch management process Effective Processes Effective Operations Tools and Technologies Products, tools automation People who understand their roles and responsibilities

14 Patch Management Process
4 Deploy 3 Evaluate and Plan 1 Assess 2 Identify  Discover new updates  Determine whether updates are relevant to your environment  Obtain patch, confirm it is safe  Determine if patch is a normal change or an emergency 2. Identify 4 Deploy 3 Evaluate and Plan 1 Assess 2 Identify 3. Evaluate and Plan Determine whether the patch is actually required Plan the release of the patch Build the release Perform acceptance testing 4 Deploy 3 Evaluate and Plan 1 Assess 2 Identify 1. Assess 2. Identify 3. Evaluate and Plan  Prepare for deployment Deploy the patch to targeted computers Review the deployment 4. Deploy  Determine whether the patch is actually required Plan the release of the patch Build the release Perform acceptance testing  Inventory computing assets Assess threats and vulnerabilities Determine the best source for information about new patches Assess your software distribution infrastructure Assess operational effectiveness  Discover new updates  Determine whether updates are relevant to your environment  Obtain patch, confirm it is safe Determine if patch is a normal change or an emergency 4 Deploy 3 Evaluate and Plan 1 Assess 2 Identify  Prepare for deployment Deploy the patch to targeted computers Review the deployment 4. Deploy 1. Assess  Inventory computing assets  Assess threats and vulnerabilities  Determine the best source for information about new patches  Assess your software distribution infrastructure  Assess operational effectiveness 4 Deploy 3 Evaluate and Plan 1 Assess 2 Identify

15 Microsoft Patch Management Guidance
Guide: The Patch Management Process How To: Implement Patch Management How To: Use Microsoft Baseline Security Analyzer (MBSA) How To: Perform Patch Management Using SUS How To: Perform Patch Management Using SMS The guide and articles are available at PatchManagement.mspx

16 Patch Management Tools
Patch Management Overview Patch Management Process Patch Management Tools Future Roadmap

17 Key Microsoft Patch Management Toolsets
The web: Windows Update/Office Update Targeted at consumers Software Update Services Small-Medium businesses, departments in an Enterprise SMS Enterprise More than just patch management

18 Choosing a Patch Management Solution
Customer type Scenario Solution Consumer All scenarios Windows Update Small organization Has no Windows servers Has a few Windows 2000 or newer servers and few IT administrators MBSA and SUS Medium-sized or large enterprise Wants a patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows Wants a single flexible patch management solution with extended level of control to patch, update, and distribute all software SMS

19 Patch Management Solution for Consumers and Small Organizations
Patch management solution based on Protect Your PC: 1. Use an Internet firewall 2. Get computer updates Windows Update Office Update 3. Use up-to-date antivirus software Protect Your PC Web site:

20 How to Use Windows Update
To configure Automatic Updates: Open the System application in Control Panel 1 Select Keep my computer up to date 2 On the Automatic Updates tab, select the option you want 3

21 Office Update Benefits: Limitation:
Single location for office patches and updates Easy to use Can be configured to update consumer or enterprise systems Does not support Automatic Updates; updating must be initiated manually Office Update Web site:

22 How to Use Office Update
Go to 1 Click Check for Updates 2 Install the Office Update Installation Engine (if not already installed) 3 Select the updates you want to install 4 Click Start Installation 5

23 Patch Management Solution for Small and Medium-Sized Organizations
Size of organization Scenario Patch management solution Small Has one to three Windows 2000 or later servers and one IT administrator MBSA and SUS Medium or large Wants a patch management solution with basic level of control that updates Windows 2000, Windows XP, and Windows Server 2003 computers

24 MBSA Benefits Scans systems for: Missing security patches
Potential configuration issues Works with a broad range of Microsoft software Allows an administrator to centrally scan multiple computers simultaneously MBSA is a free tool, and can be downloaded from

25 MBSA Considerations MBSA reports important vulnerabilities:
Password weaknesses Guest account not disabled Auditing not configured Unnecessary services installed IIS vulnerabilities IE zone settings Automatic Updates configuration Internet Connection Firewall configuration

26 Windows Download Center
MBSA – How It Works Windows Download Center MSSecure.xml MBSA Computer

27 MBSA – Scan Options MBSA has three scan options:
MBSA graphical user interface (GUI) MBSA standard command-line interface (mbsacli.exe) HFNetChk scan (mbsacli.exe /hf) MBSA has three scan options:

28 How to Use MBSA 1 2 3 4 5 6 Download and install MBSA (once only)
Launch MBSA 2 Select the computer(s) to scan 3 Select relevant options 4 Click Start scan 5 View the Security Report 6

29 SUS Benefits Gives administrators basic control over patch management
Administrators can review, test, and approve updates before deployment Simplifies and automates key aspects of the patch management process Can be used with Group Policy, but Group Policy is not required to use SUS Easy to implement Free tool from Microsoft

30 SUS Considerations Can only update computers running Windows 2000, Windows XP, and Windows Server 2003 No method to target specific updates to specific computers Not push technology—client must pull updates from the SUS server No predefined reports

31 SUS – How It Works Windows Update Child SUS Server Client Computers
Firewall Child SUS Server Client Computers Parent SUS Server Client Computers

32 SUS – Sample Deployment Scenario
Windows Update Firewall Pilot SUS Server Pilot Client Computers Regional SUS Server Main Office SUS Server Regional Client Computers Main Office Client Computers

33 SUS – Client Component Can be configured to pull updates either from corporate SUS server or from Windows Update Three ways to configure Automatic Updates: Centrally, by using Group Policy Manually configure clients Use scripts to configure clients The client component of SUS is Automatic Updates

34 SUS – Server Component The server component of SUS is Software Update Services Can pull updates from Windows Update on a schedule Provides a Web-based administrative GUI Has several built-in default security features Provides XML-based logging to a Web server Supports geographically distributed or scale-out deployments Localized in English and Japanese

35 SUS – MBSA Integration MBSA is a stand-alone tool, but it is designed to work with SUS MBSA can be configured to scan for missing updates based on the approved updates on the SUS server instead of available updates on Windows Update You can use the GUI or command-line versions of MBSA to specify the SUS server MBSA will use to check for missing patches against

36 1 2 3 How to Use SUS On the SUS server: On each SUS client:
Configure the SUS server at name>/SUSAdmin 1 Set the SUS server synchronization schedule 2 Review, test, and approve updates 3 On each SUS client: Configure Automatic Updates on the client to use the SUS server Use Group Policy, manually configure each client, or use scripts

37 Patch Management Solution for Medium-Sized and Large Organizations
Capability SUS 1.0 SMS 2003 Supported Platforms for Content Windows Windows XP Windows Server 2003 Windows NT Windows 98 Windows 2000 Windows XP Windows Server 2003 Supported Content Types Security and security rollup patches, critical updates, and service packs for the above operating systems All patches, service packs, and updates for the above operating systems; supports patch, update, and application installations for Microsoft and other applications Patch Distribution Control Basic Advanced

38 SMS Benefits For a full software distribution patch management solution, use: Benefits of using SMS: SMS 2003 or SMS 2.0 with SUS Feature Pack Gives administrators comprehensive control over patch management Automates key aspects of patch management Can update a broad range of Microsoft products Can be used to update third-party software and install other software updates or applications

39 SMS – MBSA Integration MBSA integration included with SMS 2003 and the SUS Feature Pack for SMS 2.0 Scans SMS clients for missing security updates using mbsacli.exe /hf SMS directs client to run local MBSA scan 1 SMS server parses data to determine which computers need which security updates 3 Administrator pushes missing updates only to clients that require them 4 Client performs scan, returns data to SMS server 2

40 SMS Considerations Limitations of SMS:
Command-line syntax must be configured for unattended installation of each update Microsoft Office patches require extraction to edit a settings file for unattended installation International updates must be manually downloaded from a Web page

41 SMS – How It Works Microsoft Download Center SMS Distribution Point
Firewall SMS Distribution Point SMS Distribution Point SMS Clients SMS Site Server SMS Clients SMS Clients

42 How to Use SMS to Deploy Patches
Open the SMS Administrator Console 1 Right-click All Windows XP Computers, and then select All Tasks > Distribute Software Updates 3 Use the wizard to create a new package and program 4 Browse to the patch to be deployed 5 Configure options for how and when the patch will be deployed to clients 6 Expand the Site Database node 2

43 Best Practices for Patch Management
Implement a good patch management process Choose a patch management solution that meets your organization’s needs Subscribe to the Microsoft Security Notification Service Make use of Microsoft guidance and resources Keep your systems up to date

44 Future Roadmap Patch Management Overview Patch Management Process
Patch Management Tools Future Roadmap

45 Patch Management Tools Roadmap
Microsoft Update – will combine the functionality of Windows Update and Office Update Windows Update Services (SUS 2.0): Support for additional Microsoft products More administrative control and improved reporting Improved bandwidth efficiency Future Plans

46 Patch Management Roadmap
Longhorn Time frame Q4/2004 H1/2005 Update Content Repositories and Online Services Download Center Download Center Windows Update Windows Update Windows Update Office Update Microsoft Update Microsoft Update 3rd party apps update repository Standalone Update Scanning Tools Office Inventory Tool Office Inventory Tool In-house developed apps update repository MBSA (XPSP2 Support) MBSA 2.0 MBSA 1.1.1 MBSA 1.1.1 SMS 2.0 with Feature Pack SMS 2003/ WUS phase 1 integration SMS v4 3rd Party / In-house Tools WUS N.0 Windows Server Longhorn SMS 2003 SUS 1.0 WUS Server WUS Client Update Management Products Manual / Script Based Updating

47 Patch Management Tools
MBSA Version – needed for Windows XP SP2 MBSA 2.0 – delivery with WUS Windows Update Service (WUS) Replaces SUS Due by June 2005 Longer Time Frame (e.g. Longhorn) SUS integrated into Windows, full product support 3rd party integration

48 Session Summary Patch Management Overview Patch Management Process
Patch Management Tools Future Roadmap

49 For more information SUS MBSA
MBSA

50 Next Steps Find additional security training events:
Sign up for security communications: default.mspx Order the Security Guidance Kit: default.mspx Get additional security tools and content:

51 Questions and Answers

Download ppt "Implementing Security Patch Management"

Similar presentations

Patch Management Patch Management in a Windows based environment

Patch Management Patch Management in a Windows based environment
WSUS Presented by: Nada Abdullah Ahmed.

WSUS Presented by: Nada Abdullah Ahmed.
SAGE-AU Adelaide Windows Update Services Michael Kleef IT Pro Evangelist Microsoft Corporation Level 200.

SAGE-AU Adelaide Windows Update Services Michael Kleef IT Pro Evangelist Microsoft Corporation Level 200.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor

Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
1 Secure Your Business PATCH MANAGEMENT STRATEGY.

1 Secure Your Business PATCH MANAGEMENT STRATEGY.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft.

How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.
Patch Management Strategy

Patch Management Strategy
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Module 16: Software Maintenance Using Windows Server Update Services.

Module 16: Software Maintenance Using Windows Server Update Services.
16.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 16: Examining Software Update.

16.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 16: Examining Software Update.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google