1
Windows Update Services – Patch Management comes of Age
David Wallis, Senior Systems Consultant, Raven Computers Ltd
2
Agenda
What are patches and why do we need them?
Windows Update
Software Update Services (SUS)
Raven Update Service
Office Update and application patches
Microsoft Update and Windows Update Services (WUS) – the future
SMS vs WUS/SUS/RUS
Conclusion and Q&A
3
What are Patches?
Also known as Hotfixes
Modifications to the original program code, normally to fix a problem or vulnerability
Quick Fix Engineering – QFE
Not normally tested as thoroughly as normal software
– May introduce new problems
4
Worms and Vulnerabilities
Windows XP contains over 40 million lines of code – mistakes are inevitable
Bugs may be discovered and exploited
– Buffer overflows
Worms
– Programs written to automate the exploitation of the bug
– Like viruses, but may not require you to open them
– Can spread very quickly, causing havoc
– Blaster, Nimda, SoBig
Entire exploitation process is automated
– You do not need to be specifically targeted
5
Consequences of being exploited
Trojans / Spyware
– Programs sneaked onto your computer
– May allow complete control of the computer, using your password
  Therefore the whole network may be compromised by one PC
– Harvesting of passwords and account details
  As you log into online banking, the process is recorded and sent to the hacker
– Internet activity can be logged and used to target advertisements to you or direct you to other sites
6
Consequences of being exploited
Zombie/Drone PCs
– Your system may be used to attack other networks – DDoS
– Your computers may be used to store and distribute illegal material
– Your computer may be used to execute illegal or antisocial activities such as SPAM
– Bandwidth, storage and even processing power can be consumed and abused
7
Consequences of being exploited
Loss or destruction of data
– Files may be deleted, altered or corrupted
– Confidential data may be shipped outside your network
– Your systems may crash as a result, causing untold amounts of downtime
8
The World's 1st JPG virus
On September 14th Microsoft issued Security Bulletin MS04-028
– Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
A bug in many products allows a specially crafted JPG file to execute malicious code simply by viewing the picture
Many MS products affected, including Windows 2000/XP (prior to SP2), Office XP, Office 2003, IE6.1, and many others
Each product must be patched separately
JPG files are ignored by most AntiVirus software, as they were previously thought to be harmless
On 26/09/04 a trojan was found on Internet news groups (Usenet) which exploits this bug
A DIY virus kit to automate the exploitation is now known to be available on the Internet
9
Types of patch
Critical Security fixes
– Created in direct response to a newly discovered threat
– Must be applied quickly to protect against worms written to exploit the vulnerability
– Time to release is very short, so testing is “Rapid”
– Should almost always be applied if they are relevant to your setup
10
Types of patch
Non-Critical Updates
– Created to fix specific bugs or to enhance functionality
– Should only be applied if the particular problem affects your computer
– Can be more thoroughly tested before release
11
Types of patch
Service Packs
– Combination of several hotfixes and updates
– Thoroughly tested in a wide range of environments before release
– Form a new baseline for the product against which future software will be tested
– Should be applied when deemed stable
12
Windows Update
Built into Windows 98, Me, 2000 and XP
Visit web page to determine what patches should be applied
Tries to only propose relevant patches
Must be run manually from each computer
Requires user to have Admin privileges on local computer
Linked from start menu – www.windowsupdate.com
13
Automatic Update Agent
Introduced with Windows XP SP1 and Win2k SP4
Available as a download for Win2k SP3
Automates download of critical security patches
Can automatically apply and restart computer
Can wait for approval before applying
Each computer operates separately and fetches its own updates
14
Software Update Services – SUS
Your own Windows Update server
Runs on a server on your site
Integrates into IIS
Administrator approves and downloads patches
Client agent on PCs installs approved updates from SUS server
No admin rights needed on local PC
Can be managed through Group Policy
15
Microsoft Software Update Services (SUS)
16
SUS Client Agent
Built into Windows XP SP1 and Win2k SP4
Can be managed and deployed through Active Directory Group Policy
Machines can be told to install patches at specified times
Machines can be told to reboot at specified times if they are left on
Could use Wake on LAN to power compatible PCs on for updates during the night
17
SUS Requirements
Runs on Windows 2000 SP3 or later, or Windows 2003 Server running IIS
Client PCs must run Windows 2000 SP3 or later, or Windows XP
– Windows 9x not supported
Installs IISLockdown, so may interfere with some Intranets
Administrator must manually approve each update
Typical installation time around ½ day. May vary on some sites
18
SUS Capabilities
SUS can apply all Windows critical security updates and can now deploy service packs to Windows 2000 and Windows XP
Next version WUS (due H1 05) will allow security patches for Office, Exchange Server and SQL Server to be automatically deployed too (more shortly)
19
Raven Update Services
20
Subscription service – £50 per month
– Requires SUS server to be installed
Raven Engineers approve updates after testing on a representative sample of platforms
Local SUS server pulls only approved “Safe” updates from Raven Update Server
Requires no local administration
“Hands Free” update of client PCs
21
Office Patch Management
www.officeupdate.com
– Like Windows Update, but for Office
– Scans your local machine and proposes relevant updates
Binary Patches or Full File updates?
– Binary Patches are smaller but require access to original installation files (CD or Network Share)
– Full File Updates are much bigger downloads but can be applied without the original files
22
Administrative Deployment of Office Patches
Either distribute patches separately to clients or update the Administrative Install Point
Distribute separate patches to clients
– Requires Admin rights on local machine unless using SMS
– Patches can be shipped out in logon script, email or Intranet etc., or using SMS Server
– Common baseline remains original installation
Update Admin Install Point
– Clients must be instructed to reinstall affected features or whole product
– New installations are already patched
– Necessary if using “Run from Network”
– Clients all maintain a common baseline
– Once source is patched, clients may be unable to repair or install on demand until reinstalled, so may need to maintain an unpatched copy as well
– Can use “Elevated Privileges” for installation
23
Microsoft Update
Will combine and replace Windows Update and Office Update web sites
Initially will support patching of Windows, Office, Exchange Server and SQL Server
Over time will support all Microsoft Products
Long overdue – now expected H1 2005
Requires better cooperation within MS teams
– Currently there are at least 7 separate, incompatible installer programs in use for MS patches
– Will be reduced to 2 for MU
24
WUS – Windows Update Services
Next version of SUS (2.0)
Will support all products covered by Microsoft Update – Windows, Office, Exchange, SQL etc.
Late again, but expected H1 2005
Many enhanced technologies and new management features
RUS will be updated to incorporate WUS
Public Beta beginning soon
– RUS may be extended to include WUS Beta if stable
25
Customer Feature Requests
Top Features Requested (compared across SUS 1.0 SP1 and WUS)
Support for service packs
Install on SBS and domain controller
Support for Office and other MS products
Provide reporting (e.g. deployment status)
Update targeting
Improve support for low bandwidth networks
Allow subscriptions to only certain content
Set polling frequency for downloading new updates
Minimize need for end user interruption
Emergency patch deployment (‘big red button’) *
NT4 support
* Partially addressed through polling frequency control and scripts
26
Supported Products And Content
Updates for
– All Microsoft products over time
– At RTM:
  Windows 2000 SP3 and later versions of Windows
  Office XP SP2 and Office 2003
  SQL 2000 and MSDE 2000
  Exchange 2003
Platform support/requirements
– Windows 2000 SP3 (SP4 for Server) and later
– Windows XP RTM and later
– Windows Server 2003 RTM and above
– All localized versions (including MUI)
27
Solution Overview
Administrator subscribes to update categories
Server downloads updates from Microsoft Update
Clients register themselves with the server
Administrator puts clients in different target groups
Administrator approves updates
Agents install administrator-approved updates
(Diagram components: Microsoft Update, WUS Server, WUS Administrator, Desktop Clients – Target Group 1, Server Clients – Target Group 2)
28
Disconnected Servers
(Diagram components: Microsoft Update, WUS Server, Desktop Clients)
29
Update Management Features
Target Groups
– Allow Administrator to manage different groups of PCs differently
– OU based policy support for AD environments
– Server-side lists for non-AD environments
Administrator control of deployment
– Initiate scan of machines for patch applicability
– Approve for install and uninstall (requires update support)
– Date-based deadlines for approved updates
– Deploy different updates to target groups
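A small model of the WUS workflow from the Solution Overview and Update Management Features slides (subscription categories, target groups, per-group approvals for install or uninstall, date-based deadlines), written here as an added example and not Microsoft's code; the catch-all target group name "All Computers", the KB identifiers and the install_forced bookkeeping are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Update:
    kb: str              # constructed identifier, not a real KB number
    product: str         # e.g. "Windows XP", "Office 2003"
    classification: str  # e.g. "Critical", "Service Pack"

@dataclass
class WusServer:
    # Administrator subscribes the server to (product, classification) categories.
    subscriptions: Set[Tuple[str, str]]
    catalog: List[Update] = field(default_factory=list)
    groups: Dict[str, str] = field(default_factory=dict)  # client -> target group
    # (kb, target group) -> (action, deadline); action is "install" or "uninstall"
    approvals: Dict[Tuple[str, str], Tuple[str, Optional[datetime]]] = field(default_factory=dict)

    def synchronize(self, microsoft_update: List[Update]) -> List[Update]:
        """Pull only updates that match a subscription (minimised downloads)."""
        new = [u for u in microsoft_update
               if (u.product, u.classification) in self.subscriptions
               and u not in self.catalog]
        self.catalog.extend(new)
        return new

    def approve(self, kb: str, group: str, action: str = "install",
                deadline: Optional[datetime] = None) -> None:
        self.approvals[(kb, group)] = (action, deadline)

    def agent_poll(self, client: str, now: datetime) -> Dict[str, List[str]]:
        """Actions an agent in the client's target group should take now. A
        group approval overrides one for the assumed catch-all "All Computers"."""
        group = self.groups[client]
        todo: Dict[str, List[str]] = {"install": [], "install_forced": [], "uninstall": []}
        for u in self.catalog:
            appr = (self.approvals.get((u.kb, group))
                    or self.approvals.get((u.kb, "All Computers")))
            if appr is None:
                continue  # not approved for this group: the agent ignores it
            action, deadline = appr
            if action == "uninstall":
                todo["uninstall"].append(u.kb)
            elif deadline is not None and now >= deadline:
                todo["install_forced"].append(u.kb)  # date-based deadline passed
            else:
                todo["install"].append(u.kb)
        return todo
```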
30
Update Management Features
Agent Configurations
– Polling frequency
– Notification and install behaviors
– Reboot behaviors
– Port configurability
– Non-administrators can install updates (like administrators)
– Install at Shutdown (XP SP2 only)
31
Network Use Optimization Features
Resilient and transparent
– BITS* for client-server and server-server downloads
– Downloads are in the background
– Can throttle bandwidth usage
Minimized data downloads
– Update subscriptions (per product/classification)
– Support for “delta compression” technologies for client-server communications
– Option to only download approved updates
* Background Intelligent Transfer Service
32
Reporting Features
Standard consolidated reports (for client activity)
– Per machine / per update / per target group
– Download, install success and failures with error information
Content synchronization status reports
– What’s new, what changed – much easier for the Administrator
Event log integration
– Agent and server status events sent to local event log
33
Deployment/Management Flexibility
Server deployment options
– Updates hosted on Microsoft Update; RUS server acts as a control point
– Hierarchical deployment
  Independent servers (admin wishes not inherited)
  “Replica” servers (admin wishes inherited)
Manageability (and extensibility)
– .NET based Server APIs (for admin tasks)
– COM based Client APIs (with scripting and remoting support)
– Automatic deployment of updates
– Command line options to trigger update detection
Big Red Button!
34
SMS 2003 – Systems Management Server
Allows inventory and discovery of servers, PCs, print servers, palmtops etc. on the network
Allows targeted software distribution based on many criteria
– Applications, patches and even OSes
Remote control and management of all Windows computers
Will be updated shortly to incorporate WUS engine
35
Comparing WUS And SMS
Simple (WUS) versus Advanced (SMS)
– SMS not intended for small networks (<20 PCs)
Client support – SMS still supports Win9x/NT4
Update / Application deployment
Reporting features – SMS far more wide ranging
WUS: Want an update management-only solution that provides simple updating for Microsoft software
SMS: Single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution
36
Choosing A Patch Management Solution – Typical customer decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution | SMS 2003
Large or Medium Enterprise | Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 | WUS* / RUS
Small Business | Have at least 1 Windows server and 1 IT administrator | WUS* / RUS
Small Business | All other scenarios | RUS / Microsoft Update*
Consumer | All scenarios | RUS / Microsoft Update*
* Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by WUS or Microsoft Update
37
Consolidated Solutions Roadmap
(Roadmap diagram; only the labels survive.)
Time frames: Current, H1/2005, SMS 2003 FP time frame, Longhorn time frame
Update Content Repositories and Online Services: Windows Update, Office Update, Download Center, Microsoft Update, in-house developed apps update repository, 3rd party apps update repository
Update Management Products: Manual / Script Based Updating, SUS 1.0, SMS 2.0 with Feature Pack, SMS 2003, WUS, WUS Client, SMS 2003 with Feature Pack, WUS n.0, Windows Server Longhorn, System Center, 3rd Party / In-house Tools
Standalone Update Scanning Tools: Office Inventory Tool, MBSA 1.1.1, MBSA 1.2 (includes OIT), MBSA 2.0
38
Additional Information
Sign up to receive information about the Open Evaluation Program at http://www.microsoft.com/wus
Visit www.microsoft.com/sus for the latest information on SUS 1.0
Join the SUS news group
Microsoft’s prescriptive guidance for patch management
For information on SMS 2003 go to www.microsoft.com/smserver
Or just ask your Raven Representative
39
Conclusions
Patch management is essential in the current computing climate
– Otherwise you Will be hacked
SUS can automate deployment of Windows patches, but needs managing
– Contact your Raven representative to arrange installation NOW
RUS removes the burden of approving Windows patches, enabling SUS to run virtually hands free
– Sign up for RUS here, today!
Office and other products must be patched separately for now
– Raven Consultants are available to assist in deployment
WUS will improve manageability of SUS and extend it to include other products
RUS will support WUS when it is available
For larger enterprises, consider SMS
– Speak to your Raven representative to find out if SMS is for you
40
Any Questions?
David Wallis, Senior Systems Consultant, Raven Computers Ltd
davidw@raven-computers.co.uk