Patch Management drill down Steven Hope Lead Technical Security Specialist


1 Patch Management drill down Steven Hope Lead Technical Security Specialist steven@microsoft.com

2 Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
– FREE bi-weekly technical newsletter
– FREE regular technical events hosted across the UK
– FREE weekly UK & US led technical webcasts
– FREE comprehensive technical web site
– Monthly CD / DVD subscription with the latest technical tools & resources
– FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break.

3 This is true for you, right?
We live in a world of plenty…
– High bandwidth links everywhere
– Low cost & reliable connectivity
– Free extra bandwidth as and when we need it
We all have an efficient patch process…
– Testing is quick
– The process is clear and repeatable
– Deployment is easy
Who said “I WISH”??? But isn’t this what you really want and need?

4 Patch Management – The Rude Awakening
Humans write software, therefore software will ALWAYS have bugs!
Utopia = not having to deploy a patch, not that patches no longer exist.
Patching should be the LAST line of defence, not the first! And it should be avoided wherever possible.
Patching is NOT all about tools and scripts. Clever system / network designs can significantly reduce the requirement to patch, e.g.:
– Use IPSEC to reduce access to services
– Use Layer 7 firewalls like ISA Server 2004 to protect core assets
– Reduce the attack surface on machines
Monthly controlled releases and responsible disclosure are GOOD things!

5 Organization for Internet Safety
Mission: To develop and promote processes for effectively handling security vulnerabilities.
Members: industry-leading vendors, security research firms.
www.oisafety.org

6 Successful Patch Management Ingredients
– Tools & Technologies
– Consistent & repeatable Processes
– Skilled People

7 Patch Management Best Practices Process (http://www.microsoft.com/msm)
The four phases form a cycle: 1. Assess → 2. Identify → 3. Evaluate & Plan → 4. Deploy → back to 1. Assess.
1. Assess Environment to be Patched
   Periodic Tasks
   A. Create/maintain baseline of systems
   B. Assess patch management architecture (is it fit for purpose)
   C. Review infrastructure / configuration
   Ongoing Tasks
   A. Discover assets
   B. Inventory clients
2. Identify New Patches
   Tasks
   A. Identify new patches
   B. Determine patch relevance (includes threat assessment)
   C. Verify patch authenticity & integrity (no virus: install on isolated system)
3. Evaluate & Plan Patch Deployment
   Tasks
   A. Obtain approval to deploy patch
   B. Perform risk assessment
   C. Plan patch release process
   D. Complete patch acceptance testing
4. Deploy the Patch
   Tasks
   A. Distribute and install patch
   B. Report on progress
   C. Handle exceptions
   D. Review deployment

8 Updating: Roadmap (diagram)
Today: Windows Update (Windows only), Office Update, Download Center, SUS, SMS, AutoUpdate, VS Update.
Soon…: “Microsoft Update” (Windows, SQL, Exchange, Office…) and Windows Server Update Services (Windows, SQL, Exchange, Office…).

9 Security Update Management Today
Disparate sources, limited product support
Windows Update / Office Update
– Consumer focused web based solutions
Software Update Services (SUS) 1.0
– Intermediary between Windows Update and Automatic Updates (globally control updates)
Microsoft Baseline Security Analyzer (MBSA) 1.2.1
– Detects security updates for 16 products
– Detects configuration vulnerabilities for 7 products
Systems Management Server 2003
– SUS Feature Pack (Windows updates only)
– MBSA 1.2.1 for other security update detection
– Enterprise Update Scan Tool (EST)
  – Detects critical and important security updates that MBSA does not
  – Compatible with SMS

10 Security Update Management Tomorrow
Consistent results, extending product support
Microsoft Update (MU)
– “Hosted” version of Windows Server Update Services
– Consumer focused web based solution
Windows Server Update Services (WSUS)
– Infrastructure for all other updating products and tools
– Update management solution with targeting for the Microsoft platform
Microsoft Baseline Security Analyzer (MBSA) 2.0
– Security focused scanning without the need for a server
Systems Management Server 2003
– Inventory Tool for Microsoft Update
– Integrated MBSA 2.0 security configuration checks

11 Microsoft Baseline Security Analyser – Now and next

12 MBSA – Analysis and reporting tool
Scans for missing security updates and security configuration settings
Born of HFNetChk, now at 1.2.1
Requires an up to date reference file (mssecure.xml)
GUI and command line versions
“Read only” tool – the user context requires local admin rights on each target machine
Scans:
– Windows 2000, Windows XP, Windows Server 2003
– IIS, SQL Server, Internet Explorer, Office, Exchange Server, Windows Media Player
– Microsoft Data Access Components (MDAC), MSXML
– Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server

13 MBSA 1.2.1 / MBSA 2.0 Delta
MBSA 2.0 shares with MBSA 1.2.1:
– Security configuration and update scanning
– Command line scripting
– Simple, easy to use interface
– Integration with SMS and MOM
MBSA 2.0 introduces:
– WSUS scan parity
– WSUS compliance
– Expanding security update product support
– Security update install history
– CAN/CVE IDs when they become available
MBSA 2.0 RTW = End of Q2 2005

14 MBSA 2.0: How It Works*
Components in the diagram: MBSA computer (admin system), target systems, WSUS Server, Microsoft Update. All content is shared with MU.
1. Run MBSA on the admin system, specify targets
2. Downloads CAB file from MU & verifies digital signature
3. Scans target systems for OS, OS components & applications using WUA
4. Generates time stamped report of missing updates
*Only covers security patch scanning capabilities, not security configuration detection issues

15 Windows Server Update Services
WSUS – the software formerly known as SUS and WUS…

16 Windows Server Update Services
Successor to SUS (Software Update Services)
Automates centralized download, distribution and installation of updates
Gets its content from Microsoft Update (MU)
Free download
– Free to Windows Server (2000 and above) licensees
– Requires Windows Server / Core CAL for target systems
Does not change currently available offerings
– SUS 1.0 continues to get content from WU
Core component of Microsoft’s Update Management solutions & roadmap
WSUS RTW = Q2 2005

17 WSUS – Supported Products and Content
Critical updates for
– All Microsoft products over time
– At RTM:
  – Windows 2000 SP3 and later versions of Windows
  – Office XP SP2 and Office 2003
  – SQL 2000 and MSDE 2000
  – Exchange 2003
  – Critical drivers
Platform support / requirements for
– Windows 2000 SP3 (SP4 for WSUS Server) and later
– Windows XP RTM and later
– Windows Server 2003 RTM and above
– All localized versions (including MUI)

18 WSUS – Solution Overview
Components in the diagram: Microsoft Update, WSUS Server, WSUS Administrator, Desktop Clients (Target Group 1), Server Clients (Target Group 2).
1. Administrator subscribes to update categories
2. Server downloads updates from Microsoft Update
3. Clients register themselves with the server
4. Administrator puts clients in different target groups
5. Administrator approves updates
6. Agents install administrator approved updates

19 WSUS Scalability (diagram)
Microsoft Update → Parent WSUS Server → Replica Child WSUS Server / Autonomous Child WSUS Server → Desktop Clients

20 WSUS & disconnected Networks (diagram)
Components shown: Microsoft Update, WSUS Server, Desktop Clients

21 WSUS – Client Deployment & Configuration
Client Deployment
– Only required for Windows XP Gold (without SP)
– Windows XP SP2 and Windows Server 2003 SP1 include the WSUS client binaries
– All other WSUS supported operating systems include AU v2.2
  – Automatically self-updates to the WSUS client version
Client Configuration
– Active Directory = via GPO
– NT 4.0 = Wuau.adm in System Policy
– Registry keys via script

22 WSUS Features
Administrator control of deployment
– Initiate scan of machines for patch applicability
– Approve for install and uninstall (requires update support)
– Date-based deadlines for approved updates
– Deploy different updates to target groups
WSUS GUI based reports
– Per machine / per update / per target group
– Needed, Pending Reboot, Install success and failures with error information

23 WSUS Features (continued)…
Target Groups
– Client-side targeting using AD GPO
– Server-side targeting on WSUS server
Client Configurations
– Polling frequency
– Notification and install behaviors
– Reboot behaviors
– Port configurability
– Non-administrators can install updates (like administrators)
– Install at Shutdown (XP SP2 only)
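Slide 21 lists three ways to configure the client (GPO, Wuau.adm in System Policy, registry keys via script) and slide 23 lists the settings that configuration covers (polling frequency, notification and install behaviour, reboot behaviour, client-side target group, non-admin installs). The following is an added example, not part of the deck and not a Microsoft script, showing the "registry keys via script" route: it writes the same policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the GPO template sets, then reads them back. The WSUS server URL and target group name are placeholders; run it elevated on a client that is not receiving the settings from Group Policy, since a GPO would overwrite them at the next refresh.

```powershell
#Requires -RunAsAdministrator
# Added example: configure the Automatic Updates client for an intranet WSUS
# server by writing the policy registry values directly (the scripted route on
# slide 21). Server URL and target group are placeholders, not real values.
param(
    [string]$WsusServer  = 'http://wsus.example.internal:8530',  # placeholder
    [string]$TargetGroup = 'Pilot-Workstations',                 # placeholder
    [ValidateRange(2,5)]
    [int]$AUOptions = 4,             # 4 = auto download and schedule the install
    [ValidateRange(0,7)]
    [int]$ScheduledInstallDay = 0,   # 0 = every day
    [ValidateRange(0,23)]
    [int]$ScheduledInstallTime = 3,  # 03:00 local time
    [ValidateRange(1,22)]
    [int]$DetectionFrequencyHours = 4 # how often the agent polls the server
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Policy keys do not exist on a machine that has never received WU policy.
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Point the agent at the intranet server; the status (reporting) server is the same host.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusServer -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusServer -Type String

# Client-side targeting (slide 23): the client tells WSUS which target group it belongs to.
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $TargetGroup -Type String

# Allow non-administrators to install approved updates (slide 23).
Set-ItemProperty -Path $wuKey -Name ElevateNonAdmins -Value 1 -Type DWord

# Automatic Updates behaviour: use the intranet server, keep AU enabled,
# and set notification/install behaviour and schedule.
Set-ItemProperty -Path $auKey -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions            -Value $AUOptions -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value $ScheduledInstallDay -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value $ScheduledInstallTime -Type DWord

# Polling frequency: DetectionFrequency is only honoured when the Enabled flag is set.
Set-ItemProperty -Path $auKey -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name DetectionFrequency        -Value $DetectionFrequencyHours -Type DWord

# Reboot behaviour: never force a restart while a user is logged on.
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Read the effective policy back so the change can be verified (and audited).
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, TargetGroup, ElevateNonAdmins
Get-ItemProperty -Path $auKey | Select-Object UseWUServer, AUOptions, ScheduledInstallDay,
    ScheduledInstallTime, DetectionFrequency, NoAutoRebootWithLoggedOnUsers

# Make the agent re-register with the server now instead of waiting for the next poll.
wuauclt.exe /resetauthorization /detectnow
```

Reading the values back matters more than it looks: a typo in WUServer silently leaves the client talking to nothing, and the first sign is a machine that never appears in the WSUS console. Checking the client's registration in the console (it should show up in the named target group within one detection cycle) is the matching server-side verification.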

24 Network Use Optimization Features
Resilient and transparent
– BITS* for client-server and server-server downloads
– Downloads are in the background
Minimized data downloads
– Update subscriptions (per product / classification)
– Support for “delta compression” technologies for client-server communications
– Option to only download approved updates
*Background Intelligent Transfer Service

25 Customer Feature Requests
Top Features Requested (columns in the original table: SUS 1.0 SP1, WSUS)
– Support for service packs
– Install on SBS and domain controller
– Support for Office and other MS products
– Support additional update content types
– Update uninstall
– Update targeting
– Improve support for low bandwidth networks
– Reduce amount of data that needs to be downloaded
– Set polling frequency for downloading new updates
– Minimize need for end user interruption
– Emergency patch deployment (‘big red button’)*
– Deploy update for ISV and custom apps
– NT4 support
*Partially addressed through polling frequency control and scripts

26 Systems Management Server 2003 – Patching the Enterprise

27 Systems Management Server 2003
Premium Change and Configuration Management Offering
Scalable, global enterprise solution for client and server management
– Software Distribution
– OS Deployment
– Mobile Device Management
– Hardware Inventory
– Software Inventory
– Application Usage Tracking
– Remote Help Desk Functionality
Visit http://www.microsoft.com/sms for more information

28 SMS 2003 & Patch Management
Supports critical updates for Windows and Office
Vulnerability Assessment
– Leverages existing tools like MBSA
– Collects MBSA results for storage in a central repository
– Rich reporting provides detailed vulnerability analysis and enables mitigation planning
Status and Compliance Reporting
– Deployment status as patches are delivered using built-in reports and client status messaging
– Determine actual baselines in the environment before changing the environment
– Report on clients not compliant to baseline
– Automatically deploy updates to get compliant
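Slide 7 (step 1A, "create/maintain baseline of systems"), slide 22 (reports per machine, per update and per target group) and slide 28 ("report on clients not compliant to baseline") describe the same piece of logic: compare what a scan says is installed against what the baseline for that machine's target group requires. The script below is an added example written for this page, not SMS or MBSA code; it runs over a small constructed inventory embedded inline (update ids such as UPD-001 are made up, not real KB numbers) and produces both the per-machine view and the per-update view. In a real deployment the inventory rows would come from the SMS hardware inventory or MBSA output rather than a literal.

```powershell
# Added example: baseline compliance report over constructed scan data.
# Baseline: the updates every machine in a target group must have.
# Update ids are constructed placeholders, not real Microsoft update numbers.
$Baseline = @{
    'Desktops' = @('UPD-001', 'UPD-002', 'UPD-003')
    'Servers'  = @('UPD-001', 'UPD-004')
}

# Inventory: what the scan tool reported as installed on each machine (constructed).
$Inventory = @(
    [pscustomobject]@{ Computer = 'WKS01'; Group = 'Desktops'; Installed = @('UPD-001', 'UPD-002', 'UPD-003') }
    [pscustomobject]@{ Computer = 'WKS02'; Group = 'Desktops'; Installed = @('UPD-001') }
    [pscustomobject]@{ Computer = 'SRV01'; Group = 'Servers';  Installed = @('UPD-001', 'UPD-004') }
    [pscustomobject]@{ Computer = 'SRV02'; Group = 'Servers';  Installed = @('UPD-004') }
    [pscustomobject]@{ Computer = 'LAB01'; Group = 'Unknown';  Installed = @() }
)

function Get-ComplianceReport {
    param($Baseline, $Inventory)
    foreach ($c in $Inventory) {
        if (-not $Baseline.ContainsKey($c.Group)) {
            # A machine outside every known target group has no baseline at all.
            # That is a process failure (slide 7: discover assets, inventory clients),
            # so it is reported as non-compliant rather than silently skipped.
            [pscustomobject]@{ Computer = $c.Computer; Group = $c.Group; Missing = '(no baseline)'; Compliant = $false }
            continue
        }
        # Required-but-not-installed is the only comparison that matters here;
        # extra updates on a machine do not make it non-compliant.
        $missing = @($Baseline[$c.Group] | Where-Object { $_ -notin $c.Installed })
        [pscustomobject]@{
            Computer  = $c.Computer
            Group     = $c.Group
            Missing   = ($missing -join ',')
            Compliant = ($missing.Count -eq 0)
        }
    }
}

$report = Get-ComplianceReport -Baseline $Baseline -Inventory $Inventory

# Per-machine view: which clients are not compliant to their baseline (slide 28).
$report | Sort-Object Compliant, Group, Computer | Format-Table -AutoSize

# Per-update view: for each missing update, how many machines need it (slide 22).
# This is the list that drives "automatically deploy updates to get compliant".
$report |
    Where-Object { -not $_.Compliant -and $_.Missing -ne '(no baseline)' } |
    ForEach-Object {
        $row = $_
        $row.Missing -split ',' | ForEach-Object { [pscustomobject]@{ Update = $_; Computer = $row.Computer } }
    } |
    Group-Object Update |
    Select-Object @{ n = 'Update'; e = { $_.Name } }, Count,
                  @{ n = 'Computers'; e = { ($_.Group.Computer) -join ',' } } |
    Format-Table -AutoSize

# Per-target-group summary: compliant count out of total, for the status report.
$report | Group-Object Group |
    Select-Object @{ n = 'Group'; e = { $_.Name } },
                  @{ n = 'Compliant'; e = { @($_.Group | Where-Object Compliant).Count } },
                  Count |
    Format-Table -AutoSize
```

With the sample data, WKS02 shows UPD-002 and UPD-003 missing, SRV02 shows UPD-001 missing, LAB01 is flagged as having no baseline, and the per-update view shows UPD-001 needed by one machine and UPD-002/UPD-003 needed by one machine each. Treating the unknown-group machine as a finding rather than filtering it out is the point of "determine actual baselines before changing the environment": the machines you cannot classify are usually the ones that stay unpatched.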

29 SMS 2003 Patch Management: How It Works
Components in the diagram: Microsoft Download Center (beyond the firewall), SMS Site Server, SMS Distribution Points, SMS Clients.
1. Setup: download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: sync component checks for new updates, scans clients and deploys necessary updates

30 SMS 2003 – SP1
Ability to authorize critical updates immediately without waiting for inventory scans. Allows deployment of a critical update as soon as it is released.
Prior to SP1 you needed to wait for the scans to happen and the data to be returned to the SMS site server; only then would the update be available to deploy through the Distribute Software Updates wizard.

31 SMS Inventory Tool for Microsoft Updates
SMS Inventory Tool for Microsoft Updates (ITMU)
– Uses Windows Update Agent for scanning and installation of updates
  – WUA included with Windows XP SP2 & Windows Server 2003 SP1
  – Distributed as a stand-alone install by SMS for older operating systems
– Provides consistency with content provided on Microsoft Update
– Non-critical updates are not included in v1.0 of the scan tool
– Can be used side-by-side with legacy scan tools for additional product coverage
Expected Release Date = July 2005

32 Patch Management Client Experience

33 Background Intelligent Transfer Service – BITS
Downloads files using Hypertext Transfer Protocol (HTTP)
Checkpoint mechanism
– Allows for network connectivity interruptions
Automatic network throttling
– Only uses idle bandwidth
NEW! BITS v2.0
– Included in Windows XP SP2 & Windows Server 2003 SP1
– Downloadable for Windows 2000, XP and Server 2003

34 How does Microsoft manage patches? Patching by MSIT

35 How MS does it: Patch process flow
1. Corporate Security (CorpSecIT) monitors vulnerability information
2. CorpSecIT finds & analyzes vulnerability
3. Critical vulnerability?
   – No: wait for service pack
   – Yes: CorpSecIT determines enforcement schedule
4. Global Client Software (GCS) tests patch
5. GCS creates SMS package
6. GCS distributes package
7. GCS enforces patch
Timings shown on the flow chart: 14 days; 7 days (or immediate if critical)

36 How MS does it: The technology
Patch timeline chart, Weds 10:00 AM through Thurs 5:00 AM to Fri 2:00 PM, with 5:00 PM checkpoints; vulnerable client percentages shown on the chart: 30%, 12%, 6%, 5%, 3%.
Methods, ordered from low client impact to high client impact:
– Windows Update; Email & ITWeb notification (optional)
– SMS Patch Management (voluntary > forced)
– Internal scanning & scripts (forced)
– Port shutdowns

37 http://www.microsoft.com/uk/technet
