
Patch Management drill down


Presentation Transcript


  1. Patch Management drill down Steven Hope Lead Technical Security Specialist steven@microsoft.com

  2. Welcome to this TechNet Event • FREE bi-weekly technical newsletter • FREE regular technical events hosted across the UK • FREE weekly UK & US led technical webcasts • FREE comprehensive technical web site • Monthly CD / DVD subscription with the latest technical tools & resources • FREE quarterly technical magazine We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK: To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break

  3. Who said “I WISH”??? But isn’t this what you really want and need? This is true for you, right? • We live in a world of plenty… • High bandwidth links everywhere • Low cost & reliable connectivity • Free extra bandwidth as and when we need it • We all have an efficient patch process… • Testing is quick • The process is clear and repeatable • Deployment is easy

  4. Patch Management – The Rude Awakening • Humans write software, therefore software will ALWAYS have bugs! • Utopia = not having to deploy a patch, not that patches no longer exist. • Patching should be the LAST line of defence, not the first! It should be avoided wherever possible. • Patching is NOT all about tools and scripts. • Clever system / network designs can significantly reduce the requirement to patch, e.g.: • Use IPsec to reduce access to services • Use Layer 7 firewalls like ISA Server 2004 to protect core assets • Reduce the attack surface on machines • Monthly controlled releases and responsible disclosure are GOOD things!

  5. Organization for Internet Safety • Mission: To develop and promote processes for effectively handling security vulnerabilities. • Industry-leading vendors, security research firms www.oisafety.org

  6. Successful Patch Management Ingredients Skilled People Tools & Technologies Consistent & repeatable Processes

  7. Patch Management Best Practices Process (http://www.microsoft.com/msm)
  1. Assess Environment to be Patched
  • Periodic tasks: A. Create/maintain baseline of systems; B. Assess patch management architecture (is it fit for purpose?); C. Review infrastructure/configuration
  • Ongoing tasks: A. Discover assets; B. Inventory clients
  2. Identify New Patches
  • Tasks: A. Identify new patches; B. Determine patch relevance (includes threat assessment); C. Verify patch authenticity & integrity (no virus: install on an isolated system)
  3. Evaluate & Plan Patch Deployment
  • Tasks: A. Obtain approval to deploy patch; B. Perform risk assessment; C. Plan patch release process; D. Complete patch acceptance testing
  4. Deploy the Patch
  • Tasks: A. Distribute and install patch; B. Report on progress; C. Handle exceptions; D. Review deployment
  The four phases form a cycle on the slide: Assess → Identify → Evaluate & Plan → Deploy → Assess.

  8. Updating: Roadmap
  Today:
  • Windows Update (Windows only), Download Center, Office Update, VS Update
  • AutoUpdate
  • SUS (Windows only)
  • SMS (Windows, SQL, Exchange, Office…)
  Soon…:
  • “Microsoft Update” (succeeds Windows Update; Windows, SQL, Exchange, Office…)
  • Windows Server Update Services (Windows, SQL, Exchange, Office…)

  9. Security Update Management Today Disparate sources, limited product support • Windows Update/Office Update • Consumer focused web based solutions • Software Update Services (SUS) 1.0 • Intermediary between Windows Update and Automatic Updates (globally control updates) • Microsoft Baseline Security Analyzer (MBSA) 1.2.1 • Detects security updates for 16 products • Detects configuration vulnerabilities for 7 products • Systems Management Server 2003 • SUS Feature Pack (Windows Updates only) • MBSA 1.2.1 for other security update detection • Enterprise Update Scan Tool (EST) • Detects critical and important security updates that MBSA does not • Compatible with SMS

  10. Security Update Management Tomorrow Consistent results, extending product support • Microsoft Update (MU) • “Hosted” version of Windows Server Update Services • Consumer focused web based solution • Windows Server Update Services (WSUS) • Infrastructure for all other updating products and tools • Update management solution with targeting for Microsoft platform • Microsoft Baseline Security Analyzer (MBSA) 2.0 • Security focused scanning without the need for a server • Systems Management Server 2003 • Inventory Tool for Microsoft Update • Integrated MBSA 2.0 security configuration checks

  11. Microsoft Baseline Security Analyser Now and next

  12. MBSA – Analysis and reporting tool • Scans for missing security updates and security configuration settings • Born of HFNetChk, now at 1.2.1 • Requires an up-to-date reference file (mssecure.xml) • GUI and command line versions • “Read only” tool - the user context requires local admin rights on each target machine • Scans: • Windows 2000, Windows XP, Windows Server 2003 • IIS, SQL Server, Internet Explorer, Office, Exchange Server, Windows Media Player • Microsoft Data Access Components (MDAC), MSXML • Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server

  13. MBSA 1.2.1 / MBSA 2.0 Delta • MBSA 2.0 shares with MBSA 1.2.1 • Security configuration and update scanning • Command Line scripting • Simple, easy to use interface • Integration with SMS and MOM • MBSA 2.0 introduces: • WSUS scan parity • WSUS compliance • Expanding security update product support • Security update install history • CAN/CVE ID when they become available • MBSA 2.0 RTW = End of Q2 2005

  14. MBSA 2.0 : How It Works* – all content is shared with Microsoft Update (MU)
  1. Run MBSA on an admin system and specify the target systems
  2. MBSA downloads the CAB file from MU and verifies its digital signature
  3. MBSA scans the target systems for OS, OS components and applications using the Windows Update Agent (WUA)
  4. MBSA generates a time-stamped report of missing updates
  (Components on the slide: Microsoft Update, MBSA computer, target systems, WSUS server)
  *Only covers security patch scanning capabilities, not security configuration detection issues
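The scan-and-report flow above, together with the “verify patch authenticity & integrity” step (2C) of the process on slide 7, as an added PowerShell example that is not from the slides and is not MBSA’s own code: it refuses to use an update catalog CAB whose Authenticode signature does not verify as Microsoft’s, registers the CAB with the Windows Update Agent (the same agent MBSA 2.0 and the SMS Inventory Tool for Microsoft Updates scan with), searches the local machine for applicable updates that are not installed, and writes a time-stamped report. The CAB file name, the paths and the report layout are assumptions; the slide only says “CAB file from MU”.

```powershell
# Added example (not from the slides): verify a Microsoft Update scan catalog CAB,
# then use the Windows Update Agent (WUA) COM API to report missing updates.
# Assumptions: the catalog has already been downloaded to $CabPath (file name is an
# assumption), and the script runs with local administrator rights on the target.
param(
    [string]$CabPath    = "C:\Scans\wsusscn2.cab",
    [string]$ReportPath = "C:\Scans\$($env:COMPUTERNAME)-missing-updates.csv"
)

# 1. Authenticity & integrity: never scan with an unsigned or tampered catalog.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to use $CabPath : signature status is $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to use $CabPath : signed by $($sig.SignerCertificate.Subject)"
}

# 2. Register the verified CAB as an offline scan source for WUA.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$offline = $serviceManager.AddScanPackageService("Offline Sync Service", $CabPath)

# 3. Search the local machine for updates that apply but are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3            # ssOthers: use the service registered above
$searcher.ServiceID = $offline.ServiceID
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

# 4. Time-stamped report of what is missing, worst MSRC severity first.
$scanned = (Get-Date).ToString('s')
$report  = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Scanned      = $scanned
        Computer     = $env:COMPUTERNAME
        KB           = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
        Bulletin     = @($u.SecurityBulletinIDs) -join ';'
        MsrcSeverity = $u.MsrcSeverity        # Critical / Important / Moderate / Low, or empty
        Title        = $u.Title
    }
}
$order = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }
@($report) |
    Sort-Object { $s = [string]$_.MsrcSeverity; if ($order.ContainsKey($s)) { $order[$s] } else { 4 } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

"$(@($report).Count) missing update(s) written to $ReportPath"
```

An offline scan can only report what the catalog contains, so a stale CAB silently under-reports; that is why the download-and-verify step sits in front of every scan rather than being done once. Leaving ServerSelection at its default instead makes the same searcher ask whichever server the client is configured for (Windows Update, Microsoft Update or a WSUS server), which is how the online scans on the following slides work.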

  15. Windows Server Update Services WSUS - The software formerly known as SUS and WUS…

  16. Windows Server Update Services • Successor to SUS (Software Update Services) • Automates centralized download, distribution and installation of updates • Gets its content from Microsoft Update (MU) • Free download • Free to Windows Server (2000 and above) licensees • Requires Windows Server / Core CAL for target systems • Does not change currently available offerings • SUS 1.0 continues to get content from WU • Core component of Microsoft’s Update Management solutions & roadmap • WSUS RTW = Q2 2005

  17. WSUS - Supported Products And Content • Critical Updates for • All Microsoft products over time • At RTM • Windows 2000 SP3 and later versions of Windows • Office XP SP2 and Office 2003 • SQL 2000 and MSDE 2000 • Exchange 2003 • Critical drivers • Platform support/requirements for • Windows 2000 SP3 (SP4 for WSUS Server) and later • Windows XP RTM and later • Windows Server 2003 RTM and above • All localized versions (including MUI)

  18. WSUS - Solution Overview (Microsoft Update → WSUS Server → target groups; on the slide Desktop Clients are Target Group 1 and Server Clients are Target Group 2)
  • Administrator subscribes to update categories
  • Server downloads updates from Microsoft Update
  • Clients register themselves with the server
  • Administrator puts clients in different target groups
  • Administrator approves updates
  • Agents install administrator-approved updates

  19. WSUS Scalability: Microsoft Update → Parent WSUS Server → child WSUS servers, each serving its own Desktop Clients. A child can be a Replica Child WSUS Server (takes its approvals and target groups from the parent) or an Autonomous Child WSUS Server (administered on its own).

  20. WSUS & disconnected networks: Microsoft Update → WSUS Server (on the connected network) → WSUS Server (on the disconnected network, fed from the connected server rather than from Microsoft Update) → Desktop Clients

  21. WSUS – Client Deployment & Configuration • Client Deployment • Only required for Windows XP Gold (without SP) • Windows XP SP2 and Windows Server 2003 SP1 include the WSUS client binaries • All other WSUS supported OS’s include AUv2.2 • Automatically self-updates to WSUS client version • Client Configuration • Active Directory = via GPO • NT4.0 = Wuau.adm in System Policy • Registry keys via script

  22. WSUS Features • Administrator control of deployment • Initiate scan of machines for patch applicability • Approve for install and uninstall (requires update support) • Date-based deadlines for approved updates • Deploy different updates to target groups • WSUS GUI based reports • Per machine/per update/per target group • Needed, Pending Reboot, Install success and failures with error information

  23. WSUS Features (continued)… • Target Groups • Client-side targeting using AD GPO • Server-side targeting on WSUS server • Client Configurations • Polling frequency • Notification and Install behaviors • Reboot behaviors • Port configurability • Non-administrators can install updates (like administrators) • Install at Shutdown (XP SP2 only)
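The client configuration items on slides 21 and 23 (server selection, client-side target group, polling frequency, notification/install and reboot behaviour, non-administrator installs), as an added PowerShell example that is not from the slides: it writes the same Automatic Updates policy values that Wuau.adm or a WSUS GPO sets, for a machine that cannot receive the GPO (workgroup, NT4-style scripted deployment, lab). The WSUS URL, port and target group name are placeholder assumptions.

```powershell
# Added example (not from the slides): point an Automatic Updates client at a WSUS
# server and set the client behaviours listed on slide 23 by writing the policy
# registry values. Assumptions: server URL/port and group name are placeholders;
# run elevated; a domain GPO that sets the same policies overwrites these values
# on the next policy refresh, so use this only where no GPO applies.
param(
    [string]$WsusUrl     = "http://wsus01.corp.example:8530",
    [string]$TargetGroup = "Desktops-Pilot"
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Server selection and status reporting (both to the same WSUS server here).
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord

# Client-side targeting: the client tells WSUS which target group it belongs to.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String

# Notification and install behaviour: 4 = auto download and schedule the install
# (3 = auto download, notify for install; 2 = notify before download).
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local

# Polling frequency: detect every 4 hours instead of the default 22 (+ random offset).
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 4 -Type DWord

# Reboot behaviour: never restart while a user is logged on.
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Non-administrators may act on the update notifications they receive.
Set-ItemProperty -Path $wu -Name ElevateNonAdmins -Value 1 -Type DWord

# Drop any cached approval state and start a detection cycle, then read back
# what the client will actually report to the server.
wuauclt.exe /resetauthorization /detectnow
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup
```

The WUServer and WUStatusServer values are where the port configurability on slide 23 shows up: the client only talks to the host and port named here, so a firewall between clients and the WSUS server needs exactly that port open and nothing else.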

  24. Network Use Optimization Features • Resilient and transparent • BITS* for client-server and server-server downloads • Downloads are in the background • Minimized data downloads • Update subscriptions (per product/classification) • Support for “delta compression” technologies for client-server communications • Option to only download approved updates *Background Intelligent Transfer Service

  25. Customer Feature Requests *Partially addressed through polling frequency control and scripts

  26. Systems Management Server 2003 Patching the Enterprise

  27. Systems Management Server 2003 • Premium Change and Configuration Management Offering • Scalable, global enterprise solution for client and server management • Software Distribution • OS Deployment • Mobile Device Management • Hardware Inventory • Software Inventory • Application Usage Tracking • Remote Help Desk Functionality • Visit http://www.microsoft.com/sms for more information

  28. SMS 2003 & Patch Management • Supports critical updates for Windows and Office • Vulnerability Assessment • Leverages existing tools like MBSA • Collects MBSA results for storage in a central repository • Rich reporting provides detailed vulnerability analysis and enables mitigation planning • Status and Compliance Reporting • Deployment status as patches are delivered using built-in reports and client status messaging • Determine actual baselines in the environment before changing the environment • Report on clients not compliant to baseline • Automatically deploy updates to get compliant

  29. SMS 2003 Patch Management: How It Works (components on the slide: Microsoft Download Center, firewall, SMS Site Server, SMS Distribution Points, SMS Clients)
  1. Setup: download the Security Update Inventory Tool and the Office Inventory Tool from the Microsoft Download Center; run the inventory tool installer
  2. Scan components replicate to SMS clients
  3. Clients are scanned; scan results are merged into SMS hardware inventory data
  4. Administrator uses the Distribute Software Updates Wizard to authorize updates
  5. Update files are downloaded; packages, programs & advertisements are created/updated; packages are replicated to the SMS Distribution Points & programs advertised to SMS clients
  6. The Software Update Installation Agent on the clients deploys the updates
  7. Periodically: the sync component checks for new updates, scans the clients, and deploys the necessary updates

  30. SMS 2003 - SP1 • Ability to authorize critical updates immediately without waiting for inventory scans, so a critical update can be deployed as soon as it is released. • Prior to SP1 you had to wait for the scans to run and the data to be returned to the SMS site server before the update became available to deploy through the Distribute Software Updates wizard.

  31. SMS Inventory Tool for Microsoft Updates • SMS Inventory Tool for Microsoft Updates (ITMU) • Uses Windows Update Agent for scanning and installation of updates • WUA included with Windows XP SP2 & Windows Server 2003 SP1 • Distributed as a stand-alone install by SMS for older operating systems • Provides consistency with content provided on Microsoft Update • Non-critical updates are not included in v1.0 of the scan tool • Can be used side-by-side with legacy scan tools for additional product coverage • Expected Release Date = July 2005

  32. Patch Management Client Experience

  33. Background Intelligent Transfer Service - BITS • Downloads file using Hypertext Transfer Protocol (HTTP) • Checkpoint mechanism • Allows for network connectivity interruptions • Automatic network throttling • Only uses idle bandwidth • NEW! BITS v2.0 • Included in Windows XP SP2 & Windows Server 2003 SP1 • Downloadable for Windows 2000, XP and Server 2003
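The download behaviour described above (background priority that only takes idle bandwidth, a checkpoint that survives a dropped link, the file handed over only when the transfer is complete), as an added PowerShell example that is not from the slides and uses the BITS cmdlets of later Windows versions rather than the 2005-era bitsadmin tool. The source URL and destination path are placeholder assumptions.

```powershell
# Added example (not from the slides): fetch an update package through BITS at
# background priority, survive connectivity interruptions, and commit the file
# only once the transfer has finished. Assumptions: the URL and destination
# are placeholders; BITS keeps the job checkpoint itself, so a dropped link
# or a reboot resumes from where the transfer stopped.
param(
    [string]$Source      = "http://wsus01.corp.example:8530/Content/ExampleUpdate.exe",
    [string]$Destination = "C:\Updates\ExampleUpdate.exe"
)
Import-Module BitsTransfer
New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null

# Low priority = background transfer that yields to foreground network use;
# Foreground would compete with whatever the user is doing.
$job = Start-BitsTransfer -Source $Source -Destination $Destination `
    -Asynchronous -Priority Low -DisplayName "Patch download example"

# Poll the job instead of blocking on it: BITS keeps running if this shell exits.
do {
    Start-Sleep -Seconds 5
    $job = Get-BitsTransfer -JobId $job.JobId
    switch ($job.JobState) {
        'Suspended'      { Resume-BitsTransfer -BitsJob $job -Asynchronous | Out-Null }
        'TransientError' { Write-Verbose "Link down; BITS retries from its checkpoint" }
        'Error'          {
            $msg = $job.ErrorDescription
            Remove-BitsTransfer -BitsJob $job
            throw "BITS job failed: $msg"
        }
        default          {
            Write-Verbose ("{0}: {1}/{2} bytes" -f $job.JobState, $job.BytesTransferred, $job.BytesTotal)
        }
    }
} until ($job.JobState -eq 'Transferred')

# Only now does the file appear at $Destination; until this call BITS holds it
# as a temporary file, so a half-finished download is never mistaken for a package.
Complete-BitsTransfer -BitsJob $job
Get-Item $Destination | Select-Object Name, Length, LastWriteTime
```

The state machine is the point: Transferring and TransientError are both normal during a patch roll-out over flaky links, and only Error needs operator attention. What arrives at the destination still has to be checked against the publisher’s signature before it is installed; BITS guarantees delivery, not authenticity.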

  34. How does Microsoft manage patches? Patching by MSIT

  35. How MS does it: Patch process flow
  • Corporate Security (CorpSecIT) monitors vulnerability information
  • CorpSecIT finds & analyzes the vulnerability
  • CorpSecIT determines the enforcement schedule
  • Critical vulnerability? No: wait for the service pack. Yes: Global Client Software (GCS) tests the patch → GCS creates the SMS package → GCS distributes the package → GCS enforces the patch
  • Timings on the slide: 14 days; 7 days (or immediate if critical)

  36. How MS does it: The technology
  Methods (the slide plots them on a client-impact axis, escalating from low to high client impact):
  • Windows Update; Email & ITWeb notification (optional)
  • SMS patch management (voluntary > forced)
  • Internal scanning & scripts (forced)
  • Port shutdowns
  Patch timeline (axis labels as they appear on the slide): Thurs 5:00 AM, Fri 2:00 PM, 5:00 PM, Weds 10:00 AM, 5:00 PM, 5:00 PM, 5:00 PM
  Vulnerable clients over that timeline: 30% → 12% → 6% → 5% → 3%

  37. http://www.microsoft.com/uk/technet
