1 / 16

Security Patch Management

Security Patch Management. Brodie Desimone, CISSP Senior Technology Specialist BrodieD@microsoft.com Michael Nowacki, CISSP Senior Security Technology Specialist mnowacki@microsoft.com. Customer Feedback. Inadequate Communications, Guidance, and Training. Inconsistent Patching Experience.

kaspar
Télécharger la présentation

Security Patch Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Patch Management Brodie Desimone, CISSP Senior Technology Specialist BrodieD@microsoft.com Michael Nowacki, CISSP Senior Security Technology Specialist mnowacki@microsoft.com

  2. Customer Feedback InadequateCommunications,Guidance, andTraining InconsistentPatching Experience ReduceFrequency,Quantity ofPatches Multiple,Incomplete PatchManagementTools InconsistentPatchQuality

  3. Addressing The Situation • Security and patch management priority #1 – bar none– at Microsoft • Microsoft problem • Industry problem • Ongoing battle with malicious hackers • Need comprehensive, tactical and strategic approach to addressing the situation • Trustworthy Computing Initiative • Security framework and focus • Patch Management Initiative

  4. TWC Overview

  5. SD3 + Communications • Secure architecture • Security aware features • Reduce vulnerabilities in the code Secure by Design • Reduce attack surface area • Unused features off by default • Only require minimum privilege Secure by Default • Protect, detect, defend, recover, manage • Process: How to’s, architecture guides • People: Training Secure in Deployment • Clear security commitment • Full member of the security community • Microsoft Security Response Center Communications Microsoft’s Security Framework

  6. Accurate, effective, easily discoverable, and timely information • Process and best practice guidance; training • Consistent formats and mechanisms for discovery, applicability evaluation, un-installation, etc. of patches and updates • Consistently high quality • Consistently small patch sizes • Minimize reboots on patch installation • The right set of functionality • Easy to deploy, administer, use • Interoperability with third party solutions Patch Management InitiativeGoals Informed & Prepared Customers Consistent & Superior Update Experience Superior Patch Quality Best Patch & Update Management Solutions Cross divisional team with mission to resolve key patch management issues

  7. Improve the Patching ExperienceNew Patch Policies • Extending support to June 2004 • Windows 2000 SP2 • Windows NT SP6a • Non-emergency security patches on a monthly release schedule • Allows for planning a predictable monthly test and deployment cycle • Packaged as individual patches that can be deployed together • Achieves benefits of security rollup with increased flexibility Patches for emergency issues will still release immediately

  8. By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0) Reduce patch complexity Now: Increased internal testing; customer testing of patches before release By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches) May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003 By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback Reduce risk of patch deployment By late 2004: Substantially smaller patches for W2k generation and later OS & applications (Delta patching technology, next generation patching installers) Reduce patch size Now:Continued focus on reducing reboots By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting (“hot patching”) Reduce downtime Improved tools consistency By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection) Improved tools capabilities Improve the Patching ExperiencePatch Enhancements Your Need Our Response

  9. Solution Components

  10. Patch Management Guidance • Prescriptive guidance from Microsoft for effective patch management • Uses Microsoft Operations Framework (MOF) • Based on ITIL* (defacto standard for IT best practices) • Details requirements for effective patch management: • Technical & operational pre-requisites • Operational processes & how technology supports them • Daily, weekly, monthly & as-needed tasks to be performed • Testing options • Three patch management guidance offerings • Microsoft Guide to Security Patch Management** • Patch Management using Software Update Services*** • Patch Management using Systems Management Server*** *Information Technology Infrastructure Library **Emphasizes security patching & overall security management ***Comprehensive coverage of patch management using the specified technology

  11. Delivering Security Technologies • Windows XP SP2 • Improved network protection • Safer email and Web browsing • Enhanced memory protection • Beta by end of 2003, RTM based on customer feedback • Windows Server 2003 SP1 • Role-based security configuration • Inspected remote computers • Inspected internal environment • RTM H2 CY04

  12. Client Shielding Enhancements Security enhancements that protect computers, even without patches; Included in Win XP SP2 (H104) with more to follow • Network Protection: Improved ICF protection turned on by default • Safer email: Improved attachment blocking for Outlook Express and IM • Safer browsing: Better user controls to prevent malicious ActiveX controls and Spyware • Memory Protection: Improved compiler checks (/GS) to reduce stack overruns What it is Helps stop network-based attacks, file attachment viruses and buffer overruns What it does Key Features

  13. Protects enterprise assets from infected computers Enterprise Shielding EnhancementsEnterprise Quarantine Only clients that meet corporate security standards are allowed to connect; included in Win 2003 SP1 (H204) with more to follow • Enforces specific corporate security requirements such as patch level, AV signature state and firewall state • Ensure these standards are met when • VPN connections are made by remote clients • Wired or wireless connections are made by rogue and transient clients What it is What it does Key Features

  14. Today H1 04 H2 04 Future Extended support Monthly patch releases Baseline guidance Community Investments Windows XP SP2 Patching enhancements SMS 2003 SUS 2.0 Microsoft Update Broad training Windows Server 2003 SP1 Security technologies Next generation inspection NGSCB Windows hardening Continued OS-level security technologies

  15. Security Resources • New: IT Pro Security Zone • http://www.microsoft.com/technet/security/community • New: Security Guidance for the Enterprise • http://www.microsoft.com/technet/security/bestprac • Subscribe to MSRC notifications: • http://www.microsoft.com/securitynotification • Trustworthy Computing: • http://www.microsoft.com/mscorp/innovation/twc/ • Hot Fix & Security Bulletin Search: • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

  16. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

More Related