This deck by Graham Titmus describes patch management at the Computer Laboratory. Patches are distributed with Group Policy and a SUS server within the domain. Status is monitored with the SMS feature pack add-on for SMS 2.0, web aggregation of status, and MBSA scans of the domain. Machines are targeted via OU, and Group Policy is forced onto them with the override locked out so users can't turn it off. Updates are tested before approval: several test machines are forced to update daily via Microsoft Update Server, and servers are tested independently. The SMS monitoring and distribution capabilities are independent of one another and give a central point for all information, fine-grain targeting for distribution, and web-based reporting. MBSA is a useful backstop for machines that slip through the net, giving an instant report of current state in a crisis situation. Group Policy plus SUS is the basic mechanism but offers limited (no) reporting, with reporting tools added in the next version.
Patch management
Graham Titmus, Computer Laboratory

Patching and verifying
• Distribution of Patches
• Group Policy
• SUS server within domain
• Monitoring systems
• SMS feature pack add-on for SMS 2.0
• Web aggregation of status
• MBSA
• Scans of domain

Group Policy
• Targeting of machines via OU
• Computers (CL SUS)
• Group policy applied here
• Computers
• Test machines with no group policy
• Group Policy forced onto machine
• Lock out override so users can't turn it off
• Place exceptions on another VLAN

SUS distribution
• Local SUS server
• Collects updates via CS SUS server
• Approval of updates controlled within domain
• Test updates
• Several machines forced to update via Microsoft Update Server daily
• Servers tested independently
• Approve updates after testing

SMS for patches
• Capabilities include
• Monitoring and Distribution
• Are independent of one another
• Monitoring uses same scan engine as MBSA
• Benefits
• Central point for all information
• Fine grain targeting for distribution
• Web based reporting

MBSA
• Useful backstop
• Machines may slip through the net
• Scan address range – finds stealth systems
• Instant report of current state
• Important tool for crisis situation
• Useful to scan VPN connected hosts
• Poor discrimination on causes
• High level of noise in a diverse world

Why so many tools?
• Basic mechanism is Group Policy + SUS
• That offers limited (no) reporting
• Reporting host tools added in next version
• Management in addition
• SMS provides good information collection
• Can be used to distribute
• Summary of status needed to plan work
• Point inspection
• For visitor laptops etc.