Learn how to stay updated on security patches, assess their validity, deploy them, and utilize Microsoft tools for effective patch management. Discover the process of patch notification, assessment, deployment, and validation. Key tools include HFNetChk for identifying machines needing patches and Corporate Windows Update for centralized patch distribution. Explore Microsoft's efforts in simplifying patch assessment and deployment, including SMS, Group Policy, and Custom Windows Update Servers. Stay informed about Microsoft's initiatives, such as Trustworthy Computing, Rollup Packages, and No-Reboot patches.
How To Keep Up With Security Patches
Eric Schultze, Security Strategies, Microsoft

Questions
• How do I know if I’m up to date on patches?
• How do I know when a new patch is released?
• How do I know that the patch is valid on my system?
• How can I deploy patches to all my machines?
• What is Microsoft doing to make it easier to assess and deploy patches?

Patch Process
• New Patch Notification
• Host and Network Assessment
• Deployment
• Validation

Notification
• How do I know when new security patches are available?
  • Security Bulletin Notification Service
  • www.microsoft.com/technet/security
  • Windows Update
  • Client Update Notification Applet
  • HFNetChk

How can I tell which machines need patches?
• HFNetChk
  • Can be run against Windows NT 4, Windows 2000, Windows XP
  • Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and 2000
  • See KB article Q303215 for more info and download location

How Does HFNetChk Work?
• Downloads signed CAB file (containing XML data) from microsoft.com
  • May also use a local copy of the XML file from a file or http share
• Tool Version Check
• Language \ OS \ SP \ Application check
• Identifies all relevant security patches for OS \ SP \ App

How Does HFNetChk Work?
For each applicable hotfix:
• Compare registry key from XML file to registry key on the system
• If reg key does NOT exist, the patch is determined to be NOT installed
• Reg key check can be bypassed with the –z switch

How Does HFNetChk Work?
• If registry key DOES exist*, compare file version information from XML file to files on system
• If registry key DOES exist*, compare file checksum information from XML file to files on system
* Or if registry checks were bypassed

How Does HFNetChk Work?
• If either the file version and/or the checksum does NOT match for any file, the patch is considered NOT installed
  • (a Warning is given if the file version is greater than expected)
• In every instance file versions and checksums are evaluated!
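The decision order on these three slides, as an added example (my own code, not HFNetChk's): a small Python evaluator that applies the registry-key check, the -z bypass, and the per-file version and checksum comparison to constructed data. The hotfix name, registry key, file paths, versions and checksums are made up, and treating a file that is absent from the host as a mismatch is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileSpec:
    path: str        # file location as the XML gives it (system-variable form)
    version: tuple   # expected file version, e.g. (5, 0, 2195, 4000)
    checksum: str    # expected checksum from the XML

@dataclass(frozen=True)
class Hotfix:
    name: str
    reg_key: str     # registry key the hotfix installer writes
    files: tuple     # FileSpec entries covered by the hotfix

# Constructed sample data standing in for the signed XML and for the host being scanned.
# Name, key, paths, versions and checksums are made up for this example.
Q_EXAMPLE = Hotfix(
    name="Q000000 (constructed)",
    reg_key=r"HKLM\SOFTWARE\Constructed\Hotfixes\Q000000",
    files=(
        FileSpec(r"%windir%\system32\example.dll", (5, 0, 2195, 4000), "aa11"),
        FileSpec(r"%windir%\system32\example.sys", (5, 0, 2195, 4000), "bb22"),
    ),
)
HOST_REG_KEYS = {r"HKLM\SOFTWARE\Constructed\Hotfixes\Q000000"}
HOST_FILES = {  # path -> (version on disk, checksum on disk)
    r"%windir%\system32\example.dll": ((5, 0, 2195, 4000), "aa11"),
    r"%windir%\system32\example.sys": ((5, 0, 2195, 4200), "cc33"),  # newer than expected
}

def evaluate(hotfix, reg_keys, host_files, bypass_reg_check=False):
    """Return (status, findings) in the order the slides describe.
    Missing registry key (and no -z bypass) -> NOT installed, nothing else checked.
    Otherwise every file's version AND checksum are compared; any mismatch marks the
    patch NOT installed, and a newer-than-expected version also adds a WARNING."""
    findings = []
    if not bypass_reg_check and hotfix.reg_key not in reg_keys:
        return "NOT installed", ["registry key missing"]
    for spec in hotfix.files:
        version, checksum = host_files.get(spec.path, ((0,), ""))  # assumption: absent file = mismatch
        if version != spec.version:
            findings.append(f"{spec.path}: version {version} != expected {spec.version}")
            if version > spec.version:
                findings.append(f"WARNING {spec.path}: file version is greater than expected")
        if checksum != spec.checksum:
            findings.append(f"{spec.path}: checksum {checksum} != expected {spec.checksum}")
    return ("NOT installed" if findings else "installed"), findings
```

Calling evaluate(Q_EXAMPLE, HOST_REG_KEYS, HOST_FILES) reports the patch NOT installed with three findings, one of them the version warning on example.sys.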
New MSSecure Schema
• Patch details for all languages
• Download URL for each patch for each language
• Hotfix installer engine and related switches
• MD5 and SHA1 file hashes
• Specific file location (relative and/or system variable)
• 56 bit vs 128 bit crypto, multi-proc vs. single-proc, 32 bit vs 64 bit architecture
• Severity data
• CVE data
• Reboot actions

Deployment
• How do I push patches to the machines that need them?
  • SMS
  • Third party tools
  • Active Directory / Group Policy

Group Policy and MSI
• Create MSI package for hotfix
  • Future MS hotfixes may include MSI packages
  • Use third party MSI creator
    • InstallShield, SMS, etc.
• Create Group Policy with Computer Settings for Software Installation

Corporate Windows Update
• Allows corporations to host their own Windows Update Server
• CorpWU Server downloads catalogs and patches from Microsoft
• Administrator chooses which ones to make available on corpnet
• New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server

Corporate Windows Update
• Clients can also be configured via Group Policy to auto-download and apply the patches within a given period of time, should the system owner not do it on their own.

What else is Microsoft doing?
• Focus on Trustworthy Computing email from BillG
• Rollup Packages
  • Cumulative
  • Every two months for latest Service Pack
  • May be released as MSI
• Increase in No-Reboot patches
• Additional Tools like HFNetChk

Contact Info
• ericschu@microsoft.com