Chapter 27: Patch Management BAI617
Chapter Topics • The Four Phases of Patch Management • Windows Server Update Services • WSUS Deployment Scenarios • Installing WSUS • Pointing Your Clients to the WSUS Server
Patch Management • Patch management refers to the process by which software updates are installed on computers managed by your organization • You need to know whether each update is applicable to computers on your network, whether it is compatible with your existing applications, and how urgent it is to deploy this update.
The Four Phases of Patch Management • Installing updates on the computers on your organization’s network is critical to protect the security of the network and to keep the organization’s client computers performing optimally
The Four Phases of Patch Management • How updates are rolled out on your network requires planning and testing to ensure a successful installation • Microsoft Recommends • Assess • Identify • Evaluate and Plan • Deploy
Phase 1: Assess • The Assess phase is when you • look at your current patch management policies and procedures • collect information about the computers on your network • determine the effectiveness of your current patch management infrastructure
Phase 1: Assess • Current patch management policies and procedures • Do you have one? • Is it communicated? • To the Team • To the Users
Phase 1: Assess • Collect information • Detailed Inventory: • Hardware • O/S Versions • O/S Service Packs • Installed Software • Versions, Service Packs and customization. • Simple example - http://www.belarc.com
Phase 1: Assess • Current patch management infrastructure • What are you doing? • How are you validating? • Who is responsible?
Phase 2: Identify • This Phase has 3 parts • Update notification • Determining proper use of update • Prioritizing
Phase 2: Identify • Update notification • Staying on top of when updates are released and then determining whether an update affects computers on your network can be a daunting task • Microsoft Offers: • Email notifications • RSS Feed Subscriptions • Windows Live Alerts
Phase 2: Identify • Update notification • www.microsoft.com/technet/security/bulletin/notify.mspx
Phase 2: Identify • Update notification • Third Party Sites that offer ongoing updates of vulnerabilities (not a comprehensive list) • The United States Computer Emergency Readiness Team (US-CERT) • SANS Internet Storm diary • Full Disclosure mailing list • University of Michigan Virus Busters • Symantec Security Response
Phase 2: Identify • Determining proper use of update • Determine whether the update is applicable to computers on your network • Microsoft security updates are all accompanied by a security bulletin that includes a section titled “Affected and Non-Affected Software.” • If you find that your computers are affected, you must determine how quickly the update should be deployed on your computers
Phase 2: Identify • Prioritizing • Once you’ve determined that an update applies to computers on your network, you should decide how quickly you need to deploy the update • The security bulletin can be a good place to start to decide the priority at which the update should be deployed
Phase 3: Evaluate and Plan • Once you have determined that an update is applicable to computers on your network, you need to: • Submit a change request (optional, policy dependent) to deploy the update • Prep the computers for the update • Determine how the update will be deployed
Phase 3: Evaluate and Plan • Prepping the computers for the update includes looking for anything that may block the installation of the update: • Insufficient disk space • Computers not being powered on • Software restriction policies • Group Policy objects that may block the installation
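An added example (not from the course text) of a pre-deployment readiness check for the first two blockers listed above: computers that are not powered on and system drives with too little free space. The function name, computer names and 2 GB threshold are assumptions, and the remote queries assume PowerShell 3.0 or later with WinRM enabled on the targets.

```powershell
# Added example: pre-deployment readiness check. Names and threshold are assumptions.
function Test-PatchReadiness {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [double]$MinFreeGB = 2    # assumed threshold; size it to the update being deployed
    )
    foreach ($name in $ComputerName) {
        $r = [pscustomobject]@{
            Computer = $name; Online = $false; FreeGB = $null; Ready = $false; Reason = ''
        }

        # Blocker: computer not powered on (or otherwise unreachable).
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $r.Reason = 'Not reachable'
            $r
            continue
        }
        $r.Online = $true

        try {
            # Blocker: insufficient disk space on the system drive.
            $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $disk = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $name `
                        -Filter "DeviceID='$($os.SystemDrive)'" -ErrorAction Stop
            $r.FreeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
            if ($r.FreeGB -lt $MinFreeGB) {
                $r.Reason = "Only $($r.FreeGB) GB free, need $MinFreeGB GB"
            } else {
                $r.Ready = $true
            }
        } catch {
            # Reachable but not queryable: report it rather than assume it is ready.
            $r.Reason = "Inventory query failed: $($_.Exception.Message)"
        }
        $r
    }
}

# Hypothetical pilot machines; replace with the computers scheduled for the update.
Test-PatchReadiness -ComputerName 'PILOT-PC01', 'PILOT-PC02' | Format-Table -AutoSize
```

Software restriction policies and blocking Group Policy objects are not covered by this check and still need a manual review.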
Phase 3: Evaluate and Plan • Determining how the update will be deployed: • Writing scripts • Building tools – e.g. QCHAIN (command line) • Using patch management software • Windows Server Update Services (WSUS)
Phase 4: Deploy • Key Steps of this phase: • Update is tested on a subset of computers • The specific details of the deployment are communicated to end users • Then the update is deployed to all affected computers on your network
Phase 4: Deploy • Testing the update on a subset of computers: • Important to identify any unknown compatibility issues or other last-minute changes that need to be addressed. • When choosing the subset, you should pick computers that will not significantly impact your organization’s business. • Consider imaging machines for lab setting.
Phase 4: Deploy • Communicating with Users • Time at which the update will be installed • Expected downtime required to perform the update • Support channel in the event something goes wrong. (Who to call / email)
Phase 4: Deploy • Deploy and verify updates.
Windows Server Update Services • WSUS is an update-management product designed to deploy updates to Windows client computers on your network
Windows Server Update Services • Features of WSUS 3.0 • The ability to automatically download updates by product, update classification, or language • Email notification when new updates are ready • The ability to scan WSUS clients for needed updates before deploying them • Create reports on client update status • The ability to target updates to a group of computers • The ability to install the WSUS Administration Console on a computer other than the WSUS server
Software Requirements for WSUS Servers • Windows Server 2003 with Service Pack 1, Windows Server 2008, or Windows Server 2008 R2. • Internet Information Services (IIS). • Windows Installer 3.1 or newer. • .NET Framework 2.0 or newer. • SQL (optional) for high volume DB solution
WSUS Client Requirements • WSUS clients must be running one of the following operating systems: • Windows 7 • Windows Server 2008 R2 • Windows Server 2008 • Windows Server 2003 • Windows Vista • Windows XP • Windows 2000 with Service Pack 4
WSUS Deployment Scenarios • WSUS 3.0 can be broken down into three main deployments: small businesses, medium businesses, and businesses with limited connectivity
WSUS Deployment Scenarios • Small business: • normally comprises one WSUS server that synchronizes directly with Microsoft Update. • All WSUS clients are geographically close • All are behind the same firewall
WSUS Deployment Scenarios • Medium-size business: • Comprised of more than one WSUS server serving clients that are geographically close. • One WSUS server may synchronize with the other or they may get their updates separately from Microsoft Update • Option 1: Single Server Updating
WSUS Deployment Scenarios • Medium-size business: • Comprised of more than one WSUS server serving clients that are geographically close. • One WSUS server may synchronize with the other or they may get their updates separately from Microsoft Update • Option 2: Both Servers Updating
Installing WSUS • PreReq – IIS • See p.1135 of text for instructions • Step #7 is important – read it • Install the Report Viewer 2008 SP1 Redistributable • See p.1138 • Install WSUS 3.0 • See p.1138
Pointing Your Clients to the WSUS Server • Client computers use the Windows automatic updating client to receive WSUS updates and can be configured by using a Group Policy object. • This drastically reduces the administrative overhead because one GPO can be deployed to all computers in an Active Directory installation at once. • See p.1144 of text for detailed steps for GPO config
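An added example (not from the course text) of checking on a client that the Group Policy object took effect, by reading the Windows Update policy values the GPO writes to the registry. The function name and the server URL are placeholders; run `gpupdate /force` on the client first if the GPO was only just linked.

```powershell
# Added example: confirm the WSUS Group Policy settings reached this client.
function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ExpectedServer)   # URL configured in the GPO

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu) {
        $findings += 'WindowsUpdate policy key is missing: the GPO has not applied'
    } else {
        # Both values must name the WSUS server: one for updates, one for status reporting.
        if ($wu.WUServer -ne $ExpectedServer) {
            $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
        }
        if ($wu.WUStatusServer -ne $ExpectedServer) {
            $findings += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedServer'"
        }
    }
    # Without UseWUServer = 1 the client ignores WUServer and keeps using Microsoft Update.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: client is not directed to WSUS'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WUServer  = if ($wu) { $wu.WUServer } else { $null }
        # Update metadata sent over plain HTTP can be altered in transit, so report the scheme.
        UsesTls   = [bool]($wu -and $wu.WUServer -like 'https://*')
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Placeholder URL; substitute the intranet update service address set in your GPO.
Test-WsusClientPolicy -ExpectedServer 'http://wsus.example.local' | Format-List
```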
Review • The Four Phases of Patch Management • Windows Server Update Services • WSUS Deployment Scenarios • Installing WSUS • Pointing Your Clients to the WSUS Server
Hands On • Next class’s lab will involve configuring a WSUS server and client.