Implementing Security
Patch Management
Steve Riley
Product Manager
Security Business and Technology Unit Microsoft Corporation
[email protected]
Yes, immutable
Distilled wisdom from successful patch
management strategies worldwide
About worldview and mindset
¾ Won’t be discussing technologies or tools
Microsoft uses these laws
¾ To protect its own network
¾ To guide parts of our Trustworthy Computing
Law 1: Patches are a fact of life
Computer science is maturing rapidly, but
perfection eludes us
¾ System complexity
¾ Extremely hostile threat environment
Planning is the essential component of
successful patch management
¾ The specifics of your plan matter less than
the fact that you have a plan of some kind.
Security design model
(Diagram with the elements Policy, Process, Implementation, Documentation, Operations, and Technology.) Start with policy.
(Demo)
Law 2: It does little good to patch a system that isn’t secure
The most dangerous security exposures
don’t involve code flaws
¾ Weak passwords
¾ Unattended systems
¾ Insecure configurations
A sound security policy is the first line of
defense
¾ Standardization
Law 3: There is no patch for bad judgment
(Demo)
The most dangerous security exposures don’t
involve code flaws
¾ Sticky-pad syndrome
¾ Opening mail attachments
¾ Social engineering
¾ Running untrustworthy code
People are part of the network
¾ Good news: properly “configured”, they are the
most powerful security add-on you can have
Law 4: You can’t patch what you don’t know you have
Variables in the patch equation (one column each for Operating Systems, Configuration, Service Packs, Applications):
¾ Enumeration of each: “OK”
¾ Record of state for each: “Better”
¾ Well-defined standard configurations
Law 5: The most effective patch is the one you don’t have to apply
Turn stuff off!
¾ Code Red: IIS enabled on Windows 2000 Server
¾ Internet Printing Protocol, UPnP, ISAPIs…
¾ Microsoft doing more to help
Smaller attack surface = better security
¾ Turn off unneeded services
¾ Install only needed applications and plug-ins
¾ Use least privilege
¾ Windows Server 2003 turns off over 20 services by
default
Law 6: A service pack covers a multitude of patches
Patches too often treated as first line of
defense
¾ Can hurt reliability, slow new system rollout
¾ Understand the Quality Curve
¾ Service Packs are extremely important
¾ Patches (hotfixes) are interim measures
Law 7: All patches are not equal
Applying every patch is typically a poor strategy
¾ It irritates end users
¾ It burns out the patch management team
Some patches are more important than
others
¾ Scrutinize the Mitigating Factors section of the
bulletin
¾ Understand the risk equation and the burden
curve
Risk equation
Risk ≈ (Access × Value) / Difficulty
Where:
Access = Degree of access to an asset that an attacker could gain via the vulnerability
Value = Value of the asset
Difficulty = Difficulty of carrying out a
Law 8: Never base patching decisions on whether you’ve seen exploit code
Published exploit code is an unreliable
risk indicator
¾ Just because it hasn’t been published doesn’t
mean it doesn’t exist (or couldn’t be written)
Always assume that exploit code exists
¾ Defend your network assets based on their value and the threat posed by the vulnerability
What happens while you wait for exploit code
Worm          Patch issued   Attack     Days   Impact of attack
Blaster       7/16/03        8/11/03    26     Shortest time to worm yet
Code Red      6/18/01        7/19/01    31     Infections doubled every 37 minutes
Nimda         10/17/00       9/18/01    336    Spread worldwide in 30 minutes
Badtrans      5/16/01        11/24/01   192    MessageLabs has seen 458,359 instances
Klez          5/16/01        4/17/02    336    $9 billion worldwide productivity loss
ElKern        5/16/01        4/17/02    336    Detected in more than 40 different countries
Yaha          5/16/01        6/22/02    402    Intercepted in one of every 268 emails at peak
Frethem       5/16/01        7/17/02    427    12 variants in first 2 months of activity
Bugbear       5/16/01        9/30/02    502    More than 2 million affected computers
SQL Slammer   7/24/02        1/25/03    185    Infections doubled every 8.5 seconds
(Days = days between the patch being issued and the attack.)
Law 9: Everyone has a patch strategy, whether they know it or not
Famous ineffective patching strategies:
¾ “Patch? What patch?”
¾ “We’re under attack! Deploy the patches!”
¾ “Deploy the patch now, figure out what it’s for
later”
Your patch strategy should be part of your
security policy
¾ Define your overall risk stance
¾ Document your strategy and tactics
¾ Get senior management’s buy-in!
Law 10: Patch management is really risk management
Patch management is not an end unto itself
¾ Protect the right assets
¾ Spend no more to protect them than they’re worth
¾ Harmonize with other security measures
Patch management is one strategy among many
for protecting business value
¾ Needs to be considered as part of the corporate risk management strategy
What’s Going On?
Addressing customer feedback
What customers say:
¾ “I need to know the right way to run a Microsoft enterprise”
¾ “There are too many vulnerabilities and patches”
¾ “The patching process is inconsistent”
¾ “There are too many incomplete overlapping tools”
¾ “Patch quality is poor – reduce recalls, patch size, and reboots”
Microsoft’s response:
¾ Provide prescriptive guidance and training
¾ Improve the patching experience
¾ Improve product quality; reduce patch frequency
Patch Management Initiative
Progress to Date (December 2003)
Informed and prepared customers
¾ Rationalized patch severity rating levels
¾ Better security bulletins and KB articles
¾ Security Readiness Kit; patch management guidance, etc.
Best patch and update management solutions
¾ Developed patch and update management tools roadmap
¾ SUS 2.0 in development: significantly enhanced capabilities
¾ Released SMS 2003, which delivers expanded patch and update management capabilities
Consistent and superior update experience
¾ Standardized patch and update terminology
¾ Standardized patch naming and installer switch options*
¾ Installer consolidation plan in place – will go from ~8 to 2
¾ Reduced patch release frequency from 1/week to 1/month
Superior patch quality
¾ Improved patch testing process and coverage
¾ Expanded test process to include customers
¾ Reduced reboots by 10%; reduced patch size by up to 75%**
*Update.exe now uses standardized switches; Windows Installer will use them in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
Security Vulnerability Life Cycle
Product ships → Vulnerability discovered → Component modified → Patch released → Patch at customer site → Patch deployed
(The slide’s callout “Most attacks occur here” marks the window between patch release and patch deployment.)
Exploit timeline
¾ The average is now nine days for a patch to be reverse-engineered
¾ As this cycle keeps getting shorter, patching is a less effective defense in large organizations
(Chart: days from patch to exploit code and to attack for SQL, Welchia/Nimda, and Blaster; values shown on the chart: 25, 151, 180, 331.)
Microsoft Severity Ratings
TechNet Security Bulletin Search: http://www.microsoft.com/technet/security/current.asp
Rating: Definition
¾ Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
¾ Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources
¾ Moderate: Exploitation serious but mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
¾ Low: Exploitation is extremely difficult, or impact is minimal
Patching Timeframes
Severity rating: Recommended time frame / Maximum recommended time frame
¾ Critical: within 24 hours / within two weeks
¾ Important: within one month / within two months
¾ Moderate: depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within four months / within six months
¾ Low: depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within one year / within one year, or choose not to deploy at all
Factor: Potential impact on the time frame
¾ Mitigating factors in place or will be quickly put in place: increase time frame
¾ Assets historically attacked are affected: decrease time frame
¾ High-value or high-exposure assets affected: decrease time frame
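The risk equation on the “All patches are not equal” slide and the two time-frame tables above can be combined into one triage routine. The Python below is an added example written for this page, not a Microsoft tool: it scores each bulletin with Risk ≈ Access × Value / Difficulty, starts from the recommended time frame for the severity rating, and moves it by the three factors. The bulletin IDs, scores, and dates are constructed. The slide only says the factors “increase” or “decrease” the time frame, so doubling or halving the days (never beyond the maximum time frame) is this example’s assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Time frames from the "Patching Timeframes" slide, in days.
# Recommended: Critical 24 hours, Important one month, Moderate four months,
# Low one year (Moderate and Low may instead wait for the next service pack).
RECOMMENDED_DAYS = {"Critical": 1, "Important": 30, "Moderate": 120, "Low": 365}
# Maximum: Critical two weeks, Important two months, Moderate six months,
# Low one year (or choose not to deploy at all).
MAX_DAYS = {"Critical": 14, "Important": 60, "Moderate": 180, "Low": 365}


@dataclass
class Bulletin:
    ident: str
    severity: str          # Microsoft rating: Critical / Important / Moderate / Low
    access: int            # degree of access an attacker gains (1 = little, 5 = full)
    value: int             # value of the affected asset (1..5)
    difficulty: int        # difficulty of carrying out the attack (1 = trivial, 5 = hard)
    mitigated: bool = False               # mitigating factors in place or quickly put in place
    historically_attacked: bool = False   # affected assets have been attacked before
    high_value_or_exposed: bool = False   # high-value or high-exposure assets affected


def risk_score(b: Bulletin) -> float:
    """The deck's risk equation: Risk ~ Access * Value / Difficulty."""
    if not (b.access >= 1 and b.value >= 1 and b.difficulty >= 1):
        raise ValueError("access, value and difficulty must be positive")
    return b.access * b.value / b.difficulty


def adjusted_days(b: Bulletin) -> int:
    """Recommended time frame, moved by the slide's three factors.

    Doubling (capped at the slide's maximum) and halving are this example's
    assumption; the slide itself only says "increase" or "decrease"."""
    if b.severity not in RECOMMENDED_DAYS:
        raise ValueError(f"unknown severity {b.severity!r}")
    days = RECOMMENDED_DAYS[b.severity]
    if b.mitigated:
        days = min(days * 2, MAX_DAYS[b.severity])
    if b.historically_attacked or b.high_value_or_exposed:
        days = max(1, days // 2)
    return days


def deadline(b: Bulletin, published: date) -> date:
    """Date by which the patch should be deployed, counted from the bulletin date."""
    return published + timedelta(days=adjusted_days(b))


def triage(bulletins, published: date):
    """(ident, deadline, risk) rows, earliest deadline first, then highest risk."""
    rows = [(b.ident, deadline(b, published), risk_score(b)) for b in bulletins]
    return sorted(rows, key=lambda r: (r[1], -r[2]))


# Constructed sample: bulletin IDs, scores and the publication date are made up.
PUBLISHED = date(2003, 12, 1)
SAMPLE = [
    Bulletin("EX-001", "Critical", access=5, value=5, difficulty=1),
    Bulletin("EX-002", "Important", access=4, value=5, difficulty=2,
             high_value_or_exposed=True),
    Bulletin("EX-003", "Important", access=3, value=2, difficulty=3, mitigated=True),
    Bulletin("EX-004", "Moderate", access=2, value=2, difficulty=4, mitigated=True),
    Bulletin("EX-005", "Low", access=1, value=1, difficulty=5),
]

if __name__ == "__main__":
    for ident, due, risk in triage(SAMPLE, PUBLISHED):
        print(f"{ident}: patch by {due}, risk {risk:.1f}")
```

The sort key puts the deadline first and the risk score second on purpose: the time frame is the commitment the policy makes to management, and the risk score only orders work within it.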
Successful Patch Management
¾ People: skills, roles, and responsibilities
¾ Processes: consistent and repeatable
¾ Technology: products, tools, and automation
Patch Management Process
(Cycle: 1. Assess → 2. Identify → 3. Evaluate and Plan → 4. Deploy → back to 1. Assess)
1. Assess Environment to be Patched
Periodic tasks:
A. Create/maintain baseline of systems
B. Assess patch management architecture
C. Review infrastructure/configuration
Ongoing tasks:
A. Discover assets
B. Inventory clients
2. Identify New Patches
Tasks:
A. Identify new patches
B. Determine patch relevance
C. Verify patch authenticity and integrity
3. Evaluate and Plan Patch Deployment
Tasks:
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
4. Deploy the Patch
Tasks
Choosing a Patch Management Solution
Microsoft Patch Management Guide: http://www.microsoft.com/technet/security/topics/patch/secpatch/default.asp
Customer type: Scenario → Solution
¾ Consumer: no Windows servers → Windows Update (all scenarios)
¾ Small business: have one to three Windows servers and one IT administrator → SUS
¾ Medium or large enterprise: want patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows → SUS
¾ Medium or large enterprise: want single flexible patch management solution with extended level of control to patch and update (+ distribute) all software → SMS
Customer chooses scenario
Patch Management Solution
Patch management solution based on Protect Your PC:
1. Use an Internet firewall
2. Get computer updates
¾ Operating system updates: Windows Update
¾ Application updates: Office Update
3. Use up-to-date antivirus software
http://www.microsoft.com/protect
Windows Update – How It Works: User-Initiated Access
1. User goes to Windows Update (WU) and selects ‘Scan for updates’
2. Client-side code (CC) in the browser validates the WU server and gets download catalog metadata
3. CC uses metadata to identify missing updates
4. User selects updates to install
5. CC downloads, validates, and installs updates
6. CC updates history and statistics information
Windows Update – How It Works: Automatic Updates
1. AU checks the WU service for new updates (every 17–22 hours)
2. AU validates the WU server and gets download catalog metadata
3. AU uses metadata to identify missing updates
4. AU either notifies user or auto-downloads using BITS and validates new updates
5. AU either notifies user or auto-installs updates
6. AU updates history and statistics information
How to Use Windows Update
Automatic
1. Open System in Control Panel
2. Select “Keep my computer up to date”
3. On the Automatic Updates tab, click the option you
want:
¾ Notify me before downloading any updates and notify me
again before installing them on my computer
¾ Download the updates automatically and notify me when
they are ready to be installed
¾ Automatically download the updates and install them on the
schedule that I specify
Note: Administrators can also centrally configure Automatic Updates through Group Policy
Manual
¾ Go to http://windowsupdate.microsoft.com, or select
Windows Update from the Start menu
Windows Update Considerations
Windows Update does:
¾ Support all critical security updates
¾ Support all Windows versions from Windows 98
and above
Windows Update does not:
¾ Allow management of network bandwidth
consumption
Office Update
Single location for Office patches and
updates
Automates scanning and installation for
critical patches and updates
Easy to use for consumers and home users
All security patches and service packs are available in binary delta or full-file versions
How to Use Office Update
1. Go to http://office.microsoft.com/officeupdate
2. Click Check for Updates
3. Install the Office Update Installation Engine (if not already installed)
Patch Management Solution
Patch management solution includes:
¾ MBSA
¾ Software Update Services (SUS)
Customer type: Scenario → Solution
¾ Small business: have one to three Windows servers and one IT administrator → SUS
¾ Medium or large enterprise: want patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows → SUS
Customer chooses scenario
MBSA
− Benefits
Automates identification of missing security
patches and security configuration issues
Allows administrator to centrally scan a large
number of systems
Works with a broad range of Microsoft
MBSA – How It Works
MSSecure.xml (downloaded from the Microsoft Download Center) contains:
¾ Security bulletin names
¾ Product-specific updates
¾ Version and checksum info
¾ Registry keys changed
¾ KB article numbers
1. Run MBSA on the admin system; specify targets
2. MBSA downloads the CAB file with MSSecure.xml and verifies its digital signature
3. Scans target systems for OS, OS components, and applications
4. Parses MSSecure to see if updates are available
5. Checks if required updates are missing
6. Generates a time-stamped report of missing updates
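Steps 3 to 6 above reduce to: load the catalog, compare each applicable update’s registry key (and, when checksums are on, its file hash) against the target, and report. The Python below is an added example for this page, not MBSA code, and its catalog is a constructed, simplified stand-in for MSSecure.xml rather than the real schema; the bulletin IDs, KB numbers, registry keys, and file contents are made up, and the CAB download and signature check are left out. It shows why the -sum/-nosum choice on the next slide matters: a host whose registry key is present but whose patched file is stale passes a registry-only check and is flagged only when checksums are verified.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed file contents standing in for a patched and an unpatched DLL.
GOOD_DLL = b"example.dll build 5.1.2600.1234"
STALE_DLL = b"example.dll build 5.1.2600.1000"
# Constructed registry keys in the style an update writes when it installs.
XP_KEY = r"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q900001"
W2K_KEY = r"HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\Q900002"

# Constructed, simplified catalog: per-update registry keys plus file
# version/checksum data, like MSSecure.xml in spirit but not its real schema.
CATALOG_XML = f"""<Catalog>
  <Update bulletin="EX-001" kb="Q900001" product="Windows XP SP1">
    <Registry key="{XP_KEY}"/>
    <File path="system32\\example.dll" version="5.1.2600.1234"
          sha256="{hashlib.sha256(GOOD_DLL).hexdigest()}"/>
  </Update>
  <Update bulletin="EX-002" kb="Q900002" product="Windows 2000 SP4">
    <Registry key="{W2K_KEY}"/>
  </Update>
</Catalog>"""


def load_catalog(xml_text):
    """Parse the catalog into a list of update records."""
    updates = []
    for u in ET.fromstring(xml_text).findall("Update"):
        updates.append({
            "bulletin": u.get("bulletin"),
            "kb": u.get("kb"),
            "product": u.get("product"),
            "reg_keys": [r.get("key") for r in u.findall("Registry")],
            "files": {f.get("path"): f.get("sha256") for f in u.findall("File")},
        })
    return updates


def scan_host(host, updates, verify_checksums):
    """Return {bulletin: status} for the updates that apply to the host.

    host = {"product": str, "registry": set of installed-update keys,
            "files": {path: bytes}}. With verify_checksums=False the verdict
    rests on the registry key alone, as MBSA's -nosum default does; with True
    the patched file's hash must also match, as -sum does."""
    results = {}
    for u in updates:
        if u["product"] != host["product"]:
            continue  # not applicable to this host
        if not all(k in host["registry"] for k in u["reg_keys"]):
            results[u["bulletin"]] = "Missing"
            continue
        if not verify_checksums:
            results[u["bulletin"]] = "Installed"
            continue
        confirmed = True
        for path, expected in u["files"].items():
            data = host["files"].get(path)
            if data is None or hashlib.sha256(data).hexdigest() != expected:
                confirmed = False
        # Key present but file does not match: report it instead of trusting the key.
        results[u["bulletin"]] = "Installed" if confirmed else "Unconfirmed"
    return results


CATALOG = load_catalog(CATALOG_XML)

# Constructed inventories for three Windows XP SP1 hosts.
HOST_PATCHED = {"product": "Windows XP SP1", "registry": {XP_KEY},
                "files": {r"system32\example.dll": GOOD_DLL}}
HOST_STALE = {"product": "Windows XP SP1", "registry": {XP_KEY},
              "files": {r"system32\example.dll": STALE_DLL}}
HOST_UNPATCHED = {"product": "Windows XP SP1", "registry": set(),
                  "files": {r"system32\example.dll": STALE_DLL}}

if __name__ == "__main__":
    for name, host in [("patched", HOST_PATCHED), ("stale", HOST_STALE),
                       ("unpatched", HOST_UNPATCHED)]:
        print(name, scan_host(host, CATALOG, verify_checksums=True))
```

The "Unconfirmed" status corresponds to the later slide’s note that MBSA shows a message for patches it cannot confirm as installed; a registry key alone proves that an installer ran, not that the vulnerable file was replaced.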
MBSA – Default Scan Options
MBSA graphical user interface (Windows application)
¾ Uses -baseline, -v, -nosum
  ¾ -baseline aligns with WU critical security updates
  ¾ Notes and warnings still shown by default
  ¾ Checksum checks not performed (to match WU)
MBSA command-line interface (mbsacli.exe)
¾ Uses -sum
  ¾ Checksum checks performed
  ¾ Notes and warnings still shown by default
HFNetChk scan (mbsacli.exe /hf)
¾ Uses -sum
  ¾ Checksum checks performed
How to Use MBSA
1. Download and install MBSA (once only)
2. Launch MBSA
3. Select the computer(s) to scan
4. Select relevant options
5. Click Start scan
6. Review the list of Windows Security Updates
7. Click the Result details link
8. Review the list of missing updates
MBSA Considerations
MBSA scans for potential vulnerabilities with:
¾ Passwords
¾ User accounts
¾ Audit configuration
¾ Services
¾ Anonymous enumeration
¾ IIS
¾ IE zones
¾ Office macros
Messages are displayed for patches that MBSA cannot confirm as installed
By default (-nosum) MBSA checks only for a registry key to determine whether a patch is installed; file checksums are verified only with -sum
No patch data for non-security updates
SUS - Benefits
Gives administrators control over patch and update
management
¾ Works with Group Policy* to prevent installation of
nonapproved updates from Windows Update
¾ Allows staging and testing of updates before installation
Simplifies and automates key aspects of the patch
management process
Ease of use alleviates difficulty of keeping
supported systems up-to-date, reducing security risks
Note: Use of SUS does not require implementation of Active Directory or Group Policy
SUS – How It Works
1. Parent SUS server downloads updates from the Windows Update service
2. Administrator reviews, evaluates, and approves updates
3. Approvals and updates synced with child SUS servers
4. AU gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
(Bandwidth throttling applies on each download link: Windows Update to parent, parent to child servers, and SUS server to clients.)
SUS - Client Component
SUS client is Automatic Updates
¾ Centrally configurable to get updates either from
corporate SUS server or Windows Update service
¾ Can autodownload and install patches under
admin control
¾ Consolidates multiple reboots to a single reboot
when installing multiple patches
¾ Included in Windows 2000 SP3, Windows XP
SP1, and Windows Server 2003
¾ Localized in 24 languages
SUS – Server Component
Downloads updates from Windows Update
Web-based administration GUI
Security by design and default
XML-based logging on Web server
Supports geographically distributed
organizations
SUS – MBSA Integration
MBSA can perform a security update scan
against approved updates on a specified
SUS server
Command-line execution
¾ mbsacli.exe /sus http://mysusserver
¾ mbsacli.exe /hf /sus http://mysusserver
How to Use SUS
SUS server:
1. Configure the SUS server at http://server/SUSAdmin
2. Set SUS server synchronization schedule
3. Approve updates
SUS client:
¾ Configure Automatic Updates on client to use SUS server
¾ Performed manually, using scripts, or by using Group Policy
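For the script route, the settings that point Automatic Updates at a SUS server live under the WindowsUpdate policy keys (WUServer, WUStatusServer, UseWUServer, AUOptions, and the schedule values). The Python below is an added example for this page, not a Microsoft script: it builds those values and renders them as a .reg file that can be imported on a client with regedit /s or from a logon script. The server name mysusserver is the deck’s placeholder, and the validation rule (scheme http or https, host only, no path) is this example’s. Because the client trusts whatever server this policy names for its approved-updates list, set it through Group Policy where you can, so a local user cannot repoint it.

```python
from urllib.parse import urlparse

# Registry locations the Automatic Updates client reads its policy from.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# AUOptions values, matching the three choices on the Automatic Updates tab.
AU_OPTIONS = {
    "notify_before_download": 2,   # notify before downloading, and again before installing
    "download_then_notify": 3,     # download automatically, notify when ready to install
    "download_and_schedule": 4,    # download automatically, install on the schedule given
}


def valid_sus_url(url):
    """Accept only http(s)://host[:port] with no path; the client appends its own."""
    p = urlparse(url)
    return (p.scheme in ("http", "https") and bool(p.hostname)
            and p.path in ("", "/") and not p.query and not p.fragment)


def au_policy(sus_server, option="download_and_schedule", install_day=0, install_hour=3):
    """Build the values under the WindowsUpdate policy keys.

    install_day: 0 = every day, 1..7 = Sunday..Saturday; install_hour: 0..23.
    Both matter only when option is download_and_schedule."""
    if not valid_sus_url(sus_server):
        raise ValueError("SUS server must be given as http(s)://host[:port]")
    if option not in AU_OPTIONS:
        raise ValueError(f"unknown option {option!r}")
    if not (0 <= install_day <= 7 and 0 <= install_hour <= 23):
        raise ValueError("install_day must be 0..7 and install_hour 0..23")
    server = sus_server.rstrip("/")
    return {
        POLICY_KEY: {
            "WUServer": server,        # where AU fetches the approved list and updates
            "WUStatusServer": server,  # where AU reports install status
        },
        AU_KEY: {
            "NoAutoUpdate": 0,         # 0 = Automatic Updates enabled
            "UseWUServer": 1,          # 1 = use WUServer instead of Windows Update
            "AUOptions": AU_OPTIONS[option],
            "ScheduledInstallDay": install_day,
            "ScheduledInstallTime": install_hour,
        },
    }


def to_reg(policy):
    """Render the policy as a .reg file (Windows Registry Editor 5.00 format)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            if isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            else:
                # URLs contain no backslashes or quotes, so no .reg escaping is needed.
                lines.append(f'"{name}"="{value}"')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(to_reg(au_policy("http://mysusserver")))
```

Setting WUStatusServer to the same server is what makes the SUS server’s XML install logs (mentioned on the server-component slide) fill up; leave it out and clients install silently from the administrator’s point of view.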
SUS Considerations
Supports operating system updates only for
Windows 2000 or later
No targeting of patch deployments
SUS client must be configured to “pull” updates
from SUS server
Centralized install status logging to Web server, but
no predefined reports
Use multiple SUS servers to supply differing sets of
approved updates to groups of client computers
Patch Management Solution
Patch management solution includes:
¾ SMS 2003, or
¾ SMS 2.0 with SUS Feature Pack
Customer type: Scenario → Solution
¾ Medium or large business: want single flexible patch management solution with extended level of control to patch and update (+ distribute) all software → SMS
Customer chooses scenario
SMS – Benefits
Gives administrators control over patch
management
¾ Staging and testing of updates before installation ¾ Fine-grained control of patch management options
Automates key aspects of the patch management
process
Can update a broad range of Microsoft products
Can also be used to update third-party software
and deploy and install any software update or application
High level of flexibility via use of scripting
SMS – What It Does
1. Setup: download the Security Update Inventory Tool and Office Inventory Tool; run the inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses the Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs, and advertisements
6. Software Update Installation Agent on clients deploys updates
SMS – MBSA Integration
Scans SMS clients for missing security
updates using MBSA CLI
¾ Pushes mbsacli.exe to each client to do a local scan (mbsacli.exe /hf)
¾ Parses textual output of patch numbers
SMS administrators can centrally distribute
security updates to clients
SMS 2.0 and SMS 2003 use MBSA 1.1.1
How to Use SMS
1. Open the SMS Administrator Console
2. Expand the site database
3. Right-click All Windows XP Computers and select All Tasks > Distribute Software
4. Create a new package and program
5. Browse to the patch to be deployed
6. Configure options for how and when the
SMS Considerations
Limitations in detection capabilities are same as
those for MBSA and Office Inventory Tool
Command-line syntax for unattended installation of
each update needs to be configured
Microsoft Office patches require extraction to edit a
settings file for unattended installation
International updates must be obtained manually
(Web page)
Best Practices
¾ Implement a patch management process
¾ Choose a patch management solution that meets your organization’s needs
¾ Subscribe to the Microsoft Security Notification Service
Patch Management Solutions – Selection Criteria
Adopt the solution that best meets the needs of your organization
Core patch management capabilities, given as SMS 2003 / SUS 1.0 / Windows Update:
¾ Supported platforms for content: NT 4.0, Win2K, WS2003, WinXP, Win98 / Win2K, WS2003, WinXP / NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
¾ Supported content types: all patches, SPs, and updates for the above; supports patch, update, and installs for MS and other applications / only security and security rollup patches, critical updates, and SPs for the above / all patches, updates (including drivers), and service packs (SPs) for the above
¾ Network bandwidth optimization: Yes (for patch deployment and server synchronization) / Yes (for patch deployment) / No
¾ Targeting content to systems: Yes / No / No
¾ Patch installation status reporting: Comprehensive (install status, result, and compliance details) / Limited (client install history and server-based install logs) / Assessing computer history only
¾ Patch installation and scheduling flexibility: Administrator control with granular scheduling capabilities / Admin (auto) or user (manual) controlled / Manual, end-user controlled
¾ Granularity of control: Advanced / Basic / No patch distribution control
Patch Quality and Experience
(Roadmap chart spanning Q1 2003 through Q4 2004; the milestones below are listed without the quarter positions, which did not survive extraction.)
¾ Standard naming and signing; standard terminology for documentation; standard installer switches defined
¾ Patches and security bulletins released once a month (1/month patch delivery for nonemergency patches -- today)
¾ Standard titles*, standard registry entries, standard property sheet, standard detection manifest
¾ Add/Remove Programs improvements
¾ Patch test process includes participating customers
¾ 75% reduction in patch size*, then up to 90% reduction in patch size*; 30% reduction in patch reboots
¾ MSI 3.0 supports uninstall, binary delta patching, etc.
¾ Converge to two installers (MSI, Update.exe) -- end of 2004
*For Add/Remove Programs, Windows Update, and Download Center
Patch Management Tools
Road Map
Windows Update + Office Update => Microsoft Update
MBSA
¾ MBSA 1.2 (Q4 2003)
  ¾ More products and locales
  ¾ Integrates Office Update Inventory Tool
¾ MBSA 2.0 (Q2 2004)
  ¾ Scanning now part of SUS 2.0/Microsoft Update
SUS
¾ SUS 2.0 (Q2 2004)
  ¾ Adds reporting, targeting, rollback, bandwidth efficiency, and scripting capabilities
  ¾ Single infrastructure for patch management
  ¾ Support for more Microsoft products
¾ SMS 2003 Update Management Feature Pack (H2 2004)
  ¾ Uses SUS for update scanning and download
  ¾ Uses SUS client (Automatic Updates) for installs
¾ Longer-term (Longhorn time frame)
  ¾ SUS integrated into Windows and supports all Microsoft software