Securing Your Network Environment
Software Distribution & Patch Management

Ken Conrad
Chief Strategist
Microsoft Infrastructure Solutions
Analysts International

Overview
- Microsoft's Patch Management Components
- Patch Management Practices
- Update Tools

Microsoft's Patch Management Components

Rating, Definition, and Customer Action:

Critical
  Definition: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action.
  Customer action: Apply the patch or workaround immediately.

Important
  Definition: Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
  Customer action: Apply patch or workaround as soon as is feasible.

Moderate
  Definition: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation.
  Customer action: Evaluate bulletin, determine applicability, proceed as appropriate.

Low
  Definition: Exploitation is extremely difficult, or impact is minimal.
  Customer action: Consider applying the patch at the next scheduled update interval.

More information at http://www.microsoft.com/technet/security/policy/rating.asp

Improving Patching Experience
- Security Bulletin Severity Rating System
- Free Security Bulletin Subscription Service
  http://www.microsoft.com/

Windows Security Update Process
When a new security update is released the following becomes available:
- An associated Security Bulletin
- An updated MSSecure.XML file for MBSA
- The Windows security patch via the download center and WU
- A localized version of the security patch
- An updated catalog for Software Update Services

Patch Management Practices

Security is an Ongoing Effort
- Operates within a system of People, Process, and Technology
- Security will fail if not focused on all four of these components
- Prepare for Patch Management by:
  1. Evaluating your Environment, Risks, and Needs
  2. Establishing Goals and Critical Success Factors
  3. Establishing Process Ownership
  4.

You must...
- have an inventory.
- have a baseline.
- be able to determine when security patches are released.
- be able to determine which are applicable.
- know where patches need to go and how fast.
- have a process to deploy.
- automate as much as possible.
- review and improve

Evaluating and Installing Updates
- Subscribe to Microsoft Security Notification Service
  Consumer: http://www.microsoft.com/security/security_bulletins/decision.asp
  IT Professional: https://register.microsoft.com/regsys/pic.asp
- Configure test environments to expedite evaluation of updates
- Create criticality matrices for specific server roles
- Develop accelerated release-management processes for security
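The "You must..." list and the criticality-matrix practice above come together in one decision: which systems a bulletin applies to, and how fast its patch has to reach each of them. The following is an added example (not from the presentation) that joins an inventory with a baseline, an applicability check, and a per-role criticality matrix; the day counts, role factors, hosts, products and bulletin ids are constructed, only the rating names are Microsoft's.

```python
"""Decide where a bulletin's patch must go and how fast (added example).

Severity names follow the Microsoft rating system. SEVERITY_DAYS, ROLE_FACTOR,
the hosts, products and EXAMPLE-* bulletin ids are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days after release this example allows for each rating's customer action
# (immediately / as soon as feasible / evaluate / next scheduled interval).
SEVERITY_DAYS = {"Critical": 1, "Important": 7, "Moderate": 30, "Low": 90}

# Criticality matrix by server role: exposed roles get half the time,
# an isolated lab gets double (constructed policy values).
ROLE_FACTOR = {"web": 0.5, "mail": 0.5, "db": 1.0, "workstation": 1.0, "lab": 2.0}

@dataclass
class System:
    name: str
    role: str
    products: frozenset   # what the inventory records as installed
    installed: frozenset  # bulletin ids already applied: the baseline

@dataclass
class Bulletin:
    bulletin_id: str
    severity: str
    affected: frozenset   # products the bulletin covers
    released: date

def applies(system, bulletin):
    """Applicable when an affected product is present and the baseline lacks the patch."""
    return bool(system.products & bulletin.affected) and bulletin.bulletin_id not in system.installed

def due_date(system, bulletin):
    """Rating deadline scaled by the role's criticality factor, never under one day."""
    base = SEVERITY_DAYS[bulletin.severity]
    days = max(1, round(base * ROLE_FACTOR.get(system.role, 1.0)))
    return bulletin.released + timedelta(days=days)

def plan(inventory, bulletin):
    """Return [(host, ISO due date)] for every system needing the patch, most urgent first."""
    work = [(s.name, due_date(s, bulletin).isoformat()) for s in inventory if applies(s, bulletin)]
    return sorted(work, key=lambda item: (item[1], item[0]))

# Constructed inventory: web01's baseline already includes EXAMPLE-001.
INVENTORY = [
    System("web01", "web", frozenset({"Windows 2000 Server", "IIS 5.0"}), frozenset({"EXAMPLE-001"})),
    System("web02", "web", frozenset({"Windows 2000 Server", "IIS 5.0"}), frozenset()),
    System("db01", "db", frozenset({"Windows 2000 Server", "SQL Server 2000"}), frozenset()),
    System("lab02", "lab", frozenset({"Windows 2000 Server", "IIS 5.0"}), frozenset()),
]
# Constructed bulletins with placeholder ids, not real Microsoft bulletin numbers.
CRITICAL_IIS = Bulletin("EXAMPLE-001", "Critical", frozenset({"IIS 5.0"}), date(2003, 6, 1))
IMPORTANT_W2K = Bulletin("EXAMPLE-002", "Important", frozenset({"Windows 2000 Server"}), date(2003, 6, 1))

if __name__ == "__main__":
    for b in (CRITICAL_IIS, IMPORTANT_W2K):
        print(b.bulletin_id, b.severity, plan(INVENTORY, b))
```

The patched web01 drops out of the Critical plan because of its baseline, while the same host is first in the Important plan, which is the point of keeping inventory and baseline separate.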
Prioritizing and Scheduling the

Tools

Third Party Tools
Company Name, product, and Company URL:
- St. Bernard Software: UpdateExpert (http://www.stbernard.com)
- Shavlik Technologies: HFNetChkPro (http://www.shavlik.com)
- PatchLink Corp.: PatchLink Update (http://www.patchlink.com)
- Novadigm, Inc.: Radia Patch Manager (http://www.novadigm.com)
- LANDesk Software, Ltd.: LANDesk Patch Manager (http://www.landesk.com)
- Gravity Storm Software, LLC: Service Pack Manager 2000 (http://www.securitybastion.com)
- GFI Software, Ltd.: GFI LANguard Network Security Scanner (http://www.gfi.com)
- Ecora, Inc.: Ecora Patch Manager (http://www.ecora.com)
- Configuresoft, Inc.: Security Update Manager (http://www.configuresoft.com)
- BigFix, Inc.: BigFix Patch Manager (http://www.bigfix.com)
- Altiris, Inc.: Altiris Patch Management (http://www.altiris.com)

Microsoft Solution Components
Capability compared across SMS 2003, SUS 1.0, and Windows Update:

Core Patch Management Capabi

Supported Platforms for Content
  SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98
  SUS 1.0: Win2K, WS2003, WinXP
  Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98

Supported Content Types
  SMS 2003: All patches, SPs & updates for the above + supports patch, update & app installs for MS & other apps
  SUS 1.0: Only security, critical, & security rollup patches + SPs for the above
  Windows Update: All patches & service packs (SPs) for the above

Mobile Device Support
  SMS 2003: Yes; SUS 1.0: No; Windows Update: No

Network Bandwidth Optimization
  SMS 2003: Yes (for patch deployment & server synchronization)
  SUS 1.0: Yes (for patch deployment)
  Windows Update: No

Targeting Content to Systems
  SMS 2003: Yes; SUS 1.0: No; Windows Update: No

Patch Installation Status Reporting
  SMS 2003: Comprehensive (install status, result, and compliance details)
  SUS 1.0: Limited (client install history & server based install logs)
  Windows Update: No

Patch Installation & Scheduling Flexibility
  SMS 2003: Administrator control with granular scheduling capabilities
  SUS 1.0: Administrator (auto) or user (manual) controlled
  Windows Update: Manual, end user controlled

Patch Distribution Control (Granularity of Control)
  SMS 2003: Advanced; SUS 1.0: Basic; Windows Update: No

Additional Software Distribution Capabilities

Deployment Planning
  SMS 2003: Yes; SUS 1.0: No; Windows Update: No

Inventory Management
  SMS 2003: Yes; SUS 1.0: No; Windows Update: No

Compliance Checking
  SMS 2003: Yes; SUS 1.0: No; Windows Update: No

Windows Update
- A catalog of software updates organized in categories: System drivers, Security fixes, Critical updates
- Requires installation of scanning and download software
- Relies on MSSecure.XML and digitally-signed updates to evaluate and install updates
- Automatic Update Client released in version 2.2
  - Day of week and time scheduling
  - Group Policy and Registry-based configuration
  - Control Panel changes
  - Pre-install and pre-reboot progress bars to admin
  - Event logging

Office Update
- Supports Windows NT 4.0 SP5 and above
- A catalog of software updates for Office 2000 and Office XP
- Administrators can download the following tools:
  - Office Update Inventory Tool
  - Office Hotfix Installer
  - Windows Corporate Error Reporting Tool

Automatic Updates
- Available on Windows XP & Windows 2000 Service Pack 3 and higher; use Automatic Updates to apply security updates.
- On Windows XP, Automatic Updates is configured in the property pages of the Control Panel's System applet.
- Windows 2000 Service Pack 3 and higher adds the Automatic Updates applet to the Control Panel.

MBSA: What it Does
Microsoft Baseline Security Analyzer
- Helps assess the vulnerability of Windows systems
- Scans for missing security patches / updates and common security misconfigurations
- Scans local or multiple remote systems via GUI or command line invocation
- Scans various versions of Windows, IIS, IE, SQL, Exchange, and other Microsoft applications
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Works with SUS & SMS

MBSA: Benefits
- Automates identification of missing security patches & security misconfiguration
- Allows administrator to centrally scan a large number of systems simultaneously
- Works for broad range of Microsoft software (not just Windows and Office)

Update Tools - Managed
- Microsoft Software Update Services
- Software Update Services Feature Pack

SUS 1.0: What it Does
- Deploys Windows security patches, security rollups, updates, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed on target systems
- Provides basic patch installation logging information

SUS Benefits
- Gives administrators control over patch & update management
- Works with Group Policy to prevent installs of non-approved updates
- Allows staging & testing of updates before installation
- Simplifies & automates key aspects of the patch management process
- Ease of use alleviates difficulty of keeping supported systems up

Client Component: Automatic Updates
- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Centrally configurable to prevent users from installing non-approved patches
- Can auto-download and install patches under admin control
- Allows chaining of patch installations to minimize reboots
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages
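The client-side settings behind the Automatic Updates bullets above (corporate SUS server versus Windows Update, admin-controlled automatic install, day-of-week and time scheduling) are a handful of registry policy values. The following is an added example, not from the presentation or from Microsoft, that validates a combination of those values and emits it as a .reg fragment; the value names are the documented Automatic Updates policy values, while the server URL and schedule are constructed placeholders.

```python
r"""Emit and audit the Automatic Updates policy for a corporate SUS server (added example).

Value names are the documented Automatic Updates policy values under
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the SUS URL is a
constructed placeholder. Group Policy sets the same values; a .reg fragment
makes the result explicit and easy to compare against what a host really has.
"""
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_OPTIONS = {  # AUOptions: how much the client does without the user
    2: "notify before download and before install",
    3: "download automatically, notify before install",
    4: "download automatically, install on the schedule",
}

def validate(sus_server, au_option, install_day, install_hour):
    """Return a list of problems; an empty list means the combination is sound."""
    problems = []
    if not sus_server.startswith(("http://", "https://")):
        problems.append("WUServer must be a URL such as http://sus01, not a bare host name")
    if au_option not in AU_OPTIONS:
        problems.append(f"AUOptions must be one of {sorted(AU_OPTIONS)}")
    if not 0 <= install_day <= 7:    # 0 = every day, 1 = Sunday ... 7 = Saturday
        problems.append("ScheduledInstallDay must be 0-7")
    if not 0 <= install_hour <= 23:  # local hour of day
        problems.append("ScheduledInstallTime must be 0-23")
    return problems

def build_au_policy(sus_server, au_option=4, install_day=0, install_hour=3):
    """Build a .reg fragment: approved content from SUS, installs under admin control."""
    problems = validate(sus_server, au_option, install_day, install_hour)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "Windows Registry Editor Version 5.00", "",
        f"[{POLICY_KEY}]",
        f'"WUServer"="{sus_server}"',        # where approved updates are fetched from
        f'"WUStatusServer"="{sus_server}"',  # where install status is reported
        "",
        f"[{POLICY_KEY}\\AU]",
        '"NoAutoUpdate"=dword:00000000',    # keep the Automatic Updates client enabled
        '"UseWUServer"=dword:00000001',     # honour WUServer instead of Windows Update
        f'"AUOptions"=dword:{au_option:08x}',
    ]
    if au_option == 4:  # the schedule is only used when installs are automatic
        lines.append(f'"ScheduledInstallDay"=dword:{install_day:08x}')
        lines.append(f'"ScheduledInstallTime"=dword:{install_hour:08x}')
    return "\n".join(lines) + "\n"

def parse_policy(reg_text):
    """Read a fragment back into {value name: value}, to audit an exported host policy."""
    values = {}
    for line in reg_text.splitlines():
        if line.startswith('"'):
            name, _, raw = line.partition("=")
            values[name.strip('"')] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return values

if __name__ == "__main__":
    print(build_au_policy("http://sus01", au_option=4, install_day=1, install_hour=3))
```

A host whose export shows UseWUServer absent or 0 is still taking its approved list from Windows Update, whatever WUServer says, which is the first thing to check when a client ignores the SUS catalog.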
SMS 2003 Patch Management: What it does (1)
- System scanning & patch content download
  - Content from Microsoft download center
  - MBSA & Office Update plug-ins scan for missing patches
  - Supports updating of remote & mobile devices
  - Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
  (Diagram: update cycle with the stages New Update, Assess, Acquire, Test, Deploy, Verify)
- Administrator control
  - Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
  - Patches consumed only by SMS administrators via the deployment process (on demand)
  - Specific start and end times (change windows), rolling change windows
  - Easily merge patches from testing into production
  - Reference computer templates for baseline determination / compliance
- Patch download & installation
  - Delta replication (site-site, server-server) of patches
  - Can use BITS for mobile / remote client-server
  - Can use SMB for LAN / priority situations
  - Reminders and rescheduling of install / reboot & enforcement dates
  - Optimized graceful reboots, but forced when enforcement date arrives
  - Per-patch reboot-needed detection to reduce reboots
- Status & Compliance Reporting
  - Deployment status as patches are attempted
  - Standard and customized reports through read-only SQL queries
  - Determine actual baselines in the environment before changing the environment
  - SLA measurement and rate

SMS 2003 Patch Management: Benefits
- Gives administrators control over patch management
- Allows staging & testing of updates before installation
- Fine-grained control of patch management options
- Automates key aspects of the patch management process
- Can update a broad range of Microsoft products (not limited to Windows and Office)
- Can also be used to update third party software and deploy & install any software update or application
- High level of flexibility via use of scripting

Patch Management Guidance: What it Is
- Prescriptive guidance from Microsoft for effective patch management in enterprises
- Uses Microsoft Operations Framework (MOF)
  - Based on ITIL* (de facto standard for IT best practices)
- Details requirements for effective patch management:
  - Technical & operational pre-requisites
  - Operational processes & how technology supports them
  - Daily, weekly, monthly & as-needed tasks to be performed
  - Testing options
- Three patch management guidance offerings
  - Microsoft Guide to Security Patch Management**
  - Patch Management using Software Update Services***
  - Patch Management using Systems Management Server***

*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specifie

Resource Overview
- Contacting Microsoft security: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/proddocs/default.asp
- Microsoft Security: http://www.microsoft.com/security
- SMS Patch Management Guide: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/swdist/pmsms/pmsmsog.asp
- Microsoft Security Notification Service: https://register.microsoft.com/regsys/pic.asp
- Microsoft Solutions for Management: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/default.asp

http://www.microsoft.com/usa/webcasts/

©2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT