Best Practices for Managing Security Updates
Unicenter® R11
This documentation (the “Documentation”) and related computer software program (the “Software”) (hereinafter collectively referred to as the “Product”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.
This Product may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Product is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the Software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Software are permitted to have access to such copies.
The right to print copies of the Documentation and to make a copy of the Software is limited to the period during which the license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Product have been returned to CA or destroyed.
EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS PRODUCT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS PRODUCT, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.
The use of this Product and any product referenced in the Documentation is governed by the end user’s applicable license agreement.
The manufacturer of this Product is CA.
This Product is provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7013(c)(1)(ii), as applicable, or their successors.
Contents
Chapter 1: Introduction ... 1-1
Chapter 2: How Unicenter Patch Management Works ... 2-1
    Using Roll-up Technology ... 2-2
    Unicenter Patch Management Roll-up Scripts ... 2-2
Chapter 3: Evaluating Security Updates ... 3-1
    The Deployment Scenario ... 3-1
    Evaluating Security Updates ... 3-2
    Identifying Targets ... 3-2
    Identify Applicable Packages ... 3-3
    Validate the Windows XP SP 2 Package ... 3-4
    Testing Service Pack Package ... 3-8
    Approve Packages ... 3-12
Chapter 4: Deploying Security Updates ... 4-1
Appendix A: Additional Tips ... A-1
Chapter 1: Introduction 1–1
Chapter 1: Introduction
The purpose of this document is to provide a set of best practices for managing your Windows environment, and particularly the application of all required security patches, through Unicenter® Patch Management. This document contains the following:
- Overview of the Unicenter Patch Management process and standard procedures
- Discussion of a best practices approach to managing your Windows environment, including installation of all necessary Microsoft Windows security patches
- Sample scenario that walks through how to apply service packs and how to roll up security patches
- Tips for troubleshooting and customization
For more details on using Unicenter Patch Management, consult the
Chapter 2: How Unicenter Patch Management Works
Unicenter Patch Management (UPM) r11 is a new product offering from CA which uses the Unicenter Desktop and Server Management (DSM) infrastructure to inventory and deploy patches across the enterprise. Patch content is prepared by the Content Management team and supplied via an online content service which details how to detect and deploy all relevant patches.
The following diagram illustrates how patches flow from CA’s content service to the client’s Unicenter DSM\UPM system.
Figure 1 – Content Flow
2–2 Unicenter Patch Management Best Practices Guide
Using Roll-up Technology
Unicenter Patch Management roll-up package technology is a customized cumulative Unicenter Patch Management package designed to install all current Microsoft security hot-fixes with a single reboot. Once the package is deployed, the computer will be brought up-to-date unattended.
Roll-up technology packages are available for the following operating system releases:
- Windows 2000 SP4
- Windows XP SP1
- Windows XP SP2
- Windows 2003 Gold
- Windows 2003 SP1
Roll-up packages are also provided for a number of non-English Windows language editions.
CA releases an updated version of the roll-up package each month, following the Microsoft Security Bulletin release on the second Tuesday of the month. Under this schedule, a new Unicenter Patch Management roll-up script is available for download every month. The naming convention for these packages is as follows:
CA - <OS> Post-SP<#> <lang> <32Bit|64Bit> <FULL> Security Hot-fix Roll-up Package vYYMM
For example, the following package contains the security roll-up patches for December 2005:
“CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0512”.
For information regarding the current Microsoft Security Bulletin monthly release cycle, refer to the following website:
http://www.microsoft.com/technet/security/current.aspx.
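The naming convention above is regular enough to parse, which is useful when you automate checks on the content feed, for example confirming that the roll-up linked to a policy is the newest one for a given OS and service pack level. The following Python is an added example written for this guide, not code from CA or from Unicenter Patch Management. It assumes that vYYMM means 20YY-MM, treats the dash before FULL as optional because the guide writes the name both ways, and only accepts the Post-SP<n> form shown here (the guide does not show how a "Gold" package is named). The v0601 name in the sample list is a constructed, hypothetical January 2006 release.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern of the roll-up naming convention quoted in the guide:
#   CA - <OS> Post-SP<#> <lang> <32Bit|64Bit> <FULL> Security Hot-fix Roll-up Package vYYMM
# The dash before FULL is optional because the guide writes the name both ways.
_ROLLUP_RE = re.compile(
    r"^CA - (?P<os>.+?) Post-SP(?P<sp>\d+) (?P<lang>[A-Za-z]{2}) "
    r"(?P<bits>32|64)Bit(?: -)? FULL Security Hot-fix Roll-up Package "
    r"v(?P<yy>\d{2})(?P<mm>\d{2})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rollup:
    name: str
    os: str
    sp: int
    lang: str
    bits: int
    year: int
    month: int

    def applies_to(self, os: str, sp: int, lang: str, bits: int) -> bool:
        """True when the package targets this OS / service pack / language / bitness."""
        return (self.os.casefold() == os.casefold() and self.sp == sp
                and self.lang == lang.upper() and self.bits == bits)


def parse_rollup_name(name: str) -> Optional[Rollup]:
    """Parse a roll-up package name; return None for any other kind of package."""
    # Normalise the en dashes and curly quotes that appear in the guide's text.
    cleaned = name.replace("\u2013", "-").strip().strip("\"\u201c\u201d")
    m = _ROLLUP_RE.match(cleaned)
    if m is None:
        return None
    return Rollup(
        name=cleaned, os=m["os"], sp=int(m["sp"]), lang=m["lang"].upper(),
        bits=int(m["bits"]),
        year=2000 + int(m["yy"]),  # assumption: vYYMM is 20YY-MM
        month=int(m["mm"]),
    )


def newest_applicable(names: Iterable[str], os: str, sp: int, lang: str,
                      bits: int) -> Optional[Rollup]:
    """Pick the most recent roll-up for a target OS/SP/language/bitness, or None."""
    candidates = [r for r in map(parse_rollup_name, names)
                  if r is not None and r.applies_to(os, sp, lang, bits)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.year, r.month))


# Constructed sample list. The first three names appear in the guide; the v0601
# name is a hypothetical January 2006 release (assumption, not a real CA package),
# and the last entry is a service-pack package that the roll-up pattern must reject.
SAMPLE_NAMES = [
    "CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0512",
    "CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0508",
    "CA \u2013 Windows XP Post-SP2 EN 32Bit \u2013 Full Security Hot-fix Roll-up Package v0512",
    "CA - Windows XP Post-SP2 EN 32Bit - FULL Security Hot-fix Roll-up Package v0601",
    "CA - Windows XP SP2 EN 32Bit - Archive Off, Firewall Off",
]

if __name__ == "__main__":
    best = newest_applicable(SAMPLE_NAMES, "Windows XP", 2, "EN", 32)
    print(best.name if best else "no applicable roll-up")
```

Because a service pack package does not match the roll-up pattern, `parse_rollup_name` returns None for it rather than mis-classifying it; a policy check built on this should treat None as "not a roll-up" and not as an error.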
Unicenter Patch Management Roll-up Scripts
The roll-up script performs the following steps:
- Identify missing patches
- Create a dynamic batch script to install the missing patches
- Execute the batch script unattended
- Log vital information during the installation
Instead of installing every patch, the Unicenter Patch Management roll-up script identifies the required patches by querying the registry and file timestamps, so that only those which are missing are installed.
The collection of patches included in the roll-up is defined in an INI file that is part of the roll-up package. The INI file also contains the special switch settings for any patch that requires them, along with a roll-up package identity tag. Keeping this information in an INI file lets CA make all necessary changes to the patch list and switches without modifying the script itself.
The roll-up script checks each patch in the package to determine whether it is already installed. Each patch that is not installed is appended to the fixes.bat file, with logic to capture the error code if the installation of that patch fails.
Qchain.exe is run at the end of the batch job so that multiple patches can be installed with only one reboot.
The SD Job Output will contain the following details regarding the installation process:
- The name of each patch in the package
- The total count of patches in the package
- Indication of whether each patch was installed or not installed
- The total number of patches that require installation
- The patches that failed to install, along with the return code
- The return code of the roll-up package and, if it failed, information on
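To make the control flow above concrete, here is an added Python reconstruction of what the roll-up script does, written for this guide rather than taken from CA's package: read the INI, determine which patches are missing, emit fixes.bat with error-code capture after each installer and qchain.exe at the end, and produce the same counts the SD Job Output reports. The INI layout, the section and key names, the KB numbers and installer file names, the default switches and the batch syntax are all assumptions; the `installed` set passed in stands in for the registry and file-timestamp checks the real script performs, which this example does not implement.

```python
import configparser

# Constructed sample INI. The real package's INI layout is not shown in the
# guide; section names, keys, KB numbers, installer names and switches are assumptions.
SAMPLE_INI = """
[Rollup]
Tag=RUP0512
Log=C:\\RUP0512.log
DefaultSwitches=/q /z

[Patches]
KB000101=WindowsXP-KB000101-x86-ENU.exe
KB000102=WindowsXP-KB000102-x86-ENU.exe
KB000103=WindowsXP-KB000103-x86-ENU.exe

[Switches]
KB000103=/quiet /norestart
"""


def load_rollup(ini_text):
    """Return (identity tag, log path, [(kb, installer, switches), ...])."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep KB ids exactly as written in the INI
    cp.read_string(ini_text)
    default = cp["Rollup"]["DefaultSwitches"]
    patches = [(kb, exe, cp["Switches"].get(kb, default))
               for kb, exe in cp["Patches"].items()]
    return cp["Rollup"]["Tag"], cp["Rollup"]["Log"], patches


def missing_patches(patches, installed):
    """`installed` is the set of KB ids already present. In the real script this
    comes from the registry and file-timestamp checks; here the caller supplies it."""
    return [p for p in patches if p[0] not in installed]


def build_fixes_bat(tag, log, missing):
    """Emit fixes.bat: one installer per missing patch, the error code captured
    right after each one, qchain.exe last so a single reboot finishes the job."""
    lines = ["@echo off", f"rem {tag} roll-up, generated from the package INI", "set FAILED=0"]
    for kb, exe, switches in missing:
        lines.append(f"{exe} {switches}")
        # cmd expands %errorlevel% when it parses this line, which happens after
        # the installer above has returned, so the value is that installer's code.
        lines.append(f"if errorlevel 1 call :failed {kb} %errorlevel%")
    lines += ["qchain.exe", "exit /b %FAILED%", "",
              ":failed", f"echo %1 %2>>{log}", "set /a FAILED+=1", "goto :eof"]
    return "\r\n".join(lines) + "\r\n"


def summarize(patches, missing, return_codes):
    """The figures the SD job output reports: total count, required count,
    failed patches with their codes, and whether the roll-up signature would
    be detected (only when every required patch succeeded)."""
    failed = {}
    for kb, _exe, _switches in missing:
        rc = return_codes.get(kb, 0)
        if rc != 0:
            failed[kb] = rc
    return {"total": len(patches), "required": len(missing),
            "failed": failed, "signature_detected": not failed}


if __name__ == "__main__":
    tag, log, patches = load_rollup(SAMPLE_INI)
    missing = missing_patches(patches, installed={"KB000102"})
    print(build_fixes_bat(tag, log, missing))
    # constructed result: KB000103 failed with return code 1603
    print(summarize(patches, missing, {"KB000103": 1603}))
```

The `:failed` subroutine is where the two things the guide cares about happen: the patch name and return code are written to the local log, and the batch's own exit code becomes non-zero so the SD job reports the roll-up as failed and the package signature is not detected.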
Chapter 3: Evaluating Security Updates
Unicenter Patch Management provides an efficient tool for managing the patches in your environment; however, as with everything else in IT, the process is only successful if you maintain a consistent methodology.
Note: The methodology detailed in this document is considered “Best Practice”; however, when applying these best practices to your environment you may need to tailor them to adhere to your company’s policies and IT management processes.
This chapter contains a sample scenario depicting:
- Application of Windows XP Service Pack 2
- Application of security patches
It also provides tips on using policy to ensure that the security update packages associated with this sample scenario are properly and automatically deployed.
The Deployment Scenario
In our sample scenario, the IT department has just received several new PCs from a third-party vendor. Corporate policy dictates that every Windows XP machine connected to the corporate network must have all post-XP patches applied but, to save cost, the vendor ships the PCs with XP Gold (no patches). It is now up to the IT department to ensure compliance with the corporate requirement, and it will do so using Unicenter Patch Management. The current environment consists of the following:
Workstations:
- Windows 2000 Workstation
- Windows XP
Servers:
- Windows 2000 Servers
- Windows 2003 Servers
Assumptions:
- New workstations are Windows XP provided by a VAR with no service
- Existing Windows 2000 workstations and servers have Service Pack 4 and IE6 SP1 applied
- Unicenter DSM Agents are installed on all managed machines
- Production and test machines representing each type of machine co-exist in the DSM environment
Corporate Policy:
- All workstations must have the latest level of the service pack applied.
- All workstations and non-critical servers must be up-to-date with security patches by the end of each month.
- Security patches for critical servers will be scheduled accordingly and applied manually.
The first step is to identify all the machines that will be managed.
Evaluation of security update packages is achieved in four basic steps:
- Identifying Applicable Targets: managed machines are grouped according to function and criticality
- Identifying Applicable Packages: packages and their current states are reviewed for applicability for deployment to the target group
- Testing Packages: packages are tested and evaluated for deployment according to corporate policy
- Approving Packages: successfully evaluated packages are approved for policy inclusion
Identifying Targets
An example of how DSM groups can be represented is displayed in the DSM administrative console as follows:
In this example, machines are grouped by their function (Production vs. Test) and their type (servers vs. workstations).
Identify Applicable Packages
A package’s state identifies how the package is utilized in the environment. There are four states commonly used in Unicenter Patch Management:
- Pending Acceptance
- Testing
- Approved
- Non Applicable
New maintenance packages periodically introduced by the CA Content Team first appear in the Pending Acceptance state, indicating that users are required to perform internal evaluation to assess the package’s applicability to their environment.
Validate the Windows XP SP 2 Package
According to the corporate policy in our sample scenario, all workstations must have XP Service Pack 2. This is easily managed by using the CA Content Team’s Service Pack package together with Unicenter Patch Management policies. However, it is very important to validate the package before creating a policy.
The CA Content Team provides various Service Pack configuration packages. The following steps will illustrate the testing process for the “CA – Windows XP SP2 EN 32Bit – Archive Off, Firewall Off” package.
First, select the package by doing the following:
1. From the Patches tab select the “CA Content Team Patches - Windows Service Pack – Pending User Acceptance” filter and click Go.
2. Select the package name from the list.
3. From the Patch Detail screen click the “Release Notes” link to view vital information regarding the package.
4. Click on the Internet Explorer Back button to return to Patch Details after reviewing the release notes.
5. In the Action field, select Accept from the pull down, then click Go.
7. To display the packaging status, select the “All Patches – Packaging” filter.
Note: It is very important to select ONLY the packages you plan to test and use. Accepting all available packages will cause DSM to download every file within each package into the DSM Software Library.
8. At this point the service pack is being downloaded from the vendor’s download site and packaged so that it can be deployed via DSM.
The above process is repeated for the Security Roll-up package.
1. From the Unicenter Patch Management Patches tab, select the “CA – Windows Security Roll-up – Pending User Acceptance” filter and click Go.
2. Select “CA – Windows XP Post-SP2 EN 32Bit – Full Security Hot-fix Roll-up Package v0512” from the list of packages.
4. Clicking Files in the Detailed Patch Information window displays all the patches included in the roll-up package.
NOTE: If packaging fails after you accept the package, the Download Status for the failed package will show a Cancel state. This means that the download is no longer available or the CRC validation check failed.
6. Click Go to continue.
7. The package will appear under “Patches Pending Testing” when packaging is complete. The Windows XP Post-SP2 roll-up package contains numerous downloads, which increases the time needed to complete the task. Please be patient.
Note: If packaging fails, ensure that the proxy user ID/password is correct. See Appendix A for more details.
8. Once each file is downloaded and packaging completes, the package goes into “Testing” status (click the refresh button to update the status).
Testing Service Pack Package
To test the Service Pack Package, do the following:
1. From the Patches tab select “All Patches – Testing” filter, and then click the service pack package name link.
2. From the Patch Details, select “Test Patch” in the Advanced Option box.
3. Select the appropriate test machine(s) for the package from the list of available targets and click the arrow.
Note: The test machines should be representative of all the different types of machines in your environment to ensure compatibility.
Note: The package will try to install on any selected target regardless of the operating system. It will NOT validate whether the machine is applicable for the package when testing a package.
4. The target will be added to the Selected Targets window. Click Next to continue.
5. From the Deploy Patch: Schedule Deployment screen click Next to deploy package now.
6. From the Deploy Patch: Confirm Deployment screen click Finish to start deployment.
The initiation of the test deployment can be validated by viewing the DSM Explorer.
To validate the test, do the following:
1. The package installs unattended on the target machine; the installation can be viewed remotely via DSM’s Remote Control.
2. Once the installation completes, Unicenter Desktop and Server Management will request a reboot.
3. Validate package was successfully installed.
4. View DSM’s Job Status for any errors.
To validate the Security Roll-up Package, do the following:
1. From the Dashboard, click on the Roll-up package name from the Patches Pending Testing portlet.
2. Click Test Patch in the Advanced Option window.
3. Select the same test machine(s) used in the deployment of the service pack test.
4. Click Next twice, then click Finish to start the test deployment. The deployment starts minimized on the test machine; maximize the task to watch the installation.
6. The Software Delivery Job Output contains a list of the patches in the package and indicates whether each patch requires installation. It also contains the total patch count and the total required-installation count for the package, and reports the overall success of the roll-up package installation.
Note: A log file (C:\RUPYYMM.log) is created locally to record the patch name and error code of any patch that fails to install.
7. Patches are detected by DSM.
Note: The roll-up package signature will only be detected if all the patches are installed successfully.
8. To view the status from Unicenter Patch Management click Status from the Dashboard, then select Patch Deployment from Status Menu.
Note: The installation of subsequent roll-up packages is illustrated later, when demonstrating the process of approving packages that are already used in a policy.
Approve Packages
Now that packages have been tested successfully on the test machines the packages can be moved to “Approved” status.
1. From the Patches tab select the “All Patches – Testing” filter, and then click the service pack package name link.
2. Select “Approve” in the Actions field, then click Go.
3. Repeat the process for the Security Roll-up package. Both packages are now in Approved status.
Chapter 4: Deploying Security Updates
This chapter details the methods necessary for using policies to ensure that all targeted network machines remain in compliance, and reflect the application of all desired maintenance.
The corporate policy used in our test case scenario requires that all Windows XP machines have SP2 installed and contain current Microsoft security patches. One way to ensure that this happens automatically is to create a Unicenter Patch Management policy.
The following example illustrates how to configure a Windows XP Service Pack 2 policy in Unicenter Patch Management. This policy will ensure that Windows XP Professional Edition machines get Windows XP Service Pack 2 installed automatically.
1. Click the Policies tab, then click Add.
2. Insert a descriptive policy name in the Name field and click the Select button to continue.
3. Click Go in the Software List screen to display all software with approved packages.
4. Since this policy is for applying the service pack on XP Gold images, select Microsoft XP Professional x86 32 EN from the filtered list, then click OK.
Note: A separate policy will need to be created to manage machines with Windows XP Professional SP1 or the Home Edition.
6. Select the approved package, then click OK.
7. Click Target link in the Detailed Policy Information window to target the machines for this policy.
8. Select a group to apply the policy, then click the arrow icon.
To validate the package in the production environment, only the West group is selected. Using groups allows you to control the deployment of the package. Once the package is validated in the production environment, a broader group can be used.
9. Click OK to complete. The policy will automatically start the evaluation process.
11. Click the Policy Compliance link in the Advanced Option window.
12. The Policy Compliance window displays the number of violations. To view which machines are in violation, click the folder in the Details column.
13. The package is then automatically deployed to the machines in violation.
Security Roll-up Policy
To ensure that Windows XP SP2 machines automatically receive the latest security patches, a roll-up policy needs to be created. The steps below illustrate the process of creating a roll-up policy.
1. From the Unicenter Patch Management Dashboard, click Policies tab, then click Add.
3. Click Go in the Software List screen to view all software with approved packages.
4. Since this policy is for applying the security roll-up package to XP Professional SP2 machines, select Microsoft Windows XP Professional SP2 x86 32 EN from the filtered list, then click OK.
5. In the Patches section click the Add button and link the approved roll-up package to the policy, then click OK.
6. Click the Target link in the Detailed Policy Information window and select the same group used in the Service Pack 2 policy.
7. Click OK to finish generating the roll-up policy.
8. The roll-up package is then automatically deployed to the machines in violation.
The approved roll-up package is from December 2005. The test scenario policy dictates that the XP SP2 workstations be up-to-date with current security patches.
The following procedure illustrates how to enable a new CA-provided roll-up package so that the Windows XP Professional SP2 roll-up policy picks it up automatically.
Important! As always, before a new roll-up package can be used in production and incorporated into the roll-up policy, it must be validated in the test environment to ensure compatibility with the machines in your environment. Information on performing these steps is provided in the previous chapter and in the Implementation Guide.
1. Select the “CA Content Team Patches – Windows Security Roll-up – Pending User Acceptance” filter in the Patches tab.
3. Click Go to download all the patches included in the package.
4. From the Unicenter Patch Management dashboard, click the link for the new roll-up package within the Patches Pending Testing portlet.
5. Review the Release Notes and validate the roll-up package in the test environment.
6. Once it has been successfully validated, approve the package.
7. A warning message will be displayed stating that the new package will be used in the roll-up policy.
8. Click Continue
9. Click Done to complete the task.
The roll-up policy will automatically reevaluate for violators and deploy the package to all machines in violation.
Appendix A: Additional Tips
The following sections provide additional troubleshooting and customization tips to help you make the most of your Unicenter Patch Management implementation.
Troubleshooting Failed Packaging
If a package fails, check the UPM.Log. If it includes an entry like the following:
UPM.Log Entry
2005-10-14 16:04:44,296 [Thread-7] INFO [com.ca.unicenter.upm.decision] - Patch CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0508 {3a905d86-ab10-4791-b13a-26b8b84d93ed} / PatchFile 5c0575f9-0daf-4619-9fa0-0280eb8eb79f download is cancelled
Recommended Fix: the problem is resolved by entering the correct proxy user ID and password.
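A practitioner who has to check UPM.Log regularly can pull the cancelled-download entries out with a small scanner rather than reading the file by hand. The Python below is an added example for this guide, not part of the product; it matches the line format of the entry quoted above and groups the cancelled files by package so that you can see at a glance which roll-up is affected and how many of its downloads were cancelled. The second log line in the sample is constructed (its PatchFile id is a placeholder) and the third is constructed filler. Note that a cancelled download can also mean the file is no longer available or failed the CRC check (see the packaging note in Chapter 3), so incorrect proxy credentials are the first thing to check, not the only possibility.

```python
import re
from collections import defaultdict

# Line format of the UPM.Log entry quoted in the guide. The GUID in braces
# identifies the patch; the PatchFile GUID identifies the individual download.
_CANCELLED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\]\s+-\s+"
    r"Patch (?P<patch>.+?)\s+\{(?P<patch_id>[0-9a-fA-F-]{36})\}\s*/\s*"
    r"PatchFile (?P<file_id>[0-9a-fA-F-]{36})\s+download is cancelled\s*$"
)

# Constructed sample log. Line 1 is the entry quoted in the guide; line 2 is a
# constructed second cancelled file for the same package (placeholder file id);
# line 3 is constructed filler that must not match.
SAMPLE_UPM_LOG = """\
2005-10-14 16:04:44,296 [Thread-7] INFO [com.ca.unicenter.upm.decision] - Patch CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0508 {3a905d86-ab10-4791-b13a-26b8b84d93ed} / PatchFile 5c0575f9-0daf-4619-9fa0-0280eb8eb79f download is cancelled
2005-10-14 16:04:44,312 [Thread-7] INFO [com.ca.unicenter.upm.decision] - Patch CA - Windows XP Post-SP1 EN 32Bit - FULL Security Hot-fix Roll-up Package v0508 {3a905d86-ab10-4791-b13a-26b8b84d93ed} / PatchFile 00000000-0000-0000-0000-000000000001 download is cancelled
2005-10-14 16:04:45,001 [Thread-7] DEBUG [constructed.filler] - constructed line, not a cancelled-download message
"""


def cancelled_downloads(log_text):
    """Every cancelled-download entry as a dict of the named fields above."""
    return [m.groupdict() for m in map(_CANCELLED_RE.match, log_text.splitlines()) if m]


def by_patch(hits):
    """Group cancelled file ids by (patch name, patch id)."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[(h["patch"], h["patch_id"])].append(h["file_id"])
    return dict(grouped)


def report(log_text):
    """Human-readable summary ending with the checks the guide suggests."""
    grouped = by_patch(cancelled_downloads(log_text))
    if not grouped:
        return ["no cancelled downloads found"]
    out = []
    for (patch, patch_id), files in grouped.items():
        out.append(f"{patch} {{{patch_id}}}: {len(files)} cancelled download(s)")
        out.extend(f"  PatchFile {f}" for f in files)
    out.append("check the proxy user id/password first; a cancel can also mean the "
               "download is no longer available or failed the CRC check")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_UPM_LOG)))
```

Run it against the real UPM.Log by reading the file and passing its contents to `report`; the grouping is what tells you whether one file or the whole package is failing, which separates a stale download URL from a proxy problem that blocks everything.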
Understanding Packages Pending Acceptance
Packages that are “Pending Acceptance” have been identified as fixing a technology which exists in the DSM/UPM infrastructure. A package will not be presented if the technology that it fixes does not exist in the DSM
infrastructure. For example, a Linux based package will not be presented if Linux is not deployed in the environment. The sorting process greatly
simplifies the package monitoring requirements by eliminating the need to sift through a large number of potentially irrelevant packages.
Note: To increase the number of viewable rows in this display, modify the “Number of Rows” value.
Select “CA Content Team Patches – All – Pending User Acceptance” from the drop down list to display only the packages applicable to your environment. For example:
Creating Custom Filters
1. Click My Profile.
2. Select Patches in the Preferences and Settings box.
3. Click Add.
4. Enter a filter name and in the Patch Name Mask field enter %roll%.
5. Click on the arrow so that the package name mask moves in the right window pane.
7. Confirmation of the update will be displayed. Click Done to complete the update. You will be returned to the Dashboard.
8. To use the new filter, select the Patches tab, then select the “Windows Roll-up Packages” filter. Only the roll-up packages will be displayed.
Monitoring Local Roll-up Package Progress
To monitor the roll-up script progress on the target machine, do the following:
1. Open Task Manager and use Notepad to open the following file:
“C:\Program Files\CA\Unicenter DSM\Agent\units\00000001\uam\MS_Rollup\fixes.bat”