Best Practices: Understanding BeyondTrust Patch Management
February 2014

Contents
Overview
1 - Configure Retina CS
2 - Enable Patch Management for Smart Groups
3 - Identify and Approve Patches
Reporting
Standard Patch Deployment
Certificate Distribution for Third Party Patching
Third Party Patch Deployment
About BeyondTrust
Overview

Retina CS facilitates both Microsoft and third party patching by integrating with Microsoft Windows Server Update Services (WSUS). Retina CS utilizes WSUS as the patching engine and effectively becomes a management console for WSUS. This integration does not preclude you from using the WSUS/Update Server console plug-in independently of Retina CS; however, BeyondTrust recommends that patching be managed through Retina CS, since all patch activity is then recorded in the database. Familiarity with the native functions and features of WSUS is necessary to fully understand the Retina CS integration.

The native WSUS client is built into the Microsoft OS; however, it needs to be enabled and configured. In typical WSUS-only environments this is accomplished through GPOs. When using Retina CS, clients are enabled and configured through Retina CS.

The Retina CS configuration and patch deployment process is outlined in the following diagram:

[Diagram: Retina CS, WSUS and Client, with steps 1 through 4 as listed below]

1. Configure a Retina CS connection to an existing WSUS server; Retina CS becomes a management console for WSUS.
2. Enable specific Smart Groups for patch management. This configures the members of the Smart Group, i.e., the clients, for WSUS by making changes to their registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are then downloaded and installed.

These functions are detailed in the following three sections; additionally, reporting, best practices and troubleshooting tips are provided.
1 - Configure Retina CS

Create a Retina CS connection to an existing WSUS server by navigating to Configure > Patch Management. Through a set of menus you will:

- Establish a connection to an existing WSUS server
- Determine which products and classifications to manage, including third party patches
- Define how often WSUS will synchronize with the Microsoft Update servers
- Generate a certificate necessary for 3rd party patching

WSUS Server Connection: Supply the connection and credential information to access the WSUS server. Port 80 is the default; however, if WSUS is on the same machine as Retina CS, which also uses port 80, Retina CS performance can suffer while updates/patches are being applied. In this case, select one of the alternative ports, 8530 or 8531 (HTTPS).

Products and Classifications: Identify the patches you want to manage by selecting items from the Products (left) and Classifications (right) drop-down lists. Third party products are located at the bottom of the Products drop-down list.

Synchronization Schedule: Set the synchronization schedule to determine how often WSUS checks with the Microsoft Update servers for new patches. Per WSUS default settings, synchronization downloads the patch metadata, i.e., information about the patch, but not the patch itself. Patches are downloaded only AFTER they have been approved. When working with a new WSUS installation, the first synchronization can take up to several hours, depending on the number of items you have selected in the Products and Classifications section. If desired, you can view the synchronization progress by launching the native WSUS Update Services console.

Third Party Certificates: A certificate is required for third party patching to establish trust between WSUS and the client. A self-signed certificate is created by selecting the Generate button.

[Screenshot: Third Party Certificates section showing that a certificate has been generated]
2 - Enable Patch Management for Smart Groups

Enabling patch management for a Smart Group effectively configures all members of the Smart Group as WSUS clients and points them to the WSUS server configured in the previous section. Within Retina CS, navigate to: Assets (tab) > Manage Smart Rules > New Rule (or edit an existing Smart Group) > Perform Actions > Enable for Patch Management. If creating a new rule, you will need to configure your asset selection criteria and then select "Show assets as a Smart Group" in the Perform Actions section, in addition to enabling the Smart Group for patch management.

Manage Credentials: Supply credentials with sufficient privileges to access the registry and install the certificate on the endpoint. Select from credentials you have already configured using the drop-down menu, or add new credentials using the Manage Credentials button to the right. These credentials are specific to patch management and are not related to the credentials used for vulnerability scans or for the WSUS server connection.

Important Updates: The drop-down menu provides three options. Your selection determines how Retina CS configures the client's registry and, consequently, client behavior.

Install updates automatically (recommended): Client computers will poll the WSUS server at the specified day and time, and download any approved and relevant updates. Once downloaded, the client will automatically install the updates.
Download updates but let me choose whether to install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and download any approved and relevant updates. Once updates are downloaded, notifications are sent to the System Log and to the notification area of the client. When a user clicks the notification icon, Automatic Updates displays the available updates. The user must then click Install to proceed.

Check for updates but let me choose whether to download and install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and determine whether there are any approved updates. If updates are available, notifications are sent to the System Log and to the notification area of the client computer. When a user clicks the notification icon, they can choose to download the updates. When the downloads are complete, another notification indicates that updates are ready to install. The user can then click the Automatic Updates icon and then Install.

Every: <day> At: <time>: Select the day and time at which client computers will poll the WSUS server. The option to set the day and time only appears for the Install updates automatically (recommended) option.

Retry registration of errored Patch Management assets: Select the check box to retry the registration if the initial registration attempt fails.

After selecting Save, the following occurs. Retina CS contacts the client by one of three methods, listed in order of priority:

1. If the client has Blink or the Retina Protection Agent (RPA), v. 4.7 or greater, registry changes are made via the Central Policy connection.
2. If the client does not have Blink or the RPA, registry changes are made via the Remote Registry API. The Remote Registry service must be enabled on the client, and the supplied credentials must have permissions for Remote Registry.
3. If 1 and 2 fail, registry changes are made via Windows Management Instrumentation (WMI), a service running on the endpoint.

Retina CS uses the supplied credentials to access and edit the client's registry. The client is configured for WSUS and then pointed to the WSUS server. All other relevant registry parameters are set; see:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

If applicable, Retina CS downloads the third party certificate to the client. The client is now configured to poll WSUS for any approved updates; this is standard WSUS client behavior. Note that polling may not occur immediately, and it may take up to 6 hours for WSUS clients to display as patch-enabled assets within Retina CS. For testing purposes, you can restart the Update Services service on the WSUS server; this will facilitate polling and populate WSUS with client information.

Smart Groups that have been enabled for patch management are identified as such in the Smart Groups browser pane.

[Screenshot: Smart Groups pane showing a patch management-enabled Smart Group]

You may find it desirable to create one Smart Group for patch testing and another for patch deployment on production systems.

3 - Identify and Approve Patches

Once patch management is configured, patch management for Smart Groups is enabled, and clients have registered with the WSUS server, you can identify and approve patches within the Retina CS interface.

Approving patch updates for registered Smart Groups: Navigate to the Assets tab (1), select a patch-enabled Smart Group from the Smart Groups pane (2) and then select Patch (3). By default, all assets belonging to the Smart Group that can be managed for patching are displayed; for example, UNIX or Apple assets will not be displayed. To view the patch status of an individual asset, select its information icon (i).

Select the sort criteria to display the relevant patches. You can type in the filter fields to further narrow your results. Optionally, you can use the View by: toggle to switch from an asset perspective to a patch perspective.

[Screenshot: Patch view showing the Filter Fields and Sort Criteria controls]

Select the desired patch to deploy (multiple selections are allowed using the <CTRL> and <Shift> keys) and then select the approval action to open the Approve Updates window. At the Approve Updates window, select the checkbox(es) to determine the applicable assets: a single Smart Group, multiple Smart Groups, or all Smart Groups. Finally, use the drop-down menu to select the approval type. Note that if you select All Groups and a group already has approved patches, the menu changes to Keep existing approvals. This ensures that all previously approved patches will still be deployed at the scheduled time.

Not Approved vs. Decline

Not Approved: Not approved for this group of assets, but the patch is kept in the Not Installed list so you can select it later.

Decline: Removes this patch from the Not Installed list so it is no longer an option to select for approval. The only way to see declined patches is to sort for Declined patches.
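Because every approval made in the Retina CS interface is recorded as a WSUS approval for the matching target group, the server side can be audited independently of the GUI. The following PowerShell is an added example, not BeyondTrust's or Microsoft's own tooling: it uses the UpdateServices module that ships with the WSUS server role to report, read-only, what a test group will deploy on its next poll, how many updates are merely Not Approved (still selectable), and which updates have been Declined (hidden from the Not Installed list). The server name, port and target group name are placeholders; the port follows the non-default-port guidance from section 1.

```powershell
# Added example (not part of the BeyondTrust document): read-only WSUS approval audit.
# Assumes the UpdateServices module (WSUS role) and a target group that backs a
# Retina CS Smart Group. Server, port and group name below are placeholders.
Import-Module UpdateServices

function Get-WsusApprovalReport {
    param(
        [string] $ServerName      = 'wsus.example.local',   # placeholder WSUS server
        [int]    $Port            = 8530,                   # alternative port, as recommended when WSUS shares a host with Retina CS
        [string] $TargetGroupName = 'Patch Testing'         # placeholder: the test group created for patch testing
    )

    $server = Get-WsusServer -Name $ServerName -PortNumber $Port
    $group  = $server.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Target group '$TargetGroupName' not found on $ServerName" }

    # Updates approved for Install on this group that at least one computer still needs:
    # this is what the group's clients will download on their next poll.
    $pending = Get-WsusUpdate -UpdateServer $server -Classification All -Approval Approved -Status FailedOrNeeded |
        Where-Object {
            $_.Update.GetUpdateApprovals() | Where-Object {
                $_.ComputerTargetGroupId -eq $group.Id -and $_.Action -eq 'Install'
            }
        }

    # "Not Approved": still listed as needed, can be approved later from the Not Installed list.
    $notApproved = Get-WsusUpdate -UpdateServer $server -Classification All -Approval Unapproved -Status FailedOrNeeded

    # "Declined": removed from the Not Installed list; only visible when asked for explicitly.
    $declined = Get-WsusUpdate -UpdateServer $server -Classification All -Approval Declined -Status All

    [pscustomobject]@{
        TargetGroup      = $TargetGroupName
        ClientsInGroup   = @($group.GetComputerTargets()).Count
        PendingForGroup  = @($pending     | ForEach-Object { $_.Update.Title })
        NotApprovedCount = @($notApproved).Count
        DeclinedTitles   = @($declined    | ForEach-Object { $_.Update.Title })
    }
}

# Usage: run on the WSUS server (or a host with the WSUS console installed).
Get-WsusApprovalReport | Format-List
```

A practical use of this report is to confirm, before a scheduled install window, that the production group's pending list matches what was approved for the test group, and that nothing needed was accidentally declined rather than left Not Approved.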
Reporting

Both Retina CS and Insight provide several patch report options. Reports can be patch- or asset-centric and can be customized for specific Smart Groups and date ranges. Reports are navigable with built-in internal links and contain external links to resources such as relevant Microsoft KB postings. They can also be exported into several different formats, such as PDF, Excel and XML. The following example is an Insight report showing all missing patches grouped by asset.

[Screenshot: Insight report of missing patches grouped by asset, with a "Link to" column for the relevant Microsoft KB postings]

Patch reports available in Retina CS:
- Approved Patches
- Installed Patches
- Required Patches

Patch reports available in Insight:
- Applied Patches by Month (applied patches grouped by month)
- Patch (displays all the patches available for your network, which are possibly missing or not installed on your assets)
Standard Patch Deployment

[Sequence diagram: Retina CS, Client and WSUS; messages: Patch approved, Check for approved, Patch sent, Patch installed, Report patch status, Retrieve patch status]

1. Patches are approved through the Retina CS GUI; consequently, they are marked as approved within WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart Group settings, the client may be notified that approved patches are available and then prompted to download and install them.
4. Patches are automatically installed per the default settings. Optionally, per the Smart Group settings, the client may be notified that patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. Retina CS retrieves the current patch status from WSUS.
Certificate Distribution for Third Party Patching

[Sequence diagram: Retina CS, Client and WSUS; messages: Configure connection to WSUS, Generate button, Request WSUS to generate a certificate, Generates 3rd party certificate, Retrieve copy of certificate, Register Smart Group for patch management, Edit client registry, Copy of certificate to client]

1. From Retina CS, configure the connection to an existing WSUS server.
2. Select the Generate button. This sends a request to WSUS to create a certificate used for third party patching.
3. WSUS generates the certificate.
4. Retina CS retrieves the certificate.
5. Create or modify a Smart Group to enable patch management for the selected assets.
6. Retina CS edits the registry of each applicable asset in the Smart Group, configures it for WSUS and copies the third party certificate to it, if applicable.
Third Party Patch Deployment

[Sequence diagram: Retina CS, Client and WSUS; messages: 3rd party patches approved, Check for approved, Patches sent with certificate, Verify certificate and install patches, Send patch status, Retrieve patch status]

Third party patch deployment is nearly identical to the standard deployment of Microsoft patches, with the following changes:

3. Third party patches are sent to the client with the third party certificate that was generated during the WSUS server configuration.
4. The certificate from WSUS is verified against the existing certificate on the client, which it received when its associated Smart Group was enabled for patch management. Trust is now established for third party patch deployment, per Microsoft requirements.
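Section 2 lists the two policy keys Retina CS edits on each client, and the two sections above describe the third party certificate the client must already trust before a WSUS-signed patch is accepted. The PowerShell below is an added example, not BeyondTrust's code, that checks a Windows client against both: it verifies that the WindowsUpdate and AU policy keys point at the expected WSUS server, decodes the AUOptions value back to the Important Updates choice described in section 2, and confirms that trusted-publisher certificates are accepted and that the signing certificate is present in the local machine stores. The expected WSUS URL and the certificate thumbprint are operator-supplied placeholders; the mapping of AUOptions values 2, 3 and 4 to the three menu options is standard Windows Update policy behaviour and is an assumption about how Retina CS encodes the selection.

```powershell
# Added example (not part of the BeyondTrust document): audit a client's WSUS configuration.
# Run locally on the client with administrative rights. Both parameters are placeholders
# supplied by the operator: the WSUS URL configured in Retina CS and the thumbprint of the
# third party signing certificate generated on the WSUS server.
function Test-WsusClientConfig {
    param(
        [Parameter(Mandatory)] [string] $ExpectedWsusUrl,   # e.g. http://wsus.example.local:8530 (placeholder)
        [string] $ThirdPartyCertThumbprint                  # optional; placeholder thumbprint of the WSUS signing cert
    )

    $wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $findings = @()

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if (-not $wu -or -not $au) {
        return @('Policy keys missing: this client has not been configured for WSUS')
    }

    # Both URLs must name the WSUS server Retina CS is connected to; otherwise the client
    # is pulling patches from (or reporting status to) somewhere else.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($wu.$name -ne $ExpectedWsusUrl) {
            $findings += "$name is '$($wu.$name)', expected '$ExpectedWsusUrl'"
        }
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1; the client will use Microsoft Update instead of WSUS'
    }
    if ($au.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1; Automatic Updates is disabled and approved patches will not be pulled'
    }

    # AUOptions encodes the Important Updates selection made for the Smart Group (assumed mapping):
    #   2 = Check for updates but let me choose whether to download and install them
    #   3 = Download updates but let me choose whether to install them
    #   4 = Install updates automatically on the scheduled day and time
    $labels = @{ 2 = 'Check only'; 3 = 'Download, prompt to install'; 4 = 'Install automatically' }
    $opt = [int]$au.AUOptions
    if ($labels.ContainsKey($opt)) {
        $findings += "AUOptions=$opt ($($labels[$opt]))"
        if ($opt -eq 4) {
            # ScheduledInstallDay: 0 = every day, 1 = Sunday .. 7 = Saturday; ScheduledInstallTime: hour 0-23
            $findings += "Scheduled install: day $($au.ScheduledInstallDay), hour $($au.ScheduledInstallTime)"
        }
    } else {
        $findings += "AUOptions '$($au.AUOptions)' is not a WSUS-managed value"
    }

    # Third party patching: WSUS-signed packages are only installed when the policy accepts
    # trusted-publisher certificates and the signing cert is in both local machine stores.
    if ($ThirdPartyCertThumbprint) {
        if ($wu.AcceptTrustedPublisherCerts -ne 1) {
            $findings += 'AcceptTrustedPublisherCerts is not 1; third party patches will be rejected'
        }
        foreach ($store in 'TrustedPublisher', 'Root') {
            $present = Get-ChildItem "Cert:\LocalMachine\$store" |
                Where-Object { $_.Thumbprint -eq $ThirdPartyCertThumbprint }
            if (-not $present) {
                $findings += "Signing certificate $ThirdPartyCertThumbprint not found in LocalMachine\$store"
            }
        }
    }
    return $findings
}

# Usage (placeholder values):
Test-WsusClientConfig -ExpectedWsusUrl 'http://wsus.example.local:8530' `
                      -ThirdPartyCertThumbprint '0000000000000000000000000000000000000000'
```

Running this on a member of the test Smart Group right after Save, and again once the asset shows as patch-enabled in Retina CS, separates the two failure modes the text describes: a registration that never reached the client (policy keys missing or pointing elsewhere, typically a Remote Registry or credential problem) versus a client that is configured but simply has not polled yet within the six-hour window.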
About BeyondTrust

BeyondTrust is a global cyber security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.