Best Practices. Understanding BeyondTrust Patch Management

Best Practices Understanding BeyondTrust Patch Management February 2014

Contents

Overview
1 - Configure Retina CS
2 - Enable Patch Management for Smart Groups
3 - Identify and Approve Patches
Reporting
Standard Patch Deployment
Certificate Distribution for Third Party Patching
Third Party Patch Deployment
About BeyondTrust

Overview

Retina CS facilitates both Microsoft and third party patching by integrating with Microsoft Windows Server Update Services (WSUS). Retina CS utilizes WSUS as the patching engine and effectively becomes a management console to WSUS. This integration does not preclude you from using the WSUS/Update Server console plug-in independent of Retina CS; however, BeyondTrust recommends that patching be managed through Retina CS since all patch activity is recorded in the database.

Familiarity with the native functions and features of WSUS is necessary to fully understand the Retina CS integration. The native WSUS client is built into the Microsoft OS; however, it needs to be enabled and configured. In typical WSUS-only environments this is accomplished through GPOs. When using Retina CS, clients are enabled and configured through Retina CS.

The Retina CS configuration and patch deployment process is outlined in the following diagram:

[Diagram: Retina CS, WSUS and Client, connected by steps 1-4]

1. Configure a Retina CS connection to an existing WSUS Server; Retina CS becomes a management console for WSUS.
2. Enable specific Smart Groups for patch management. This configures members of the Smart Group, i.e., the clients, for WSUS by making changes to the registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are then downloaded and installed.

These functions are detailed in the following three sections; reporting, best practices and troubleshooting tips are also provided.

1 - Configure Retina CS

Create a Retina CS connection to an existing WSUS server by navigating to Configure > Patch Management. Through a set of menus you will:

- Establish a connection to an existing WSUS server
- Determine which products and classifications to manage, including third party patches
- Define how often WSUS will synchronize with the Microsoft Update servers
- Generate a certificate necessary for 3rd party patching

WSUS Server Connection: Supply the connection and credential information to access the WSUS Server.

Port 80 is the default; however, if WSUS is on the same machine as Retina CS, which also uses port 80, Retina CS performance can suffer while updates/patches are being applied. In this case, select one of the alternative ports, 8530 or 8531 (HTTPS).

Products and Classifications: Identify the patches you want to manage by selecting items from the Products (left) and Classifications (right) drop-down lists. Third party products are located at the bottom of the Products drop-down list.

[Screenshot: Product and Classification drop-down lists]

Synchronization Schedule: Set the Synchronization Schedule to determine how often WSUS checks with Microsoft Update servers for new patches. Per WSUS default settings, synchronization downloads the patch metadata, i.e., information about the patch, but not the patch itself. Patches are downloaded only AFTER they have been approved.

When working with a new WSUS installation, the first synchronization can take up to several hours, depending on the number of items you have selected in the Products and Classifications section. If desired, you can view the synchronization progress by launching the native WSUS Update Services console.

Third Party Certificates are required for third party patching to establish trust between WSUS and the client. A self-signed certificate is created by selecting the Generate button. The following screenshot shows that a certificate has been generated.

2 - Enable Patch Management for Smart Groups

Enabling patch management for a Smart Group effectively configures all members of the Smart Group as WSUS clients and points them to the WSUS server configured in the previous section.

Within Retina CS, navigate to: Assets (tab) > Manage Smart Rules > New Rule <or edit an existing Smart Group> > Perform Actions > Enable for Patch Management. If creating a new rule, you will need to configure your asset selection criteria and then select Show assets as a Smart Group in the Perform Actions section, in addition to enabling the Smart Group for patch management.

Manage Credentials: Supply credentials with sufficient privileges to access the registry and install the certificate on the endpoint. Select from credentials you have already configured using the drop-down menu, or add new credentials using the Manage Credentials button to the right. These credentials are specific to patch management and are not related to credentials used for vulnerability scans or the WSUS server connection.

Important Updates: The drop-down menu provides three options. Your selection determines how Retina CS configures the client's registry and, consequently, client behavior.

- Install updates automatically (recommended): Client computers will poll the WSUS server at the specified day and time, and download any approved and relevant updates. Once downloaded, the client will automatically install the updates.

- Download updates but let me choose whether to install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and download any approved and relevant updates. Once updates are downloaded, notifications are sent to the System Log and to the notification area of the client. When a user clicks the notification icon, Automatic Updates displays the available updates. The user must then click Install to proceed.
- Check for updates but let me choose whether to download and install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and determine if there are any approved updates. If updates are available, notifications are sent to the System Log and to the notification area of the client computer. When a user clicks the notification icon, they can choose to download the updates. When downloads are complete, another notification message indicates that updates are ready to install. The user can then click the Automatic Updates icon and then Install.

Every: <day> At: <time>: Select the day and time client computers will poll the WSUS server. The option to set day and time only appears for the Install updates automatically (recommended) option.

Retry registration of errored Patch Management assets: Select the check box to retry the registration if the initial registration attempt fails.

After selecting Save, the following occurs:

Retina CS contacts the client by one of three methods, listed in priority:

1. If the client has Blink or the Retina Protection Agent (RPA), v. 4.7 or greater, registry changes are facilitated via the Central Policy connection.
2. If the client does not have Blink or the RPA, registry changes are facilitated via the Remote Registry API. The Remote Registry service must be enabled on the client. The supplied credentials must have permissions for Remote Registry.
3. If 1 & 2 fail, then registry changes are facilitated via Windows Management Instrumentation (WMI), a service running on the endpoint.

Retina CS uses the supplied credentials to access and edit the client's registry. The client is configured for WSUS and then pointed to the WSUS Server. All other relevant registry parameters are set; see:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

If applicable, Retina CS downloads the third party certificate to the client.

The client is now configured to poll WSUS for any approved updates; this is standard WSUS client behavior. Note that polling may not occur immediately and it may take up to 6 hours for WSUS clients to display as patch-enabled assets within Retina CS. For testing purposes, you can restart the Update Services service on the WSUS server; this will facilitate polling and populate WSUS with client information.

Smart Groups that have been patch management-enabled are identified in the Smart Groups browser pane:

[Screenshot: patch management-enabled Smart Group in the Smart Groups browser pane]

You may find it desirable to create a Smart Group for patch testing and another for patch deployment on production systems.

3 - Identify and Approve Patches

Once patch management is configured, patch management for Smart Groups is enabled and clients have registered with the WSUS server, you can identify and approve patches within the Retina CS interface.

Approving patch updates for registered Smart Groups

Navigate to the Assets tab (1), select a patch-enabled Smart Group from the Smart Groups pane (2) and then select Patch (3). By default, all assets belonging to the Smart Group that can be managed for patching are displayed. For example, UNIX or Apple assets will not be displayed. To view the patch status of an individual asset, select its information icon, i.

Select the sort criteria to display the relevant patches. You can type in the filter fields to further narrow your results. Optionally, you can select the View by: toggle to switch viewing from an assets perspective to a patches perspective.

[Screenshot: Filter Fields and Sort Criteria]

Select the desired patch to deploy (multiple selections are allowed using the <CTRL> and <Shift> keys), and then select. At the Approve Updates window, select the checkbox(es) to determine the applicable assets: a single Smart Group, multiple Smart Groups or all Smart Groups. Finally, use the drop-down menu to select the approval type. Note that if you select All Groups and a group already has approved patches, the menu changes to Keep existing approvals. This ensures that all previously approved patches will still be deployed at the scheduled time.

Not Approved vs. Decline

- Not Approved: Not approved for this group of assets, but keep the patch in the Not Installed list so you can select it later.
- Decline: Remove this patch from the Not Installed list so it is no longer an option to select for approval. The only way to see declined patches is to sort for Declined patches.
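The registry changes described in section 2 can be checked on an endpoint once its Smart Group has been enabled and the client has registered. The PowerShell below is an added example, not BeyondTrust's code: the value names are the standard Windows Update policy values under the two keys listed in section 2 (the guide does not say which of them Retina CS writes), and treating a plain-HTTP WUServer as a finding is this example's own policy choice.

```powershell
# Added example: read-only audit of the WSUS client policy on one endpoint.
# Value names are standard Windows Update Agent policy values; the guide names
# only the two keys, so which values Retina CS writes is an assumption.
function Get-WsusClientPolicy {
    param(
        # Hypothetical expected server URL, e.g. 'https://wsus.example.internal:8531'
        [string]$ExpectedServer
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # AUOptions values and the "Important Updates" choice each one corresponds to
    $modes = @{
        2 = 'Check for updates but let me choose whether to download and install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically'
    }
    $days = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

    $findings = @()
    if (-not $wu -or -not $au) {
        $findings += 'Policy keys missing: endpoint is not configured as a WSUS client'
    } else {
        if ($au.UseWUServer -ne 1) {
            $findings += 'UseWUServer is not 1: WUServer is ignored'
        }
        if ($wu.WUServer -ne $wu.WUStatusServer) {
            $findings += 'WUServer and WUStatusServer differ'
        }
        if ($wu.WUServer -notmatch '^https://') {
            $findings += 'WUServer is not an https:// URL (8531 is the HTTPS port option)'
        }
        if ($ExpectedServer -and $wu.WUServer -ne $ExpectedServer) {
            $findings += "WUServer points to '$($wu.WUServer)', expected '$ExpectedServer'"
        }
        if (-not $modes.ContainsKey([int]$au.AUOptions)) {
            $findings += "AUOptions '$($au.AUOptions)' matches none of the three options"
        }
    }

    $schedule = $null
    if ([int]$au.AUOptions -eq 4) {
        # ScheduledInstallDay: 0 = every day, 1-7 = Sunday-Saturday; ScheduledInstallTime: hour 0-23
        $schedule = '{0} at {1:00}:00' -f $days[[int]$au.ScheduledInstallDay], [int]$au.ScheduledInstallTime
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        WUServer  = $wu.WUServer
        Mode      = $modes[[int]$au.AUOptions]
        Schedule  = $schedule
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

Get-WsusClientPolicy | Format-List
```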

Reporting

Both Retina CS and Insight provide several patch report options. Reports can be patch or asset-centric and can be customized for specific Smart Groups and date ranges. Reports are navigable with built-in internal links and contain external links to resources such as relevant Microsoft KB postings. They can also be exported into several different formats such as PDF, Excel and XML. The following example is an Insight report showing all missing patches grouped by asset.

[Screenshot: Insight report of missing patches grouped by asset, with the callout "Select Link to Patch"]

Patch reports available in Retina CS:

- Approved Patches
- Installed Patches
- Required Patches

Patch reports available in Insight:

- Applied Patches by Month (Applied patches grouped by month)
- Patch (This report displays all the patches available for your network, which are possibly missing or not installed on your assets)

Standard Patch Deployment

[Sequence diagram between Retina, Client and WSUS: patch approved, check for approved, patch sent, patch installed, retrieve patch status, report patch status]

1. Patches are approved through the Retina CS GUI; consequently, they are marked as approved within WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart Group settings, the client may be notified that approved patches are available and then prompted to download and install them.
4. Patches are automatically installed per default settings. Optionally, per the Smart Group settings, the client may be notified that patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. Retina CS retrieves the current patch status from WSUS.

Certificate Distribution for Third Party Patching

[Sequence diagram between Retina, Client and WSUS: configure connection to WSUS, Generate button, request WSUS to generate a certificate, generates 3rd party certificate, retrieve copy of certificate, register Smart Group for patch, edit client registry, copy of cert to client]

1. From Retina CS, configure the connection to an existing WSUS server.
2. Select the Generate button. This sends a request to WSUS to create a certificate used for third party patching.
3. WSUS generates the certificate.
4. Retina CS retrieves the certificate.
5. Create or modify a Smart Group to enable patch management for the selected assets.
6. Retina CS edits the registry of each applicable asset in the Smart Group, configures it for WSUS and copies the third party certificate if applicable.

Third Party Patch Deployment

[Sequence diagram between Retina, Client and WSUS: 3rd party patches, check for approved, patches sent with cert., verify certificate, install patches, retrieve patch status, send patch status]

Third party patch deployment is nearly identical to the standard deployment of Microsoft patches, with the following changes:

3. Third party patches are sent to the client with the third party certificate that was generated during the WSUS server configuration.
4. The certificate from WSUS is verified against the existing certificate on the client that it received when its associated Smart Group was enabled for patch management. Trust is now established for third party patch deployment per Microsoft requirements.
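Step 4 succeeds only if the endpoint already trusts the WSUS-generated certificate, which can be checked before third party patches are approved. The PowerShell below is an added example, not BeyondTrust's code: the certificate file path is hypothetical (a .cer copy of the certificate WSUS generated), the 60-day expiry threshold is constructed, and the store and policy requirements are those of the Windows Update Agent for locally published updates rather than something this guide spells out.

```powershell
# Added example: check that an endpoint trusts the WSUS third party certificate.
# $CertificatePath is hypothetical: a .cer copy of the certificate WSUS generated.
function Test-WsusPublisherTrust {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,
        [int]$WarnDays = 60    # constructed threshold for the expiry warning
    )
    $file  = (Resolve-Path -Path $CertificatePath).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    # The Windows Update Agent installs locally published (non-Microsoft) updates only if
    # the signing certificate is in Trusted Publishers, a self-signed certificate is also
    # in Trusted Root Certification Authorities, and AcceptTrustedPublisherCerts is 1.
    $inPublisher = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
    $inRoot      = Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    $selfSigned  = ($cert.Subject -eq $cert.Issuer)
    $policy      = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $daysLeft    = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    $findings = @()
    if (-not $inPublisher) {
        $findings += 'Certificate is not in LocalMachine\TrustedPublisher'
    }
    if ($selfSigned -and -not $inRoot) {
        $findings += 'Self-signed certificate is not in LocalMachine\Root'
    }
    if ($policy -ne 1) {
        $findings += 'AcceptTrustedPublisherCerts is not 1: signed intranet updates are refused'
    }
    if ($daysLeft -lt 0) {
        $findings += "Certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    } elseif ($daysLeft -lt $WarnDays) {
        $findings += "Certificate expires in $daysLeft days"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        SelfSigned         = $selfSigned
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        NotAfter           = $cert.NotAfter
        InTrustedPublisher = $inPublisher
        InTrustedRoot      = $inRoot
        Findings           = $findings
        Trusted            = ($findings.Count -eq 0)
    }
}

# Usage (hypothetical path):
# Test-WsusPublisherTrust -CertificatePath 'C:\Temp\wsus-publisher.cer' | Format-List
```

Matching on the thumbprint rather than the subject name ensures the endpoint holds the same certificate WSUS currently signs with, not an older one with the same name.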

About BeyondTrust

BeyondTrust is a global cyber security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.