Implementing Security Patch Management




Implementing Security Patch Management
Steve Riley, Product Manager, Security Business and Technology Unit, Microsoft Corporation
steriley@microsoft.com

The Ten Immutable Laws

Yes, immutable
- Distilled wisdom from successful patch management strategies worldwide
- About worldview and mindset
- Won't be discussing technologies or tools
- Microsoft uses these laws
  - To protect its own network
  - To guide parts of our Trustworthy Computing work

Patches are a fact of life
- Computer science is maturing rapidly, but perfection eludes us
  - System complexity
  - Extremely hostile threat environment
- Planning is the essential component of successful patch management
- The specifics of your plan matter less than the fact that you have a plan of some kind.

Security design model
[Diagram labels: Operations, Documentation, Implementation, Policy, Process, Technology]
- Start with policy
- Build process
- Apply technology

It does little good to patch a system that isn't secure
- The most dangerous security exposures don't involve code flaws
  - Weak passwords
  - Unattended systems
  - Insecure configurations
- A sound security policy is the first line of defense
  - Standardization
  - Control
  - Organizational buy-in

There is no patch for bad judgment
- The most dangerous security exposures don't involve code flaws
  - Sticky-pad syndrome
  - Opening mail attachments
  - Social engineering
  - Running untrustworthy code
- People are part of the network
  - Good news: properly configured, they are the most powerful security add-on you can have
  - Bad news: people are harder to configure than software

You can't patch what you don't know you have
Variables in the patch equation: Operating Systems, Applications, Service Packs, Configuration
- Enumeration: OK
- Record of State: Better
- Well-defined Standard Configurations: Best

The most effective patch is the one you don't have to apply
- Turn stuff off!
  - Code Red: IIS enabled on Windows 2000 server
  - Internet Printing Protocol, UPnP, ISAPIs
- Microsoft doing more to help

Smaller attack surface = better security
- Turn off unneeded services
- Install only needed applications and plug-ins
- Use least privilege
- Windows Server 2003 turns off over 20 services by default

A service pack covers a multitude of patches
- Patches too often treated as first line of defense
- Can hurt reliability, slow new system rollout
- Understand the Quality Curve
- Service Packs are extremely important
- Patches (Hotfixes) are interim measures
[Chart labels: Product Version, Service Pack, Rollup, Patch, Testing, Time]

All patches are not equal
- Applying every patch is typically a poor strategy
  - Irritate end users
  - Burnout patch management team
- Some patches are more important than others
  - Scrutinize the Mitigating Factors section of the bulletin
  - Understand the risk equation and the burden curve

Risk equation
Risk = (Access * Value) / Difficulty
Where:
- Access = Degree of access to an asset that an attacker could gain via the vulnerability
- Value = Value of the asset
- Difficulty = Difficulty of carrying out a successful attack

[Figure: ISO-Risk chart. Axes: Access, Difficulty. Regions: Critical, High, Moderate, Low. Plotted points: Blaster, Blaster with Mitigations.]
[Figure: Cost curve. Axes: Annualized cost, Time. Labels: Crisis deployment, Burden, Upgrade, Upgrade +1, Maintenance.]

Never base patching decisions on whether you've seen exploit code
- Published exploit code is an unreliable risk indicator
- Just because it hasn't been published doesn't mean it doesn't exist (or couldn't be written)
- Always assume that exploit code exists
- Defend your networking assets based on their value and the threat posed by the vulnerability

What happens until you wait for exploit code
Exploit | Attack | Patch issued | Days | Impact of attack
Blaster | 8/11/03 | 7/16/03 | 26 | Shortest time to worm yet
SQL Slammer | 1/25/03 | 7/24/02 | 185 | Infections doubled every 8.5 seconds
Bugbear | 9/30/02 | 5/16/01 | 502 | More than 2 million affected computers
Frethem | 7/17/02 | 5/16/01 | 427 | 12 variants in first 2 months of activity
Yaha | 6/22/02 | 5/16/01 | 402 | Intercepted in one of every 268 emails at peak
ElKern | 4/17/02 | 5/16/01 | 336 | Detected in more than 40 different countries
Klez | 4/17/02 | 5/16/01 | 336 | $9 Billion worldwide productivity loss
Badtrans | 11/24/01 | 5/16/01 | 192 | Messagelabs has seen 458,359 instances
Nimda | 9/18/01 | 10/17/00 | 336 | Spread worldwide in 30 minutes
Code Red | 7/19/01 | 6/18/01 | 31 | Infections doubled every 37 minutes

Everyone has a patch strategy, whether they know it or not
- Famous ineffective patching strategies:
  - Patch? What patch?
  - We're under attack! Deploy the patches!
  - Deploy the patch now, figure out what it's for later
- Your patch strategy should be part of your security policy
  - Define your overall risk stance
  - Document your strategy and tactics
  - Get senior management's buy-in!

Patch management is really risk management
- Patch management is not an end unto itself
  - Protect the right assets
  - Spend no more to protect them than they're worth
  - Harmonize with other security measures
- Patch management is one strategy among many for protecting business value
  - Needs to be considered as part of the corporate risk management strategy
  - Documented as part of the security policy
  - Vetted by executive management

What's Going On?

Addressing Customer Feedback
Customer feedback | Response
There are too many vulnerabilities and patches | Improve product quality; reduce patch frequency
I need to know the right way to run a Microsoft enterprise | Provide prescriptive guidance and training
The patching process is inconsistent | Improve the patching experience
There are too many incomplete overlapping tools | Enhance and integrate patch management tools
Patch quality is poor; reduce recalls, patch size, and reboots | Improve quality of patches

Patch Management Initiative Progress to Date (December 2003)
Informed and Prepared Customers
- Rationalized patch severity rating levels
- Better security bulletins and KB articles
- Security Readiness Kit; patch management guidance, etc.
Consistent and Superior Update Experience
- Standardized patch and update terminology
- Standardized patch naming and installer switch options*
- Installer consolidation plan in place; will go from ~8 to 2
- Reduced patch release frequency from 1/week to 1/month
Superior Patch Quality
- Improved patch testing process and coverage
- Expanded test process to include customers
- Reduced reboots by 10%; reduced patch size by up to 75%**
Best Patch and Update Management Solutions
- Developed patch and update management tools roadmap
- SUS 2.0 in development: significantly enhanced capabilities
- Released SMS 2003, which delivers expanded patch and update management capabilities
*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches

Patch Management Process

Security Vulnerability Life Cycle
[Timeline: Product ship, Vulnerability discovered, Component modified, Patch released, Patch deployed at customer site. Callout: Most attacks occur here]

Exploit Timeline
Days between patch and exploit code:
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25
The average is now nine days for a patch to be reverse-engineered
As this cycle keeps getting shorter, patching is a less effective defense in large organizations

Microsoft Severity Ratings
Rating | Definition
Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data or of the integrity or availability of processing resources
Moderate | Exploitation serious but mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
Low | Exploitation is extremely difficult, or impact is minimal
TechNet Security Bulletin Search: http://www.microsoft.com/technet/security/current.asp

Patching Timeframes
Severity Rating | Recommended Patching Time Frame | Maximum Recommended Time Frame
Critical | Within 24 hours | Within two weeks
Important | Within one month | Within two months
Moderate | Depending on expected availability, wait for next service pack or patch rollup that includes the patch or deploy the patch within four months | Deploy the software update within six months
Low | Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within one year | Deploy the software update within one year, or choose not to deploy at all

Factors Affecting Release Timeframes
Factor | Potential Impact
High-value or high-exposure assets affected | Decrease time frame
Assets historically attacked are affected | Decrease time frame
Mitigating factors in place or will be quickly put in place | Increase time frame
Low risk of exposure for affected assets | Increase time frame
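
The risk equation and the patching time frame tables above, combined into a small triage script that ranks outstanding patches and flags missed deadlines. This is an added example, not part of the original presentation; the 1-5 scoring scale, the factor names, the rule that a time-decreasing factor overrides a time-increasing one, and the EXAMPLE-00x ids, hosts and dates are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# (recommended, maximum) deployment time frames per severity rating,
# taken from the Patching Timeframes table.
TIME_FRAMES = {
    "Critical":  (("days", 1),    ("days", 14)),    # 24 hours / two weeks
    "Important": (("months", 1),  ("months", 2)),
    "Moderate":  (("months", 4),  ("months", 6)),
    "Low":       (("months", 12), ("months", 12)),  # maximum may also be "do not deploy"
}
# Assumed labels for the four factors in the release time frame table.
DECREASE = {"high_value_or_exposure", "historically_attacked"}
INCREASE = {"mitigations_in_place", "low_exposure"}


@dataclass(frozen=True)
class PendingPatch:
    bulletin: str      # placeholder id, not a real bulletin number
    host: str
    severity: str
    released: date
    access: int        # assumed 1-5 scale
    value: int         # assumed 1-5 scale
    difficulty: int    # assumed 1-5 scale
    factors: frozenset = frozenset()


def add_months(start, months):
    """Add calendar months, clamping the day (31 Oct + 4 months -> 29 Feb 2004)."""
    year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def risk(patch):
    """Risk equation, read here as (Access * Value) / Difficulty."""
    if patch.difficulty <= 0:
        raise ValueError("difficulty must be positive")
    return patch.access * patch.value / patch.difficulty


def deadline(patch):
    """Recommended time frame by default; the maximum only when every factor
    present lengthens the time frame (assumed tie-break rule)."""
    unknown = patch.factors - DECREASE - INCREASE
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    recommended, maximum = TIME_FRAMES[patch.severity]
    relaxed = bool(patch.factors & INCREASE) and not patch.factors & DECREASE
    unit, count = maximum if relaxed else recommended
    if unit == "days":
        return patch.released + timedelta(days=count)
    return add_months(patch.released, count)


def triage(patches, today):
    """Overdue items first, then highest risk.
    Returns (bulletin, host, risk, due date, overdue) tuples."""
    rows = [(p, deadline(p)) for p in patches]
    rows.sort(key=lambda row: (row[1] >= today, -risk(row[0]), row[1]))
    return [(p.bulletin, p.host, round(risk(p), 2), due, due < today)
            for p, due in rows]


# Constructed sample inventory: hosts, scores and dates are made up.
SAMPLE = [
    PendingPatch("EXAMPLE-003", "kiosk03", "Moderate", date(2003, 10, 31), 2, 2, 4),
    PendingPatch("EXAMPLE-001", "lab07", "Critical", date(2004, 1, 13), 5, 1, 4,
                 frozenset({"mitigations_in_place", "low_exposure"})),
    PendingPatch("EXAMPLE-002", "db02", "Important", date(2003, 12, 31), 4, 5, 2,
                 frozenset({"mitigations_in_place", "historically_attacked"})),
    PendingPatch("EXAMPLE-001", "web01", "Critical", date(2004, 1, 13), 5, 5, 1,
                 frozenset({"high_value_or_exposure"})),
]
TODAY = date(2004, 1, 20)

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(*row, sep="\t")
```

The same Critical bulletin gets a one-day deadline on the exposed web server and a two-week deadline on the mitigated lab host, which is the per-asset distinction the factor table describes.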

Successful Patch Management
- Processes: Consistent and Repeatable
- Technology: Products, tools, and automation
- People: Skills, roles, and responsibilities

Patch Management Process
1. Assess Environment to be Patched
   Periodic Tasks
   A. Create/maintain baseline of systems
   B. Assess patch management architecture
   C. Review infrastructure/configuration
   Ongoing Tasks
   A. Discover assets
   B. Inventory clients
2. Identify New Patches
   Tasks
   A. Identify new patches
   B. Determine patch relevance
   C. Verify patch authenticity and integrity
3. Evaluate and Plan Patch Deployment
   Tasks
   A. Obtain approval to deploy patch
   B. Perform risk assessment
   C. Plan patch release process
   D. Complete patch acceptance testing
4. Deploy the Patch
   Tasks
   A. Distribute and install patch
   B. Report on progress
   C. Handle exceptions
   D. Review deployment

Microsoft Patch Management Guide
http://www.microsoft.com/technet/security/topics/patch/secpatch/default.asp

Patch Management Tools

Choosing a Patch Management Solution
Customer Type | Scenario | Customer Chooses
Consumer | All scenarios | Windows Update
Small Business | No Windows servers | Windows Update
Small Business | Have one to three Windows servers and one IT administrator | SUS
Medium or Large Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows | SUS
Medium or Large Enterprise | Want single flexible patch management solution with extended level of control to patch and update (+ distribute) all software | SMS

Patch Management Solution
Customer Type | Scenario | Customer Chooses
Consumer | All scenarios | Windows Update
Small Business | No Windows servers | Windows Update
Patch management solution based on Protect Your PC:
1. Use an Internet firewall
2. Get computer updates
   - Operating system updates: Windows Update
   - Application updates: Office Update
3. Use up-to-date antivirus software
http://www.microsoft.com/protect

Windows Update How It Works: User-Initiated Access
1. User goes to Windows Update (WU) and selects Scan for updates
2. Client-side code (CC) in browser validates WU server and gets download catalog metadata
3. CC uses metadata to identify missing updates
4. User selects updates to install
5. CC downloads, validates, and installs updates
6. CC updates history and statistics information

Windows Update How It Works: Automatic Updates
1. AU checks the WU service for new updates (every 17-22 hours)
2. AU validates the WU server and gets Download Catalog metadata
3. AU uses metadata to identify missing updates
4. AU either notifies user or auto-downloads using BITS and validates new updates
5. AU either notifies user or auto-installs updates
6. AU updates history and statistics information

How to Use Windows Update
Automatic
1. Open System in Control Panel
2. Select Keep my computer up to date
3. On the Automatic Updates tab, click the option you want:
   - Notify me before downloading any updates and notify me again before installing them on my computer
   - Download the updates automatically and notify me when they are ready to be installed
   - Automatically download the updates and install them on the schedule that I specify
Note: Administrators can also centrally configure Automatic Updates through Group Policy
Manual
- Go to http://windowsupdate.microsoft.com, or select Windows Update from the Start menu

Windows Update Considerations
Windows Update does:
- Support all critical security updates
- Support all Windows versions from Windows 98 and above
Windows Update does not:
- Allow management of network bandwidth consumption
- Control how patches are distributed

Office Update
- Single location for Office patches and updates
- Automates scanning and installation for critical patches and updates
- Easy to use for consumers and home users
- All security patches and service packs available in binary delta or full-file versions

How to Use Office Update
1. Go to http://office.microsoft.com/officeupdate
2. Click Check for Updates
3. Install the Office Update Installation Engine (if not already installed)
4. Select the updates to install
5. Click Start Installation

Patch Management Solution
Customer Type | Scenario | Customer Chooses
Small Business | Have one to three Windows servers and one IT administrator | SUS
Medium or Large Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions of Windows | SUS
Patch management solution includes:
- MBSA
- Software Update Services (SUS)

MBSA Benefits
- Automates identification of missing security patches and security configuration issues
- Allows administrator to centrally scan a large number of systems
- Works with a broad range of Microsoft software

MBSA How It Works
1. Run MBSA on Admin system; specify targets
2. Downloads CAB file with MSSecure.xml and verifies digital signature
3. Scans target systems for OS, OS components, and applications
4. Parses MSSecure to see if updates are available
5. Checks if required updates are missing
6. Generates time-stamped report of missing updates
MSSecure.xml contains:
- Security bulletin names
- Product-specific updates
- Version and checksum info
- Registry keys changed
- KB article numbers
[Diagram labels: Microsoft Download Center, MSSecure.xml, MBSA Computer]

MBSA Default Scan Options
MBSA Graphical User Interface (Windows Application)
- Uses -baseline, -v, -nosum
- -baseline aligns with WU critical security updates
- Notes and warnings still shown by default
- Checksum checks not performed (to match WU)
MBSA Command-Line Interface (mbsacli.exe)
- Uses -sum
- Checksum checks performed
- Notes and warnings still shown by default
HFNetChk Scan (mbsacli.exe /hf)
- Uses -sum
- Checksum checks performed
- Notes and warnings still shown by default

How to Use MBSA
1. Download and install MBSA (once only)
2. Launch MBSA
3. Select the computer(s) to scan
4. Select relevant options
5. Click Start scan
6. Review the list of Windows Security Updates
7. Click the Result details link
8. Review the list of missing updates

MBSA Considerations
- MBSA scans for potential vulnerabilities with:
  - Passwords
  - IIS
  - User accounts
  - IE zones
  - Audit configuration
  - Office macros
  - Services
  - Outlook security
  - Anonymous enumeration
- Messages are displayed for patches that MBSA cannot confirm as installed
- MBSA checks for a registry key only to determine whether the patch is installed
- No patch data for non-security updates

SUS - Benefits
- Gives administrators control over patch and update management
  - Works with Group Policy* to prevent installation of nonapproved updates from Windows Update
  - Allows staging and testing of updates before installation
- Simplifies and automates key aspects of the patch management process
- Ease of use alleviates difficulty of keeping supported systems up-to-date, reducing security risks
*Note: Use of SUS does not require implementation of Active Directory or Group Policy

SUS How It Works
1. SUS server downloads updates
2. Administrator reviews, evaluates, and approves updates
3. Approvals and updates synced with child SUS servers
4. AU gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records installation history
[Diagram labels: Windows Update Service, Firewall, Parent SUS Server, Child SUS Server, Bandwidth Throttling]

SUS - Client Component
- SUS client is Automatic Updates
- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Can autodownload and install patches under admin control
- Consolidates multiple reboots to a single reboot when installing multiple patches
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages

SUS - Server Component
- Downloads updates from Windows Update
- Web-based administration GUI
- Security by design and default
- XML-based logging on Web server
- Supports geographically distributed organizations
- Localized in English and Japanese

SUS - MBSA Integration
- MBSA can perform a security update scan against approved updates on a specified SUS server
- Command-line execution:
    mbsacli.exe /sus http://mysusserver
    mbsacli.exe /hf /sus http://mysusserver

How to Use SUS
SUS Server:
1. Configure the SUS server at http://server/susadmin
2. Set SUS server synchronization schedule
3. Approve updates
SUS Client:
- Configure Automatic Updates on client to use SUS server
- Performed manually, using scripts or by using Group Policy

SUS Considerations
- Supports operating system updates only for Windows 2000 or later
- No targeting of patch deployments
- SUS client must be configured to pull updates from SUS server
- Centralized install status logging to Web server, but no predefined reports
- Use multiple SUS servers to supply differing sets of approved updates to groups of client computers

Patch Management Solution
Customer Type | Scenario | Customer Chooses
Medium or Large Business | Want single flexible patch management solution with extended level of control to patch and update (+ distribute) all software | SMS
Patch management solution includes:
- SMS 2003
- Or SMS 2.0 with SUS Feature Pack

SMS Benefits
- Gives administrators control over patch management
  - Staging and testing of updates before installation
  - Fine-grained control of patch management options
- Automates key aspects of the patch management process
- Can update a broad range of Microsoft products
- Can also be used to update third-party software and deploy and install any software update or application
- High level of flexibility via use of scripting

SMS What It Does
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs, and advertisements created/updated; packages replicated and programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates, scans clients, and deploys necessary updates
[Diagram labels: Microsoft Download Center, SMS Site Server, SMS Distribution Point, Firewall, SMS Clients]

SMS - MBSA Integration
- Scans SMS clients for missing security updates using MBSA CLI
  - Pushes mbsacli.exe to each client to do local scan (mbsacli.exe /hf)
  - Parses textual output of patch numbers
- SMS administrators can centrally distribute security updates to clients
- SMS 2.0 and SMS 2003 use MBSA 1.1.1

How to Use SMS
1. Open the SMS Administrator Console
2. Expand the site database
3. Right-click All Windows XP Computers and select All Tasks > Distribute Software
4. Create a new package and program
5. Browse to the patch to be deployed
6. Configure options for how and when the patch should be deployed on the client

SMS Considerations
- Limitations in detection capabilities are same as those for MBSA and Office Inventory Tool
- Command-line syntax for unattended installation of each update needs to be configured
- Microsoft Office patches require extraction to edit a settings file for unattended installation
- International updates must be obtained manually (Web page)

Best Practices
- Implement a patch management process
- Choose a patch management solution that meets your organization's needs
- Subscribe to the Microsoft Security Notification Service
- Make use of Microsoft guidance and resources
- Keep your systems up-to-date

Patch Management Solutions Selection Criteria
Adopt the solution that best meets the needs of your organization

Core Patch Management Capabilities
Capability | Windows Update | SUS 1.0 | SMS 2003
Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98
Supported Content Types | All patches, updates (including drivers), and service packs (SPs) for the above | Only security and security rollup patches, critical updates, and SPs for the above | All patches, SPs, and updates for the above; supports patch, update, and installs for MS and other applications

Granularity of Control
Capability | Windows Update | SUS 1.0 | SMS 2003
Targeting Content to Systems | No | No | Yes
Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment and server synchronization)
Patch Distribution Control | No | Basic | Advanced
Patch Installation and Scheduling Flexibility | Manual, end-user controlled | Admin (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities
Patch Installation Status Reporting | Assessing computer history only | Limited (client install history and server-based install logs) | Comprehensive (install status, result, and compliance details)

Patch Management Futures

Patch Quality and Experience
[Timeline: Q1 03 through Q4 04. Milestones shown:]
- Standard installer switches defined
- Standard naming and signing
- Up to 90% reduction in patch size*
- 30% reduction in patch reboots
- Add/Remove Programs improvements
- 75% reduction in patch size*
- Standard terminology for documentation
- 90% reduction in patch size
- Standard detection manifest
- MSI 3.0
- 2 Installers: MSI, Update.exe
- Patches and security bulletins released once a month
- Standard titles*
- Patch test process includes participating customers
- Standard registry entries
- Standard property sheet
MSI 3.0 supports uninstall, binary delta patching, etc.
Converge to two installers -- end of 2004
1/month patch delivery for nonemergency patches -- today
*For Add/Remove Programs, Windows Update, and Download Center

Patch Management Tools Road Map
- Windows Update + Office Update => Microsoft Update
- MBSA
  - MBSA 1.2 (Q4 2003): More products and locales; integrates Office Update Inventory Tool
  - MBSA 2.0 (Q2 2004): Scanning now part of SUS 2.0/Microsoft Update
- SUS
  - SUS 2.0 (Q2 2004): Adds reporting, targeting, rollback, bandwidth efficiency, and scripting capabilities
  - Single infrastructure for patch management
  - Support for more Microsoft products
- SMS 2003 Update Management Feature Pack (H2 2004)
  - Uses SUS for update scanning and download
  - Uses SUS client (Automatic Updates) for installs
- Longer-term (Longhorn time frame)
  - SUS integrated into Windows and supports all Microsoft software
  - SUS infrastructure can be used by third parties

The Administrator's Pledge
I pledge attention to the patches
Issued for the systems I run
And to the effort that patching takes
One network, now protected
With services and data for all

2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.