What exactly are "Windows Update" and "WSUS"? Van Hecke Vincent
Microsoft Patch Management Van Hecke Vincent
Topics: Terminology; How Microsoft fixes its software; Overview of technologies and products; Automatic Updates or WSUS?; WSUS; Extras: MBSA, ...
http://technet.microsoft.com/en-us/library/cc700845.aspx
http://support.microsoft.com/kb/824684
TERMINOLOGY
Important Security Terms
Vulnerability: Software, hardware, a procedural weakness, a feature, or a configuration that could be a weak point exploited during an attack. Also called an exposure.
Threat: A source of danger.
Attack: A threat agent attempting to take advantage of vulnerabilities for unwelcome purposes.
Countermeasure: Software configurations, hardware, or procedures that reduce risk in a computer environment. Also called a safeguard or mitigation.
Software Vulnerabilities
Buffer overrun (overflow): An unchecked buffer in a program that can overwrite the program code with new data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker.
Privilege elevation (escalation): Allows users or attackers to attain higher privileges in certain circumstances.
Validation error (source code): Allows malformed data to have unintended consequences.
Vulnerability Severity Ratings
Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
STRIDE Model of Threat Categories (1/2)
Spoofing identity: Illegally obtaining access and use of another person's authentication information, such as a user name or password.
Tampering with data: The malicious modification of data.
Repudiation: Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.)
STRIDE Model of Threat Categories (2/2)
Information disclosure: The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.
Denial of service: An explicit attempt to prevent legitimate users from using a service or system.
Elevation (escalation) of privilege: Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.
Threat Agents (1/3)
Virus: An intrusive program that infects computer files by inserting copies of self-replicating code, and deletes critical files, makes system modifications, or performs some other action to cause harm to data on the computer or to the computer itself. A virus attaches itself to a host program.
Worm: A self-replicating program, often malicious like a virus, that can spread from computer to computer without infecting files first.
Trojan horse: Software or e-mail that professes to be useful and benign, but which actually performs some destructive purpose or provides access to an attacker.
Threat Agents (2/3)
Mail bomb: A malicious e-mail sent to an unsuspecting recipient. When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious action on their computer.
Adware: Any software application or program in which advertising banners are displayed or pop-up windows appear while the program is running. Adware is considered "spyware" and is installed without the user's knowledge.
Threat Agents (3/3)
Spyware: Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.
HOW MICROSOFT FIXES ITS SOFTWARE
Microsoft is committed to protecting customers from security vulnerabilities. As part of this effort, Microsoft makes available periodic releases of software.
More info: Google "Trustworthy Computing"
MSRC Security Bulletin
OVERVIEW OF TECHNOLOGIES AND PRODUCTS
WU: Windows Update
MU: Microsoft Update
MOU: Microsoft Office Update
WSUS: Windows Server Update Services
SCCM: System Center Configuration Manager
MUC: Microsoft Update Catalog
Windows Update
Microsoft Update
Via an Office application
Via Windows Update
Comparison: Microsoft Update vs. Windows Update
The way back to Windows Update: once the Microsoft Update agent has been chosen, it stays active until the Windows Update agent is reinstalled.
Microsoft Office Update
Via Windows Update
The update process
The update process: types of updates
High priority: Critical updates, security updates, service packs, and update rollups.
Software (optional): Non-critical fixes for Windows programs.
Hardware (optional): Non-critical fixes for drivers and other hardware devices.
Express vs. Custom
Express (recommended): displays all high priority updates for your computer so that you can install them with one click. This is the quickest and easiest way to keep your computer up to date.
Custom: displays high priority and optional updates for your computer. You review and select the updates that you want to install, one by one.
The (unknown?) options
WSUS
Context
Context
Multiple WSUS servers
Advantages of WSUS: better management of Microsoft updates, especially in larger environments; reporting; possibly less traffic over the internet line when a central repository is used.
SCCM
SCCM is really the big brother of WSUS. The extra features in SCCM are: inventory management; advanced reporting; the ability to manage systems remotely.
SCCM
Microsoft Update Catalog
Windows Update Catalog
AUTOMATIC UPDATES OR WSUS?
The Microsoft way
Customer type: Large or Medium Enterprise. Scenario: The organization wants a single, flexible update management solution with an extended level of control that enables them to update (and distribute) all Windows operating systems and applications and also includes an integrated asset management solution. Customer choice: SCCM
Customer type: Large or Medium Enterprise. Scenario: The organization wants a solution for update management only that provides simple updating for Microsoft software, initially supporting Windows 2000 and later supporting Office 2003, Office XP, Exchange Server 2000 and later, SQL Server 2000 and later. Customer choice: WSUS
The Microsoft way
Customer type: Small Business. Scenario: The business has at least one Windows server and one IT administrator. Customer choice: WSUS
Customer type: Small Business. Scenario: All other scenarios. Customer choice: Microsoft Update or Windows Update
Customer type: Consumer. Scenario: All other scenarios. Customer choice: Microsoft Update or Windows Update
Automatic Updates
Best practice if Automatic Updates: install the Microsoft Update agent everywhere (so that all software gets updated).
WSUS: more capabilities; also requires maintenance; a server is needed.
WSUS
About WSUS
About WSUS
BITS = Background Intelligent Transfer Service
WSUS has reporting capabilities
WSUS can work in two ways: clients fetch the updates from WSUS, or clients fetch the updates from the internet
Command-line capabilities (wsusutil.exe)
Installation documentation: Step-by-step guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en
Installation
Installation: the port is 80 by default, but can be 8530.
Configuration: Firewall!
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
Configuration
Configuration: Groups
Configuration: the choice is yours:
Configuration: TIP
Configuration TIP: SSL? Do not store update files locally? Remote workers
More documentation: Operations Guide:
http://www.microsoft.com/downloads/details.aspx?familyid=66d250fa-670f-4a49-95ec-2FFDA7691F55&displaylang=en
WSUS Tips
WSUS Tips: Cloning machines
If a machine configured for WSUS is cloned (via Ghost, ...), the following registry keys must be removed:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
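The cloning tip as a repeatable script, added here as an example (not code from the slides). It deletes the policy key exactly as the slide says (group policy re-creates it on the next refresh) but, under the second key, removes only the client-identity values rather than the whole key, so other client state survives; the value names SusClientId and SusClientIdValidation are the standard Windows Update Agent identity values and are an assumption of this example, as is the use of wuauclt /resetauthorization /detectnow to force re-registration. Run it elevated on the clone, never on the master image that is still in use.

```powershell
# Added example, not from the original slides: reset a cloned client's WSUS identity.
# Assumptions: SusClientId / SusClientIdValidation are the identity values the
# WSUS server uses to tell clients apart; wuauclt is present (XP/2003/Vista/7 era).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-WsusClientId {
    # Returns the SusClientId this client reports to WSUS, or $null if none exists yet.
    # Two clones reporting the same value is the symptom the tip is about.
    $p = Get-ItemProperty -Path $clientKey -Name SusClientId -ErrorAction SilentlyContinue
    if ($p) { $p.SusClientId } else { $null }
}

function Reset-WsusClientIdentity {
    $before = Get-WsusClientId

    # The Automatic Updates service rewrites these values while it runs, so stop it first
    Stop-Service -Name wuauserv -Force

    # Narrower than deleting the whole key: drop only the identity values (assumed names)
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $clientKey -Name $name -ErrorAction SilentlyContinue
    }

    # The policy key is removed as the slide states; GPO writes it again on refresh
    if (Test-Path $policyKey) {
        Remove-Item -Path $policyKey -Recurse -Force
    }

    Start-Service -Name wuauserv

    # Pull the WSUS settings back from group policy, then force a fresh registration
    gpupdate.exe /target:computer /force | Out-Null
    wuauclt.exe /resetauthorization /detectnow

    New-Object PSObject -Property @{
        OldSusClientId = $before
        Note           = 'A new SusClientId is generated on the next detection cycle'
    }
}

Reset-WsusClientIdentity
```

Compare Get-WsusClientId across a few clones before running the reset: identical values confirm the problem, and after the next detection cycle each machine should show a distinct one and appear separately in the WSUS console.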
WSUS Tips: Forefront
Forefront uses WSUS for its updates, so the GPO setting determines how often new virus definitions are looked for. The default is 22 hours; it is best set to 1 hour. Enable the option "Allow automatic update immediate installation" so that the virus definitions are installed without having to set a schedule. Still set a (daily?) schedule for the product updates.
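A check for the Forefront tip above, added as an example (not from the slides): it reads the Automatic Updates policy values on a client and reports whether the detection frequency, the immediate-installation option and a schedule are set the way the tip recommends. The registry value names (DetectionFrequencyEnabled, DetectionFrequency, AutoInstallMinorUpdates, ScheduledInstallTime) are the documented Automatic Updates policy values; that they are the ones written by the two GPO settings named on the slide is an assumption of this example.

```powershell
# Added example, not from the original slides: audit the AU policy values that
# the Forefront tip depends on. Assumed mapping: "Automatic Updates detection
# frequency" -> DetectionFrequencyEnabled/DetectionFrequency (hours),
# "Allow Automatic Updates immediate installation" -> AutoInstallMinorUpdates.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-ForefrontUpdatePolicy {
    param([int]$WantedDetectionHours = 1)   # the slide recommends 1 hour

    if (-not (Test-Path $auKey)) {
        return @('No AU policy key: the client is not policy-managed, or GPO has not applied yet')
    }
    $au = Get-ItemProperty -Path $auKey
    $findings = @()

    # Without the policy the agent falls back to its default of 22 hours
    if ($au.DetectionFrequencyEnabled -ne 1) {
        $findings += 'Detection frequency not enforced by policy: the client uses the default of 22 hours'
    } elseif ($au.DetectionFrequency -ne $WantedDetectionHours) {
        $findings += "Detection frequency is $($au.DetectionFrequency) h, the tip recommends $WantedDetectionHours h"
    }

    # Definition updates need no reboot, so they qualify for immediate installation
    if ($au.AutoInstallMinorUpdates -ne 1) {
        $findings += '"Allow Automatic Updates immediate installation" is not enabled: definitions wait for the schedule'
    }

    # Product updates still need a schedule of their own
    if (-not $au.PSObject.Properties['ScheduledInstallTime']) {
        $findings += 'No scheduled install time is set for the remaining (product) updates'
    }

    if ($findings.Count -eq 0) {
        $findings = @("OK: detection every $WantedDetectionHours h, immediate installation on, install schedule present")
    }
    return $findings
}

Test-ForefrontUpdatePolicy
```

Run it on a Forefront client after a gpupdate; an empty finding list other than the OK line means the definitions will be picked up hourly and installed as soon as they arrive.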
WSUS Tips: Performance issues
svchost/msi performance issue: both KB927891 and the new 3.0 client are needed.
http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx
WSUS Tips: Client logging
Click Start, then click Run, type WINDOWSUPDATE.LOG and then click OK. Read the log from the bottom up. WindowsUpdate.log is the v6 version; Windows Update.log is the v4 version.
http://support.microsoft.com/kb/902093
WSUS Tips: 0x80072EE2, 0x80072F78, 0x80072F76, 0x80072EFD
KB 836941 - You receive an "Error 0x80072EE2" or "Error 0x80072EFD" error message when you try to use Windows Update. Fix: add the Windows Update Web sites to the Trusted Sites list.
WSUS Tips: 0x80070424
How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2 (KB 870700). This Windows Update error code is caused by unregistered DLL files for Windows Update or Internet Explorer. On Windows XP SP2 and later this may be resolved using the iexplore /rereg command.
WSUS Tips: 0x80244001 / 0x800A01AD
These Windows Update error codes can be caused by a damaged Windows XP XML subsystem. The first step to take is to re-register this component using the command regsvr32 msxml3.dll. If this does not resolve the issue, check for more recently updated MSXML Parser and MSXML components from the following link:
http://www.microsoft.com/downloads/results.aspx?productid=&freetext=msxml&displaylang=en
WSUS Tips: 0x800A01AE
When accessing the Update site, you receive the 0x800A01AE error. This issue may happen if the current session of Internet Explorer has cached an older version of Wuapi.dll. Re-register the Windows Update DLLs with the commands below. Click Start, click Run, type cmd, and then click OK. Type the following commands, pressing ENTER after each command:
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll
WSUS Tips: 0x80248011
This Windows Update error code is normally related to inconsistent or damaged information in the c:\windows\softwaredistribution folder. Stopping the Automatic Updates service, renaming the c:\windows\softwaredistribution folder to SDOLD and then restarting the Automatic Updates service is normally the fix for this issue. Note: renaming this folder will clear the display of previous successful and failed updates.
WSUS Tips: 0x800B0001
This Windows Update error code is related to 3 particular DLL files that are not registered in Windows correctly. Registering the following files with REGSVR32 normally fixes this issue: Softpub.dll, Mssip32.dll, Initpki.dll
WSUS Tips: 0x8024402C
This Windows Update error can be caused by a damaged installation of BITS and corrupted information in the SoftwareDistribution folder. The solution is normally to re-download the BITS updates (KB883357 and KB842773) from the Microsoft.com website, then stop the Automatic Updates service and rename the SoftwareDistribution folder to SDOLD. Reboot the computer and return to Windows Update.
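The error-code tips above share two repair steps (re-registering DLLs and resetting the SoftwareDistribution store) and all start from the same place, the client log. The script below, added as an example and not code from the slides, pulls the error codes out of a WindowsUpdate.log, maps the codes covered on these slides to their remedy, and wraps the two repairs as functions. The log lines in the sample are constructed for this example in the v6 log layout; stopping BITS alongside the Automatic Updates service before the rename is an addition of this example (the slide stops only Automatic Updates), since BITS keeps partial downloads in that folder.

```powershell
# Added example, not from the original slides. Run elevated on the client.

# Remedies as summarised from the WSUS tips on these slides
$knownCodes = @{
    '0x80072EE2' = 'Timeout reaching the update server: check proxy/firewall, add the Windows Update sites to Trusted Sites (KB 836941)'
    '0x80072EFD' = 'Connection refused: same checks as 0x80072EE2 (KB 836941)'
    '0x80070424' = 'Unregistered Windows Update / IE DLLs: iexplore /rereg (KB 870700)'
    '0x80244001' = 'Damaged MSXML subsystem: regsvr32 msxml3.dll, then update MSXML'
    '0x800A01AD' = 'Damaged MSXML subsystem: regsvr32 msxml3.dll, then update MSXML'
    '0x800A01AE' = 'IE cached an old wuapi.dll: Register-Dlls $wuDlls'
    '0x80248011' = 'Damaged SoftwareDistribution store: Reset-SoftwareDistribution'
    '0x800B0001' = 'Unregistered signing DLLs: Register-Dlls $sigDlls'
    '0x8024402C' = 'Damaged BITS + SoftwareDistribution: reinstall KB883357/KB842773, Reset-SoftwareDistribution, reboot'
}
$wuDlls  = 'wuapi.dll','wuaueng.dll','wuaueng1.dll','wucltui.dll','wups.dll','wups2.dll','wuweb.dll'
$sigDlls = 'softpub.dll','mssip32.dll','initpki.dll'

# Constructed sample (timestamp, PID, TID, component, message); newest entries are at the bottom
$sampleLog = @'
2009-06-10 09:15:02:420  892  a7c  Agent  ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2009-06-10 09:15:23:451  892  a7c  Misc  WARNING: WinHttp: SendRequestUsingProxy failed for <http://wsus01:8530/ClientWebService/client.asmx>. error 0x80072ee2
2009-06-10 09:15:23:451  892  a7c  PT  WARNING: PTError: 0x80072ee2
2009-06-10 09:15:23:451  892  a7c  Agent  * WARNING: Exit code = 0x80072EE2
2009-06-10 09:15:23:451  892  a7c  Agent  **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2009-06-10 11:02:17:100  892  b10  DtaStor  WARNING: Attempted to add URL for file with no associated update. Error 0x80248011
'@

function Get-WindowsUpdateErrors {
    param([string[]]$Lines)
    $pattern = '0x8[0-9A-Fa-f]{7}'   # WUA error codes look like 0x80072EE2
    $seen = @{}
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            # Upper-case the hex digits only; keep the lowercase 'x' so the table keys match
            $code = '0x' + $m.Value.Substring(2).ToUpper()
            if (-not $seen.ContainsKey($code)) {
                $remedy = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'Not covered by the tips; look the code up' }
                $seen[$code] = New-Object PSObject -Property @{ Code = $code; Count = 0; LastSeen = ''; Remedy = $remedy }
            }
            $seen[$code].Count++
            # Entries are appended, so the last match is the most recent occurrence
            if ($line.Length -ge 23) { $seen[$code].LastSeen = $line.Substring(0, 23) }
        }
    }
    $seen.Values | Sort-Object LastSeen -Descending
}

function Register-Dlls {
    param([string[]]$Names)
    foreach ($dll in $Names) {
        $path = Join-Path $env:windir "system32\$dll"
        if (-not (Test-Path $path)) { Write-Warning "$dll not present, skipping"; continue }
        # /s = silent; a non-zero exit code means DllRegisterServer failed
        $p = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$path`"" -Wait -PassThru
        if ($p.ExitCode -ne 0) { Write-Warning "regsvr32 failed for $dll (exit $($p.ExitCode))" } else { "$dll registered" }
    }
}

function Reset-SoftwareDistribution {
    $sd  = Join-Path $env:windir 'SoftwareDistribution'
    $old = Join-Path $env:windir 'SDOLD'
    if (Test-Path $old) { throw "$old already exists; remove or rename it before resetting again" }
    # Automatic Updates holds the datastore open; BITS holds partial downloads (BITS stop added here)
    Stop-Service -Name wuauserv -Force
    Stop-Service -Name bits -Force
    Rename-Item -Path $sd -NewName 'SDOLD'
    Start-Service -Name bits
    Start-Service -Name wuauserv
    # The folder is rebuilt on the next detection; the update history shown in the UI is gone (see the tip)
    wuauclt.exe /detectnow
}

# Triage the constructed sample; for a real client read the tail of the log instead:
# Get-WindowsUpdateErrors -Lines (Get-Content "$env:windir\WindowsUpdate.log" | Select-Object -Last 2000)
Get-WindowsUpdateErrors -Lines ($sampleLog -split "`r?`n") | Format-Table Code, Count, LastSeen, Remedy -AutoSize
```

Reading the log from the bottom up, as the tip says, is what the LastSeen sort reproduces: the newest code is listed first, so the remedy for the most recent failure is the one to try before the others.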
WSUS Tips: Client Firewalls Most third party firewalls such as Norton Personal Firewall block SVCHOST (Generic Host Process Win32) communication by default. This can cause issues with Windows Update as SVCHOST communication is required by the Windows Update client to connect to the Windows Update Servers on the internet.
WSUS Tips: Diagnostic tools
Client diag tool
Server diag tool
http://technet.microsoft.com/en-us/wsus/bb466192.aspx
WSUS Tips
To enable site tracing for a single visit to the Windows Update site, add &dev=true to the end of the URL, as in the example below:
http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en&dev=true
WSUS Tips: Backup?
WSUS Links
http://technet.microsoft.com/en-us/wsus/default.aspx
http://www.wsus.info/
http://blogs.technet.com/wsus/default.aspx
http://www.wsuswiki.com/
WSUS 3.0 SP2 Beta Overview New Windows Server and Client Version Support Integration with Windows Server 2008 R2 Support for Windows 7 client Support for the BranchCache feature on Windows Server 2008 R2
WSUS 3.0 SP2 Beta Overview WSUS Beta Feature Improvements and Fixes Auto-Approval Rules New functionality lets you specify the approval deadline date and time. You can now apply a rule to all computers or to specific computer groups. Cross-Version Compatibility The user interface is compatible between Service Pack 1 and Service Pack 2 for WSUS 3.0 on both the client and the server.
WSUS 3.0 SP2 Beta Overview Software Updates Stability and reliability fixes for the WSUS server, such as support for IPV6 addresses greater than 40 characters. The approval dialog now sorts computer groups alphabetically by group name. Computer status report sorting icons are now functional in x64 environments. Fixed setup issues with database servers running Microsoft SQL Server 2008.
EXTRAS
MBSA: Scan for vulnerabilities and look for patches
Malicious Software Removal Tool
Microsoft Security Assessment Tool
Microsoft Technical Security Notifications
http://technet.microsoft.com/nl-be/security/dd252948(en-us).aspx
END