Securing Your Network Environment: Software Distribution & Patch Management
Ken Conrad, Chief Strategist, Microsoft Infrastructure Solutions, Analysts International

Overview
- Microsoft's Patch Management Components
- Patch Management Practices
- Update Tools: Manual vs. Managed
Customer Issues
- Poor customer communications, guidance, and training
- Inconsistent patching experience
- Too many patches!!
- Multiple, incomplete patch management tools
- Inconsistent patch quality

Microsoft's Patch Management Components
Improving Patching Experience
- Security Bulletin Severity Rating System
- Free Security Bulletin Subscription Service: http://www.microsoft.com/technet/security/bulletin/notify.asp

Rating / Definition / Customer Action
- Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action. Customer action: apply the patch or workaround immediately.
- Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. Customer action: apply patch or workaround as soon as is feasible.
- Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation. Customer action: evaluate bulletin, determine applicability, proceed as appropriate.
- Low: Exploitation is extremely difficult, or impact is minimal. Customer action: consider applying the patch at the next scheduled update interval.

More information at http://www.microsoft.com/technet/security/policy/rating.asp

Windows Security Update Process
When a new security update is released the following becomes available:
- An associated Security Bulletin
- An updated MSSecure.XML file for MBSA
- The Windows security patch via the Download Center and Windows Update
- A localized version of the security patch
- An updated catalog for Software Update Services
Patch Management Practices
Security is an Ongoing Effort
- Operates within a system of People, Process, and Technology
- Security will fail if not focused on all four of these components
- Prepare for Patch Management by:
  1. Evaluating your environment, risks, and needs
  2. Establishing goals and critical success factors
  3. Establishing process ownership
  4. Preparing for an emergency security response

You must:
- have an inventory
- have a baseline
- be able to determine when security patches are released
- be able to determine which are applicable
- know where patches need to go and how fast
- have a process to deploy
- automate as much as possible
- review and improve
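The inventory, baseline and applicability steps above, carried through as a small compliance check. This is an added example, not code from the presentation: the customer actions come from the severity-rating slide, while the deadline days, bulletin ids, host names and product names are constructed placeholders.

```python
# Baseline compliance check for the inventory / baseline / applicability /
# "how fast" steps. Added example, not part of the original presentation:
# actions follow the severity-rating slide; deadline days, bulletin ids,
# hosts and product names are constructed placeholders.
from dataclasses import dataclass, field
from datetime import date, timedelta

CUSTOMER_ACTION = {  # from the severity-rating slide
    "Critical": "Apply the patch or workaround immediately",
    "Important": "Apply patch or workaround as soon as is feasible",
    "Moderate": "Evaluate bulletin, determine applicability, proceed as appropriate",
    "Low": "Consider applying the patch at the next scheduled update interval",
}
DEADLINE_DAYS = {"Critical": 1, "Important": 7, "Moderate": 30, "Low": 90}  # assumed
RATING_ORDER = list(DEADLINE_DAYS)  # most urgent first

@dataclass
class Bulletin:
    bulletin_id: str       # placeholder ids such as "MS03-EXAMPLE-1"
    rating: str
    released: date
    applies_to: frozenset  # products the patch applies to

@dataclass
class Host:
    name: str
    products: frozenset
    installed: set = field(default_factory=set)  # bulletin ids already applied

def missing_patches(host, baseline):
    """Applicable baseline bulletins that this host has not installed."""
    return [b for b in baseline
            if b.applies_to & host.products and b.bulletin_id not in host.installed]

def compliance_report(hosts, baseline, today):
    """Per host: gaps ordered by severity, with action, due date and overdue flag."""
    report = {}
    for host in hosts:
        gaps = sorted(missing_patches(host, baseline), key=lambda b: RATING_ORDER.index(b.rating))
        rows = []
        for b in gaps:
            due = b.released + timedelta(days=DEADLINE_DAYS[b.rating])
            rows.append({"bulletin": b.bulletin_id, "rating": b.rating,
                         "action": CUSTOMER_ACTION[b.rating], "due": due, "overdue": today > due})
        report[host.name] = rows
    return report

# Constructed sample baseline and inventory.
BASELINE = [Bulletin("MS03-EXAMPLE-1", "Critical", date(2003, 7, 16), frozenset({"Windows 2000", "Windows XP"})),
            Bulletin("MS03-EXAMPLE-2", "Moderate", date(2003, 6, 4), frozenset({"IIS"})),
            Bulletin("MS03-EXAMPLE-3", "Low", date(2003, 5, 1), frozenset({"Windows XP"}))]
HOSTS = [Host("web01", frozenset({"Windows 2000", "IIS"}), {"MS03-EXAMPLE-2"}),
         Host("ws07", frozenset({"Windows XP"}))]
```

Running `compliance_report(HOSTS, BASELINE, date(2003, 7, 20))` shows web01 overdue on the Critical bulletin and ws07 missing two, so the report answers "which patches, where, and how fast" from the inventory alone.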
Evaluating and Installing Updates
- Subscribe to Microsoft Security Notification Service
  - Consumer: http://www.microsoft.com/security/security_bulletins/decision.asp
  - IT Professional: https://register.microsoft.com/regsys/pic.asp
- Configure test environments to expedite evaluation of updates
- Create criticality matrices for specific server roles
- Develop accelerated release-management processes for security-related updates
Environment Update Process
Prioritizing and Scheduling the Release
Tools
Third Party Tools (Product Name, Company Name, Company URL)
- Altiris Patch Management, Altiris, Inc., http://www.altiris.com
- BigFix Patch Manager, BigFix, Inc., http://www.bigfix.com
- Security Update Manager, Configuresoft, Inc., http://www.configuresoft.com
- Ecora Patch Manager, Ecora, Inc., http://www.ecora.com
- GFI LANguard Network Security Scanner, GFI Software, Ltd., http://www.gfi.com
- Service Pack Manager 2000, Gravity Storm Software, LLC, http://www.securitybastion.com
- LANDesk Patch Manager, LANDesk Software, Ltd., http://www.landesk.com
- Radia Patch Manager, Novadigm, Inc., http://www.novadigm.com
- PatchLink Update, PatchLink Corp., http://www.patchlink.com
- HFNetChkPro, Shavlik Technologies, http://www.shavlik.com
- UpdateExpert, St. Bernard Software, http://www.stbernard.com

Microsoft Solution Components
- Analysis Tools: Microsoft Baseline Security Analyzer (MBSA)
- Content Repositories: Windows Update, Windows Update Catalog, Office Update, Office Download Catalog, Microsoft Download Center
- Management Tools: Automatic Updates (AU) feature in Windows, Software Update Services (SUS), Systems Management Server (SMS)
- Prescriptive Guidance: Patch Management Process Guidance, Patch Management Using SUS, Patch Management Using SMS

Core Patch Management Capabilities (Windows Update / SUS 1.0 / SMS 2003)
- Supported Platforms for Content: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 / Win2K, WS2003, WinXP / NT 4.0, Win2K, WS2003, WinXP, Win98
- Supported Content Types: All patches & service packs (SPs) for the above / Only security, critical, & security rollup patches + SPs for the above / All patches, SPs & updates for the above; also supports patch, update & app installs for MS & other apps
- Granularity of Control Targeting Content to Systems: No / Basic / Advanced
- Network Bandwidth Optimization: No / Yes (for patch deployment) / Yes (for patch deployment & server synchronization)
- Patch Distribution Control: No / No / Yes
- Patch Installation & Scheduling Flexibility: Manual, end user controlled / Administrator (auto) or user (manual) controlled / Administrator control with granular scheduling capabilities
- Patch Installation Status Reporting: No / Limited (client install history & server based install logs) / Comprehensive (install status, result, and compliance details)
- Additional Software Distribution Capabilities: No / No / Yes
- Deployment Planning: No / No / Yes
- Inventory Management: No / No / Yes
- Compliance Checking: No / No / Yes
- Mobile Device Support: No / No / No
Windows Update
- A catalog of software updates organized in categories: system drivers, security fixes, critical updates
- Requires installation of scanning and download software
- Relies on MSSecure.XML and digitally-signed updates to evaluate and install updates
- Automatic Update Client released in version 2.2:
  - Day of week and time scheduling
  - Group Policy and Registry-based configuration
  - Control Panel changes
  - Pre-install and pre-reboot progress bars to admin
  - Event logging

Office Update
- Supports Windows NT 4.0 SP5 and above
- A catalog of software updates for Office 2000 and Office XP
- Administrators can download the following tools: Office Update Inventory Tool, Office Hotfix Installer, Windows Corporate Error Reporting Tool

Automatic Updates
- Available on Windows XP and Windows 2000 Service Pack 3 and higher
- Use Automatic Updates to apply security updates
- On Windows XP, Automatic Updates is configured in the property pages of the Control Panel's System applet
- Windows 2000 Service Pack 3 and higher adds the Automatic Updates applet to the Control Panel
MBSA: What it Does
(Process cycle: New Update, Assess, Acquire, Test, Deploy, Verify)
- Microsoft Baseline Security Analyzer helps assess the vulnerability of Windows systems
- Scans for missing security patches / updates and common security misconfigurations
- Scans local or multiple remote systems via GUI or command line invocation
- Scans various versions of Windows, IIS, IE, SQL, Exchange, and other Microsoft applications
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Works with SUS & SMS

MBSA: Benefits
- Automates identification of missing security patches & security misconfiguration
- Allows administrator to centrally scan a large number of systems simultaneously
- Works for broad range of Microsoft software (not just Windows and Office)
Update Tools - Managed
- Microsoft Software Update Services
- Software Update Services Feature Pack

SUS 1.0: What it Does
- Deploys Windows security patches, security rollups, updates, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed on target systems
- Provides basic patch installation logging information

SUS Benefits
- Gives administrators control over patch & update management
- Works with Group Policy to prevent installs of non-approved updates
- Allows staging & testing of updates before installation
- Simplifies & automates key aspects of the patch management process
- Ease of use alleviates difficulty of keeping supported systems up-to-date, reducing security risks

Client Component: Automatic Updates
- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Centrally configurable to prevent users from installing non-approved patches
- Can auto-download and install patches under admin control
- Allows chaining of patch installations to minimize reboots
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages
SMS 2003 Patch Management: What it Does (1)
- System scanning & patch content download
  - Content from Microsoft Download Center
  - MBSA & Office Update plug-ins scan for missing patches
  - Supports updating of remote & mobile devices
  - Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
- Administrator control
  - Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
  - Patches consumed only by SMS administrators via the deployment process (on demand)
  - Specific start and end times (change windows), rolling change windows
  - Easily merge patches from testing into production
  - Reference computer templates for baseline determination / compliance

SMS 2003 Patch Management: What it Does (2)
- Patch download & installation
  - Delta replication (site-site, server-server) of patches
  - Can use BITS for mobile / remote client-server
  - Can use SMB for LAN / priority situations
  - Reminders and rescheduling of install / reboot & enforcement dates
  - Optimized graceful reboots, but forced when enforcement date arrives
  - Per-patch reboot-needed detection to reduce reboots
- Status & Compliance Reporting
  - Deployment status as patches are attempted
  - Standard and customized reports through read-only SQL queries
  - Determine actual baselines in the environment before changing the environment
  - SLA measurement and rate-of-spread for "what's my ETA for this patch?"

SMS 2003 Patch Management: Benefits
- Gives administrators control over patch management
- Allows staging & testing of updates before installation
- Fine-grained control of patch management options
- Automates key aspects of the patch management process
- Can update a broad range of Microsoft products (not limited to Windows and Office)
- Can also be used to update third party software and deploy & install any software update or application
- High level of flexibility via use of scripting
Patch Management Guidance: What it Is
- Prescriptive guidance from Microsoft for effective patch management in enterprises
- Uses Microsoft Operations Framework (MOF)
- Based on ITIL* (de facto standard for IT best practices)
- Details requirements for effective patch management:
  - Technical & operational prerequisites
  - Operational processes & how technology supports them
  - Daily, weekly, monthly & as-needed tasks to be performed
  - Testing options
- Three patch management guidance offerings:
  - Microsoft Guide to Security Patch Management**
  - Patch Management using Software Update Services***
  - Patch Management using Systems Management Server***

*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology

Resource Overview
- Microsoft Security: http://www.microsoft.com/security
- SUS patch management Guide: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/swdist/pmsus/pmsusog.asp
- SMS Patch management Guide: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/swdist/pmsms/pmsmsog.asp
- Microsoft Webcast: http://www.microsoft.com/usa/webcasts/
- Microsoft Solutions for Management: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/default.asp
- Contacting Microsoft security: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/proddocs/default.asp
- Microsoft Security Notification Service: https://register.microsoft.com/regsys/pic.asp
2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.