Understanding BeyondTrust Patch Management


Best Practices WHITE PAPER
Understanding BeyondTrust Patch Management
February 2014

Contents

Overview
1 - Configure Retina CS
2 - Enable Patch Management for Smart Groups
3 - Identify and Approve Patches
Reporting
Standard Patch Deployment
Certificate Distribution for Third Party Patching
Third Party Patch Deployment
About BeyondTrust

Overview

Retina CS facilitates both Microsoft and third party patching by integrating with Microsoft Windows Server Update Services (WSUS). Retina CS utilizes WSUS as the patching engine and effectively becomes a management console to WSUS. This integration does not preclude you from using the WSUS/Update Server console plug-in independent of Retina CS; however, BeyondTrust recommends that patching be managed through Retina CS since all patch activity is recorded in the database.

Familiarity with the native functions and features of WSUS is necessary to fully understand the Retina CS integration. The native WSUS client is built into the Microsoft OS; however, it needs to be enabled and configured. In typical WSUS-only environments this is accomplished through GPOs. When using Retina CS, clients are enabled and configured through Retina CS.

The Retina CS configuration and patch deployment process is outlined in the following diagram:

1. Configure a Retina CS connection to an existing WSUS Server; Retina CS becomes a management console for WSUS.
2. Enable specific Smart Groups for patch management. This configures members of the Smart Group, i.e., the clients, for WSUS by making changes to the registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are then downloaded and installed.

These functions are detailed in the following three sections. Reporting, best practices and troubleshooting tips are also provided.

1 - Configure Retina CS

Create a Retina CS connection to an existing WSUS server by navigating to Configure Patch Management. Through a set of menus you will:

- Establish a connection to an existing WSUS server
- Determine which products and classifications to manage, including third party patches
- Define how often WSUS will synchronize with the Microsoft Update servers
- Generate a certificate necessary for 3rd party patching

WSUS Server Connection: Supply the connection and credential information to access the WSUS Server.

WSUS Server Port 80 is the default; however, if WSUS is on the same machine as Retina CS, which also uses port 80, Retina CS performance can suffer while updates/patches are being applied. In this case, select one of the alternative ports, 8530 or 8531 (HTTPS).

Products and Classifications: Identify the patches you want to manage by selecting items from the Products (left) and Classifications (right) drop-down lists. Third party products are located at the bottom of the Products drop-down list.

Synchronization Schedule: Set the Synchronization Schedule to determine how often WSUS checks with Microsoft Update servers for new patches. Per WSUS default settings, synchronization downloads the patch metadata, i.e., information about the patch, but not the patch itself. Patches are downloaded only AFTER they have been approved. When working with a new WSUS installation, the first synchronization can take up to several hours, depending on the number of items you have selected in the Products and Classifications section. If desired, you can view the synchronization progress by launching the native WSUS Update Services console.

Third Party Certificates are required for third party patching to establish trust between WSUS and the client. A self-signed certificate is created by selecting the Generate button. The following screenshot shows that a certificate has been generated.

2 - Enable Patch Management for Smart Groups

Enabling patch management for a Smart Group effectively configures all members of the Smart Group as WSUS clients and points them to the WSUS server configured in the previous section.

Within Retina CS, navigate to: Assets (tab) > Manage Smart Rules > New Rule <or edit an existing Smart Group> > Perform Actions > Enable for Patch Management. If creating a new rule, you will need to configure your asset selection criteria and then select Show assets as a Smart Group in the Perform Actions section, in addition to enabling the Smart Group for patch management.

Manage Credentials: Supply credentials with sufficient privileges to access the registry and install the certificate on the endpoint. Select from credentials you have already configured using the drop-down menu, or add new credentials using the Manage Credentials button to the right. These credentials are specific to patch management and are not related to credentials used for vulnerability scans or the WSUS server connection.

Important Updates: The drop-down menu provides three options. Your selection determines how Retina CS configures the client's registry and, consequently, client behavior.

- Install updates automatically (recommended): Client computers will poll the WSUS server at the specified day and time, and download any approved and relevant updates. Once downloaded, the client will automatically install the updates.
- Download updates but let me choose whether to install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and download any approved and relevant updates. Once updates are downloaded, notifications are sent to the System Log and to the notification area of the client. When a user clicks the notification icon, Automatic Updates displays the available updates. The user must then click Install to proceed.
- Check for updates but let me choose whether to download and install them: Client computers will poll the WSUS server at regular intervals, every hour by default, and determine if there are any approved updates. If updates are available, notifications are sent to the System Log and to the notification area of the client computer. When a user clicks the notification icon, they can choose to download the updates. When downloads are complete, another notification message indicates that updates are ready to install. The user can then click the Automatic Updates icon and then Install.

Every: <day> At: <time>: Select the day and time client computers will poll the WSUS server. The option to set day and time only appears for the Install updates automatically (recommended) option.

Retry registration of errored Patch Management assets: Select the check box to retry the registration if the initial registration attempt fails.

After selecting Save, the following occurs:

Retina CS contacts the client by one of three methods, listed in priority:

1. If the client has Blink or the Retina Protection Agent (RPA), v. 4.7 or greater, registry changes are facilitated via the Central Policy connection.
2. If the client does not have Blink or the RPA, registry changes are facilitated via the Remote Registry API. Remote Registry service must be enabled on the client. The supplied credentials must have permissions for Remote Registry.
3. If 1 & 2 fail, then registry changes are facilitated via Windows Management Instrumentation (WMI), a service running on the endpoint.

Retina CS uses the supplied credentials to access and edit the client's registry. The client is configured for WSUS and then pointed to the WSUS Server. All other relevant registry parameters are set, see:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

If applicable, Retina CS downloads the third party certificate to the client.

The client is now configured to poll WSUS for any approved updates; this is standard WSUS client behavior. Note that polling may not occur immediately and it may take up to 6 hours for WSUS clients to display as patch-enabled assets within Retina CS. For testing purposes, you can restart the Update Services service on the WSUS server; this will facilitate polling and populate WSUS with client information.

Smart Groups that have been patch management-enabled are identified in the Smart Groups browser pane.

You may find it desirable to create a Smart Group for patch testing and another for patch deployment on production systems.

3 - Identify and Approve Patches

Once patch management is configured, patch management for Smart Groups is enabled and clients have registered with the WSUS server, you can identify and approve patches within the Retina CS interface.

Approving patch updates for registered Smart Groups

Navigate to the Assets tab (1), select a patch-enabled Smart Group from the Smart Groups pane (2) and then select Patch (3). By default, all assets belonging to the Smart Group that can be managed for patching are displayed. For example, UNIX or Apple assets will not be displayed. To view the patch status of an individual asset, select its information icon, i.

Select the sort criteria to display the relevant patches. You can type in the filter fields to further narrow your results. Optionally, you can select the View by: toggle to switch viewing from an assets perspective to a patches perspective.

Select the desired patch to deploy (multiple selections are allowed using the <CTRL> and <Shift> keys), and then select. At the Approve Updates window, select the checkbox(es) to determine the applicable assets: a single Smart Group, multiple Smart Groups or all Smart Groups. Finally, use the drop-down menu to select the approval type. Note that if you select All Groups, and a group already has approved patches, the menu changes to Keep existing approvals. This ensures that all previously approved patches will still be deployed at the scheduled time.

Not Approved vs. Decline

Not Approved: Not approved for this group of assets, but keep the patch in the Not Installed list so you can select it later.

Decline: Remove this patch from the Not Installed list so it is no longer an option to select for approval. The only way to see declined patches is to sort for Declined patches.

Reporting

Both Retina CS and Insight provide several patch report options. Reports can be patch or asset-centric and can be customized for specific Smart Groups and date ranges. Reports are navigable with built-in internal links and contain external links to resources such as relevant Microsoft KB postings. They can also be exported into several different formats such as PDF, Excel and XML. The following example is an Insight report showing all missing patches grouped by asset.

Patch reports available in Retina CS:

- Approved Patches
- Installed Patches
- Required Patches

Patch reports available in Insight:

- Applied Patches by Month (Applied patches grouped by month)
- Patch (This report displays all the patches available for your network, which are possibly missing or not installed on your assets)

Standard Patch Deployment

[Diagram: Retina, Client, WSUS. Steps: Patch approved; Check for approved; Patch sent; Patch installed; Retrieve patch status; Report patch status]

1. Patches are approved through the Retina CS GUI; consequently, they are marked as approved within WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart Group settings, the client may be notified that approved patches are available and then prompted to download and install them.
4. Patches are automatically installed per default settings. Optionally, per the Smart Group settings, the client may be notified that patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. Retina CS retrieves the current patch status from WSUS.
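The polling and install behaviour in steps 2 to 4 is driven by the values under the two WindowsUpdate policy keys listed in section 2. The following audit script is an added example, not part of the white paper or BeyondTrust code: it maps the policy values to the three Important Updates options and flags settings that stop a client from following the flow. The value names (UseWUServer, WUServer, WUStatusServer, AUOptions and so on) are Microsoft's standard Windows Update policy values, which the paper does not list; that Retina CS writes exactly these is an assumption, and the host name is a placeholder.

```powershell
# Added example (not BeyondTrust code): audit the WSUS client policy values.
$WuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Microsoft's documented AUOptions values, matched to the option names in section 2.
$AuOptionName = @{
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$DayName = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

function Get-PolicyValues([string]$Path) {
    # Returns the key's values as a hashtable; empty if the key does not exist.
    $values = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) } }
    $values
}

function Test-WsusClientPolicy([hashtable]$Wu, [hashtable]$Au) {
    $findings = @()
    if ($Au['UseWUServer'] -ne 1)  { $findings += 'UseWUServer is not 1, so WUServer is ignored' }
    if ($Au['NoAutoUpdate'] -eq 1) { $findings += 'NoAutoUpdate is 1, so Automatic Updates is disabled' }
    if (-not $Wu['WUServer']) {
        $findings += 'WUServer is not set'
    } elseif ($Wu['WUServer'] -notmatch '^https://') {
        # Port 8531 is the HTTPS alternative named in section 1.
        $findings += "WUServer is not HTTPS: $($Wu['WUServer'])"
    }
    if ($Wu['WUServer'] -ne $Wu['WUStatusServer']) {
        $findings += 'WUStatusServer differs from WUServer'
    }
    $opt  = [int]$Au['AUOptions']
    $name = $AuOptionName[$opt]
    if (-not $name) { $findings += "AUOptions=$opt is not one of the three Smart Group options" }
    $schedule = $null
    if ($opt -eq 4) {
        # The day/time schedule only applies to automatic installation.
        $schedule = '{0} at {1:00}:00' -f $DayName[[int]$Au['ScheduledInstallDay']], [int]$Au['ScheduledInstallTime']
    }
    [pscustomobject]@{
        WUServer     = $Wu['WUServer']
        UpdateOption = $name
        Schedule     = $schedule
        Findings     = $findings
    }
}

# Constructed sample values (not from a real endpoint); wsus01.example.test is a placeholder.
$sampleWu = @{ WUServer = 'http://wsus01.example.test:8530'; WUStatusServer = 'http://wsus01.example.test:8530' }
$sampleAu = @{ UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
Test-WsusClientPolicy $sampleWu $sampleAu | Format-List

# On an endpoint, audit the live registry instead:
# Test-WsusClientPolicy (Get-PolicyValues $WuKey) (Get-PolicyValues $AuKey) | Format-List
```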

Certificate Distribution for Third Party Patching

[Diagram: Retina, Client, WSUS. Steps: Configure Connection to WSUS; Generate button; Request WSUS to generate a certificate; Generates 3rd party certificate; Retrieve copy of certificate; Register Smart Group for Patch; Edit client registry; Copy of cert to client]

1. From Retina CS, configure the connection to an existing WSUS server.
2. Select the Generate button. This sends a request to WSUS to create a certificate used for third party patching.
3. WSUS generates the certificate.
4. Retina CS retrieves the certificate.
5. Create or modify a Smart Group to enable patch management for the selected assets.
6. Retina CS edits the registry of each applicable asset in the Smart Group, configures it for WSUS and copies the third party certificate if applicable.

Third Party Patch Deployment

[Diagram: Retina, Client, WSUS. Steps: 3rd Party patches; Check for approved; Patches sent with cert.; Verify certificate, install patches; Retrieve patch status; Send patch status]

Third party patch deployment is nearly identical to the standard deployment of Microsoft patches, with the following changes:

3. Third party patches are sent to the client with the third party certificate that was generated during the WSUS server configuration.
4. The certificate from WSUS is verified against the existing certificate on the client that it received when its associated Smart Group was enabled for patch management. Trust is now established for third party patch deployment per Microsoft requirements.
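Step 4 only succeeds if the client already trusts the certificate it was given. The check below is an added example, not part of the white paper or BeyondTrust code. It assumes Microsoft's requirements for locally published updates, which the paper does not spell out: the self-signed certificate must be in the local machine Root and TrustedPublisher stores, and the AcceptTrustedPublisherCerts policy value must be 1. The thumbprint and certificate objects in the sample are constructed placeholders.

```powershell
# Added example (not BeyondTrust code): does this client trust the WSUS
# third party publishing certificate?
function Test-PublishingCertTrust {
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint, # recorded when the certificate was generated
        [object[]]$RootCerts = @(),        # contents of Cert:\LocalMachine\Root
        [object[]]$PublisherCerts = @(),   # contents of Cert:\LocalMachine\TrustedPublisher
        $AcceptTrustedPublisherCerts,      # value from the WindowsUpdate policy key
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30
    )
    # Normalise "aa bb cc" or "aa:bb:cc" style thumbprints to plain upper-case hex.
    $tp = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw 'Expected a 40-character SHA-1 thumbprint' }

    $findings = @()
    $stores = [ordered]@{ Root = $RootCerts; TrustedPublisher = $PublisherCerts }
    foreach ($name in $stores.Keys) {
        $cert = $stores[$name] | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if (-not $cert) {
            $findings += "Certificate missing from $name store"
            continue
        }
        if ($cert.NotAfter -lt $Now) {
            $findings += "Certificate in $name store expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
        } elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $findings += "Certificate in $name store expires within $WarnDays days"
        }
    }
    if ($AcceptTrustedPublisherCerts -ne 1) {
        $findings += 'AcceptTrustedPublisherCerts is not 1: locally signed updates are rejected'
    }
    [pscustomobject]@{ Thumbprint = $tp; Trusted = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: placeholder thumbprint and a stand-in certificate object.
$tp   = 'AA' * 20
$fake = [pscustomobject]@{ Thumbprint = $tp; NotAfter = (Get-Date '2014-02-15') }
Test-PublishingCertTrust -ExpectedThumbprint $tp -RootCerts $fake -PublisherCerts @() `
    -AcceptTrustedPublisherCerts 1 -Now (Get-Date '2014-02-01') | Format-List

# On an endpoint:
# $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
# Test-PublishingCertTrust -ExpectedThumbprint '<thumbprint from the WSUS server>' `
#     -RootCerts (Get-ChildItem Cert:\LocalMachine\Root) `
#     -PublisherCerts (Get-ChildItem Cert:\LocalMachine\TrustedPublisher) `
#     -AcceptTrustedPublisherCerts $wu.AcceptTrustedPublisherCerts
```

Because the certificate is self-signed, comparing against a thumbprint recorded at generation time is the meaningful check; there is no issuing chain to validate.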

About BeyondTrust

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in Carlsbad, California. For more information, visit beyondtrust.com.

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA SALES
Tel: + 44 (0) 8704 586224
emeainfo@beyondtrust.com

CORPORATE HEADQUARTERS
550 West C Street, Suite 1650
San Diego, CA 92101
1.800.234.9072

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
http://www.beyondtrust.com