Patch management with WinReporter and RemoteExec



Similar documents
UserLock vs Microsoft CConnect

Using WinReporter to perform security audits on Windows TM networks

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Securing Your Network Environment. Software Distribution & Patch Management

Windows Operating Systems. Basic Security

Northwestern University Dell Kace Patch Management

How to Make Microsoft Security Patch Testing More Efficient

Patch Management Policy

HoneyBOT User Guide A Windows based honeypot solution

GFI White Paper PCI-DSS compliance and GFI Software products

NCIRC Security Tools NIAPC Submission Summary Microsoft Baseline Security Analyzer (MBSA)

BEST PRACTICES. Systems Management.

Patch management with GFI LANguard and Microsoft WSUS

SANS Top 20 Critical Controls for Effective Cyber Defense

AdminToys Suite. Installation & Setup Guide

Patch Management for Red Hat Enterprise Linux. User s Guide

Top Desktop Management Pain Points

ALTIRIS Patch Management Solution 6.2 for Windows Help

IT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS

Windows XP Service Pack 2 Windows Firewall Group Policy Setup for Executive Software Products

Streamlining Web and Security

How to Configure Double-Take on Microsoft Exchange Server

Implementing Security Update Management

Desktop Management for the Small Enterprise

System Management. What are my options for deploying System Management on remote computers?

Using Windows Update for Windows XP

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Novell. ZENworks Patch Management Design, Deployment and Best Practices. Allen McCurdy Sr. Technical Specialist

How to Configure Windows Firewall on a Single Computer

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Keeping Up To Date with Windows Server Update Services. Bob McCoy, CISSP, MCSE Technical Account Manager Microsoft Corporation

5nine Virtual Firewall 2.1 for Microsoft Hyper-V

Vulnerability Scanning and Patch Management

SAAS MADE EASY: SERVICE LEVEL AGREEMENT

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

LESSON Windows Server Administration Fundamentals. Understand Updates

Managed Service Plans

Information Security Services

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager. Install Guide. Idera Inc., Published: April 2013

Proactively Managing Servers with Dell KACE and Open Manage Essentials

End-user Security Analytics Strengthens Protection with ArcSight

HP Insight Diagnostics Online Edition. Featuring Survey Utility and IML Viewer

TIME TO LIVE ON THE NETWORK

Snow Inventory. Installing and Evaluating

VMware Mirage Web Manager Guide

IPLocks Vulnerability Assessment: A Database Assessment Solution

FREQUENTLY ASKED QUESTIONS

Desktop Authority and Group Policy Preferences

THE TOP 4 CONTROLS.

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

InventoryControl for use with QuoteWerks Quick Start Guide

High Availability for Exchange Server 5.5 Using Double-Take

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Computer Viruses: How to Avoid Infection

Information Technology Services

The software can be downloaded from the Spiceworks web site at:

Security Consultant Scenario INFO Term Project. Brad S. Brady. Drexel University

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Welcome to the QuickStart Guide

Audit Tools That Won t Break the Bank

Network and Host-based Vulnerability Assessment

Comodo MyDLP Software Version 2.0. Endpoint Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Upgrading Client Security and Policy Manager in 4 easy steps

VMware vcenter Update Manager Administration Guide

Patch management with GFI LanGuard and Microsoft WSUS

A Roadmap for Securing IIS 5.0

Microsoft Security Intelligence Report volume 7 (January through June 2009)

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Protecting Your Organisation from Targeted Cyber Intrusion

WHY PATCH MANAGEMENT MATTERS

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Security

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Best Practices. Understanding BeyondTrust Patch Management

XMap 7 Administration Guide. Last updated on 12/13/2009

Actualtests.C questions

How To Secure Your System From Cyber Attacks

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

Using WMI Scripts with BitDefender Client Security

Countermeasures against Spyware

Controlling Desktop Software Expenditures

Critical Security Controls

Microsoft Baseline Security Analyzer (MBSA)

Patch management with GFI LANguard N.S.S. & Microsoft WSUS

LANDESK SOLUTION BRIEF. Patch Management

Patch Management. Module VMware Inc. All rights reserved

New Lab Upgrading Vista to Windows 7 Brought to you by RMRoberts.com

Transcription:

White Paper Patch management with WinReporter and RemoteExec This white paper provides an overview on how to use WinReporter and RemoteExec in conjunction to keep Windows systems updated and immune to most attacks and malicious mobile code. TECHNOPÔLE IZARBEL - CRÉATICITÉ - BÂTIMENT A - BP 12-64210 BIDART (FRANCE) TEL. : +335.59.41.42.20 - FAX : +335.59.41.42.21 - info@isdecisions.com - www.isdecisions.com

The missing patch : Windows main vulnerability Vulnerability assessment is central to network security. Even though it is good practice to restrictively grant privileges to users, enable relevant auditing events, and disable unnecessary services, these one-time measures are not sufficient. New vulnerabilities are publicly reported on a daily basis, providing attackers with new means to compromise networks security. SANS/FBI s top 20 list (1) gives the most critical internet security vulnerabilities, and most of them can simply be fixed by applying the suitable update. As a result, patch management is an ongoing process consisting of scanning machines on the network for missing patches and deploying those patches quickly & efficiently. This has therefore become a key network administration task. Experience has too often shown that administrators fail to timely apply critical patches: as a consequence, worms (Code Red, SQL/Slammer, etc.) exploit known vulnerabilities, and quickly spread, putting the corporate survivability at risk. As a matter of fact, the CERT Coordination Center (2) has published vulnerabilities and incidents reported from 1995 to 2003: Two observations: first, both charts map each other, demonstrating the link between those metrics; secondly, the number of incident-vulnerabilities is very high & spiralling upwards all the time. This situation is mainly due to the fact that patch management is a time-consuming & daunting task. According to an Aberdeen Group s survey (3), security patch deployment for operating systems cost enterprises in excess of $2 billion in 2002, and the costs will continue to increase. (1) http://www.sans.org/top20/ SANS/FBI: The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus (2) http://www.cert.org/ (3) http://www.aberdeen.com/2001/research/06030015.asp Aberdeen Group, security perspective. Surfing the Security Patch Tidal Wave. 2

WinReporter and RemoteExec patch management philosophy So, there is no question about how crucial patch management is to ensure network security, as a computer is in a far better security state once it has been updated. However, there is an issue, as some updates can introduce incompatibilities with software used in production, and this can result in severe disruption to the business process. Therefore, there are 2 distinct approaches that administrators can take: The brute-force automation of patch deployment Microsoft s Automated Update is a good example. It promptly applies all upcoming updates. Microsoft provides a convenient feature to do that - all the end user has to do is enable the automatic update option. Although this alternative is convenient, administrators have to know how far they trust Microsoft updates The approach taken by WinReporter and RemoteExec This consists of thoroughly testing the latest updates on dummy computers that mirror servers and workstations used in production before any deployment. Arguably this is more time consuming, but it is also the safer way to prevent any subsequent problems. Information security is a trade off between convenience and assurance; WinReporter and RemoteExec have clearly made their choice: assurance. The core value of this approach is the ability to separate the analysis and the deployment processes, offering meaningful reports on the analysis side with WinReporter, and hands-free automation on the deployment side with RemoteExec. Additionally, these 2 software products offer some features that Windows Automatic Update badly lacks: WinReporter : scans selected computers looking for installed (or not) Service Packs, patches, and hotfixes edits meaningful reports to find out which updates are missing edits meaningful reports to build confidence in the network security state RemoteExec : deploys patches on Windows versions older than Windows 2000, namely NT 4.0 can deploy custom patches for third party software can deploy Windows Installer packages 3

WinReporter & RemoteExec : the winning team Scanning for updates with WinReporter WinReporter is a powerful scanning and reporting administrative tool. It remotely inventories software and device configuration as well as user settings, and provides administrators with 50 out-of-the-box reports to better manage ongoing corporate-wide patching activities. Additionally, administrators can create reports for management to demonstrate what systems have been patched, where missing patches may exist, and whether systems are in compliance with corporate standards. In the patch management context, WinReporter can both spot computers with missing updates, and provide an accurate picture of the updating state of computers. To detect vulnerable computers, WinReporter provides the following functionality: Reports > Windows NT > Services Packs & hotfixes Once there, administrators can easily spot outdated computers. WinReporter will detect all computers that match the query based on OS version, Service Pack, IE Version, IE Service Pack, and finally hotfixes. The displayed report lists all computers with missing updates; administrators will use this list as an input to update these computers with RemoteExec. There are two ways to handle update analysis with WinReporter : To detect all computers which match a hotfix configuration Reports > General > Generic Query, then select the hotfix table By doing this, the administrator will get a report listing all computers matching the query. To obtain a comprehensive report with the update state of the overall network Reports > General > Global report Go to the computers part of the report, check the very beginning of each computer part to find out the Service Pack level, and hotfix subpart to find out which hotfixes have been applied. In the configuration management scheme, it is important to be able to determine the computer configuration state at a given point in time, and this statement applies to the updating configuration. If anything goes wrong, this information might be useful in discovering a missing update that could have been the reason for the disaster, and can be used to restore the system to its previous state. 4

Remote updating with RemoteExec RemoteExec is a powerful generic remote administrative tool. Its functionalities range from remote reboot to remote program execution. Just bear in mind that RemoteExec can do much more than patch application. Although RemoteExec solely relies on administrators decision to deploy updates, the deployment is swift and straightforward. The first step is to retrieve the appropriate update from the developer s Web site. Then, install and perform a thorough set of tests in order to gain assurance that the tested update will not harm in any way the patched system. It is imperative to test all patches before rolling. Once tested, it can be sent automatically with a single click. It is worth noting that there are different kinds of updates, see Microsoft Guide to Security Patch Management (page 27) (4), each with their specific deployment process. There are 5 kinds of updates that RemoteExec can deal with: Service Packs and hotfixes for Operation Systems Service Packs and hotfixes for Internet Explorer Updates for Microsoft Office, *.msp files Few unusual Microsoft updates Third party software updates RemoteExec added value What distinguishes RemoteExec from usual patch management tools is the way it deploys patches. It easily deploys typical Microsoft updates, hotfixes, Services Packs, and so forth. Additionally, it can deploy all kind of executables, including the most weird third party software updates. In the rare cases where user input is needed, administrators can sent out a net send pop up to every user at once through the RemoteExec file execution tab. This is a definitive advantage on some patch management software that can just handle regular Microsoft updates. For higher assurance, RemoteExec clearly distinguishes between Operating System and Internet Explorer updates. Internet Explorer has been involved in numerous security-related vulnerabilities since 2000. Special attention should be directed to ensuring that Internet Explorer is properly patched. Internet Explorer inventory is necessary because there are so many different versions in use, each with its own vulnerabilities. Hence, in the RemoteExec GUI, Service Packs and hotfixes have specific fields for both Operating System and Internet Explorer. Other remarkable features of RemoteExec : RemoteExec does not need an Operating System with a minimum update level to work properly. RemoteExec does not need any third party software to operate unlike a number of competitors that need Microsoft IIS to deploy updates, or a dedicated server to work. RemoteExec patch deployment saves Internet bandwidth. It downloads all updates for clients to a local mirror, thus limiting external communication to the Internet and reducing the load of valuable external access while facilitates the enforcement of network restrictions. RemoteExec allows administrators to quickly fix an announced vulnerability. Say a new worm is rapidly spreading across the Internet, and that a given update has to be applied to protect systems - the question is, which machines on the system need the update. RemoteExec, allows you to detect all computers with the missing update in just one click, the next click will deploy the update on those machines. NB : Some utilities like Microsoft Baseline Security Analyzer (MBSA), take the process at reverse, first choose the computer, then list all applied updates. To quickly fix a specific hole, this is not a very convenient approach. (4) http://microsoft.com/downloads/details.aspx?familyid=73ac38b7-5826-421d-99e8-cdcc608b8992&displaylang=en The Microsoft Guide to Security Patch Management 5

WinReporter added value WinReporter empowers diligent patch management. Accurate and current knowledge of what is present in the environment is essential for maintaining a smooth-running patch management process. WinReporter hardware and software inventory retrieves specific information by default, such as computer drive information, video card attributes, and RAM amounts, as well as details of installed software and patches and other information that is required to support the end-toend patch management process. According to Microsoft (5), the reporting capabilities of Windows Update (WU) or System Update Server (SUS) range from poor to fair. The amount of information gathered by WinReporter is massive and easy to manage. WinReporter can also make the disaster recovery process easier. Keeping the latest configuration of computers is a wealthy source of information to rebuild a similar computer in order to quickly resume the normal business process. Deploying updates with RemoteExec Let us discuss how to deploy with RemoteExec each of the earlier mentioned updates in turn. Service Packs and hotfixes Service Pack and hotfixes deployment process for both Operation System and Internet Explorer is much the same: Right click action Type then check Hotfix/Update or Service Pack installation. Browse and select the update file. Most releases automatically fill the configuration fields of both action and Filter tabs; alternatively you can choose your own settings. Go to computers tab, select the computer set to be updated. Execute the deployment. Microsoft Office update from server location The Microsoft Office update deployment is somehow different assuming that Microsoft Office is installed from server location. Administrator has to update the server location file running the msiexec command. Then synchronize with RemoteExec (Update operation off the msi installation action)all networks computers with the server location file in order to complete the update process. A fully explained example is provided by Microsoft (5) (see Administrative Update section). Unusual Microsoft updates Microsoft sometimes releases updates that do not observe the standardized structure of hotfixes or Service Packs. Nevertheless, those updates can be applied in exactly the same fashion to regular updates. Third party software updates The deployment process for third party software updates is slightly different. Right click Action Type then check File Execution. Browse and select the update file. Administrator should contact the third party software editor in order to know which parameters to type for a seamless remote execution. (5) http://support.microsoft.com/default.aspx?scid=kb;en-us;q325671 The Microsoft XP Office updates deployment from server location (page 55) 6

Conclusion New breaches that endanger corporate networks are discovered daily. They might be introduced by the Operating System itself, by a software closely binding to the Operating System, or by third party software. Networks remain not updated mainly due to the fact that it is a cumbersome task. WinReporter quickly spots the computers needing an update, while RemoteExec boosts the deployment process whatever the update. Finally, WinReporter can create useful reports to determine the updating state of the network at a given point in time. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information