Security Day, Madrid, 12 February 2004. Francisco Monteverde, Director of the Servers and Systems Business Division, Microsoft Ibérica.


Francisco Monteverde
Director of the Servers and Systems Business Division, Microsoft Ibérica

Security Day


Agenda

9:30 Welcome
9:40 Trustworthy Computing. Hector Sanchez, Director of Corporate Security
10:00 Update management. Claudio Vacalebre, Principal Security Consultant, MS EMEA
11:30 Coffee
12:00 Continuation
13:30 Cocktail
15:00 Security in Microsoft's corporate network. Carlos Lacuna, IT Manager, Microsoft Ibérica; Chema Alonso, Microsoft collaborator


IT Strategy
Proactive Patch Management
Part 1

Claudio Vacalebre
Principal Security Consultant
CISSP - ITIL

Microsoft EMEA Services


Agenda

Part 1
  PM Essentials
  PM Process
  PM Tools - On Line Services

Part 2
  Patch Management Tools
    MBSA
    SUS
    SMS
  Beyond Patching


Customer Feedback

Reduce Frequency, Quantity of Patches
Inadequate Communications, Guidance, and Training
Inconsistent Patching Experience
Multiple, Incomplete Patch Management Tools
Inconsistent Patch Quality


Improving The Patching Experience
Patch Enhancements

May 2004: 1 install experience for Windows, SQL, Office & Exchange 2000 & higher with MSI 3.0
May 2004: Patches behave the same including full roll-back
May 2004: 90% size reduction through delta patching
H1 2004: 30% fewer reboots on Windows Server 2003 through hot patching
End of 2004: All Microsoft patches behave same at installation and will be available in one place
Continuous code improvement
Monthly (from weekly) distribution (except in emergencies)
10% fewer reboots on Windows 2000 and higher
Reduced patch size by 35%
Delivered: SMS 2003: Complete patch management
Standard patch naming, standard installer switches.
Released updated guidance on “Patch Management Using SMS 2003” and “Patch Management Using SUS 1.0”
Integrated (multi-tool) guidance on Patch Management + technology specific prescriptive guidance on testing/patching


Patch Management Essentials


Security Terms

Term: Definition

Vulnerability: A software, hardware, procedural weakness, feature, or configuration that could be a weak point exploited during an attack. Also called an exposure.

Attack: A threat agent attempting to take advantage of vulnerabilities for unwelcome purposes.

Threat agent: The person or process attacking a system through a vulnerability in a way that violates your security policy.

Threat: A source of danger.

Countermeasure: Software configurations, hardware, or procedures that reduce risk in a computer environment. Also called a safeguard or mitigation.


Vulnerabilities

Term: Definition

Buffer overrun: An unchecked buffer in a program that can overwrite the program code with new data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker.

Privilege elevation: Allows users or attackers to attain higher privileges in certain circumstances.

Validation flaw: Allows malformed data to have unintended consequences.


Threat categories - STRIDE model

Term: Definition

Spoofing identity: Illegally obtaining access and use of another person's authentication information, such as a user name or password.

Tampering with data: The malicious modification of data.

Repudiation: Associated with users who deny performing an action, yet there is no way to prove otherwise. Nonrepudiation refers to the ability of a system to counter repudiation threats (such as signing for a received parcel so that the signed receipt can be used as evidence).

Information disclosure: The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.

Denial of service: An explicit attempt to prevent legitimate users from using a service or system.

Elevation of privilege: Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.


Threat Agents

Term: Definition

Virus: An intrusive program that infects computer files by inserting copies of self-replicating code and deleting critical files, makes system modifications, or performs some other action to cause harm to data on the computer or to the computer itself. A virus attaches itself to a host program.

Worm: A self-replicating program, often malicious like a virus, that can spread from computer to computer without infecting files first.

Trojan horse: Software or e-mail that professes to be useful and benign, but which actually performs some destructive purpose or provides access to an attacker.

Mail bomb: A malicious e-mail sent to an unsuspecting recipient. When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious action on their computer.

Attacker: A person or organization carrying out an attack.


Define a condition and consequence risk statement for each threat

The effort represents the skills required for an attacker to take advantage of the exploit

The criticality factor is the level of potential exploit of the threat to an asset

The threat probability is the probability of a possible threat agent entering your environment

Decide how big of a risk the vulnerability will be to an asset

Determine the asset priority ranking of each company asset based on company criteria

This is the criticality factor divided by effort

Determine the threat frequency level using the equation (TP × RF)


Determine the impact factor (IF) using the equation (VF × AP)

Determine the exposure factor (EF) using the equation (Threat Frequency Level × Impact Factor divided by 1,000)


Relationships

[Diagram. Nodes: Threat Agent, Threat, Vulnerability, Risk, Exposure, A$$et, Countermeasures, Attack. Arrow labels: Give rise to, Exploit, Leads to, Can damage, and cause an, Mitigated by, When a.]


Asset Valuation and Risk Analysis

Asset Values (AV)
Exposure Factors (EF)
Monetary Losses (FDI & FII)
Single Loss Expectancy (SLE)
Annualized Loss Expectancy (ALE)
Value of Safeguard to Company (VSC)
Final Report


VSC - Examples


Asset Valuation, Risk Exposure and Value of Safeguard
An Example


Software Update Terminology (1)

Term: Definition

Security Patch: A broadly released fix for a specific product addressing a security vulnerability. A security patch is often described as having a severity, which actually refers to the MSRC severity rating of the vulnerability that the security patch addresses.

Critical Update: A broadly released fix for a specific problem addressing a critical, non-security related bug.

Update: A broadly released fix for a specific problem addressing a non-critical, non-security related bug.

Hotfix: A single package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation, are only available through a support relationship with Microsoft, and may not be distributed outside the customer organization without written legal consent from Microsoft.


Software Update Terminology (2)

Term: Definition

Update rollup: A collection of security patches, critical updates, updates, and hotfixes released as a cumulative offering or targeted at a single product component, such as Microsoft Internet Information Services (IIS) or Microsoft Internet Explorer. Allows for easier deployment of multiple software updates.

Service pack: A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features. Service packs are broadly distributed and tested by Microsoft more than any other software updates.

Integrated Service Pack: The combination of a product with a service pack in one package.

Feature Pack: A new feature release for a product that adds functionality. Usually rolled into the product at the next release.


Language Abbreviation Reference: http://www.microsoft.com/globaldev/reference/winxp/langtla.mspx

Naming Standards – OS (1)
for Windows Software Update Packages

It creates consistency across Microsoft hotfix packages.

It makes it easier to search for hotfix packages and Knowledge Base articles.

It clearly identifies the language of a hotfix package and the intended operating system, when applicable.


Naming Standards – OS (2)
for Windows Software Update Packages

ProductName-KBArticleNumber-Option-Language.exe

WindowsXP-KB828035-x86-FRA.exe
WindowsXP-KB828035-ia64-DEU.exe
WindowsNT4Server-KB828035-x86-SVE.exe
Windows2000-KB828035-x86-ITA.exe
WindowsServer2003-KB828035-x86-ENU.exe
WindowsServer2003-KB828035-ia64-JPN.exe

Naming Schema can be found searching for KB816915 or at http://support.microsoft.com/default.aspx?scid=kb;en-us;816915
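
An added example, not part of the original slides: a Python sketch that parses package names in the ProductName-KBArticleNumber-Option-Language.exe form and audits a patch share for non-conforming names and missing architecture/language variants. The function names (parse_package, audit, missing_variants) and the last three file names in the sample are assumptions constructed for illustration; the first six names are the ones on the slide.

```python
import re
from collections import defaultdict

# Option and language values seen in the slide's six sample names. Any other
# value that still fits the pattern is flagged for review, not rejected
# (a choice made for this example).
KNOWN_OPTIONS = {"x86", "ia64"}
KNOWN_LANGUAGES = {"FRA", "DEU", "SVE", "ITA", "ENU", "JPN"}

# ProductName-KBArticleNumber-Option-Language.exe
PACKAGE_RE = re.compile(
    r"(?P<product>[A-Za-z0-9]+)"
    r"-KB(?P<kb>[0-9]+)"
    r"-(?P<option>[A-Za-z0-9]+)"
    r"-(?P<language>[A-Za-z]{3})"
    r"\.exe",
    re.IGNORECASE,
)

SAMPLE_NAMES = [
    # From the slide
    "WindowsXP-KB828035-x86-FRA.exe",
    "WindowsXP-KB828035-ia64-DEU.exe",
    "WindowsNT4Server-KB828035-x86-SVE.exe",
    "Windows2000-KB828035-x86-ITA.exe",
    "WindowsServer2003-KB828035-x86-ENU.exe",
    "WindowsServer2003-KB828035-ia64-JPN.exe",
    # Constructed for this example
    "patch_828035_final.exe",            # does not follow the scheme
    "WindowsXP-KB828035-x86.exe",        # language field missing
    "Windows2000-KB828035-x86-ZZZ.exe",  # language code not in the known set
]


def parse_package(path):
    """Return the four name fields as a dict, or None if the name does not conform."""
    name = re.split(r"[\\/]", path)[-1]  # accept Windows or POSIX style paths
    m = PACKAGE_RE.fullmatch(name)
    if m is None:
        return None
    return {
        "product": m.group("product"),
        "kb": m.group("kb"),
        "option": m.group("option").lower(),
        "language": m.group("language").upper(),
    }


def audit(paths):
    """Sort names into non-conforming, needs-review, and per-KB variant coverage."""
    report = {"nonconforming": [], "review": [], "coverage": defaultdict(set)}
    for path in paths:
        fields = parse_package(path)
        if fields is None:
            report["nonconforming"].append(path)
            continue
        if fields["option"] not in KNOWN_OPTIONS:
            report["review"].append((path, "option", fields["option"]))
        if fields["language"] not in KNOWN_LANGUAGES:
            report["review"].append((path, "language", fields["language"]))
        key = (fields["product"], fields["kb"])
        report["coverage"][key].add((fields["option"], fields["language"]))
    return report


def missing_variants(report, product, kb, required):
    """List the (option, language) pairs the fleet needs that are not on the share."""
    have = report["coverage"].get((product, kb), set())
    return sorted(set(required) - have)


if __name__ == "__main__":
    result = audit(SAMPLE_NAMES)
    print("Non-conforming:", result["nonconforming"])
    print("Needs review:", result["review"])
    needed = [("x86", "FRA"), ("x86", "ENU")]
    print("Missing for WindowsXP KB828035:",
          missing_variants(result, "WindowsXP", "828035", needed))
```

Run before a deployment, a check like this catches a share that lacks the package for an architecture or language present in the inventory.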


Determining Urgency of Vulnerabilities

Rating: Definition

Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.

Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.


Determining Urgency of Vulnerabilities

Rating: Recommended Patching Timeframe

Critical: Within 24 hours

Important: Within 1 month

Moderate: Depending on expected availability, wait for next service pack or patch rollup that includes the patch or deploy the patch within 4 months

Low: Depending on expected availability, wait for next service pack or patch rollup that includes the patch or deploy the patch within 1 year

Factors Impacting Release Timeframes

Factor: Potential Impact

High value or high exposure assets impacted: Decrease timeframe

Assets historically attacked are impacted: Decrease timeframe

Mitigating factors in place or will be quickly put in place: Increase timeframe

Low risk of exposure for impacted assets: Increase timeframe


The Importance of Proactive Security Patch Management

[Chart: Days between patch release and exploit]

Nimda: patch released March 2001, vulnerability exploited October 2001, 210 days
Slammer: patch released July 2002, vulnerability exploited January 2003, 180 days
Blaster: patch released July 2003, vulnerability exploited August 2003, 25 days


Patch & Update Management
Good Process is Key to Success

[Chart. Axes: "Usage & Quality of Security and Patch Management Processes" and "Use of Patch Management Tools"; scale labels: None, High. Quadrant labels: Very Painful, Moderately Painful, Least Painful, Very Painful.]


Security is an Ongoing Effort

Operates within a system of People, Process, and Technology

Security will fail if not focused on all three of these components


Patch Management Process


Points about Patching

For successful patch management in a distributed IT environment consider:

How to stay aware of new patches and fixes.

Whether it is necessary to apply a particular patch.

The system-wide impact of installing a patch.

What specifically a patch will change.

If a patch can be removed, once installed.

Dependencies between components in the production environment and the impact of applying a patch to one of those components.

How to evaluate the success of a patch installation.

The possible scenarios for restoring a patched environment.


Patch Management Process

[Cycle diagram: 1. Assess, 2. Identify, 3. Evaluate & Plan, 4. Deploy]

1. Assess Environment to be Patched

Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review Infrastructure/configuration

Ongoing Tasks
A. Discover Assets
B. Inventory Clients

2. Identify New Patches

Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: installs on isolated system)

3. Evaluate & Plan Patch Deployment

Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing

4. Deploy the Patch

Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment


Patch Management Process
1. Assess

Has anything changed in production?
  New operating systems and applications
  Changes to network or management infrastructure

How can you be notified about new patches?

Accurate and up-to-date inventory information is essential to the process

Is the management infrastructure able to support patch management?


Evaluating and Installing Updates

Subscribe to Microsoft Security Notification Service
  Consumer: http://www.microsoft.com/security/security_bulletins/decision.asp
  IT Professional: https://register.microsoft.com/regsys/pic.asp

Configure test environments to expedite evaluation of updates

Create criticality matrices for specific server roles

Develop accelerated release-management processes for security-related updates


Patch Management Process: 2. Identify

- Which systems need to be patched?
- Do all systems need to be patched with the same level of priority?
- Which systems are most vulnerable?
- Which systems need to be quarantined until the patch is applied?
- Which systems have additional dependencies and testing requirements?


Patch Management Process: 3. Evaluate & Plan

- Need to test the patch before deployment
  - Important to ensure that business critical functions still work
  - Amount of testing will depend on risk
- Use change management process to ensure all parties agree with need to deploy
  - If critical, use an expedited process!


Patch Management Process: 3. Evaluate & Plan

- Consider how & when to install the patch
  - Installation process may differ for server and desktop devices
  - Need to consider outage windows and business continuity
  - Need to consider how to patch mobile clients and clients connecting across slow or unreliable networks
  - Can the patch be combined with other changes to minimize down time…


Patch Management Process: 4. Deploy

- Production environment needs to be prepared for new patches
  - Administrators/users will need to be informed of possible downtime
  - Possible training to assist support desk
  - Program and advertisements imported from test environment
  - Distribution points checked to confirm presence of patch and associated binaries


Patch Management Process: 4. Deploy

- Monitor patch distribution
  - Check progress and deal with exceptions
- Releasing patches to mobile clients and slow connections
  - Size of patch may be a significant issue
  - Options include forcing mobile clients into the office or distributing across the network


Patch Management Process: Roles and Responsibilities

- People need to have defined roles and responsibilities
- Perform daily, weekly, monthly, and as-needed tasks
  - Audit server production environment (daily)
  - Check for new information sources (monthly)
  - Review new patch notifications (as needed)


Security Patch Management: 14 High Level Steps

1. Define a Security Patch Management Policy sponsored by Senior Management
2. Build a Team responsible to manage the process
3. Identify tools and architecture
4. Assess environment and update CMDB
5. Stay tuned – Notification services
6. Keep your patch repository up to date
7. Test all patches - go/no go decisions
8. Plan for deployment
9. Deploy Pilot then Production
10. Monitor critical systems
11. Re-Assess environment
12. Report results
13. Update your baseline (bi-monthly)
14. Go to point 4


New Installations

- New installs need full set of patches for protection
- Slipstreaming into base images
  - Complements other methods
  - Provides base install with needed patches for new machines, rebuilds, etc.
  - Must be integrated into existing OS build process


Slipstreaming Patches

- MS and vendors don’t ship machines this way
  - Cost, speed, supportability issues
- Result: new installs are vulnerable until patched
- Slipstreaming builds patches into the installation image
- Assumes that you have standard OS build


Slipstreaming Patches

- Basic process
  - Copy installation files from CD to source
  - Apply latest service pack with -s switch
  - Prepare the post-SP patches
  - Update the svcpack.inf and dosnet.inf files


Integrated Service Pack

[Diagram labels: Slipstreaming, SP, HotFix]


Slipstreaming Patches: Copy installation files

- Be sure to use appropriate flags to copy subdirs, etc.
  - XCOPY /E /I /V /S is your friend
  - If you’re creating a bootable disk, use your favorite imaging tool to create the image


Slipstreaming Patches: Apply the latest service pack

- Two methods
  - Extract the files manually by using -x switch
  - Extract files automatically with -s:fileDir
- Resulting slipstreamed install can be used for clean installations
  - Service pack cannot be removed after installation


Slipstreaming Patches: Prepare the patches

- Inventory the set of patches you want
- Create a directory for the patches beneath i386 in the distribution tree
- Rename the hotfixes using 8.3 names
  - Q323255_WXP_SP2_x86_ENU.exe becomes Q323255.exe
- Expand each hotfix to a temp dir
  - Q323255.exe -x c:\temp
- Move the hotfix files


Slipstreaming Patches: Update the svcpack.inf file

- Create a new file, including each hotfix in the appropriate sections
  - ProductCatalogsToInstall: put .cat files here
  - SetupHotfixesToRun: put .exe files here
  - List the files in numerical order!
- Add Qchain.exe to the end of SetupHotfixesToRun section


Slipstreaming Patches: Update the dosnet.inf file

- Add your patch directory to OptionalSrcDirs
  - Just directory name, since it’s under i386 already
- Add names of hotfix files to ForceCopyDriverCabFiles
  - But only add files that aren’t already there!
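The svcpack.inf and dosnet.inf rules from the slipstreaming slides, worked through as an added Python example that is not part of the original deck: 8.3 renaming, numerical ordering, Qchain.exe last, and adding only entries that are not already present. Only Q323255 comes from the slides; the other hotfix numbers, the .cat and file names, the directory name svcpack and the one-entry-per-line layout of the two dosnet.inf sections are assumptions, and only the sections the slides name are produced.

```python
import re

# Constructed sample input. Only Q323255 appears on the slides; the other
# hotfix numbers, the .cat names and the file names are made up.
DOWNLOADED = [
    "Q323255_WXP_SP2_x86_ENU.exe",
    "Q99999_WXP_SP2_x86_ENU.exe",
    "Q100002_WXP_SP2_x86_ENU.exe",
]
CATALOGS = ["Q323255.cat", "Q99999.cat", "Q100002.cat"]
EXISTING_DOSNET = """\
[OptionalSrcDirs]
lang            ; constructed entry

[ForceCopyDriverCabFiles]
shell32.dll
"""


def short_name(package):
    """Q323255_WXP_SP2_x86_ENU.exe -> Q323255.exe (8.3 name)."""
    match = re.match(r"^(Q\d+)(?:_.*)?\.exe$", package, re.IGNORECASE)
    if not match:
        raise ValueError("not a Q-numbered hotfix package: " + package)
    stem = match.group(1).upper()
    if len(stem) > 8:
        raise ValueError("stem longer than 8 characters: " + stem)
    return stem + ".exe"


def q_number(name):
    """Numeric part of a Q name, so Q99999 sorts before Q100002."""
    return int(re.match(r"Q(\d+)", name, re.IGNORECASE).group(1))


def svcpack_sections(packages, catalogs):
    """Text of the two svcpack.inf sections named on the slide."""
    hotfixes = sorted({short_name(p) for p in packages}, key=q_number)
    lines = ["[ProductCatalogsToInstall]"]
    lines += sorted(set(catalogs), key=q_number)
    lines += ["", "[SetupHotfixesToRun]"]
    lines += hotfixes
    lines.append("Qchain.exe")          # always the last entry
    return "\n".join(lines) + "\n"


def read_sections(text):
    """Minimal INF reader: {section name in lower case: [entries]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts an INF comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def dosnet_additions(dosnet_text, patch_dir, hotfix_files):
    """Entries still to be added to dosnet.inf, skipping ones already there."""
    if "\\" in patch_dir or "/" in patch_dir:
        raise ValueError("give the directory name only, it is under i386")
    existing = read_sections(dosnet_text)
    wanted = {
        "OptionalSrcDirs": [patch_dir],
        "ForceCopyDriverCabFiles": list(hotfix_files),
    }
    additions = {}
    for section, names in wanted.items():
        # File and directory names are compared without regard to case.
        present = {entry.lower() for entry in existing.get(section.lower(), [])}
        new = []
        for name in names:
            if name.lower() not in present:
                present.add(name.lower())
                new.append(name)
        additions[section] = new
    return additions


if __name__ == "__main__":
    print(svcpack_sections(DOWNLOADED, CATALOGS))
    print(dosnet_additions(EXISTING_DOSNET, "svcpack",
                           ["Shell32.dll", "shlwapi.dll"]))
```

Sorting on the numeric part matters here: a plain string sort would place Q100002 before Q99999.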


Patch Management Tools


Solution Components

- Analysis Tools
  - Microsoft Baseline Security Analyzer (MBSA)
  - Office Inventory Tool
- Online Update Services
  - Windows Update
  - Office Update
- Content Repositories
  - Windows Update Catalog
  - Office Download Catalog
  - Microsoft Download Center
- Management Tools
  - Automatic Updates (AU) feature in Windows
  - Software Update Services (SUS)
  - Systems Management Server (SMS)
- Prescriptive Guidance
  - Microsoft Guide to Security Patch Management
  - Patch Management Using SUS
  - Patch Management Using SMS
  - Patch Management Using SMS 2003


Online Update Services: Windows Update


Windows Update: What It Is

- Microsoft online service (windowsupdate.microsoft.com):
  - Identifies missing Windows OS* patches / updates on accessing computer
  - Generates targeted list of missing updates
  - Installs user selected missing updates
  - Provides update installation history
- Supplemented by Windows Update Catalog site which provides:
  - Comprehensive repository for all Windows and ‘Designed for Windows’ logo device driver updates
  - Search – to find desired update
  - Manual download of desired updates
  - Download history for accessing computer

*Windows 98 and later versions

Process phases: 1. Assess, 2. Identify, 4. Deploy


Windows Update: Supported Content & Platforms

- Types of content:
  - Critical (including Security) Updates
  - Recommended Downloads
  - Internet and Multimedia Updates – IE, Media Player, etc.
  - Windows tools & utilities
  - Additional Windows Downloads – updates for desktop settings, other Windows features
  - Multi-Language Features – menus and dialog boxes, language support, Input Method Editors, etc.
  - Windows Logo hardware drivers
  - Service Packs
- Above content provided for:
  - Windows 2003
  - Windows 2000
  - Windows XP
  - Windows 98 / 98SE, Windows ME


Windows Update: How It Works
Scenario 1: User Initiated Access

[Diagram label: Windows Update Service]

1. User goes to Windows Update (WU) & selects ‘Scan for updates’
2. Client side code (CC) in browser validates WU server & gets download catalog metadata
3. CC uses metadata to identify missing updates
4. User selects updates to install
5. CC downloads, validates, & installs updates
6. CC updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy


Automatic Updates

- Available on Windows XP & Windows 2000 Service Pack 3 and higher
- Automatic Updates to apply security updates.
- In Windows XP, Automatic Updates is configured in the property pages of the Control Panel’s System applet.
- Windows 2000 Service Pack 3 and higher adds the Automatic Updates applet to the Control Panel


Automatic Updates

- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Centrally configurable to prevent users from installing non-approved patches
- Can auto-download and install patches under admin control
- Allows chaining of patch installations to minimize reboots
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages


Windows Update: How It Works
Scenario 2: Automatic Updates Initiated Access

[Diagram label: Windows Update Service]

1. AU checks WU service for new updates (every 17-22 hours)
2. AU validates WU server & gets download catalog metadata
3. AU uses metadata to identify missing updates
4. AU either notifies user or auto-downloads using BITS & validates new updates
5. AU either notifies user or auto-installs updates
6. AU updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy


Online Update Services: Office Update


Office Update: What It Is

- Microsoft online service: (http://office.microsoft.com/officeupdate –> ‘Check for Updates’)
  - Identifies missing Microsoft Office updates
    - Office 2000 and later versions
  - Generates targeted list of missing updates
  - Installs selected missing updates
    - As selected by user
  - Provides update installation history
- Supplemented by Office Download Catalog site which provides:
  - Comprehensive repository for Microsoft Office updates
    - Office 1997 and later versions
  - Updates organized by product, version, and type
  - Manual download of desired updates
  - Download history for accessing computer

Process phases: 1. Assess, 2. Identify, 4. Deploy


Office Update

- Supports Windows NT 4.0 SP5 and above
- A catalog of software updates for Office 2000 and Office XP
- Administrators can download the following tools:
  - Office Update Inventory Tool
  - Office Hotfix Installer
  - Windows Corporate Error Reporting Tool


Office Update: How It Works

[Diagram label: Office Update Service]

1. User goes to Office Update & selects ‘Check for updates’
2. Client side code (CC) in browser validates service & gets detection catalog
3. CC compares information in Windows Installer DB with that in detection catalog to identify missing updates
4. User selects updates to install
5. CC downloads, validates, & installs updates
6. CC updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy


Windows Update / Office Update

Benefits

- Easy to use even for consumers / home users
- Single location for Windows/Office patches & updates
- Automates scanning and installation for patches & updates
- Keeps Systems/Office up-to-date with latest security & critical patches and service packs


Microsoft Download Center

- Microsoft web site (www.microsoft.com/downloads)
- Comprehensive repository for all Microsoft software downloads
- Includes downloads for
  - ‘Released to Web’ products, upgrades, & features;
  - Patches & other updates
  - Other download types (documentation, etc.)
- Provides various search and search results sorting options

Process phases: 2. Identify


Content Repository Comparison

Supported Software
- Windows Update: Windows operating systems & components only
- Office Update: Microsoft Office & components only
- MS Download Center: All Microsoft products

Supported Content Types
- Windows Update: Security patches, updates, update rollups, SPs
- Office Update: Security patches, updates, update rollups, SPs, & more
- MS Download Center: All types of content

Scans for Updates
- Windows Update: Yes
- Office Update: Yes
- MS Download Center: No

Usage Options
- Windows Update:
  - Auto update install via online service
  - Auto update download via programmatic access (e.g. by AU)
  - Manual update download (from Windows Update Catalog)
- Office Update:
  - Auto update install via online service
  - Manual update download (from Office Download Catalog)
- MS Download Center:
  - Manual content download only


Summary

- Terminology
  - Security terms
  - Patching terms
  - Severity Ratings
- A four-phase PM Process
  - Assess, Identify, Evaluate & Plan, Deploy
- Windows and Office Update


MBSA: What It Does

- Helps assess the vulnerability of Windows systems
- Scans for missing security patches / updates and common security misconfigurations
- Scans local or multiple remote systems via GUI or command line invocation
- Scans various versions of Windows, IIS, IE, SQL, Exchange, and other Microsoft applications
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Works with SUS & SMS

Process phases: 1. Assess, 2. Identify


MSSecure.XML

- MSSecure.XML allows tool to obtain information about the most recently released security hotfixes
- XML file is updated each time a new security bulletin is released
- Contains data about each hotfix, including:
  - Operating system and service pack (SP) applicability.
  - Details about all files in the patch
    - File version
    - File checksum
    - File location
  - Registry key applied by the patch.
  - Patch superseding information.

Page 112:

MBSA: How It Works*

Diagram labels: Microsoft Download Center, MSSecure.xml, MBSA Computer

1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates

MSSecure.xml contains:
- Security Bulletin names
- Product specific updates
- Version and checksum info
- Registry keys changed
- KB article numbers
- Etc.

*Only covers security patch scanning capabilities, not security configuration detection issues

Page 113:

MBSA 1.2

- Better international support
  - Japanese, French, German locale support
- Expanded product support
  - MDAC, MSXML, JVM, Content Mgt Server, Commerce Server, BizTalk, Host Integration Server and Office
- Improved consistency of reports
  - Support for alternate file versions in mssecure.xml
    - Handle multiple patches for a product targeted at different OS versions
    - "OR" logic to consider multiple sets of file details
    - Handle uniproc/multiproc patches, QFE/GDR branch patches, etc.
- Office Update Inventory Tool integration (local scans only)
- Enhanced IE security zone checks

Page 114:

Product support comparison (columns: Product, MBSA 1.1.1, MBSA 1.2). Products listed:

- Windows 2000
- Windows XP
- Windows NT 4.0 and higher (remote scan only)
- Windows Server 2003
- Internet Explorer 5.01 and later
- Windows Media Player 6.4 and later
- IIS 4.0, 5.0, 5.1, and 6.0
- SQL Server 7.0 and 2000 (including Microsoft Data Engine)
- Exchange 5.5 and 2000 (including Exchange Admin Tools)
- Exchange Server 2003
- Microsoft Office (local scan only; see list of products)
- Microsoft Data Access Components (MDAC) 2.5, 2.6, 2.7, and 2.8
- Microsoft Virtual Machine
- MSXML 2.5, 2.6, 3.0, and 4.0
- BizTalk® Server 2000, 2002, and 2004
- Commerce Server 2000 and 2002
- Content Management Server (CMS) 2001 and 2002
- Host Integration Server (HIS) 2000, 2004, and SNA Server 4.0

Page 115:

MBSA 1.2 Default Scan Options

- MBSA Scan (GUI)
  - Uses -baseline, -v, -nosum
    - -baseline aligns with WU critical security updates
    - Notes and warnings still shown by default
    - Checksum checks not performed (to match WU)
- MBSA Scan (mbsacli.exe)
  - Uses -sum
    - Checksum checks performed
    - Notes and warnings still shown by default
- HFNetChk Scan (mbsacli.exe /hf)
  - Uses -sum
    - Checksum checks performed
    - Notes and warnings still shown by default
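The detection logic outlined on the MSSecure.XML, MBSA 1.2 and default scan options slides, as an added example that is not from the original slides or from Microsoft's tooling: registry key plus file version check, "OR" logic across alternate file sets, optional checksum verification (the -sum / -nosum difference) and supersedence. The catalog schema, patch IDs, paths, the use of SHA-256 and the rule that a newer file version passes without a checksum comparison are all constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET


def digest(data):
    # SHA-256 is a stand-in; the slides only say the catalog holds a file checksum.
    return hashlib.sha256(data).hexdigest()


# Constructed file contents for two builds of the same (hypothetical) DLL.
QFE_BUILD = b"example.dll QFE branch build"
GDR_BUILD = b"example.dll GDR branch build"
WEB_BUILD = b"webfix.dll fixed build"

# Constructed catalog. Element and attribute names are hypothetical and far
# simpler than the real mssecure.xml schema.
CATALOG_XML = f"""
<catalog>
  <patch id="PATCH-OLD" regkey="HKLM/Updates/PATCH-OLD">
    <fileset><file path="sys/example.dll" version="5.2.3790.50" sum="{digest(b'old build')}"/></fileset>
  </patch>
  <patch id="PATCH-A" supersedes="PATCH-OLD" regkey="HKLM/Updates/PATCH-A">
    <fileset><file path="sys/example.dll" version="5.2.3790.150" sum="{digest(QFE_BUILD)}"/></fileset>
    <fileset><file path="sys/example.dll" version="5.2.3790.100" sum="{digest(GDR_BUILD)}"/></fileset>
  </patch>
  <patch id="PATCH-B" regkey="HKLM/Updates/PATCH-B">
    <fileset><file path="sys/webfix.dll" version="6.0.0.7" sum="{digest(WEB_BUILD)}"/></fileset>
  </patch>
</catalog>
"""

# Constructed target: GDR build of PATCH-A, and a PATCH-B file whose version is
# right but whose content no longer matches the catalog checksum.
SYSTEM = {
    "registry": {"HKLM/Updates/PATCH-A", "HKLM/Updates/PATCH-B"},
    "files": {
        "sys/example.dll": ("5.2.3790.100", GDR_BUILD),
        "sys/webfix.dll": ("6.0.0.7", b"webfix.dll altered after install"),
    },
}


def ver(text):
    """Turn '5.2.3790.100' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def load_catalog(xml_text):
    """Parse the simplified catalog into a list of patch dictionaries."""
    patches = []
    for node in ET.fromstring(xml_text.strip()).iter("patch"):
        patches.append({
            "id": node.get("id"),
            "regkey": node.get("regkey"),
            "supersedes": node.get("supersedes"),
            "filesets": [[dict(f.attrib) for f in fs.iter("file")]
                         for fs in node.iter("fileset")],
        })
    return patches


def file_ok(req, system, check_sum):
    """One file requirement: present, version high enough, checksum if asked."""
    found = system["files"].get(req["path"])
    if found is None:
        return False
    version, content = found
    if ver(version) > ver(req["version"]):
        return True   # assumption: newer file passes, nothing to compare against
    if ver(version) < ver(req["version"]):
        return False
    return not check_sum or digest(content) == req["sum"]


def fileset_ok(fileset, system, check_sum):
    """Every file in one set of file details must match."""
    return all(file_ok(req, system, check_sum) for req in fileset)


def patch_installed(patch, system, check_sum):
    """Registry key present AND at least one alternate file set matches ("OR")."""
    if patch["regkey"] not in system["registry"]:
        return False
    return any(fileset_ok(fs, system, check_sum) for fs in patch["filesets"])


def missing_patches(catalog, system, check_sum):
    """Report missing patches, skipping any that a later patch supersedes."""
    superseded = {p["supersedes"] for p in catalog if p["supersedes"]}
    return [p["id"] for p in catalog
            if p["id"] not in superseded
            and not patch_installed(p, system, check_sum)]


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_XML)
    print("without checksum checks:", missing_patches(catalog, SYSTEM, False))
    print("with checksum checks:   ", missing_patches(catalog, SYSTEM, True))
```

With only the first file set for PATCH-A, the GDR system would be flagged as unpatched; the second set is what the "OR" logic adds. The altered webfix.dll is reported only when checksum checks are enabled.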

Page 116:

Ports Needed to run MBSA

- 80
  - mssecure_nnnn.cab
- 139 and 445
  - Remote Scan
- 139, 445, 137 and 138
  - Multi-domain environment when networks are separated by FW or Router filtering
  - Remote Network Connection and Authentication

Page 117:

MBSA – Additional Info

- NetBIOS Name Resolution
  - MyComputerName
  - Mydomain\MyComputerName
  - MyWorkgroup\MyComputerName
- When used with -fh or -fip switch
  - Maximum of 256 machine names per scan

Page 118:

MBSA - Reporting

- XML format (MBSA.exe)
- Text format (MBSACLI.exe /HF)
- Does not contain severity scores
- No default way to group patches
- Ad hoc application is needed
  - MBSA Severity Reporter

Page 119:

MBSA – Parameters and Performances

For Patch Management use /HF !!!

Page 120:

Using MBSA with SUS

- Performs security update scan against specified SUS server
  - Reads registry for SUS server info or user specifies this info
  - Reads approveditems.txt file on SUS server via HTTP
  - Looks up approved items in mssecure.xml file
  - Performs scan against appropriate patches in mssecure.xml
- CMD LINE execution:
  - Mbsacli.exe /sus
  - mbsacli.exe /sus http://mysusserver
  - mbsacli.exe /hf /sus http://mysusserver

Page 121:

Using MBSA with SMS

- Scans SMS clients for missing security updates using MBSA CLI
  - Pushes mbsacli.exe to each client to do local scan (mbsacli.exe /hf)
  - Parses textual output of patch numbers
- SMS Administrators can centrally distribute security updates to clients
- SMS 2.0 uses MBSA 1.1; SMS 2003 uses MBSA 1.1.1*

*Only change from MBSA 1.1 is support for Windows Server 2003

Page 122:

Microsoft Baseline Security Analyzer

- Local Scan
- Scan with SUS
- 1.1.1 vs 1.2
- Command line
- HF mode
- Collecting results

Page 123:

Demo lab network diagram (domain CONTOSO.COM, connected to WINDOWS UPDATE):

| Host | OS | Software | IP address |
|---|---|---|---|
| MYSUSPRODUCTION | Windows 2000 DC | SUS 1.0 SP1 | 10.0.0.110 |
| MYW2K3TEST | Windows 2003 | SUS 2.0 BETA | 10.0.0.200 |
| MYSUSTEST | Windows 2003 | SUS 1.0 SP1, MBSA 1.2 | 10.0.0.100 |
| MYSMS2003 | Windows 2000 | SMS 2003, SQL Server | 10.0.0.210 |
| MYWEBPRODUCTION | Windows 2000 | IIS 5.0 | 10.0.0.220 |
| MYXPPRODUCTION | Windows XP Pro SP1 | Office XP, MBSA 1.1.1 | 10.0.0.130 |

Page 124:

Demo lab network diagram (CONTOSO.COM), same hosts and addresses as on page 123.

Page 125:

MBSA Update Scanning Functionality

- Overall plan
  - MBSA update scanning functionality integrated into Windows patch management functionality
  - MBSA becomes Windows vulnerability assessment & mitigation engine
- Near- and Intermediate-term plans:
  - MBSA 2.0 (1st Half 2004)
    - Update scanning functionality migrates to SUS 2.0 / Microsoft Update
    - MBSA leverages SUS 2.0 update scanning
    - MBSA & SUS 2.0 do update scanning for all Microsoft products

Page 126:

Update Tools - Managed

- Software Update Services
  - Manual Scan
    - Security Scan (MBSA)
  - Automatic Patch Deployment
    - Windows Patch
- Systems Management Server 2003
  - Automatic Scan
    - Security Scan and Office Scan
  - Automatic Patch Deployment
    - Both MS and non-MS product

Page 127:

Software Update Services (SUS)

Page 128:

SUS 1.0: What It Does

- Deploys Windows security patches, security rollups, updates, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed on target systems
- Provides basic patch installation logging information

Process phases covered: 2. Identify, 4. Deploy

Page 129:

SUS Benefits

- Gives administrators control over patch & update management
  - Works with Group Policy* to prevent installs of non-approved updates from Windows Update
  - Allows staging & testing of updates before installation
- Simplifies & automates key aspects of the patch management process
- Ease of use alleviates difficulty of keeping supported systems up-to-date, reducing security risks

*Note: Use of SUS does not require implementation of Active Directory or Group Policy

Page 130:

SUS 1.0: How It Works

Diagram labels: Windows Update Service, Firewall, Parent SUS Server, Child SUS Server (two), Bandwidth Throttling

1. SUS server checks for updates every 17-22 hours
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers*
4. AU gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records install history

*SUS maintains approval logs & download, sync, & install statistics

Page 131:

Best Practice

Page 132:

Software Update Services

- Server
  - Overview
  - Synchronization
  - AutoApproval
- Client
  - Registry configuration
  - Group Policy

Page 133:

Demo lab network diagram (CONTOSO.COM), same hosts and addresses as on page 123.

Page 134:

Systems Management Server (SMS)

Page 135:

SMS 2003: What It Does

- Identifies & deploys missing Windows and Office security patches on target systems
- Can deploy any patch, update, or application in Windows environments
- Inventory management & inventory based targeting of software installs
- Install verification and detailed reporting
- Flexible scheduling of content sync & installs
- Central, full administrative control over installs
- Bandwidth optimized content distribution
- Software metering and remote control capabilities

Process phases covered: 1. Assess, 2. Identify, 3. Eval & Plan, 4. Deploy

Page 136:

SMS 2003 Patch Management: Benefits

- Gives administrators control over patch management
  - Allows staging & testing of updates before installation
  - Fine-grained control of patch management options
- Automates key aspects of the patch management process
- Can update a broad range of Microsoft products (not limited to Windows and Office)
- Can also be used to update third party software and deploy & install any software update or application
- High level of flexibility via use of scripting

Page 137:

SMS 2003 Patch Management: How It Works

Diagram labels: Microsoft Download Center, Firewall, SMS Site Server, SMS Distribution Point (two), SMS Clients

1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates

Page 138:

SMS 2003 Patch Management: Functionality (1)

- System scanning & patch content download
  - Content from Microsoft download center
  - MBSA & Office Update plug-ins scan for missing patches
  - Supports updating of remote & mobile devices
  - Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
- Administrator control
  - Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
  - Patches consumed only by SMS administrators via the deployment process (on demand)
  - Specific start and end times (change windows), rolling change windows
  - Easily merge patches from testing into production
  - Reference computer templates for baseline determination / compliance

Page 139:

SMS 2003 Patch Management: Functionality (2)

- Patch download & installation
  - Delta replication (site-site, server-server) of patches
  - Can use BITS for mobile / remote client-server
  - Can use SMB for LAN / priority situations
  - Reminders and rescheduling of install / reboot & enforcement dates
  - Optimized graceful reboots, but forced when enforcement date arrives
  - Per-patch reboot-needed detection to reduce reboots
- Status & Compliance Reporting
  - Deployment status as patches are attempted
  - Standard and customized reports through read-only SQL queries
  - Determine actual baselines in the environment before changing the environment

Page 140:

SMS 2003 – Technical Multimedia Presentation

- SMS2003 Deployment at Microsoft: http://go.microsoft.com/fwlink/?LinkId=22409
- How Microsoft Does Patch Management using SMS 2003: http://go.microsoft.com/fwlink/?LinkId=22409

Page 141:

SMS 2003 Patch Management

- Assess
- Identify
- Deploy

Page 142:

Demo lab network diagram (CONTOSO.COM), same hosts and addresses as on page 123.

Page 143:

Choosing A Patch Management Solution

Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs

Chart: Windows Update, SUS and SMS plotted by Breadth of Functionality (vertical axis) against IT Resources* & Administration Skill Level (horizontal axis); axis scale labels: Low, High.

*People and budget

Note: These slides refer to choosing a solution for updating Windows, hence they do not refer to Office Update

Page 144:

Choosing A Patch Management Solution: Typical Customer Decisions

| Customer Type | Scenario | Customer Chooses |
|---|---|---|
| Large or Medium Enterprise | Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software | SMS |
| Large or Medium Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** | SUS |
| Small Business | Have at least 1 Windows server and 1 IT administrator** | SUS |
| Small Business | All other scenarios | Windows Update |
| Consumer | All scenarios | Windows Update |

*Windows 2000, Windows XP, Windows Server 2003

**Customer uses Windows Update or manual process for other OS versions & applications software

Page 145:

Side label on the slide: Core Patch Management Capabilities

| Capability | Windows Update | SUS 1.0 | SMS 2003 |
|---|---|---|---|
| Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98 |
| Supported Content Types | All patches & service packs (SPs) for the above | Only security, critical, & security rollup patches + SPs for the above | All patches, SPs & updates for the above + supports patch, update & app installs for MS & other apps |
| Granularity of Control | | | |
| Targeting Content to Systems | No | No | Yes |
| Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment & server synchronization) |
| Patch Distribution Control | No | Basic | Advanced |
| Patch Installation & Scheduling Flexibility | Manual, end user controlled | Administrator (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities |
| Reporting | No | Limited | Comprehensive (install status, result, and compliance details) |
| Additional Software Distribution Capabilities | | | |
| Deployment Planning | No | No | Yes |
| Inventory Mgmt | No | No | Yes |
| Compliance Checking | No | No | Yes |
| Mobile Device Support | No | No | Yes |

Page 146:

Adopt a Patch Management Solution

At Microsoft, our #1 concern is the security and availability of your IT environment

If none of the Microsoft patch management solutions meet your needs consider implementing a solution from another vendor

Partial list of available products:

| Company Name | Product Name | Company URL |
|---|---|---|
| Altiris, Inc. | Altiris Patch Management | http://www.altiris.com |
| BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com |
| Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com |
| Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com |
| GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com |
| Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com |
| LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com |
| Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com |
| PatchLink Corp. | PatchLink Update | http://www.patchlink.com |
| Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com |
| St. Bernard Software | UpdateExpert | http://www.stbernard.com |

*Microsoft does not endorse or recommend a specific patch management product or company

Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality

Page 147

Roadmap

[Diagram: Microsoft update offerings laid out across time frames (Q4/2003; Q2/2004, the SMS 2003 FP time frame; Longhorn time frame) in three bands: Update Content Repositories and Online Services; Update Management Products; Standalone Update Scanning Tools. Items shown: Manual / Script Based Updating; Windows Update; Download Center; Microsoft Update; Office Update; Office Inventory Tool; In-house developed apps update repository; 3rd party apps update repository; SUS 1.0; SUS 2.0; SUS 2.0 Client*; SUS N.0; SMS 2.0 with Feature Pack; SMS 2003; SMS 2003 with Feature Pack; System Center; Windows Server Longhorn; 3rd Party / In-house Tools; MBSA 1.1.1; MBSA 1.2 (includes OIT); MBSA 2.0.]

Page 148

Summary

- Addressing the patch management issue is a top priority
- Taking a comprehensive, tactical & strategic approach
- Made progress, but much more work to be done
- Microsoft focused on:
  - Reducing the number of vulnerabilities & associated patches
  - Improving customer preparedness, training & communication
  - Simplifying & standardizing the patching experience
  - Improving patch quality
  - Unifying and strengthening patch management offerings
- Key Recommendations:
  - Implement a good patch management process – it's the key to success
  - Adopt a patch management solution that best fits your needs
  - Make use of the resources detailed in these slides

Page 149

Security Is Only As Strong As The Weakest Link

- Technology is neither the whole problem nor the whole solution
- Secure systems depend upon Technology, Processes and People

Page 150

Beyond Patching

Page 151

Defense-in-Depth Strategy

[Diagram: layers labelled Data and Resources, Application, OS and Services, Network, Perimeter; side label: Assume Prior Layers Fail]

Page 152

Beyond Patching

- Make corporations & perimeters more resilient to attack, even when patches are not installed
- Help stop known & unknown vulnerabilities
- Goal: Make 7 out of every 10 patches installable on your schedule

Page 153

Client Shielding Enhancements

What it is: Security enhancements that protect computers, even without patches; included in Win XP SP2 (H104) with more to follow

What it does: Helps stop network-based attacks, file attachment viruses and buffer overruns

Key Features:
- Network Protection: Improved ICF protection turned on by default
- Safer email: Improved attachment blocking for Outlook Express and IM
- Safer browsing: Better user controls to prevent malicious ActiveX controls and Spyware
- Memory Protection: Improved compiler checks (/GS) to reduce stack overruns

Page 154

Enterprise Shielding Enhancements: Enterprise Quarantine

What it is: Only clients that meet corporate security standards are allowed to connect; included in Win 2003 SP1 (H204) with more to follow

What it does: Protects enterprise assets from infected computers

Key Features:
- Enforces specific corporate security requirements such as patch level, AV signature state and firewall state
- Ensure these standards are met when
  - VPN connections are made by remote clients
  - Wired or wireless connections are made by rogue and transient clients
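
An added illustration of the quarantine decision this slide describes, not Microsoft's implementation: the health-report format, the placeholder update identifiers and the seven-day signature threshold are all assumptions. It checks the three requirements the slide names (patch level, AV signature state, firewall state) the same way for VPN, wired and wireless clients.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: identifiers and thresholds are assumptions, not from the slides.
REQUIRED_UPDATES = frozenset({"UPDATE-A", "UPDATE-B"})  # placeholder update IDs
MAX_AV_SIGNATURE_AGE_DAYS = 7

@dataclass(frozen=True)
class HealthReport:
    """Posture a connecting client reports about itself (hypothetical format)."""
    host: str
    connection: str                # "vpn", "wired" or "wireless"
    installed_updates: frozenset
    av_signature_date: date
    firewall_enabled: bool

def evaluate(report, today):
    """Return (decision, failures); 'allow' only when every requirement is met."""
    failures = []
    missing = sorted(REQUIRED_UPDATES - report.installed_updates)
    if missing:
        failures.append("patch level: missing " + ", ".join(missing))
    age = (today - report.av_signature_date).days
    if age < 0:
        # A signature dated in the future cannot be trusted; fail closed.
        failures.append("AV signature state: date is in the future")
    elif age > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(f"AV signature state: {age} days old")
    if not report.firewall_enabled:
        failures.append("firewall state: disabled")
    return ("allow" if not failures else "quarantine"), failures

# Constructed sample clients covering the connection types the slide names.
TODAY = date(2004, 2, 12)
SAMPLE_CLIENTS = [
    HealthReport("laptop-vpn", "vpn", frozenset({"UPDATE-A", "UPDATE-B"}),
                 date(2004, 2, 10), True),
    HealthReport("visitor-wifi", "wireless", frozenset({"UPDATE-A"}),
                 date(2003, 12, 1), False),
    HealthReport("desk-wired", "wired", frozenset({"UPDATE-A", "UPDATE-B"}),
                 date(2004, 2, 11), False),
]

def triage(reports, today):
    """Map each host to its decision and the requirements it failed."""
    return {r.host: evaluate(r, today) for r in reports}

if __name__ == "__main__":
    for host, (decision, failures) in triage(SAMPLE_CLIENTS, TODAY).items():
        print(host, decision, "; ".join(failures) or "all requirements met")
```

The list of failed requirements is what a remediation step would act on before the client is re-evaluated.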

Page 155

Continue Improving Quality: Trustworthy Computing Release Process

[Diagram: release timeline. Phases: Design, Development, Release, Support. Milestones: M1, M2, Mn, Beta. Outputs: Design docs & specifications; Development, testing & documentation; Product; Service Packs, QFEs.]

Security Review
- Each component team develops threat models, ensuring that design blocks applicable threats

Develop & Test
- Apply security design & coding standards
- Tools to eliminate code flaws (PREfix & PREfast)
- Monitor & block new attack techniques

Security Push
- Team-wide stand down
- Threat model updates, code review, test & documentation scrub

Security Audit
- Analysis against current threats
- Internal & 3rd party penetration testing

Security Response
- Fix newly discovered issues
- Root cause analysis to proactively find and fix related vulnerabilities

Page 156

Security Roadmap

Time frames: Today; 0 – 9 months; 9 – 12 months; Future

Guidance
- Monthly patch releases
- Guidance & training
- How Microsoft runs Microsoft
- Support for W2K SP2 & NT4 SP6a

Tools & Patching
- 2 patch installers; rollback
- Patching enhancements
- SUS 2.0
- SMS 2003
- More guidance and training

Shields
- Shield technologies for client and server
- "MS Update"
- More guidance and training

Next-Generation Security
- Integrated host security technologies
- NGSCB
- Windows hardening
- More guidance and training

Page 157

Security Is Only As Strong As The Weakest Link

- Technology is neither the whole problem nor the whole solution
- Secure systems depend upon Technology, Processes and People

Page 158

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.