Patch management Graham Titmus Computer Laboratory.
Patch management
Graham Titmus
Computer Laboratory
Patching and verifying
• Distribution of Patches
  – Group Policy
  – SUS server within domain
• Monitoring systems
  – SMS feature pack add-on for SMS 2.0
  – Web aggregation of status
• MBSA
  – Scans of domain
Group Policy
• Targeting of machines via OU
  – Computers (CL SUS)
    • Group policy applied here
  – Computers
    • Test machines with no group policy
• Group Policy forced onto machine
  – Lock out override so users can’t turn it off
• Place exceptions on another VLAN
Control by Group Policy
Group Policy Settings
SUS distribution
• Local SUS server
  – Collects updates via CS SUS server
  – Approval of updates controlled within domain
• Test updates
  – Several machines forced to update via Microsoft Update Server daily
  – Servers tested independently
• Approve updates after testing
SMS for patches
• Capabilities include
  – Monitoring and Distribution
  – Are independent of one another
  – Monitoring uses same scan engine as MBSA
• Benefits
  – Central point for all information
  – Fine grain targeting for distribution
  – Web based reporting
SMS Inventory
Patches outstanding
Machine status
MBSA
• Useful backstop
  – Machines may slip through the net
  – Scan address range – finds stealth systems
• Instant report of current state
  – Important tool for crisis situation
  – Useful to scan VPN connected hosts
• Poor discrimination on causes
  – High level of noise in a diverse world
Why so many tools?
• Basic mechanism is Group Policy + SUS
  – That offers limited (no) reporting
  – Reporting host tools added in next version
• Management in addition
  – SMS provides good information collection
  – Can be used to distribute
  – Summary of status needed to plan work
• Point inspection
  – For visitor laptops etc.