Patch management Graham Titmus Computer Laboratory.

Patching and verifying

• Distribution of Patches
  – Group Policy
  – SUS server within domain
• Monitoring systems
  – SMS feature pack add-on for SMS 2.0
  – Web aggregation of status
• MBSA
  – Scans of domain

Group Policy

• Targeting of machines via OU
  – Computers (CL SUS)
    • Group policy applied here
  – Computers
    • Test machines with no group policy
• Group Policy forced onto machine
  – Lock out override so users can’t turn it off
• Place exceptions on another VLAN

Control by Group Policy

Group Policy Settings

SUS distribution

• Local SUS server
  – Collects updates via CS SUS server
  – Approval of updates controlled within domain
• Test updates
  – Several machines forced to update via Microsoft Update Server daily
  – Servers tested independently
• Approve updates after testing

SMS for patches

• Capabilities include
  – Monitoring and Distribution
  – Are independent of one another
  – Monitoring uses same scan engine as MBSA
• Benefits
  – Central point for all information
  – Fine grain targeting for distribution
  – Web based reporting

SMS Inventory

Patches outstanding

Machine status

MBSA

• Useful backstop
  – Machines may slip through the net
  – Scan address range – finds stealth systems
• Instant report of current state
  – Important tool for crisis situation
  – Useful to scan VPN connected hosts
• Poor discrimination on causes
  – High level of noise in a diverse world

Why so many tools?

• Basic mechanism is Group Policy + SUS
  – That offers limited (no) reporting
  – Reporting host tools added in next version
• Management in addition
  – SMS provides good information collection
  – Can be used to distribute
  – Summary of status needed to plan work
• Point inspection
  – For visitor laptops etc.