Windows Update ServicesPatch Management comes of Age

David Wallis

Senior Systems Consultant

Raven Computers Ltd

Agenda

• What are patches and why do we need them?• Windows Update• Software Update Services (SUS)• Raven Update Service• Office Update and application patches• Microsoft Update and Windows Update

Services (WUS) – the future• SMS vs WUS/SUS/RUS• Conclusion and Q&A

What are Patches

• Also known as Hotfixes

• Modifications to the original program code, normally to fix a problem or vulnerability

• Quick Fix Engineering – QFE

• Not normally tested as thoroughly as normal software– May introduce new problems

Worms and Vulnerabilities

• Windows XP contains over 40 Million lines of code – Mistakes are inevitable

• Bugs may be discovered and exploited– Buffer Overflows

• Worms– Programs are written to automate the exploitation of

the bug– Like Virus’s but may not require you to open them– Can spread very quickly, causing havoc– Blaster, Nimda, SOBig

• Entire exploitation process is automated– You do not need to be specifically targeted

Consequences of being exploited

• Trojans / Spyware– Programs sneaked onto your computer– May allow complete control of computer, using your

password• Therefore whole network may be compromised by 1 pc

– Harvesting of passwords and account details• As you log into online banking, process is recorded and sent

to hacker

– Internet Activity can be logged and used to target advertisements to you or direct you to other sites

Consequences of being exploited

• Zombie/Drone PCs– Your system may be used to attack other

networks – DDoS– Your computers may be used to store and

distribute illegal material– Your computer may be used to execute illegal

or antisocial activities such as SPAM– Bandwidth, Storage and even Processing

power can be consumed and abused

Consequences of being exploited

• Loss or destruction of data– Files may be deleted, altered or corrupted– Confidential data may be shipped outside

your network– Your systems may crash as a result causing

untold amounts of downtime

The Worlds 1st JPG virus

• On September 14th Microsoft issued Security Bulletin MS04-028– Buffer Overrun in JPEG Processing (GDI+) Could Allow

Code Execution (833987)• A bug in many products allows a specially crafted JPG file to

execute malicious code simply by viewing the picture• Many MS products affected including Windows 2000/XP (prior to

SP2), Office XP, Office 2003, IE6.1, and many others• Each product must be patched separately• JPG files are ignored by most AntiVirus software as they were

previously thought to be harmless• On 26/09/04 a trojan was found on Internet news groups (Usenet)

which exploits this bug• A DIY Virus kit to automate the exploitation is now known to be

available on the Internet

Types of patch

• Critical Security fixes– Created in direct response to a newly

discovered threat– Must be applied quickly to protect against

worms written to exploit the vulnerability– Time to release is very short, so testing is

“Rapid”– Should almost always be applied if they are

relevant to your setup

Types of patch

• Non-Critical Updates– Created to fix specific bugs or to enhance

functionality– Should only be applied if the particular

problem affects your computer– Can be more thoroughly tested before release

Types of patch

• Service Packs– Combination of several hotfixes and updates– Thoroughly tested in a wide range of

environments before release– Form a new baseline for the product against

which future software will be tested– Should be applied when deemed stable

Windows Update

• Built into Windows 98, Me, 2000 and XP

• Visit web page to determine what patches should be applied

• Tries to only propose relevant patches

• Must be run manually from each computer

• Requires user to have Admin privileges on local computer

• Linked from start menu – www.windowsupdate.com

Automatic Update Agent

• Introduced with Windows XP SP1 and Win2k SP4

• Available as a download for Win2k SP3• Automates download of critical security

patches• Can automatically apply and restart computer• Can wait for approval before applying• Each computer operates separately and

fetches its own updates

Software Update Services - SUS

• Your own Windows Update server• Runs on a server on your site• Integrates into IIS• Administrator approves and downloads patches• Client agent on PCs installs approved updates

from SUS server• No admin rights needed on local PC• Can be managed through Group Policy

Microsoft Software Update Services (SUS)

WorkstationWorkstation

Laptop Laptop

SUS Server

Internet

Firewall

LAN

AdminstratorApproves Updates

SUS Client Agent

• Built into Windows XP SP1 and Win2k SP4• Can be managed and deployed through Active

Directory Group Policy• Machines can be told to install patches at

specified times• Machines can be told to reboot at specified

times if they are left on• Could use Wake on LAN to power compatible

PCs on for updates during the night

SUS Requirements

• Runs on Windows 2000 SP3 or later, or Windows 2003 Server running IIS

• Client PCs must run Windows 2000 SP3 or later, or Windows XP– Windows 9x not supported

• Installs IISLockdown, so may interfere with some Intranets

• Administrator must manually approve each update

• Typical Installation time around ½ day. May vary on some sites

SUS Capabilities

• SUS can apply all Windows critical security updates and can now deploy service packs to Windows 2000 and Windows XP

• Next version WUS (due H1 05) will allow security patches for Office, Exchange Server and SQL Server to be automatically deployed too (more shortly)

Raven Update Services

Internet

WorkstationWorkstation

Laptop Laptop

SUS Server

Firewall

LAN

Raven Update Server

RavenTechnicians

approve updates

Raven Update Services

• Subscription service - £50 per month– Requires SUS server to be installed

• Raven Engineers approve updates after testing on a representative sample of platforms

• Local SUS server pulls only approved “Safe” updates from Raven Update Server

• Requires no local administration• “Hands Free” update of client PCs

Office Patch Management

• www.officeupdate.com– Like Windows Update, but for Office– Scans your local machine and proposes

relevant updates

• Binary Patches or Full File updates?– Binary Patches are smaller but require access

to original installation files (CD or Network Share)

– Full File Updates are much bigger downloads but can be applied without the original files

Administrative Deployment of Office Patches• Either distribute patches separately to clients or update

Administrative Install Point

• Distribute separate patches to clients– Requires Admin rights on local machine unless using SMS– Patches can be shipped out in logon script, email or Intranet etc or using

SMS Server– Common baseline remains original installation

• Update Admin Install Point– Clients must be instructed to reinstall affected features or whole product– New installations are already patched– Necessary if using “Run from Network”– Clients all maintain a common baseline– Once source is patched, clients may be unable to repair or install on

demand until reinstalled so may need to maintain an unpatched copy as well

– Can use “Elevated Privileges” for installation

Microsoft Update

• Will combine and replace Windows Update and Office Update web sites

• Initially will support patching of Windows, Office, Exchange Server and SQL Server

• Over time will support all Microsoft Products• Long Overdue – Now expected H1 2005• Requires better cooperation within MS teams

– Currently there are at least 7 separate, incompatible installer programs in use for MS patches

– Will be reduced to 2 for MU

WUS – Windows Update Services

• Next version of SUS (2.0)• Will support all products covered by Microsoft

Update – Windows, Office, Exchange, SQL etc• Late again, but expected H1 2005• Many enhanced technologies and new

management features• RUS will be updated to incorporate WUS• Public Beta beginning soon

– RUS may be extended to include WUS Beta if stable

Customer Feature Requests

*Partially addressed through polling frequency control and scripts

Top Features RequestedSUS

1.0 SP1 WUS

Support for service packs Install on SBS and domain controller Support for Office and other MS products Provide reporting (e.g. deployment status) Update targeting Improve support for low bandwidth networks Allow subscriptions to only certain content Set polling frequency for downloading new updates Minimize need for end user interruption Emergency patch deployment (‘big red button’) *

NT4 support

Supported Products And Content• Updates for

– All Microsoft products over time– At RTM

• Windows 2000 SP3 and later versions of Windows• Office XP SP2 and Office 2003• SQL 2000 and MSDE 2000• Exchange 2003

• Platform support/requirements– Windows 2000 SP3 (SP4 for Server) and later– Windows XP RTM and later– Windows Server 2003 RTM and above– All localized versions (including MUI)

Administrator subscribes to update categories

< Back Finish Cancel

Windows Update ServicesWindows Update Services

Server downloads updates from Microsoft UpdateClients register themselves with the serverAdministrator puts clients in different target groupsAdministrator approves updatesAgents install administrator approved updates

< Back Finish Cancel

Windows Update ServicesWindows Update Services

Microsoft Update

WUS Server

Desktop ClientsTarget Group 1 Server

ClientsTarget Group 2

WUS Administrator

Solution Overview

Disconnected Servers

Desktop ClientsDesktop Clients

Microsoft UpdateMicrosoft Update WUS ServerWUS Server

WUS ServerWUS Server

Update Management Features• Target Groups

– Allow Administrator to manage different groups of PCs differently

– OU based policy support for AD environments

– Server-side lists for non-AD environments• Administrator control of deployment

– Initiate scan of machines for patch applicability– Approve for install and uninstall

(requires update support)– Date-based deadlines for approved updates– Deploy different updates to target groups

Update Management Features

• Agent Configurations – Polling frequency– Notification and Install behaviors– Reboot behaviors– Port configurability – Non-administrators can install updates (like

administrators)– Install at Shutdown (XP SP2 only)

Network Use Optimization Features• Resilient and transparent

– BITS* for client-server and server-server downloads

– Downloads are in the background

– Can throttle bandwidth usage

• Minimized data downloads– Update subscriptions (per product/classification)

– Support for “delta compression” technologies for client-server communications

– Option to only download approved updates

*Background Intelligent Transfer Service

Reporting Features

• Standard consolidated reports (for client activity)– Per machine/per update/per target group– Download, install success and failures with

error information

• Content synchronization status reports– What’s new, what changed – much easier for

Administrator

• Event log integration– Agent and server status events sent to

local event log

Deployment/Management Flexibility• Server deployment options

– Updates hosted on Microsoft Update• RUS server acts as a control point

– Hierarchical deployment• Independent servers (admin wishes not inherited)• “Replica” servers (admin wishes inherited)

• Manageability (and extensibility)– .NET based Server APIs (for admin tasks)– COM based Client APIs (with scripting and remoting

support)– Automatic deployment of updates– Command line options to trigger update detection

• Big Red Button!

SMS 2003

• Systems Management Server• Allows Inventory and discovery of Servers, PCs,

Print Servers, Palmtops etc on the network• Allows Targeted Software Distribution based on

many criteria– Applications, Patches and even OS’s

• Remote Control and Management of all Windows computers

• Will be updated shortly to incorporate WUS engine

Comparing WUS And SMS• Simple (WUS) versus Advanced (SMS)

– SMS not intended for small networks (<20pcs)• Client support – SMS still supports Win9x/NT4• Update / Application deployment• Reporting features – SMS far more wide ranging• WUS: Want update management-only solution

that provides simple updating for Microsoft software

• SMS: Single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OS’s and Applications, as well as an integrated asset management solution

*Customer uses Windows Update, another update tool, or manual update process for*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by WUS or Microsoft Update OS versions & applications not supported by WUS or Microsoft Update

Customer Type

ScenarioCustomer Chooses

Large or Medium Enterprise

Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution

SMS 2003

Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000

WUS*/RUS

Small Business

Have at least 1 Windows server and 1 IT administrator WUS* / RUS

All other scenariosRUS / Microsoft

Update*

Consumer All scenariosRUS / Microsoft

Update*

Choosing A Patch Management Solution

Typical customer decisions

Consolidated Solutions Roadmap

Manual / Script Manual / Script Based UpdatingBased Updating

WindowWindowss

UpdateUpdate

DownloDownload ad

CenterCenter WindowWindowss

UpdateUpdateMicrosMicrosoftoft

UpdateUpdate

DownloDownload ad

CenterCenter

Update Content Repositories and Online Update Content Repositories and Online ServicesServices

CurrentCurrent H1/2005H1/2005SMS 2003 FPSMS 2003 FPTime frameTime frame

LonghornLonghornTime frameTime frame

WindowWindowss

UpdateUpdateMicrosMicrosoftoft

UpdateUpdate

WUSWUS

SMS SMS 2003 2003 withwith

Feature Feature PackPack

WUS n.0WUS n.0

Windows ServerWindows ServerLonghornLonghorn

OfficeOfficeInventory Inventory

ToolTool

SUS 1.0SUS 1.0

SMS 2.0 SMS 2.0 withwith

Feature Feature PackPack

SMS 2003SMS 2003

WUS WUS ClientClient

In-houseIn-housedevelopedevelope

ddapps apps

updateupdaterepositorrepositor

yy

33rdrd party party appsapps

update update repositoryrepository

Update Management ProductsUpdate Management Products

System System CenterCenter

33rdrd Party / Party /In-house In-house

ToolsTools

OfficeOfficeUpdateUpdate

MBSA 1.2MBSA 1.2(includes OIT)(includes OIT)

MBSA 1.1.1MBSA 1.1.1

Standalone Update Scanning ToolsStandalone Update Scanning ToolsOfficeOffice

Inventory Inventory ToolTool

MBSA 1.1.1MBSA 1.1.1

MBSA 2.0MBSA 2.0

Additional Information• Sign up to receive information about the Open Evaluation

Program at http://www.microsoft.com/wus • Visit www.microsoft.com/sus for the latest information on

SUS 1.0• Join the SUS news group • Microsoft’s prescriptive guidance for patch management• For information on SMS 2003 go to

www.microsoft.com/smserver

• Or just ask your Raven Representative

Conclusions• Patch management is essential in the current computing

climate– Otherwise you Will be hacked

• SUS can automate deployment of Windows Patches, but needs managing– Contact your Raven representative to arrange installation NOW

• RUS removes the burden of approving Windows patches enabling SUS to run virtually hands free– Sign up for RUS here, today!

• Office and other products must be patched separately for now– Raven Consultants are available to assist in deployment

• WUS will improve manageability of SUS and extend it to include other products

• RUS will support WUS when it is available• For larger enterprises, consider SMS

– Speak to your Raven representative to find out if SMS is for you

Any Questions?

David WallisSenior Systems Consultant

Raven Computers Ltddavidw@raven-computers.co.uk