
Patching Windows @ MIT


Presentation Transcript


  1. Patching Windows @ MIT: SUS Services
     IS&T Network Infrastructure Services Team

  2. Security Risk Management: Having a Strategic Security Program
     • Threat: A threat is any potential danger to information or systems.
     • Threat agent: A threat agent is the person or process attacking the network through a vulnerable port on the firewall, or a process used to access data in a way that violates your security policy.
     • Vulnerability: A vulnerability is a software, hardware, or procedural weakness that may provide an attacker or threat agent with an opportunity to enter a computer or network and gain unauthorized access to resources within the environment.
     • Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability. It is the potential for loss or the probability that a threat will exploit a vulnerability.
     • Exposure: An exposure occurs when a threat agent exposes a company asset to potential loss. A vulnerability can cause an organization to be exposed to possible damages.
     • Countermeasure: A countermeasure, or safeguard, mitigates a risk. Countermeasures include software configurations, hardware, or procedures that eliminate a vulnerability or reduce the risk of a threat agent being able to exploit a vulnerability.
     PROACTIVE!

  3. Microsoft Software Update Services (SUS)
     • The accelerating lifecycle of a security patch
     • Introduction to Software Update Services
     • Features/Components
     • SUS Server
     • Client

  4. The accelerating lifecycle of a security patch
     • Frequency between new vulnerabilities
     • Time the vendor has to release a patch
     • Time between publication and exploit code
     • Time for the Administrator or End User to patch
     • Number of products to patch

  5. Introduction to Software Update Services
     • Automate: Keep Windows up-to-date with the latest critical and security patches
     • Simplify: The patch management process - MBSA
     • Schedule Update times
     • Deploy: Reach clients that are not part of a Windows Domain

  6. Overview: Microsoft AutoUpdates vs. SUS
     [Diagram: WindowsUpdate on the Internet; SUS server on the intranet; Sync; updates configured by admin; Automatic Updates client]

  7. Features/Components
     • SERVER: SUS
     • Automatic Updates on computers (desktops or servers)
     • An internally-hosted Windows Update server
     • An internally-controlled content synchronization service
     • Administrator control over updates
     • Multi-language support - Localized in 24 languages
     • Digital signatures on downloaded content
     • Server-side logging
     • Log of client status

  8. SUS at MIT
     [Diagram: Microsoft's Windows Update; Sync; two SUS servers; load balancing with F5 (Big IP)]

  9. Features/Components (2)
     • CLIENT: Automatic Updates
     • Installed on computers on the network
     • Checks SUS server or public WU for updates regularly
     • Auto-download and install updates under admin control
     • Automatically download and install critical updates
     • Consolidate multiple reboots into a single one
     • Notify local administrator on the machine about pending updates
     • Notify logged-on users about pending reboots
     • Configured using Registry keys
     • Supports Group Policy
     • Downloads are done in the background using BITS technology

  10. MBSA
     • Free tool that scans for common security misconfigurations and missing security updates
     • GUI and command-line interface (CLI)
     • Perform security update portion of scan against local SUS server
     • Scans for approved updates on SUS server instead of all available updates
     • User interface: MBSA reads registry for SUS server information, or user manually enters it
     • CMD LINE
     • mbsacli.exe /sus http://mysusserver

  11. Client Configuration
     • With Active Directory (using Group Policy)
     • ADM file – WUAU.adm
     • Client behavior and SUS server selection can be configured
     • Without Active Directory (but central tool)
     • Script to deploy the registry policy keys
     Website Demo: http://web.mit.edu/ist/topics/windows/updates
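
The "without Active Directory" path on slide 11 relies on a script that deploys the registry policy keys. The script below is an added example, not MIT's deployment script: it writes the standard Automatic Updates policy values, reads them back to confirm they took effect, and restarts the client service. The server URL is the placeholder from the mbsacli line on slide 10, and the schedule defaults are assumptions.

```powershell
# Added example (not MIT's script). Run from an elevated prompt.
param(
    [string]$SusServer = 'http://mysusserver',      # placeholder URL from slide 10
    [ValidateRange(2, 4)][int]$AUOptions = 4,       # 2 notify, 3 download+notify, 4 scheduled install
    [ValidateRange(0, 7)][int]$InstallDay = 0,      # 0 every day, 1 Sunday ... 7 Saturday
    [ValidateRange(0, 23)][int]$InstallHour = 3     # local hour, 24h clock (assumed default)
)

# Reject anything that is not an absolute http(s) URL before touching the registry.
$uri = $null
if (-not [Uri]::TryCreate($SusServer, [UriKind]::Absolute, [ref]$uri) -or
    @('http', 'https') -notcontains $uri.Scheme) {
    throw "SusServer must be an absolute http(s) URL, got '$SusServer'"
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Standard Automatic Updates policy values, the same ones WUAU.adm writes.
$desired = @(
    @{ Path = $wu; Name = 'WUServer';             Type = 'String'; Value = $SusServer },
    @{ Path = $wu; Name = 'WUStatusServer';       Type = 'String'; Value = $SusServer },
    @{ Path = $au; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 },
    @{ Path = $au; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 },
    @{ Path = $au; Name = 'AUOptions';            Type = 'DWord';  Value = $AUOptions },
    @{ Path = $au; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = $InstallDay },
    @{ Path = $au; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = $InstallHour }
)

foreach ($path in $wu, $au) {
    # New-Item -Force on an existing key would wipe its values, so only create if missing.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}
foreach ($d in $desired) {
    New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType $d.Type -Value $d.Value -Force | Out-Null
}

# Read every value back and fail loudly on any mismatch.
$bad = foreach ($d in $desired) {
    $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    if ($actual -ne $d.Value) { "$($d.Path)\$($d.Name): expected '$($d.Value)', found '$actual'" }
}
if ($bad) { throw ("Policy not applied:`n" + ($bad -join "`n")) }

# Restart the Automatic Updates service so the client rereads its policy.
Restart-Service -Name wuauserv -Force
"Automatic Updates now points at $SusServer (AUOptions=$AUOptions)"
```

Because MBSA reads the SUS server from the registry (slide 10), a client configured this way is also scanned against the same server's approved updates.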
