Leveraging Active Directory Group Policy to Patch Common Windows Applications
Joseph Fisher
Systems Administrator, Enterprise IT Services, University of Georgia
http://www.josephpfisher.com
2012 Rock Eagle Computing Conference
About The Presenter
• Working in IT since 1996
• Started out assembling computers for free RAM
• VMware, Linux, and Windows sysadmin at UGA
About This Presentation
• Patch management
• Windows Active Directory environment
• Brief overview of Group Policy Objects (GPOs)
• Non-Microsoft software
  • Java
  • Flash
  • Reader
  • Etc.
Best Malware Prevention Strategy
• Limit over-privileged users
  • UAC, standard user accounts
• User education
  • No more free screensavers
• Anti-virus software
  • Only as good as the latest definitions
• Update all software as soon as patches are available
The Results
• Average of 18.2 malware incidents per month in a 250-PC environment prior to centralized patch management
• Down to 1 incident in 6 months
Options
• Microsoft System Center
  • Powerful, but complicated and expensive
• Ninite Pro
  • Simple and effective, but requires a license outside of personal use
• LANDesk
  • Like System Center: powerful, but complicated and expensive
• Active Directory Group Policy
  • Uses existing infrastructure; intermediate difficulty
Pre-requisites
• Active Directory
  • Rights to create GPOs and link them to OUs
• Repository
  • Sysvol
  • File server
    • Need a share readable by all “Authenticated Users”
Remote Server Administration Tools
• From a domain computer, install Remote Server Administration Tools
  • http://www.microsoft.com/en-us/download/details.aspx?id=7887
• Active Directory Users and Computers
• Group Policy Management Console
How to Apply GPOs
• Link to an Organizational Unit (OU)
• By default, GPOs apply to all child OUs
  • Able to block inheritance on specific child OUs
  • GPOs can override “block inheritance” by being set to “enforced”
• Can view effective GPOs on an OU
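The inheritance rules above (link to an OU, child OUs inherit, "block inheritance" on a child, "enforced" overriding the block) are what make "why didn't my patch GPO apply?" the most common troubleshooting question. The following PowerShell is an added example, not from the slides, that reports the effective GPO links on an OU tree and flags blocked inheritance and enforced links. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed; the OU path is a placeholder.

```powershell
# Added example (not from the deck): audit effective GPO links under an OU tree.
# Assumes RSAT is installed (GroupPolicy + ActiveDirectory modules) and that
# $root below is replaced with a real OU distinguished name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuGpoReport {
    param(
        [Parameter(Mandatory = $true)] [string] $OuDistinguishedName
    )
    # Get-GPInheritance returns the links on the container itself (GpoLinks),
    # the links that effectively apply to it after block/enforce are taken into
    # account (InheritedGpoLinks), and whether the container blocks inheritance.
    $inh = Get-GPInheritance -Target $OuDistinguishedName

    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            OU       = $inh.Path
            Blocked  = $inh.GpoInheritanceBlocked   # True = "block inheritance" set here
            GPO      = $link.DisplayName
            Enforced = $link.Enforced               # True = applies even through a block
            Enabled  = $link.Enabled
            LinkedAt = $link.Target                  # container where the link lives
            Order    = $link.Order
        }
    }
}

# Placeholder starting OU; replace with the OU your workstation GPOs are linked to.
$root = 'OU=Workstations,DC=example,DC=edu'

# Subtree search returns the base OU too, so drop it and add it explicitly first.
$ous = @($root) + @(Get-ADOrganizationalUnit -SearchBase $root -SearchScope Subtree -Filter * |
        Select-Object -ExpandProperty DistinguishedName |
        Where-Object { $_ -ne $root })

$report = foreach ($ou in $ous) { Get-OuGpoReport -OuDistinguishedName $ou }

# Child OUs that block inheritance: any GPO still listed for them got through
# only because it is enforced (or is linked directly to that OU).
$report | Where-Object { $_.Blocked } |
    Select-Object OU, GPO, Enforced, LinkedAt -Unique |
    Format-Table -AutoSize

# Full effective view, one row per OU/GPO pair, in precedence order.
$report | Sort-Object OU, Order | Format-Table -AutoSize
```

Run this from the same RSAT workstation used for the Group Policy Management Console; it is read-only, so it is safe to run against production before and after you link a new software-installation GPO.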
Group Policy Objects
• Policies broken down into two groups: Users and Computers
• Software installation should usually be performed at the Computer level
Software Deployment
• GPOs natively support MSI files
• You can deploy other executables, but you’ll need to script these
  • Batch files are usually effective
• Scripts deployed at the computer level run as the local SYSTEM account (i.e. with administrator-level privileges)
Test, test, test!
• Testing strategy: start with a single machine, then test a group, then a larger group, and finally bulk deploy
• One GPO for each function
  • E.g. one GPO for Adobe Reader, another for Java, etc.
  • Easier to identify problematic GPOs
• Virtual machines are handy!
  • Create a local VM using VirtualBox and snapshot it in a “clean” state
  • GPOs tattoo a system, so it is always best to start clean
Software Sources
• Adobe Flash: http://www.adobe.com/products/flashplayer/distribution3.html
• Adobe Reader: ftp://ftp.adobe.com/pub/adobe/reader/win/
• Customization Wizard: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
• Firefox: http://www.frontmotion.com/Firefox/
• Chrome: http://www.google.com/intl/en/chrome/business/browser/
• Java: offline installer at http://java.com
Adobe Flash
• Need to apply for a free Flash distribution license
• Create a GPO for Flash and assign the MSI file under “Software Installation”
Adobe Flash
• Suppress update notification: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
• Need to create a file on each workstation
• Can accomplish this via Group Policy:
  • Create the file and put it in your repository (Sysvol, file share, etc.)
  • Deploy via Group Policy Preference: Computer Configuration -> Preferences -> Windows Settings -> Files
Adobe Reader
• Obtain installer from Adobe FTP
• Customize the installation via the Adobe Customization Utility
  • Suppress EULA
  • Disable update checks
  • Generates MST file
Firefox
• Mozilla doesn’t provide MSI installers
• FrontMotion Firefox Community Edition
  • Different logo
  • Same browser
• Administrative Templates to manage
  • Default browser checks
  • Update checks
  • Default home page
  • Proxy settings
  • Etc.
Google Chrome
• MSI available directly from Google
• Google also provides administrative templates
Java
• No MSI available directly from Oracle
• Problematic under normal conditions
  • Newer versions require successful uninstallation of the most recently installed version
  • Uninstallation failures prevent installation of new versions
  • The only recommended tool to remove failed installations is no longer available (MS Office Cleanup Utility)
    • And not scriptable
Java
• We need a script:
  • Check if Java is the latest version
  • Uninstall the previous version if a new version is available
  • Install the new version
  • Check to see that the new version works
  • http://josephpfisher.com/2011/11/java-wont-uninstall-tips-for-end-users-and-enterprise-systems-administrators/
• Assign the batch file as a startup script (computer level)
Java
• Still need to obtain MSI
• Still need to generate a transform (MST)
  • Need Orca MSI editor
  • http://www.technipages.com/download-orca-msi-editor.html
• Run offline installer and monitor App Data folder
  • Start -> Run -> %APPDATA%
  • MSI installer should appear while offline installer is open
Java
• Open MSI in Orca
• Create new transform (Transform menu -> New Transform)
  • Better than modifying the MSI directly
• Go to “Property” table and modify:
  • AUTOUPDATECHECK = 0
  • EULA = 0
  • Iexplorer = 1
  • JAVAUPDATE = 0
  • JU = 0
  • Mozilla = 1
  • Systray = 0
• Go to “Transform” menu, click “Generate Transform”, and save the MST file
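The four steps of the Java script (check version, uninstall the old one, install the new one, verify), the captured MSI and the Orca transform come together in a computer startup script. The deck uses a batch file; the PowerShell below is an added example written for this page, not the author's script, that implements the same steps and also serves as the pattern for scripted deployment of any non-MSI executable mentioned on the Software Deployment slide. The share path, MSI/MST file names, target version and log path are assumptions to be replaced; uninstall is done per product code from the Uninstall registry keys so that a failed removal stops the run instead of leaving a half-removed product that blocks the new install.

```powershell
# Added example (not the deck's batch file): Java update as a computer startup
# script. Runs as SYSTEM, so it logs to %WINDIR%\Temp. All paths and the target
# version are placeholders for your environment.
$Repo          = '\\fileserver\software\java'       # share readable by Authenticated Users
$Msi           = Join-Path $Repo 'jre.msi'            # MSI captured from the offline installer
$Mst           = Join-Path $Repo 'jre.mst'            # transform generated in Orca
$TargetVersion = [version]'7.0.90'                    # placeholder: DisplayVersion of the captured MSI
$Log           = Join-Path $env:WINDIR 'Temp\java-gpo.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding ascii
}

# Enumerate installed Java products from both Uninstall views (native and WOW6432Node).
function Get-InstalledJava {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayVersion -and
                       $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' } |   # MSI product code GUID
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = [version]($_.DisplayVersion -replace '[^\d.]')
                ProductCode = $_.PSChildName
            }
        }
}

function Invoke-Msiexec([string[]]$Arguments) {
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $Arguments -Wait -PassThru
    Write-Log "msiexec $($Arguments -join ' ') -> exit $($p.ExitCode)"
    return $p.ExitCode   # 0 = success, 3010 = success, reboot pending
}

# Step 1: is the installed Java already current? Then do nothing.
$installed = @(Get-InstalledJava)
if ($installed | Where-Object { $_.Version -ge $TargetVersion }) {
    Write-Log "Java $TargetVersion or newer already installed; nothing to do."
    exit 0
}

# Step 2: uninstall every older Java product by product code (quiet, no reboot).
foreach ($old in $installed) {
    $rc = Invoke-Msiexec @('/x', $old.ProductCode, '/qn', '/norestart')
    if ((0, 3010) -notcontains $rc) {
        Write-Log "Uninstall of $($old.Name) failed (exit $rc); aborting before the new install."
        exit 1
    }
}

# Step 3: install the new MSI with the transform that sets EULA/auto-update properties.
$rc = Invoke-Msiexec @('/i', "`"$Msi`"", "TRANSFORMS=`"$Mst`"", '/qn', '/norestart')
if ((0, 3010) -notcontains $rc) { Write-Log "Install failed (exit $rc)"; exit 1 }

# Step 4: verify - the registry must now report the target version and java.exe must run.
$now = Get-InstalledJava | Where-Object { $_.Version -ge $TargetVersion }
$javaDirs = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") | Where-Object { Test-Path $_ }
$javaExe  = Get-ChildItem -Path $javaDirs -Filter java.exe -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($now -and $javaExe) {
    & $javaExe.FullName -version 2>&1 | ForEach-Object { Write-Log "java -version: $_" }
    if ($LASTEXITCODE -eq 0) { Write-Log 'Java update verified.'; exit 0 }
}
Write-Log 'Verification failed: new version not registered or java.exe did not run.'
exit 1
```

Assign it under Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup in the Java GPO, and check %WINDIR%\Temp\java-gpo.log on the single test machine before widening the link, as the testing slide recommends. The same skeleton (detect via the Uninstall keys, install silently, verify, exit non-zero on failure) applies to any executable installer that ships no MSI.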
Common Problems
• Windows XP & Vista require a hotfix
  • http://support.microsoft.com/kb/974266
• Latest NIC drivers for gigabit adapters
  • From the NIC manufacturer (not the PC OEM, e.g. Dell)
• Flush Group Policy history
  • Remove HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy
  • Remove from domain and re-join
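Deleting the Group Policy history key is a blunt fix, so it is worth doing reversibly. The PowerShell below is an added example, not from the slides, that backs the key up with reg.exe before removing it and then asks the client to re-apply policy. Run it elevated on the affected workstation; the backup location is an assumption.

```powershell
# Added example (not from the deck): flush a workstation's Group Policy history
# reversibly. The registry key is the one named on the slide; the backup folder
# is an assumption.
$GpKey  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy'   # reg.exe form
$GpPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy'  # provider form
$Backup = Join-Path $env:WINDIR ('Temp\GroupPolicy-backup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Reset-GroupPolicyHistory {
    if (-not (Test-Path -Path $GpPath)) {
        Write-Host "$GpKey not present; nothing to flush."
        return
    }
    # reg.exe export is a faithful backup; restore later with: reg import <file>
    & reg.exe export $GpKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $GpKey failed; key left in place." }
    Write-Host "Backed up $GpKey to $Backup"

    Remove-Item -Path $GpPath -Recurse -Force
    # /force re-applies every setting instead of only changed ones, rebuilding the history.
    & gpupdate.exe /force
    Write-Host 'Group Policy history removed; gpupdate /force issued.'
}

Reset-GroupPolicyHistory
```

If the machine still shows stale policy after this, fall back to the slide's last resort of removing it from the domain and re-joining.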
Resources
• Microsoft TechNet Forums
  • http://social.technet.microsoft.com/Forums/en-US/categories
• EduGeek
  • http://edugeek.net
• IT Ninja
  • http://www.itninja.com