
Patch Management Tools






Presentation Transcript


  1. Patch Management Tools

  2. Solution Components

  3. Client Patch Management Options
  • Consumer and Small Business: Windows Update
    • User Initiated Deployment or Automated Updates
    • Access to all available updates
    • Deployment from Microsoft.com
  • Medium Business: Software Update Services
    • User Initiated Deployment or Automated Updates
    • Administrator approved updates only
    • Deployment from servers behind firewalls
  • Enterprises: SMS and SMS Software Update Services Feature Pack
    • User or Administrator Initiated Deployments
    • Administrator approved updates
    • Deployment from servers behind firewalls
    • Reporting
    • Scheduling

  4. MBSA: What It Does
  [Diagram: patch management cycle (Assess, Identify, Evaluate & Plan, Deploy) with a new update entering the cycle]
  • Helps identify vulnerable Windows systems
  • Scans for missing security patches and common security mis-configurations
  • Scans various versions of Windows and other Microsoft applications
  • Scans local or multiple remote systems via GUI or command line invocation
  • Generates XML scan reports on each scanned system
  • Runs on Windows Server 2003, Windows 2000 and Windows XP
  • Integrates with SUS & SMS

  5. MBSA: How It Works*
  [Diagram: Microsoft Download Center supplies MSSecure.xml to the MBSA computer, which scans the target systems; SUS server shown alongside]
  • MSSecure.xml contains
    • Security Bulletin names
    • Product specific updates
    • Version and checksum info
    • Registry keys changed
    • KB article numbers
    • Etc.
  • Run MBSA on Admin system, specify targets
  • Downloads CAB file with MSSecure.xml & verifies digital signature
  • Scans target systems for OS, OS components, & applications
  • Parses MSSecure to see if updates available
  • Checks if required updates are missing
  • Generates time stamped report of missing updates
  *Only covers security patch scanning capabilities, not security configuration detection issues
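The scan loop described on this slide, as an added example that is not part of the deck and not MBSA's own code: a Python model that parses a catalog, matches each update to the host's product and service pack, and reports a bulletin as missing when its registry key is absent or a file is below the required version. The catalog below is a constructed stand-in for MSSecure.xml (the real file's element names and layout differ), the host inventory is constructed rather than read from a registry or file system, the bulletin ids and KB numbers are placeholders, and the CAB download and digital-signature check are assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed catalog in a hypothetical MSSecure-like layout (not the real schema);
# bulletin ids and KB numbers are placeholders, not real bulletins.
CATALOG_XML = """<Catalog>
  <Bulletin id="MSXX-001" kb="000001">
    <Update product="Windows XP" servicePack="SP1">
      <RegistryKey path="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP2\\KB000001"/>
      <File name="example.dll" minVersion="5.1.2600.1200"/>
    </Update>
    <Update product="Windows 2000" servicePack="SP3">
      <RegistryKey path="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows 2000\\SP4\\KB000001"/>
      <File name="example.dll" minVersion="5.0.2195.6000"/>
    </Update>
  </Bulletin>
  <Bulletin id="MSXX-002" kb="000002">
    <Update product="Windows XP" servicePack="SP1">
      <RegistryKey path="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP2\\KB000002"/>
      <File name="example.dll" minVersion="5.1.2600.1300"/>
    </Update>
  </Bulletin>
</Catalog>"""

# Constructed inventory of two target hosts (what the scanner would collect remotely).
HOSTS = [
    {"name": "ws01", "product": "Windows XP", "sp": "SP1",
     "registry_keys": {"HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP2\\KB000001"},
     "files": {"example.dll": "5.1.2600.1250"}},  # above MSXX-001's minimum, below MSXX-002's
    {"name": "srv01", "product": "Windows 2000", "sp": "SP3",
     "registry_keys": set(), "files": {"example.dll": "5.0.2195.5000"}},
]

def version_tuple(text):
    """Compare file versions numerically, not as strings ('1.10' > '1.9')."""
    return tuple(int(part) for part in text.split("."))

def parse_catalog(xml_text):
    """Flatten the catalog into one record per (bulletin, product, service pack)."""
    records = []
    for bulletin in ET.fromstring(xml_text).findall("Bulletin"):
        for upd in bulletin.findall("Update"):
            records.append({
                "bulletin": bulletin.get("id"),
                "kb": bulletin.get("kb"),
                "product": upd.get("product"),
                "sp": upd.get("servicePack"),
                "reg_keys": [r.get("path") for r in upd.findall("RegistryKey")],
                "files": {f.get("name"): f.get("minVersion") for f in upd.findall("File")},
            })
    return records

def scan_host(host, records):
    """Return the catalog updates that apply to this host and are not fully installed."""
    missing = []
    for rec in records:
        if (rec["product"], rec["sp"]) != (host["product"], host["sp"]):
            continue  # update targets a different OS or service pack level
        reasons = []
        for key in rec["reg_keys"]:
            if key not in host["registry_keys"]:
                reasons.append(f"registry key absent: {key}")
        for name, min_version in rec["files"].items():
            have = host["files"].get(name)
            if have is None or version_tuple(have) < version_tuple(min_version):
                reasons.append(f"{name} is {have or 'absent'}, need >= {min_version}")
        if reasons:
            missing.append({"bulletin": rec["bulletin"], "kb": rec["kb"], "reasons": reasons})
    return missing

def make_report(host, records, now=None):
    """Time-stamped, per-host text report listing why each update was judged missing."""
    now = now or datetime.now(timezone.utc)
    missing = scan_host(host, records)
    lines = [f"Scan of {host['name']} at {now.isoformat()}",
             f"Product: {host['product']} {host['sp']}",
             f"Missing updates: {len(missing)}"]
    for item in missing:
        lines.append(f"  {item['bulletin']} (KB{item['kb']}): " + "; ".join(item["reasons"]))
    return "\n".join(lines)

if __name__ == "__main__":
    catalog = parse_catalog(CATALOG_XML)
    for host in HOSTS:
        print(make_report(host, catalog), end="\n\n")
```

A file version above the catalog minimum passes, so a later update that replaced the same file does not make a bulletin look missing; the report keeps every reason a bulletin failed, which is what lets an administrator tell a genuinely unpatched host from one whose registry entry is merely inconsistent.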

  6. MBSA 1.1.1

  7. Windows Update: How It Works (Scenario 1: User Initiated Access)
  [Diagram: client browser exchanging with the Windows Update Service]
  • User goes to Windows Update (WU) & selects ‘Scan for updates’
  • Client side code (CC) in browser validates WU server & gets download catalog metadata
  • CC uses metadata to identify missing updates
  • User selects updates to install
  • CC downloads, validates, & installs updates
  • CC updates history & statistics information*
  *Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy

  8. Windows Update: How It Works (Scenario 2: Automatic Updates Initiated Access)
  [Diagram: Automatic Updates client exchanging with the Windows Update Service]
  • AU checks WU service for new updates (every 17-22 hours)
  • AU validates WU server & gets download catalog metadata
  • AU uses metadata to identify missing updates
  • AU either notifies user or auto-downloads using BITS & validates new updates
  • AU either notifies user or auto-installs updates
  • AU updates history & statistics information*
  *Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy

  9. SUS 1.0: What it Does
  [Diagram: patch management cycle (Assess, Identify, Evaluate & Plan, Deploy) with a new update entering the cycle]
  • Deploys Windows security patches, security rollups, critical updates*, and service packs only
  • Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
  • Provides patch download, deployment, and installation configuration options
  • Bandwidth optimized content deployment
  • Provides central administrative control over which patches can be installed from Windows Update
  • Provides basic patch installation status logging
  *Including critical driver updates

  10. SUS Benefits
  • Gives administrators control over patch & update management
  • Works with Group Policy* to prevent installs of non-approved updates from Windows Update
  • Allows staging & testing of updates before installation
  • Simplifies & automates key aspects of the patch management process
  • Ease of use alleviates difficulty of keeping supported systems up-to-date, reducing security risks
  *Note: Use of SUS does not require implementation of Active Directory or Group Policy

  11. SUS 1.0: How It Works
  [Diagram: Windows Update Service, through the firewall with bandwidth throttling, to the parent SUS server, then to child SUS servers and on to Automatic Updates clients]
  • SUS Server checks for updates every 17-22 hours
  • Administrator reviews, evaluates, and approves updates
  • Approvals & updates synced with child SUS servers*
  • AU gets approved updates list from SUS server
  • AU downloads approved updates from SUS server or Windows Update
  • AU either notifies user or auto-installs updates
  • AU records install history
  *SUS maintains approval logs & download, sync, & install statistics
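The server and client flow of slides 8 and 11, as an added example that is not SUS or Automatic Updates code: a Python model of a parent SUS server syncing from Windows Update, a child server mirroring its parent's catalog, content and approvals, and an AU client that installs only the approved updates for its product, falls back to Windows Update when the SUS server holds no copy, and validates every download before installing it. The catalog, content bytes and KB numbers are constructed; validation uses a SHA-256 hash carried in the catalog metadata, a simplification standing in for the digital-signature checks the slides describe.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for Windows Update content and its catalog metadata.
# KB numbers are placeholders; the hash plays the role of the signed metadata.
WU_CONTENT = {
    "KB000001": b"constructed payload 1",
    "KB000002": b"constructed payload 2",
    "KB000003": b"constructed payload 3",
}
WU_CATALOG = {
    "KB000001": {"product": "Windows XP", "sha256": sha256_hex(WU_CONTENT["KB000001"])},
    "KB000002": {"product": "Windows XP", "sha256": sha256_hex(WU_CONTENT["KB000002"])},
    "KB000003": {"product": "Windows 2000", "sha256": sha256_hex(WU_CONTENT["KB000003"])},
}

class SusServer:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.catalog, self.content, self.approved, self.log = {}, {}, set(), []

    def sync(self):
        """The parent syncs from Windows Update; a child mirrors its parent, approvals included."""
        if self.parent is None:
            self.catalog, self.content = dict(WU_CATALOG), dict(WU_CONTENT)
        else:
            self.catalog, self.content = dict(self.parent.catalog), dict(self.parent.content)
            self.approved = set(self.parent.approved)
        self.log.append(("sync", sorted(self.catalog)))

    def approve(self, update_id):
        """Administrator approval; only updates present in the synced catalog can be approved."""
        if update_id not in self.catalog:
            raise KeyError(f"{update_id} is not in the synced catalog")
        self.approved.add(update_id)
        self.log.append(("approve", update_id))

    def approved_for(self, product):
        return sorted(uid for uid in self.approved if self.catalog[uid]["product"] == product)

    def download(self, update_id):
        return self.content.get(update_id)  # None when the server holds no copy

class AutomaticUpdates:
    def __init__(self, name, product, sus, installed=()):
        self.name, self.product, self.sus = name, product, sus
        self.installed, self.history = set(installed), []

    def run_cycle(self):
        """One AU cycle: fetch the approved list, download, validate, install, record history."""
        installed_now = []
        for uid in self.sus.approved_for(self.product):
            if uid in self.installed:
                continue
            expected = self.sus.catalog[uid]["sha256"]
            data, source = self.sus.download(uid), self.sus.name
            if data is None:  # approved but not stored on the SUS server: go to Windows Update
                data, source = WU_CONTENT.get(uid), "Windows Update"
            if data is None or sha256_hex(data) != expected:
                self.history.append((uid, source, "rejected: content does not match catalog"))
                continue
            self.installed.add(uid)
            self.history.append((uid, source, "installed"))
            installed_now.append(uid)
        return installed_now

def demo():
    """Parent/child approval sync, then a damaged copy on the child being refused."""
    parent = SusServer("sus-parent")
    parent.sync()
    parent.approve("KB000001")
    parent.approve("KB000003")          # Windows 2000 only; an XP client must ignore it
    child = SusServer("sus-child", parent)
    child.sync()
    client = AutomaticUpdates("ws01", "Windows XP", child)
    first = client.run_cycle()          # installs KB000001; KB000002 is not yet approved
    parent.approve("KB000002")
    child.sync()
    child.content["KB000002"] = b"corrupted copy"   # constructed: damaged content on the child
    second = client.run_cycle()         # KB000002 is rejected, nothing installed
    return first, second, client

if __name__ == "__main__":
    for entry in demo()[2].history:
        print(entry)
```

The client never installs from the approved list alone: an approval says what may be installed, while the catalog hash (a signature in the real product) says whether the bytes that arrived are the ones the administrator approved.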

  12. Client Component: Automatic Updates
  • Centrally configurable to get updates either from corporate SUS server or Windows Update service
  • Can auto-download and install patches under admin control
  • Consolidates multiple reboots to a single reboot when installing multiple patches
  • Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
  • Localized in 24 languages

  13. Server Component: SUS Server
  • Downloads updates from Windows Update
  • Web based administration GUI
    • Specify server & update process configuration options
    • View downloaded updates
    • Approve updates & view approved updates
  • Security by design and default
    • Requires NTFS; installs IIS Lockdown and URL scanner*
    • Supports secure administration over SSL
    • Digital signatures on downloaded content validate authenticity
    • Uses HTTP for content synchronization – only port 80 needs to be open
  • Server side XML based logging on Web server
    • Patch deployment & installation statistics
  • Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
  • Localized** in English & Japanese
  *If not already installed
  **Note: Delivers updates for all 24 supported client languages

  14. SUS 1.0

  15. SMS 2003: What it Does
  [Diagram: patch management cycle (Assess, Identify, Evaluate & Plan, Deploy) with a new update entering the cycle]
  • Identifies & deploys missing Windows and Office security patches on target systems
  • Can deploy any patch, update, or application in Windows environments
  • Inventory management & inventory based targeting of software installs
  • Install verification and detailed reporting
  • Flexible scheduling of content sync & installs
  • Central, full administrative control over installs
  • Bandwidth optimized content distribution
  • Software metering and remote control capabilities

  16. SMS 2003 Patch Management: Benefits
  • Gives administrators control over patch management
  • Allows staging & testing of updates before installation
  • Fine-grained control of patch management options
  • Automates key aspects of the patch management process
  • Can update a broad range of Microsoft products (not limited to Windows and Office)
  • Can also be used to update third party software and deploy & install any software update or application
  • High level of flexibility via use of scripting

  17. SMS 2003 Patch Management: How It Works
  [Diagram: Microsoft Download Center, through the firewall, to the SMS Site Server, then to SMS Distribution Points and on to SMS Clients]
  • Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
  • Scan components replicate to SMS clients
  • Clients scanned; scan results merged into SMS hardware inventory data
  • Administrator uses Distribute Software Updates Wizard to authorize updates
  • Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
  • Software Update Installation Agent on clients deploys updates
  • Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates

  18. SMS 2003 Patch Management: Functionality
  • System scanning & patch content download
    • Content from Microsoft Download Center
    • MBSA & Office Inventory plug-ins scan for missing patches
    • Supports updating of remote & mobile devices
    • Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
  • Administrator control
    • Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
    • Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
    • Specific start and end times (change windows); multiple change windows
    • Easily move patches from testing into production
    • Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic the reference system configuration

  19. SMS 2003 Patch Management: Functionality (2)
  • Patch download & installation
    • Delta replication (site-site, server-server) of patches
    • Uses BITS* for mobile / remote client-server
    • Uses SMB* for LAN / priority situations
    • Reminders and rescheduling of install / reboot & enforcement dates
    • Optimized graceful reboots, but forced when enforcement date arrives
    • Per-patch reboot-needed detection to reduce reboots
  • Status & Compliance Reporting
    • Deployment status as patches are attempted
    • Standard and customized reports through read-only SQL queries
    • Determine actual baselines in the environment before changing the environment
    • SLA measurement and rate-of-spread
  *Requires SMS Advanced Client
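Change windows, enforcement dates and reboot handling (slides 12, 18 and 19), as an added example that is not SMS code: a Python scheduler that places an install in the next change window before the deadline, lets a user postpone it to a later window, forces the install once the enforcement date arrives, and collapses the reboots of a batch of patches into a single one. The change windows, deadline and patch list are constructed; the reboot-needed flags are assumed to come from the per-patch detection the slide mentions.

```python
from datetime import datetime, timedelta

def next_change_window(now, windows):
    """First change window that has not yet ended; it may already be open."""
    for start, end in sorted(windows):
        if end > now:
            return start, end
    return None

def plan_deployment(now, windows, enforce_at, patches):
    """Choose an install time and reboot handling for a batch of patches.

    windows:    (start, end) change windows the administrator allowed
    enforce_at: enforcement date; from then on the install and reboot are forced
    patches:    (name, needs_reboot) pairs from per-patch reboot detection
    """
    if now >= enforce_at:
        install_at, mode = now, "forced"
    else:
        window = next_change_window(now, windows)
        if window is None or window[0] >= enforce_at:
            # No change window opens before the deadline: install when it arrives.
            install_at, mode = enforce_at, "forced"
        else:
            install_at, mode = max(now, window[0]), "graceful"
    reboot_for = [name for name, needs_reboot in patches if needs_reboot]
    return {
        "install_at": install_at,
        "reboot": mode if reboot_for else "none",  # one reboot for the whole batch, or none
        "reboot_for": reboot_for,
    }

def postpone(plan, windows, enforce_at, patches):
    """User postponed a graceful install: move to the next window, deadline permitting."""
    later = [w for w in windows if w[0] > plan["install_at"]]
    return plan_deployment(plan["install_at"], later, enforce_at, patches)

# Constructed schedule: two weekly maintenance windows and a deadline between them.
WINDOWS = [(datetime(2003, 10, 20, 2, 0), datetime(2003, 10, 20, 4, 0)),
           (datetime(2003, 10, 27, 2, 0), datetime(2003, 10, 27, 4, 0))]
ENFORCE_AT = datetime(2003, 10, 24, 0, 0)
AFTER_DEADLINE = ENFORCE_AT + timedelta(days=1)
# Constructed patch batch; KB numbers are placeholders.
PATCHES = [("KB000001", True), ("KB000002", False), ("KB000003", True)]

def demo():
    """Three situations: first window, postponed past the last usable window, overdue."""
    first = plan_deployment(datetime(2003, 10, 18, 10, 0), WINDOWS, ENFORCE_AT, PATCHES)
    after_postpone = postpone(first, WINDOWS, ENFORCE_AT, PATCHES)
    overdue = plan_deployment(AFTER_DEADLINE, WINDOWS, ENFORCE_AT, PATCHES)
    return first, after_postpone, overdue

if __name__ == "__main__":
    for label, plan in zip(("first", "postponed", "overdue"), demo()):
        print(label, plan)
```

Two of the three patches need a reboot, but the plan schedules one; and a postponement that would push the install past the enforcement date does not succeed, it turns into a forced install at the deadline.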

  20. SMS 2003

  21. Choosing a Patch Management Solution: Functionality versus IT Resources Based Selection
  Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs
  [Chart: Breadth of Functionality (low to high) against IT Resources & Administration Skill Level (low to high); Windows Update, SUS and SMS plotted in that order from low/low to high/high]

  22. Patch Management Tools Futures

  23. MBSA Update Scanning Functionality
  • Overall direction
    • MBSA update scanning functionality integrated into Windows patch management functionality
    • MBSA becomes Windows vulnerability assessment & mitigation engine
  • Near- and Intermediate-term plans
    • MBSA 1.2 (Q4 2003)
      • Improves report consistency, product coverage, and locale support
      • Integrates Office Update Inventory Tool
    • MBSA 2.0 (Q2 2004)
      • Update scanning functionality migrates to SUS 2.0 / Microsoft Update
      • MBSA leverages SUS 2.0 for update scanning

  24. MBSA 1.2
  • Better international support
    • Japanese, French, German locale support
  • Expanded product support
    • MDAC, MSXML, JVM, Content Mgt Server, Commerce Server, BizTalk, Host Integration Server and Office
  • Improved consistency of reports
    • Support for alternate file versions in mssecure.xml (“OR” logic to consider multiple sets of file details)
    • Handle case of non-security updates overwriting previous security updates
    • Handle multiple patches for a product targeted at different OS versions
    • Handle uniproc/multiproc patches, QFE/GDR branch patches, etc.
  • Office Update Inventory Tool integration (local scans only)
  • Enhanced IE security zone checks

  25. MBSA 2.0
  • Integration with SUS 2.0 / Microsoft Update
  • Centralized report storage (SQL, net share)
  • Configurable/pluggable engine checks (engine framework, SDK)
  • Integrates tools like IISLockdown & SQLScan
  • Infrastructure to support future mitigation (via MOM, SMS, etc.)

  26. Microsoft Update
  • Online service and update repository for updating all Microsoft software
  • Built on SUS infrastructure
  • Includes automated scanning, update install, and reporting capabilities available in Windows Update
  [Diagram: today Windows Update and Office Update are separate services; in H2 2004 they converge into Microsoft Update, shown alongside SUS and SMS]

  27. SUS 2.0
  • Support for additional Microsoft products
    • Office 2003, SQL Server 2000, Exchange 2000, + additional products over time*
  • Enhanced infrastructure for patch management
    • Data Model: supersedence, update dependency & bundle relationships
    • Server APIs (.NET) and remoteable Client APIs (COM) for flexibility
  • Administrative control
    • Pre-deployment checks; initiate install & uninstall
    • Set polling frequencies & install deadlines
    • Target updates to groups of machines; Policy (AD) or list based group definitions
    • Rules for auto-handling of updates
  • Deployment & targeting
    • Download subset of WU content (e.g., WinXP but not Win2K)
    • Automatically deploys / updates SUS clients
  *Support for product versions listed here will be available when SUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy SUS 2.0
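The supersedence, dependency and bundle relationships named in the SUS 2.0 data model, as an added example that is not SUS code: a Python resolver that expands bundles into their members, pulls in required updates, drops any update superseded (directly or transitively) by one that is selected, and orders the result so prerequisites install first, refusing a dependency cycle instead of looping. The update identifiers and their relationships are constructed, and the metadata shape is an assumption rather than the real SUS 2.0 schema.

```python
# Constructed update metadata in a hypothetical shape (not the SUS 2.0 schema).
# U0..U4 are individual updates; B1 is a bundle whose members are U2 and U4.
UPDATES = {
    "U0": {"supersedes": [], "requires": [], "bundle": []},
    "U1": {"supersedes": ["U0"], "requires": [], "bundle": []},
    "U2": {"supersedes": ["U1"], "requires": ["U3"], "bundle": []},
    "U3": {"supersedes": [], "requires": [], "bundle": []},
    "U4": {"supersedes": [], "requires": ["U3"], "bundle": []},
    "B1": {"supersedes": [], "requires": [], "bundle": ["U2", "U4"]},
}

def expand_bundles(ids, updates):
    """Replace each bundle by its members (bundles may nest); a bundle itself is not installed."""
    result, stack = set(), list(ids)
    while stack:
        uid = stack.pop()
        members = updates[uid]["bundle"]
        if members:
            stack.extend(members)
        else:
            result.add(uid)
    return result

def add_dependencies(ids, updates):
    """Close the selection over 'requires' so every prerequisite is included."""
    result, stack = set(ids), list(ids)
    while stack:
        for dep in updates[stack.pop()]["requires"]:
            if dep not in result:
                result.add(dep)
                stack.append(dep)
    return result

def drop_superseded(ids, updates):
    """Remove updates replaced by a selected one; supersedence chains are followed."""
    superseded, stack = set(), list(ids)
    while stack:
        for old in updates[stack.pop()]["supersedes"]:
            if old not in superseded:
                superseded.add(old)
                stack.append(old)
    return {uid for uid in ids if uid not in superseded}

def install_order(ids, updates):
    """Kahn's topological sort over 'requires' edges inside the selection; ties alphabetical."""
    ids = set(ids)
    indegree = {uid: 0 for uid in ids}
    dependents = {uid: [] for uid in ids}
    for uid in ids:
        for dep in updates[uid]["requires"]:
            if dep in ids:
                indegree[uid] += 1
                dependents[dep].append(uid)
    ready = sorted(uid for uid in ids if indegree[uid] == 0)
    order = []
    while ready:
        uid = ready.pop(0)
        order.append(uid)
        for dependent in dependents[uid]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
                ready.sort()
    if len(order) != len(ids):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(ids - set(order))))
    return order

def resolve(requested, updates=UPDATES):
    """Requested ids (updates or bundles) to an ordered list of updates to install."""
    selected = expand_bundles(requested, updates)
    selected = add_dependencies(selected, updates)
    selected = drop_superseded(selected, updates)
    return install_order(selected, updates)

if __name__ == "__main__":
    print(resolve(["B1"]))          # ['U3', 'U2', 'U4']
    print(resolve(["U0", "U2"]))    # ['U3', 'U2']: U2 supersedes U1, which supersedes U0
```

Supersedence is applied after dependency closure so that an older prerequisite pulled in by one update is still dropped when a newer selected update replaces it, and the cycle check turns a malformed catalog into an error rather than an endless install loop.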

  28. SUS 2.0 (2)
  • Bandwidth efficiency
    • Uses BITS for client-server and server-server communication (download throttling & checkpoint restart, limit max bandwidth usage, etc.)
    • Support for ‘delta compression’ technologies
    • Configurable update subscriptions
    • Configurable to only download updates at deployment time
  • Scale out
    • Hierarchical & replica topology
    • Summary event roll-up
  • Status reporting
    • Deployment status aggregation per machine / per update / per group
    • Download / install success, failure, and error info
    • Custom reports using read-only SQL queries

  29. Patch Management Functionality: Future Direction
  • Longer-term (Longhorn time frame)
    • SUS functionality integrated into Windows
    • SUS supports updating of all Microsoft software
    • SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
    • SMS patch management built on SUS infrastructure and delivers advanced patch management functionality
  • Near-term
    • SUS 2.0 (Spring 2004)
      • Single infrastructure for patch management
      • Support for additional Microsoft products
      • Significant improvements in patch management functionality
    • SMS 2003 Update Management Feature Pack (H2 2004)
      • Leverages SUS for update scanning & download
      • Leverages SUS client (Automatic Updates) for installs

  30. Choosing A Patch Management Solution: Needs-Based Selection
  Adopt the solution that best meets the needs of your organization
  [Table: Core Patch Management Capabilities]

  31. Security Roadmap
  Slide table headings: Next-Generation Security Tools & Patching; Guidance; Shields
  • Today: Monthly patch releases; Guidance & training; How Microsoft runs Microsoft; Support for W2K SP2 & NT4 SP6a
  • 0 – 9 months: 2 patch installers; rollback; Patching enhancements; SUS 2.0; SMS 2003; More guidance and training; Shield technologies for client and server
  • 9 – 12 months: “MS Update”; More guidance and training; Integrated host security technologies
  • Future: NGSCB; Windows hardening; More guidance and training

  32. Adopt a Patch Management Solution
  At Microsoft, our #1 concern is the security and availability of your IT environment
  If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor
  [Table: partial list of available products*]
  *Microsoft does not endorse or recommend a specific patch management product or company
  Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality

  33. Summary
  • Addressing the patch management issue is a top priority
  • Taking a comprehensive, tactical & strategic approach
  • Made progress, but much more work to be done
  • Microsoft focused on:
    • Reducing the number of vulnerabilities & associated patches
    • Improving customer preparedness, training & communication
    • Simplifying & standardizing the patching experience
    • Improving patch quality
    • Unifying and strengthening patch management offerings
  • Key Recommendations:
    • Implement a good patch management process – it’s the key to success
    • Adopt a patch management solution that best fits your needs
    • Make use of the resources detailed in these slides

  34. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
