150 likes | 306 Views
PatchDeploy Behind the Scenes. Dardan Shkreli +41 41 748 22 04 shd@brainware.ch. Agenda. What is „Patch Day“? Benefits of Columbus Patch Deploy Supported Products The Workflow Next Steps Questions & Discussion. What is „Patch Day“?.
E N D
PatchDeployBehind the Scenes Dardan Shkreli +41 41 748 22 04 shd@brainware.ch
Agenda • What is „Patch Day“? • Benefits of Columbus Patch Deploy • Supported Products • The Workflow • Next Steps • Questions & Discussion (c) 2004 Brainware Solutions AG
What is „Patch Day“? • Microsoft products always “under construction“ • Security issues, vulnerabilities, bug fixes • Updates published 2nd Tuesday of each Month (c) 2004 Brainware Solutions AG
Benefits of Columbus Patch Deploy • Tested in advance • Correctness, Revisions, Adjustment • Management • One place to manage • Delivered like software packages through Columbus • Control and reduce risk • You decide which patches to deploy, when, and to which clients • Grouping • Make custom deployment groups: OS, SP, Severity, Clients, Sites • Efficient • Target only candidate clients, schedule deployment (c) 2004 Brainware Solutions AG
Supported Products • OS (Workstation/Server) • MS Office (XP, 2003, 2007) • Over 230 products • Five languages (c) 2004 Brainware Solutions AG
The Workflow • Analysis • OS, SP, Products, Severity • Development • ENU, DEU, JPN, etc. • Severity • Testing • Detection, Installation, Verification • Publishing • Catalogs, Encryption, Backup (c) 2004 Brainware Solutions AG
Analysis • First steps - Security Bulletin • Analysis (OS, SP, Products, Severity) • Filtering (SLA) • Infrastructure (c) 2004 Brainware Solutions AG
Development • Security Bulletins – KB Articles • Each Patch analysed • Prerequisites, Sources, File Info, Command lines (c) 2004 Brainware Solutions AG
Development • Security Bulletins – KB Articles • Each Patch analysed • Prerequisites, Sources, File Info, Command lines [Package] Description=KB 950760 / MS08-032 - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760): SP2-SP3 Identifier=950760 - MS08-032.BWP000183.BWS000312 Language=ENU Version=01 Patch=0 Platform=XP AllowConditionalUsage=0 Usercondition=File '*.*' Clientcondition= (reserved for future use only) Servercondition= (reserved for future use only) ; When should the package be released ? ; e.g. ServerReleaseDate=19970930193000 ServerReleaseDate=00000000000000 ClientReleaseDate=00000000000000 UserReleaseDate=00000000000000 FriendlyInstallText= OrderType= Friendly=YES Category=#Microsoft Patch# Active=3 ; Repetitive Jobs ; Repeat=EachTime ; This section allows you to define, in which CCC groups the package ; automatically should be inserted [Groups] OS Patches ENU_XP__SP2 OS Patches ENU_XP__SP3 [PatchManagement] Severity=2 BrainwareID={78F07EDF-2919-432E-AAEE-984298B6FC6D} IsPatch=1 Vendor=Microsoft KBID=950760 [UserAdd] [ClientAdd] ;#STARTCRYPT# if '%_NoPatchInstallationChecks%'='1' then goto INSTALL if not '%_OSMajorVersion%.%_OSMinorVersion%' = '6.0' then exit 'Invalid operating system. Required: 6.0 - Current: %_OSMajorVersion%.%_OSMinorVersion%' 'PDW001' if not '%_OSType%' = 'NT_WORKSTATION' then Exit 'Invalid operating system. Required: NT_WORKSTATION - Current: %_OSType%' 'PDW002' if '%_64BitOS%' = '1' then Exit 'Wrong type of OS - only for 32Bit OS' 'PDW011' RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Immediate if '%_SPLevel%'='0' then goto SP0_OK if '%_SPLevel%'='256' then goto SP1_OK Exit 'The current Service pack is not supported.' 'PDW005' :SP0_OK if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001' if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6000.16681' then goto File_OK :SP1_OK if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001' if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6001.18063' then goto File_OK if '%_PkgReinstall%'='1' then goto File_OK Exit 'No requirements met.' 'PDW090' :File_OK :INSTALL ;#ENDCRYPT# ;SetSystemRestorePoint /Daily /NoErrors if '%_AllowPatchesUnistall%'='1' then goto AllowUninstall goto NoUninstall [Summary] This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb. [Checks] if not '%_OSMajorVersion%.%_OSMinorVersion%' = '5.1' then Exit 'Not applicable. Required: 5.1 - Current: %_OSMajorVersion%.%_OSMinorVersion%' '1' if Not FileLanguage '%_WindowsSystem%\browselc.dll' = 'ENU' then Exit 'Not applicable - wrong language.' '3' RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Machine if '%_SPLevel%'='' then Set _SPLevel='0' /Machine if '%_SPLevel%'='512' then goto SP_OK if '%_SPLevel%'='768' then goto SP_OK Exit 'The current Service pack is not supported.' '5' :SP_OK RegRead 'HKEY_LOCAL_MACHINE' 'SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB950760' 'InstalledDate' '_KB950760_InstalledDate' /Script if '%_KB950760_InstalledDate%'='' then Exit 'Registry indicates missing (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB950760\InstalledDate)' '102' Exit 'Installed' '120' • Patch creation • Methods • Snapshots (Package Maker), MSI, Copy, Combination • Architecture (c) 2004 Brainware Solutions AG
Testing/Infrastructure • Combined testing - automated/human • Analysis & Infrastructure for testing • Static test • Source check • Command lines • Severity • Description Passed! • 1 Patch = Different OS/Products (c) 2004 Brainware Solutions AG
Testing/Infrastructure • Combined testing - automated/human • Analysis & Infrastructure for testing • Static test • Source check • Command lines • Severity • Description • Live tests • Download • Recognition • Installation • Verification Passed! Passed! • Test against MBSA, Windows Update, SMS, … Patch OK! (c) 2004 Brainware Solutions AG
Publishing • Last checks (syntax, coverage) • Expand Product, Service Packs & Patch Catalogs • Encrypt files • Place created patches into web server • Test download of catalogs from web server • Backup • Inform Helpdesk about published Patches • How do the clients get their patches ? • Columbus – Patch Deploy Module • Patch Deploy Agent (c) 2004 Brainware Solutions AG
Next steps… • Microsoft (…x64) • Adobe • McAfee • Others (c) 2004 Brainware Solutions AG
Questions & Discussion ? (c) 2004 Brainware Solutions AG
Thank You Dardan Shkreli +41 41 748 22 04 shd@brainware.ch (c) 2004 Brainware Solutions AG