LD 9.5 SP1 - Patch Management Best Practices

advertisement
LANDesk Patch Management Best practices
Chris Rawlings
LANDesk Sales Engineer
3
LANDesk 9.5 SP1 Updates
•
•
•
•
•
Mobility
Patch
Security Suite
FIPS 140-2
Cloud Service
Appliance
• SmartVue
• Linux/Unix
•
•
•
•
•
•
•
•
OS X
HP Integration
Intel
Remote Control
Data Analytics
Agent
Provisioning
SWD
LANDesk Software Confidential
•
•
•
•
Inventory
Printer Management
Auditing
Flexera
PATCH MANAGEMENT BEST
PRACTICES
Clean Up The Patch Management
• Disable Replaced Rules Wizard
– Adobe Flash
– Sun Java
– Itunes
6
LANDesk Software Confidential
Clean Up The Patch Management
• Purge Distribution and Patch
Definitions
– Eliminates unnecessary
Operating Systems
– Eliminates unnecessary
languages
7
LANDesk Software Confidential
Clean Up The Patch Management
• Delete Unnecessary Patches
– Delete patches in Do Not Scan
and unassigned groups
– Delete undetected patches
8
LANDesk Software Confidential
Patching – Application EOL Detection
• Application End Of Life Detection
• Publish by Content
• Leverage LANDesk Patch Manager
• Already support
• MS Office 2000/XP
• Adobe Acrobat Pro/Sta 6.x,
7.x, 8.x
• Adobe Reader 6.x, 7.x, 8.x
• Java SE 1.3, 1.4, 5.0
9
LANDesk Software Confidential
Prepare Patch Reports
• Gather Historical Information
– Schedule to run on a daily basis
10
LANDesk Software Confidential
Avoid Impacting Users
• Configure CPU Utilization during
scan for low impact
11
LANDesk Software Confidential
New Feature
Do Not Disturb if…
• Maximize end-user
productivity
– Reduce unwanted disruptions
» Detect full screen apps
» Dynamically hide scan dialog
12
LANDesk Software Confidential
Configure Reboot options
• Change Defaults
–
–
–
–
13
Allow user to defer
Reboot if no one is logged
After Time out snooze
Increase Timeout
LANDesk Software Confidential
Patching – Application Interference
• Increased first pass success rate
– Java
– Browser plugins
– Custom applications
• Close applications prior to
patching
– Prevent / block applications from
running during the patch process
14
LANDesk Software Confidential
What you see on the client…
• Configured to
– Prompt
– Don’t allow defer or cancel
• Shows apps that must close.
– Dynamically updates list as
apps are closed by user.
1
LANDesk Software Confidential
Process to Kill are Definition Based
• Clone Vulnerability
• Edit Detection Rule
• Add Process to stop
16
LANDesk Software Confidential
Autofix by Scope
• Supports Targeted Repairs
• Fewer Scheduled Tasks to
manage
1
LANDesk Software Confidential
Create query for affected computers
Scenario: Administrator wants to quickly and easily create a vulnerability query to
represent affected computers.
• New right-click option
• The “IN” clause is not editable in the
DAL query editor.
18
LANDesk Software Confidential
New Feature 9.5 SP1
Patching – Maintenance Windows
• Controlled and Predictable
maintenance
– Autofix policies are queued
– Machine state detection
– More aggressive reboot controls
become possible
19
LANDesk Software Confidential
Patching – Application Interference
• Increased first pass success rate
– Java
– Browser plugins
– Custom applications
• Close applications prior to
patching
– Prevent / block applications from
running during the patch process
20
LANDesk Software Confidential
Patching – Application EOL Detection
• Application End Of Life Detection
• Publish by Content
• Leverage LANDesk Patch Manager
• Already support
• MS Office 2000/XP
• Adobe Acrobat Pro/Sta 6.x,
7.x, 8.x
• Adobe Reader 6.x, 7.x, 8.x
• Java SE 1.3, 1.4, 5.0
21
LANDesk Software Confidential
Vulnerability severity override
Scenario: Administrator disagrees with the predefined severity of a vulnerability
definition and/or wants to “lock down” reviewed severities.
• Right-click multi-selected definitions is allowed. The “focused” definition’s current
settings are displayed.
• For backward compatibility in the database, “Severity” still contains the current value.
• “OrigSeverity” is null if no override has been specified. Otherwise, it stores the
LANDesk-supplied severity.
2
LANDesk Software Confidential
9.5.1
Software Distribution
LANDesk Software
LANDesk Software Confidential
Desktop Manager
•
•
•
•
New interface
Customizable branding
Deliver Links, Docs & Apps
• Packages and links
can be placed in
categories
“Chrome-less” app
launching
•
•
•
24
LANDesk Software Confidential
WPF and EXE
Launchpad integrated
Task history of client
changes
Software Distribution
• Package Bundles
–
–
–
–
2
Leverages groups in distribution packages
Set the installation order (one level)
Allows for packages to be grouped and ordered (one level)
Categories are supported
LANDesk Software Confidential
Software Distribution
• New Streamed Document package type
–
–
–
–
2
Link for any file type (.txt, .pdf, .docx, .msi, etc.)
Associated application
Streamed from the portal (new portal only), not downloaded to the client
Uses the current associated shell application (by file extension) defined for the client operating system
LANDesk Software Confidential
Software Distribution
• Default Delivery Method
– New shared control to select the delivery method
– Global value
– Only enabled for Administrators
2
LANDesk Software Confidential
Software Distribution
• New package pre-cache feature
– Only downloads package files to client machines, will not perform package
installation
2
LANDesk Software Confidential
Software Distribution
• Task History
– Task history is automatically gathered and stored in the client database
• Task History Maintenance
– Enable automatic cleanup of task history in the client database
– Configured in Agent settings and must be associated with each client (Agent configuration / Agent
settings)
»
»
»
Configurable by days to keep, a value of 0 will delete all task history from the client database
If not set, all task history will continue to be stored
Settings stored in each client machine registry under
LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings
›
2
ClientDatabaseHistoryDays: Specifies days to keep history, -1 or 0xffffffff if not set (all task history will be kept)
LANDesk Software Confidential
Software Distribution
• Task History/Maintenance continued
– Inventory scanner automatically sends client task history to the core database
– Located in inventory under LANDesk Management / SWD / History
3
LANDesk Software Confidential
Software Distribution
• Automatically run inventory scanner after package installation
– Inventory settings located in Agent settings UI
– Requires an Inventory setting to be associated with each client (Agent configuration / Agent Settings)
– Creates a local scheduler task from the current time plus a delay
»
If multiple packages are installed, the local scheduled task is added/updated with the new time. Always uses
the same task id (779)
– Two delay settings
»
»
»
Initial delay, minimum of 5 minutes, maximum of 60 minutes, default 5 minutes
Additional random delay to help stagger scans (reduce the load on the core), minimum of 0 minutes and
maximum of 60 minutes, default 15 minutes (will randomize between 0 and the value set)
Settings stored in each client machine registry under
LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings
›
3
InventoryScanDelayAfterPackageInstall: High word is the initial delay, low word is the additional random delay, -1 or
0xffffffff if not set (inventory scanner will not run after package install)
LANDesk Software Confidential
QUESTIONS
Download