Patch Management drill down
Steven Hope
Lead Technical Security Specialist steven@microsoft.com
Welcome to this TechNet Event
We would like to bring your attention to the key elements of the
TechNet programme; the central information and community resource for IT professionals in the UK:
FREE bi-weekly technical newsletter
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
Monthly CD / DVD subscription with the latest technical tools & resources
FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break
This is true for you right?
We live in a world of plenty…
– High bandwidth links everywhere
– Low cost & reliable connectivity
We all have an efficient patch process…
– Testing is quick
– The process is clear and repeatable
– Deployment is easy
Patch Management – The Rude Awakening
Humans write software, therefore software will ALWAYS have bugs!
Utopia = not having to deploy a patch, not that patches no longer exist.
Patching should be the LAST line of defence, not the first! And should be avoided wherever possible.
Patching is NOT all about tools and scripts.
Clever system / network designs can significantly reduce the requirement to patch, e.g.:
– Use IPSEC to reduce access to services
– Use Layer 7 firewalls like ISA Server 2004 to protect core assets.
– Reduce the attack surface on machines
Monthly controlled releases and responsible disclosure are GOOD things!
Organization for Internet Safety
Mission: To develop and promote processes for effectively handling security vulnerabilities.
Industry-leading vendors, security research firms www.oisafety.org
Successful Patch Management
Ingredients: Tools & Technologies; Consistent & repeatable Processes
Patch Management Best Practices Process
1. Assess Environment to be Patched
Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review Infrastructure/configuration
Ongoing Tasks
A. Discover Assets
B. Inventory Clients
2. Identify New Patches
Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: install on isolated system)
3. Evaluate & Plan Patch Deployment
Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing
4. Deploy the Patch
Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment
http://www.microsoft.com/msm
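Task 2C (verify patch authenticity & integrity) as an added PowerShell example, not code from the presentation: the downloaded file's Authenticode signature is checked, the signer is compared with the expected publisher, and the file hash is compared with the value published in the bulletin. The file path, the publisher name and the hash value are assumptions to be replaced with the bulletin's own data.

```powershell
# Added example (not from the presentation): checks to run on a downloaded patch
# before it goes anywhere near a test system. The signer name and the expected
# hash are assumptions; take them from the vendor's published bulletin, never
# from the download location itself.
function Test-PatchAuthenticity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,                          # hash from the bulletin (assumed)
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'  # assumed publisher
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. The signature must verify and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }
    # 2. A valid chain is not enough: the leaf certificate must belong to the expected publisher.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $($sig.SignerCertificate.Subject)" }
    }
    # 3. When the bulletin publishes a hash, the file on disk must match it exactly.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Hash mismatch: got $actual" }
        }
    }
    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'Signature valid; signer and hash match' }
}

# Usage (placeholder path and hash):
# Test-PatchAuthenticity -Path 'C:\Patches\<update-from-bulletin>.exe' -ExpectedSha256 '<hash from bulletin>'
```

Only a result with Trusted = $true should be promoted to the isolated test system; anything else goes back to the source for investigation.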
Updating: Roadmap “Microsoft Update”
(Diagram: today's update channels, Windows Update, Download Center, VS Update and AutoUpdate, each covering either Windows only or Exchange, Office…, plus SUS (Windows) and SMS (Windows, SQL, Exchange, Office…), all converging on Microsoft Update.)
Security Update Management Today
Disparate sources, limited product support
Windows Update/Office Update
– Consumer focused web based solutions
Software Update Services (SUS) 1.0
– Intermediary between Windows Update and Automatic Updates (globally control updates)
Microsoft Baseline Security Analyzer (MBSA) 1.2.1
– Detects security updates for 16 products
– Detects configuration vulnerabilities for 7 products
Systems Management Server 2003
– SUS Feature Pack (Windows Updates only)
– MBSA 1.2.1 for other security update detection
– Enterprise Update Scan Tool (EST)
– Detects critical and important security updates that MBSA does not
– Compatible with SMS
Security Update Management Tomorrow
Consistent results, extending product support
Microsoft Update (MU)
– “Hosted” version of Windows Server Update Services
– Consumer focused web based solution
Windows Server Update Services (WSUS)
– Infrastructure for all other updating products and tools
– Update management solution with targeting for Microsoft platform
Microsoft Baseline Security Analyzer (MBSA) 2.0
– Security focused scanning without the need for a server
Systems Management Server 2003
– Inventory Tool for Microsoft Update
– Integrated MBSA 2.0 security configuration checks
Microsoft Baseline Security Analyser
Now and next
MBSA – Analysis and reporting tool
Scans missing security updates and security configuration settings
Born of HFnetchk, now at 1.2.1
Requires up to date reference file (mssecure.xml)
GUI and command line versions
“Read only” tool - user context requires local admin rights on each target machine
Scans:
– Windows 2000, Windows XP, Windows Server 2003
– IIS, SQL Server, Internet Explorer, Office, Exchange Server, Windows Media Player
– Microsoft Data Access Components (MDAC), MSXML
– Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server
MBSA 1.2.1 / MBSA 2.0 Delta
MBSA 2.0 shares with MBSA 1.2.1:
– Security configuration and update scanning
– Command Line scripting
– Simple, easy to use interface
– Integration with SMS and MOM
MBSA 2.0 introduces:
– WSUS scan parity
– WSUS compliance
– Expanding security update product support
– Security update install history
– CAN/CVE ID when they become available
MBSA 2.0 RTW = End of Q2 2005
MBSA 2.0 : How It Works*
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file from MU & verifies digital signature
3. Scans target systems for OS, OS components, & applications using WUA
4. Generates time stamped report of missing updates
(Diagram: MBSA computer, Microsoft Update and WSUS Server; all content is shared with MU)
*Only covers security patch scanning capabilities, not security configuration detection issues
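The four steps above, reproduced with the Windows Update Agent (WUA) COM API as an added PowerShell example; this is not MBSA's own code. It assumes the Microsoft Update offline scan cabinet (wsusscn2.cab, the current name of the scan package) has already been downloaded to the given path, verifies its signature before using it, and builds the time-stamped report of missing updates with their KB, bulletin and CVE identifiers.

```powershell
# Added example (not MBSA's own code): MBSA 2.0's scan flow using the WUA COM API.
# The scan cabinet path is an assumption; the CAB is downloaded separately.
function Get-MissingSecurityUpdates {
    param([Parameter(Mandatory)] [string] $ScanCabPath)

    # Step 2: only a CAB with a valid digital signature is trusted as the reference.
    $sig = Get-AuthenticodeSignature -FilePath $ScanCabPath
    if ($sig.Status -ne 'Valid') { throw "Scan package signature is $($sig.Status); refusing to scan" }

    # Register the CAB as an offline update service and point a searcher at it.
    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $service  = $serviceManager.AddScanPackageService('Offline Sync Service', $ScanCabPath, 1)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3          # ssOthers: use the service registered above
    $searcher.ServiceID = $service.ServiceID

    # Step 3: applicable software updates that are not installed on this system.
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")

    # Step 4: time-stamped report with the identifiers an administrator needs to act on.
    $scanTime = Get-Date
    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            ScannedAt = $scanTime
            Computer  = $env:COMPUTERNAME
            Title     = $update.Title
            Severity  = $update.MsrcSeverity
            KB        = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Bulletins = @($update.SecurityBulletinIDs) -join ','
            CveIds    = @($update.CveIDs) -join ','
        }
    }
}

# Usage (assumed path): Get-MissingSecurityUpdates -ScanCabPath 'C:\Scan\wsusscn2.cab' | Format-Table -AutoSize
```

Like MBSA, this reports on the local machine only; run it under an account with local administrator rights, as the slide on MBSA notes.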
Windows Server Update Services
WSUS: the software formerly known as SUS and WUS…
Windows Server Update Services
Successor to SUS (Software Update Services)
Automates centralized download, distribution and installation of updates
Gets its content from Microsoft Update (MU)
Free download
– Free to Windows Server (2000 and above) licensees
– Requires Windows Server / Core CAL for target systems
Does not change currently available offerings
– SUS 1.0 continues to get content from WU
Core component of Microsoft’s Update Management solutions & roadmap
WSUS RTW = Q2 2005
WSUS - Supported Products And Content
Critical Updates for
– All Microsoft products over time
– At RTM:
– Windows 2000 SP3 and later versions of Windows
– Office XP SP2 and Office 2003
– SQL 2000 and MSDE 2000
– Exchange 2003
– Critical drivers
Platform support/requirements for
– Windows 2000 SP3 (SP4 for WSUS Server) and later
– Windows XP RTM and later
– Windows Server 2003 RTM and above
– All localized versions (including MUI)
WSUS - Solution Overview
(Diagram: Microsoft Update feeds a WSUS Server managed by the WSUS Administrator; Desktop Clients form Target Group 1 and Server Clients form Target Group 2.)
WSUS Scalability
(Diagram: a Parent WSUS Server synchronised from Microsoft Update, with a Replica Child WSUS Server and an Autonomous Child WSUS Server each serving their own Desktop Clients.)
WSUS & disconnected Networks
(Diagram: a WSUS Server connected to Microsoft Update, and a second WSUS Server on the disconnected network serving Desktop Clients.)
WSUS – Client Deployment & Configuration
Client Deployment
– Only required for Windows XP Gold (without SP)
– Windows XP SP2 and Windows Server 2003 SP1 include the WSUS client binaries
– All other WSUS supported OS’s include AUv2.2
– Automatically self-updates to WSUS client version
Client Configuration
– Active Directory = via GPO
– NT4.0 = Wuau.adm in System Policy
– Registry keys via script
WSUS Features
Administrator control of deployment
– Initiate scan of machines for patch applicability
– Approve for install and uninstall (requires update support)
– Date-based deadlines for approved updates
– Deploy different updates to target groups
WSUS GUI based reports
– Per machine/per update/per target group
– Needed, Pending Reboot, Install success and failures with error information
WSUS Features (continued)…
Target Groups
– Client-side targeting using AD GPO
– Server-side targeting on WSUS server
Client Configurations
– Polling frequency
– Notification and Install behaviors
– Reboot behaviors
– Port configurability
– Non-administrators can install updates (like administrators)
– Install at Shutdown (XP SP2 only)
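The “Registry keys via script” configuration route from the Client Deployment & Configuration slide, together with the client-side targeting, polling frequency, install and reboot behaviours listed above, as an added PowerShell example (not from the presentation). It writes the same policy values that the GPO and Wuau.adm templates set, so it suits machines outside the domain; the WSUS URL, port and target group name are assumptions.

```powershell
# Added example (not from the presentation): WSUS client policy via the registry,
# for clients that cannot receive it through AD GPO. Server URL and group are assumed.
function Set-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] [string] $WsusUrl,         # port travels in the URL (assumed)
        [string] $TargetGroup,                              # client-side targeting (optional)
        [ValidateRange(2,4)] [int] $AUOptions = 4,          # 2=notify, 3=download+notify, 4=scheduled install
        [ValidateRange(1,22)] [int] $DetectionHours = 4,    # polling frequency in hours
        [switch] $NoAutoRebootWithLoggedOnUsers             # reboot behaviour
    )
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    foreach ($key in $policy, $au) { if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null } }

    # Where to fetch updates and where to report status.
    Set-ItemProperty -Path $policy -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $policy -Name WUStatusServer -Value $WsusUrl -Type String
    if ($TargetGroup) {
        Set-ItemProperty -Path $policy -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $policy -Name TargetGroup        -Value $TargetGroup -Type String
    }
    # Automatic Updates behaviour: use the intranet server, how to install, how often to poll.
    Set-ItemProperty -Path $au -Name UseWUServer               -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate              -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions                 -Value $AUOptions -Type DWord
    Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name DetectionFrequency        -Value $DetectionHours -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value ([int]$NoAutoRebootWithLoggedOnUsers.IsPresent) -Type DWord

    # Read the values back so the change can be verified and audited after the run.
    Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer, TargetGroup
    Get-ItemProperty -Path $au     | Select-Object UseWUServer, AUOptions, DetectionFrequency, NoAutoRebootWithLoggedOnUsers
}

# Usage (assumed server and group):
# Set-WsusClientPolicy -WsusUrl 'http://wsus.corp.example:8530' -TargetGroup 'Desktops' -NoAutoRebootWithLoggedOnUsers
```

The client picks the new policy up on its next detection cycle; an administrator can confirm it arrived by checking that the machine appears in the chosen target group in the WSUS reports.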
Network Use Optimization Features
Resilient and transparent
– BITS* for client-server and server-server downloads
– Downloads are in the background
Minimized data downloads
– Update subscriptions (per product/classification)
– Support for “delta compression” technologies for client-server communications
– Option to only download approved updates
*Background Intelligent Transfer Service
Customer Feature Requests
Top Features Requested (table: each request marked against SUS 1.0 SP1 and WSUS)
Support for service packs
Install on SBS and domain controller
Support for Office and other MS products
Support additional update content types
Update uninstall
Update targeting
Improve support for low bandwidth networks
Reduce amount of data that needs to be downloaded
Set polling frequency for downloading new updates
Minimize need for end user interruption
Emergency patch deployment (‘big red button’)
Deploy update for ISV and custom apps
NT4 support
*Partially addressed through polling frequency control and scripts
Systems Management Server 2003
Patching the Enterprise
Systems Management Server 2003
Premium Change and Configuration Management Offering
Scalable, global enterprise solution for client and server management
– Software Distribution
– OS Deployment
– Mobile Device Management
– Hardware Inventory
– Software Inventory
– Application Usage Tracking
– Remote Help Desk Functionality
Visit http://www.microsoft.com/sms for more information
SMS 2003 & Patch Management
Supports critical updates for Windows and Office
Vulnerability Assessment
– Leverages existing tools like MBSA
– Collects MBSA results for storage in a central repository
– Rich reporting provides detailed vulnerability analysis and enables mitigation planning
Status and Compliance Reporting
– Deployment status as patches are delivered using built-in reports and client status messaging
– Determine actual baselines in the environment before changing the environment
– Report on clients not compliant to baseline
– Automatically deploy updates to get compliant
SMS 2003 Patch Management: How It Works
1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates
(Diagram: Microsoft Download Center, SMS Site Server, SMS Distribution Points and SMS Clients)
SMS 2003 - SP1
Ability to authorize critical updates immediately without waiting for inventory scans. Allows deployment of a critical update as soon as it is released.
Prior to SP1 you needed to wait for the scans to happen and the data to be returned to the SMS site server; only then would the update become available to deploy through the Distribute Software Updates Wizard.
SMS Inventory Tool for Microsoft Updates
SMS Inventory Tool for Microsoft Updates (ITMU)
– Uses Windows Update Agent for scanning and installation of updates
– WUA included with Windows XP SP2 & Windows Server 2003 SP1
– Distributed as a stand-alone install by SMS for older operating systems
Provides consistency with content provided on Microsoft Update
Non-critical updates are not included in v1.0 of the scan tool
Can be used side-by-side with legacy scan tools for additional product coverage
Expected Release Date = July 2005
Patch Management Client Experience
Background Intelligent Transfer Service - BITS
Downloads files using Hypertext Transfer Protocol (HTTP)
Checkpoint mechanism
– Allows for network connectivity interruptions
Automatic network throttling
– Only uses idle bandwidth
NEW! BITS v2.0
– Included in Windows XP SP2 & Windows Server 2003 SP1
– Downloadable for Windows 2000, XP and Server 2003
How does Microsoft manage patches?
Patching by MSIT
How MS does it: Patch process flow
(Flowchart)
Corporate Security (CorpSecIT) monitors vulnerability information
CorpSecIT finds & analyzes vulnerability
Critical Vulnerability? No: wait for service pack. Yes: CorpSecIT determines enforcement schedule
Global Client Software (GCS) tests patch
GCS creates SMS package
14 Days
GCS distributes package
GCS enforces patch
7 days (or immediate if critical)
How MS does it: The technology
(Chart: patch timeline against the percentage of vulnerable clients, falling from 30% through 12%, 6% and 5% to 3% as the method escalates from low to high client impact: Windows Update; Email & ITWeb Notification (Optional), then SMS Patch Management (Voluntary > Forced), then Internal Scanning & Scripts (Forced), then Port Shutdowns.)