Patch Management Tools - Microsoft Center

Patch Management Tools
Solution Components
Analysis Tools
• Microsoft Baseline Security Analyzer (MBSA)
• Office Inventory Tool
Online Update Services
• Windows Update
• Office Update
• Windows Update Catalog
Content Repositories
• Office Download Catalog
• Microsoft Download Center
Management Tools
• Automatic Updates (AU) feature in Windows
• Software Update Services (SUS)
• Systems Management Server (SMS)
Prescriptive Guidance
• Microsoft Guide to Security Patch Management
• Patch Management Using SUS
• Patch Management Using SMS
Client Patch Management Options
Consumer and Small Business: Windows Update
• User initiated deployment or Automatic Updates
• Access to all available updates
• Deployment from Microsoft.com
Medium Business: Software Update Services
• User initiated deployment or Automatic Updates
• Administrator approved updates only
• Deployment from servers behind firewalls
Enterprises: SMS and SMS Software Update Services Feature Pack
• User or administrator initiated deployments
• Administrator approved updates
• Deployment from servers behind firewalls
• Reporting
• Scheduling
MBSA: What It Does
• Helps identify vulnerable Windows systems
• Scans for missing security patches and common security mis-configurations
• Scans various versions of Windows and other Microsoft applications
• Scans local or multiple remote systems via GUI or command line invocation
• Generates XML scan reports on each scanned system
• Runs on Windows Server 2003, Windows 2000 and Windows XP
• Integrates with SUS & SMS
[Figure: patch management lifecycle diagram: New Update → Assess → Identify → Evaluate & Plan → Deploy]
MBSA: How It Works*
1. Run MBSA on the admin system and specify targets
2. MBSA downloads a CAB file containing MSSecure.xml from the Microsoft Download Center & verifies its digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure.xml to see if updates are available
5. Checks if required updates are missing
6. Generates a time stamped report of missing updates
MSSecure.xml contains
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.
[Figure: MBSA computer, Microsoft Download Center (MSSecure.xml) and SUS server]
*Only covers security patch scanning capabilities, not security configuration detection issues
MBSA 1.1.1
Windows Update: How It Works
Scenario 1: User Initiated Access
1. User goes to Windows Update (WU) & selects ‘Scan for updates’
2. Client side code (CC) in the browser validates the WU server & gets download catalog metadata
3. CC uses metadata to identify missing updates
4. User selects updates to install
5. CC downloads, validates, & installs updates
6. CC updates history & statistics information*
*Note: No personally identifiable information is collected.
See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
Windows Update: How It Works
Scenario 2: Automatic Updates Initiated Access
1. AU checks the WU service for new updates (every 17-22 hours)
2. AU validates the WU server & gets download catalog metadata
3. AU uses metadata to identify missing updates
4. AU either notifies the user or auto-downloads using BITS & validates new updates
5. AU either notifies the user or auto-installs updates
6. AU updates history & statistics information*
*Note: No personally identifiable information is collected.
See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
SUS 1.0: What it Does
• Deploys Windows security patches, security rollups, critical updates*, and service packs only
• Deploys the above content for Windows 2000, Windows Server 2003 and Windows XP only
• Provides patch download, deployment, and installation configuration options
• Bandwidth optimized content deployment
• Provides central administrative control over which patches can be installed from Windows Update
• Provides basic patch installation status logging
[Figure: patch management lifecycle diagram: New Update → Assess → Identify → Evaluate & Plan → Deploy]
*Including critical driver updates
SUS Benefits
• Gives administrators control over patch & update management
• Works with Group Policy* to prevent installs of non-approved updates from Windows Update
• Allows staging & testing of updates before installation
• Simplifies & automates key aspects of the patch management process
• Ease of use alleviates the difficulty of keeping supported systems up-to-date, reducing security risks
*Note: Use of SUS does not require implementation of Active Directory or Group Policy
SUS 1.0: How It Works
1. SUS server checks Windows Update for updates every 17-22 hours
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers*
4. AU gets the approved updates list from the SUS server
5. AU downloads approved updates from the SUS server or Windows Update
6. AU either notifies the user or auto-installs updates
7. AU records install history
[Figure: Windows Update service, parent SUS server, child SUS servers, AU clients]
*SUS maintains approval logs & download, sync, & install statistics
Client Component: Automatic Updates
• Centrally configurable to get updates either from the corporate SUS server or the Windows Update service
• Can auto-download and install patches under admin control
• Consolidates multiple reboots to a single reboot when installing multiple patches
• Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
• Localized in 24 languages
Server Component: SUS Server
• Downloads updates from Windows Update
• Web based administration GUI
  • Specify server & update process configuration options
  • View downloaded updates
  • Approve updates & view approved updates
• Security by design and default
  • Requires NTFS; installs IIS Lockdown and URLScan*
  • Supports secure administration over SSL
  • Digital signatures on downloaded content validate authenticity
  • Uses HTTP for content synchronization – only port 80 needs to be open
• Server side XML based logging on the Web server
  • Patch deployment & installation statistics
• Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
• Localized** in English & Japanese
*If not already installed
**Note: Delivers updates for all 24 supported client languages
SUS 1.0
SMS 2003: What it Does
• Identifies & deploys missing Windows and Office security patches on target systems
• Can deploy any patch, update, or application in Windows environments
• Inventory management & inventory based targeting of software installs
• Install verification and detailed reporting
• Flexible scheduling of content sync & installs
• Central, full administrative control over installs
• Bandwidth optimized content distribution
• Software metering and remote control capabilities
[Figure: patch management lifecycle diagram: New Update → Assess → Identify → Evaluate & Plan → Deploy]
SMS 2003 Patch Management: Benefits
• Gives administrators control over patch management
• Allows staging & testing of updates before installation
• Fine-grained control of patch management options
• Automates key aspects of the patch management process
• Can update a broad range of Microsoft products (not limited to Windows and Office)
• Can also be used to update third party software and deploy & install any software update or application
• High level of flexibility via use of scripting
SMS 2003 Patch Management: How It Works
1. Setup: download the Security Update Inventory and Office Inventory Tools from the Microsoft Download Center; run the inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses the Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: sync component checks for new updates; scans clients; and deploys necessary updates
[Figure: Microsoft Download Center, SMS site server, SMS distribution points, SMS clients]
SMS 2003 Patch Management: Functionality
System scanning & patch content download
• Content from the Microsoft Download Center
• MBSA & Office Inventory plug-ins scan for missing patches
• Supports updating of remote & mobile devices
• Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
Administrator control
• Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
• Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
• Specific start and end times (change windows); multiple change windows
• Easily move patches from testing into production
• Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic the reference system configuration
SMS 2003 Patch Management: Functionality (2)
Patch download & installation
• Delta replication (site-site, server-server) of patches
• Uses BITS* for mobile / remote client-server
• Uses SMB* for LAN / priority situations
• Reminders and rescheduling of install / reboot & enforcement dates
• Optimized graceful reboots, but forced when the enforcement date arrives
• Per-patch reboot-needed detection to reduce reboots
Status & Compliance Reporting
• Deployment status as patches are attempted
• Standard and customized reports through read-only SQL queries
• Determine actual baselines in the environment before changing the environment
• SLA measurement and rate-of-spread
*Requires SMS Advanced Client
SMS 2003
Choosing a Patch Management Solution
Functionality versus IT Resources Based Selection
Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs
[Chart: breadth of functionality (low to high) plotted against IT resources & administration skill level (low to high); Windows Update sits at the low end, SUS in the middle, SMS at the high end]
Patch Management Tools Futures
MBSA Update Scanning Functionality
Overall direction
• MBSA update scanning functionality integrated into Windows patch management functionality
• MBSA becomes the Windows vulnerability assessment & mitigation engine
Near- and Intermediate-term plans
MBSA 1.2 (Q4 2003)
• Improves report consistency, product coverage, and locale support
• Integrates Office Update Inventory Tool
MBSA 2.0 (Q2 2004)
• Update scanning functionality migrates to SUS 2.0 / Microsoft Update
• MBSA leverages SUS 2.0 for update scanning
MBSA 1.2
Better international support
• Japanese, French, German locale support
Expanded product support
• MDAC, MSXML, JVM, Content Mgt Server, Commerce Server, BizTalk, Host Integration Server and Office
Improved consistency of reports
• Support for alternate file versions in mssecure.xml (“OR” logic to consider multiple sets of file details)
• Handle the case of non-security updates overwriting previous security updates
• Handle multiple patches for a product targeted at different OS versions
• Handle uniproc/multiproc patches, QFE/GDR branch patches, etc.
Office Update Inventory Tool integration (local scans only)
Enhanced IE security zone checks
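To make the scan steps in "MBSA: How It Works" and the MBSA 1.2 file-matching rules above concrete, here is an added Python example (not MBSA's code; the catalog is a constructed, simplified stand-in for MSSecure.xml, not its real schema): it parses the catalog, applies the “OR” logic across alternate file sets with per-branch version ranges, skips updates targeted at another OS version, and returns a time stamped report of what is missing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed, simplified catalog in the spirit of MSSecure.xml (NOT the real schema).
# Each <update> names a bulletin, KB article and target OS version; each <files> child is
# one alternate set of file details. The update counts as installed when ANY one set is
# satisfied ("OR" logic); a set may bound the version so GDR and QFE builds are judged apart.
CATALOG_XML = """<catalog>
  <update bulletin="EXAMPLE-01" kb="KB-EX-01" os="5.1">
    <files><file path="foo.dll" minver="5.1.2600.1100" maxver="5.1.2600.1999"/></files>
    <files><file path="foo.dll" minver="5.1.2600.2050"/>
           <file path="bar.dll" minver="5.1.2600.2050"/></files>
  </update>
  <update bulletin="EXAMPLE-02" kb="KB-EX-02" os="5.1"><files><file path="baz.dll" minver="5.1.2600.1200"/></files></update>
  <update bulletin="EXAMPLE-02" kb="KB-EX-03" os="5.0"><files><file path="baz.dll" minver="5.0.2195.6000"/></files></update>
</catalog>"""

def parse_version(text):
    """'5.1.2600.1100' -> (5, 1, 2600, 1100): compare numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))

def file_set_satisfied(files_el, installed):
    """Every file in one alternate set must be present inside its version range."""
    for f in files_el.findall("file"):
        have = installed.get(f.get("path"))
        if have is None or parse_version(have) < parse_version(f.get("minver")):
            return False
        if f.get("maxver") and parse_version(have) > parse_version(f.get("maxver")):
            return False  # file is from a different servicing branch; this set does not apply
    return True

def update_installed(update_el, installed):
    """OR logic across alternate file sets: one satisfied set means the update is present."""
    return any(file_set_satisfied(fs, installed) for fs in update_el.findall("files"))

def scan(catalog_xml, target, os_version, installed):
    """Steps 4-6 of the MBSA flow: parse the catalog, keep only updates targeted at this OS
    version, decide which are missing and return a time stamped report for the target."""
    missing = []
    for upd in ET.fromstring(catalog_xml).findall("update"):
        if upd.get("os") != os_version:
            continue  # same bulletin, different OS version: not applicable to this target
        if not update_installed(upd, installed):
            missing.append({"bulletin": upd.get("bulletin"), "kb": upd.get("kb")})
    return {"target": target, "os": os_version,
            "scanned_at": datetime.now(timezone.utc).isoformat(), "missing": missing}

# Constructed inventories standing in for step 3 (the OS/file scan) on three targets.
GDR_PATCHED_XP = {"foo.dll": "5.1.2600.1150", "baz.dll": "5.1.2600.1200"}  # nothing missing
QFE_UNPATCHED_XP = {"foo.dll": "5.1.2600.2000", "bar.dll": "5.1.2600.2000",
                    "baz.dll": "5.1.2600.1199"}  # both XP updates missing
OLD_W2K = {"baz.dll": "5.0.2195.5000"}  # only the Win2K patch applies
```

The QFE_UNPATCHED_XP target shows why the version range matters: its foo.dll build 2000 is numerically above the GDR fix at 1100 but still lacks the QFE-branch fix at 2050, so a plain "greater than" test would wrongly report it patched.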
MBSA 2.0
• Integration with SUS 2.0 / Microsoft Update
• Centralized report storage (SQL, net share)
• Configurable/pluggable engine checks (engine framework, SDK)
• Integrates tools like IISLockdown & SQLScan
• Infrastructure to support future mitigation (via MOM, SMS, etc.)
Windows Update and Office Update → Microsoft Update
[Figure: Today: Windows Update and Office Update as separate services; H2 2004: Microsoft Update, with SUS and SMS shown alongside]
Microsoft Update
• Online service and update repository for updating all Microsoft software
• Built on SUS infrastructure
• Includes automated scanning, update install, and reporting capabilities available in Windows Update
SUS 2.0
Support for additional Microsoft products
• Office 2003, SQL Server 2000, Exchange 2000, + additional products over time*
Enhanced infrastructure for patch management
• Data model: supersedence, update dependency & bundle relationships
• Server APIs (.NET) and remoteable client APIs (COM) for flexibility
Administrative control
• Pre-deployment checks; initiate install & uninstall
• Set polling frequencies & install deadlines
• Target updates to groups of machines; policy (AD) or list based group definitions
• Rules for auto-handling of updates
Deployment & targeting
• Download subset of WU content (e.g., WinXP but not Win2K)
• Automatically deploys / updates SUS clients
*Support for product versions listed here will be available when SUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy SUS 2.0
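As an added illustration of the data model and administrative controls listed above (supersedence, dependency and bundle relationships; per-group approvals with install deadlines), here is a constructed Python example, not SUS 2.0 code or its schema: it resolves what a client in a given target group should install, expanding bundles, pulling in dependencies, retiring updates superseded by others in the same deployment, and ordering installs so prerequisites come first.

```python
from collections import deque
# Constructed stand-in for a SUS 2.0-style data model (an illustration, not the product's
# schema): each update lists what it supersedes, what it requires first, and what it bundles.
UPDATES = {
    "U1": {"supersedes": [], "requires": [], "bundle": []},
    "U2": {"supersedes": ["U1"], "requires": [], "bundle": []},        # U2 replaces U1
    "U3": {"supersedes": [], "requires": ["U2"], "bundle": []},        # U3 needs U2 first
    "U4": {"supersedes": [], "requires": [], "bundle": []},
    "B1": {"supersedes": [], "requires": [], "bundle": ["U3", "U4"]},  # bundle of U3 + U4
}
# Approvals per target group: update id -> install deadline (None = no deadline), mirroring
# "target updates to groups of machines" and "set install deadlines".
APPROVALS = {"pilot": {"U1": None, "B1": "2004-06-01"}, "production": {"U1": "2004-05-15"}}

def expand_bundles(approved):
    """Replace each approved bundle by its members; members inherit the bundle's deadline."""
    selected = {}
    for uid, deadline in approved.items():
        for member in UPDATES[uid]["bundle"] or [uid]:
            selected[member] = deadline
    return selected

def add_dependencies(selected):
    """Pull in required updates transitively; a dependency that was not approved on its
    own inherits the deadline of the update that needs it."""
    queue = deque(selected)
    while queue:
        uid = queue.popleft()
        for req in UPDATES[uid]["requires"]:
            if req not in selected:
                selected[req] = selected[uid]
                queue.append(req)
    return selected

def drop_superseded(selected):
    """An update superseded by another update in the same deployment is retired."""
    retired = {old for uid in selected for old in UPDATES[uid]["supersedes"]}
    return {uid: d for uid, d in selected.items() if uid not in retired}

def install_order(selected):
    """Kahn's topological sort over 'requires' edges, restricted to the selection."""
    pending = {u: {r for r in UPDATES[u]["requires"] if r in selected} for u in selected}
    order = []
    while pending:
        ready = sorted(u for u, reqs in pending.items() if not reqs)
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(pending))
        order += ready
        pending = {u: reqs - set(ready) for u, reqs in pending.items() if u not in ready}
    return order

def plan_for_client(group, installed):
    """Ordered (update id, deadline) list that Automatic Updates on a client in `group`
    should install, skipping what the client already reports as installed."""
    selected = drop_superseded(add_dependencies(expand_bundles(dict(APPROVALS.get(group, {})))))
    return [(uid, selected[uid]) for uid in install_order(selected) if uid not in installed]
```

Note that U1 is still deployed to the production group, where only U1 is approved, but drops out of the pilot plan because approving bundle B1 pulls in U2, which supersedes it.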
SUS 2.0 (2)
Bandwidth efficiency
• Uses BITS for client-server and server-server communication (download throttling & checkpoint restart, limit max bandwidth usage, etc.)
• Support for ‘delta compression’ technologies
• Configurable update subscriptions
• Configurable to only download updates at deployment time
Scale out
• Hierarchical & replica topology
• Summary event roll-up
Status reporting
• Deployment status aggregation per machine / per update / per group
• Download / install success, failure, and error info
• Custom reports using read-only SQL queries
Patch Management Functionality Future Direction
Longer-term (Longhorn time frame)
• SUS functionality integrated into Windows
• SUS supports updating of all Microsoft software
• SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
• SMS patch management built on SUS infrastructure and delivers advanced patch management functionality
Near-term
SUS 2.0 (Spring 2004)
• Single infrastructure for patch management
• Support for additional Microsoft products
• Significant improvements in patch management functionality
SMS 2003 Update Management Feature Pack (H2 2004)
• Leverages SUS for update scanning & download
• Leverages SUS client (Automatic Updates) for installs
Choosing A Patch Management Solution
Needs-Based Selection
Adopt the solution that best meets the needs of your organization
Core Patch Management Capabilities (Windows Update vs. SUS 1.0 vs. SMS 2003)
Supported Platforms for Content
  Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
  SUS 1.0: Win2K, WS2003, WinXP
  SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98
Supported Content Types
  Windows Update: All patches, updates & service packs (SPs) for the above
  SUS 1.0: Only security & security rollup patches, critical updates, & SPs for the above
  SMS 2003: All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps
Targeting Content to Systems
  Windows Update: No
  SUS 1.0: No
  SMS 2003: Yes
Network Bandwidth Optimization
  Windows Update: No
  SUS 1.0: Yes
  SMS 2003: Yes
Patch Distribution Control (granularity of control)
  Windows Update: No
  SUS 1.0: Basic (for patch deployment)
  SMS 2003: Advanced (for patch deployment & server sync)
Patch Installation & Scheduling Flexibility
  Windows Update: Manual, end user controlled
  SUS 1.0: Admin (auto) or user (manual) controlled
  SMS 2003: Administrator control with granular scheduling capabilities
Patch Installation Status Reporting
  Windows Update: No
  SUS 1.0: Limited (client install history & server based install logs)
  SMS 2003: Comprehensive (install status, result, and compliance details)
Additional Software Distribution Capabilities
Deployment Planning
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes
Inventory Management
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes
Compliance Checking
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes
Security Roadmap
Today: Guidance, Tools & Patching
• Monthly patch releases
• Guidance & training
• How Microsoft runs Microsoft
• Support for W2K SP2 & NT4 SP6a
• 2 patch installers; rollback
0–9 months: Patching enhancements
• SUS 2.0
• SMS 2003
• More guidance and training
9–12 months: Shields
• Shield technologies for client and server
• “MS Update”
• More guidance and training
Future: Next-Generation Security
• Integrated host security technologies
• NGSCB
• Windows hardening
• More guidance and training
Adopt a Patch Management Solution
At Microsoft, our #1 concern is the security and availability of your IT environment
If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor
Partial list of available products* (company: product, company URL):
• Altiris, Inc.: Altiris Patch Management, http://www.altiris.com
• BigFix, Inc.: BigFix Patch Manager, http://www.bigfix.com
• Configuresoft, Inc.: Security Update Manager, http://www.configuresoft.com
• Ecora, Inc.: Ecora Patch Manager, http://www.ecora.com
• GFI Software, Ltd.: GFI LANguard Network Security Scanner, http://www.gfi.com
• Gravity Storm Software, LLC: Service Pack Manager 2000, http://www.securitybastion.com
• LANDesk Software, Ltd: LANDesk Patch Manager, http://www.landesk.com
• Novadigm, Inc.: Radia Patch Manager, http://www.novadigm.com
• PatchLink Corp.: PatchLink Update, http://www.patchlink.com
• Shavlik Technologies: HFNetChk Pro, http://www.shavlik.com
• St. Bernard Software: UpdateExpert, http://www.stbernard.com
*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
Summary
• Addressing the patch management issue is a top priority
• Taking a comprehensive, tactical & strategic approach
• Made progress, but much more work to be done
Microsoft focused on:
• Reducing the number of vulnerabilities & associated patches
• Improving customer preparedness, training & communication
• Simplifying & standardizing the patching experience
• Improving patch quality
• Unifying and strengthening patch management offerings
Key Recommendations:
• Implement a good patch management process – it’s the key to success
• Adopt a patch management solution that best fits your needs
• Make use of the resources detailed in these slides
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.