Planning and Implementing Software Updates

3/20/2008
Overview
• Introduction to Software Update Management
• Implementing Microsoft Baseline Security Analyzer
• Installing Windows Server Update Services
• Managing a WSUS Infrastructure

Lesson: Introduction to Software Update Management
• Benefits of Update Management
• Software Vulnerability and Exploit Timelines
• Microsoft Update Severity Ratings
• Components for Successful Update Management
• Update Management Process
• Overview of the Update Management Tools
• Guidelines for Choosing an Update Management Solution

Benefits of Update Management
Benefits of effective update management include:
• Reduced down time
• Reduced cost
• Reduced data loss
• Increased protection of intellectual property

Software Vulnerability and Exploit Timelines
[Diagram: timeline running from Product shipped, Vulnerability discovered and Vulnerability disclosed to Update made available and Update deployed by customer, with the marker "Most attacks occur here"]
Days between update and exploit have decreased

Malicious software attack    Days between update and exploit
Nimda                        331
SQL Slammer                  180
Welchia/Nachi                151
Blaster                      25
Sasser                       14

Microsoft Update Severity Ratings
Rating: Definition
• Critical: Exploitation could allow the propagation of an Internet worm with user action
• Important: Exploitation could result in compromise of user data or the availability of processing resources
• Moderate: Exploitation is serious but is mitigated to a significant degree by default configuration, auditing, need for user action, or difficulty of exploitation
• Low: Exploitation is extremely difficult, or impact is minimal
See “Microsoft Security Bulletin Search” on the Microsoft TechNet Web site

Components for Successful Update Management
• Effective Operations: People who understand their roles and responsibilities
• Tools and Technologies: Products, tools, automation
• Effective Processes: Project management, four-phase update management process

Update Management Process
1. Assess
• Inventory computing assets
• Assess threats and vulnerabilities
• Determine the best source for information about new updates
• Assess your software distribution infrastructure
• Assess operational effectiveness
2. Identify
• Discover new updates
• Determine whether updates are relevant to your environment
• Obtain update, confirm that it is safe
• Determine whether update is a normal change or an emergency
3. Evaluate and Plan
• Determine whether the update is actually required
• Plan the release of the update
• Build the release
• Perform acceptance testing
4. Deploy
• Prepare for deployment
• Deploy the update to targeted computers
• Review the deployment

Overview of the Update Management Tools
Tool: Description
• Microsoft Update: An online catalog of all updates
• Automatic Updates Client: A service that connects to Microsoft Update, or a server running WSUS, to download all critical updates
• MBSA: A security vulnerability scanning tool that informs you of the status of client computers and servers
• WSUS: A version of Microsoft Update that can be run on a corporate network
• Systems Management Server: Software that can deploy software updates to client computers in highly managed enterprise environments

Guidelines for Choosing an Update Management Solution
Customer type, scenario and solution:
Consumer
• All scenarios: Microsoft Update
Small organization
• Has no servers running Windows: Microsoft Update
• Has one to three servers running Windows 2000 or later and one IT administrator: MBSA and WSUS
Medium size or large enterprise
• Needs a solution with basic control to update Windows 2000 and later: MBSA and WSUS
• Needs a single flexible solution with extended level of control: Systems Management Server

Lesson: Implementing Microsoft Baseline Security Analyzer
• What Is MBSA?
• Requirements for Installing and Using MBSA
• How MBSA Works
• MBSA Scan Options
• Practice: Implementing MBSA

What Is MBSA?
Scans systems for:
• Missing security updates
• Potential configuration issues
Works with a broad range of Microsoft software
Allows an administrator to centrally scan multiple computers simultaneously
MBSA is a free tool and can be downloaded from the Microsoft Web site

Requirements for Installing and Using MBSA
To install and run MBSA, the computer must:
• Be running Microsoft Windows Server 2003, Windows 2000 Service Pack 3 or later, or Windows XP
• Have Internet Explorer 5.01 or later installed
• Have XML parser installed
• Have the World Wide Web Service and IIS 6.0 Common Files installed to scan IIS vulnerabilities
• Have the Windows Update Agent 2.0 installed
• Have the following enabled:
  • Workstation service
  • Server service

How MBSA Works
[Diagram labels: Microsoft Download Center, Wsusscan.cab, MBSA Computer]

MBSA Scan Options
MBSA has two scan options:
• The graphical user interface
• A standard command-line interface (mbsacli.exe)
You can configure MBSA to:
• Update the Microsoft Update Agent on scanned computers
• Use a WSUS server as the update source
• Use Microsoft Update as the update source

Lesson: Installing Windows Server Update Services
• What Is Windows Server Update Services?
• What Is Automatic Updates?
• WSUS Process
• WSUS Deployment Scenarios
• Installation Requirements for WSUS
• Guidelines for Planning a WSUS Infrastructure
• Practice: Installing WSUS

What Is Windows Server Update Services?
[Diagram labels: Microsoft Update Web Site, Internet, Server Running Windows Server Update Services, LAN, Test Clients, Automatic Updates]

What Is Automatic Updates?
Automatic Updates is client software that:
• Communicates with Microsoft Update or WSUS
• Downloads and installs updates
Configuration option: Description
• Notify for download and notify for install: User is notified when updates are ready to be downloaded
• Auto download and notify for install: User is notified when updates are ready to be installed
• Auto download and schedule the install: Provides the ability to schedule the install

WSUS Process
Server-Side Process
1. WSUS runs scheduled synch
2. Testing?
   • Yes? Test new packages
   • No? Continue to step 3
3. Admin approves new packages
Client-Side Process
1. Automatic Updates on client checks WSUS
2. Is Administrator logged on?
   • Yes? Administrator sees status balloon, can defer installation
   • No? Continue to step 3
3. Scheduled install job begins
4. Do any packages require a restart?
   • Yes? System restart
   • No? Continue to step 5
5. Automatic Updates waits for next scheduled check

WSUS Deployment Scenarios
[Diagram labels: Microsoft Update, Firewall, Main Office WSUS Server, Main Office Client Computers, Independent WSUS Server, Regional Client Computers, Replica WSUS Server, Remote Office Client Computers, Disconnected WSUS Server]

Installation Requirements for WSUS
Hardware requirements
• Pentium III 1 GHz or higher
• 1 GB of RAM
• 6-30 GB of hard disk space
Software requirements
• Windows 2000 Server or Windows Server 2003
• IIS 5.0 or later
• BITS
• Microsoft .NET Framework 1.1 SP1
• Internet Explorer 6.0 SP1 or later

Guidelines for Planning a WSUS Infrastructure
When planning the number and placement of WSUS servers:
• Connect one WSUS server to the Internet
• Chain WSUS servers
• Place servers close to client computers
When planning the configuration of WSUS servers:
• Download updates in the languages required
• Use a local database or Microsoft Update
• Create a synchronization schedule

Lesson: Managing a WSUS Infrastructure
• Computer Group Management
• Group Policy Settings for Automatic Updates
• Synchronization Management
• Update Management
• WSUS Reports
• Backing Up and Restoring WSUS
• Best Practices for Update Management
• Practice: Managing a WSUS Infrastructure

Computer Group Management
• Computers are automatically added to the default computer groups:
  • All Computers
  • Unassigned Computers
• Create additional computer groups to manage update distribution
• Computers are added to new computer groups manually or by using client-side targeting

Group Policy Settings for Automatic Updates
• Configure Automatic Updates by using Group Policy
• Requires updated Wuau.adm administrative template
• Requires one of the following:
  • Windows 2000 SP3
  • Windows XP SP1
  • Windows Server 2003

Synchronization Management
[Diagram labels: Microsoft Update Web Site, Internet, Corporate Headquarters, WSUS Server, LAN, Client, Administrator, Automatic Synchronization, Manual Synchronization]

Update Management
• Approve updates to initiate an action
  • Detection
  • Installation
  • Removal
• Decline updates
• Automate approvals

WSUS Reports
The Reports page offers:
• Status of Updates
• Status of Computers
• Synchronization Results
• Settings Summary

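Added example (not part of the original slides): a PowerShell check of the Automatic Updates policy that Group Policy writes to a WSUS client, covering the three configuration options, the WSUS server setting and client-side targeting. The registry key and value names are the standard Windows Update policy ones; the sample values and the server URL are constructed.

```powershell
# Added example: audit the Automatic Updates policy values on a WSUS client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-AutomaticUpdatesPolicy {
    # Merge the WindowsUpdate policy key and its AU subkey into one hashtable.
    $policy = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $policy[$_.Name] = $_.Value }
        }
    }
    return $policy
}

function Test-AutomaticUpdatesPolicy {
    param([hashtable]$Policy)
    # AUOptions values for the three configuration options listed on this page.
    $modes = @{ 2 = 'Notify for download and notify for install'
                3 = 'Auto download and notify for install'
                4 = 'Auto download and schedule the install' }
    $findings = @()
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'Automatic Updates is disabled by policy'
    }
    if ($Policy['UseWUServer'] -ne 1 -or -not $Policy['WUServer']) {
        $findings += 'No WSUS server set; client goes to Microsoft Update'
    }
    $opt = $Policy['AUOptions']
    if ($null -eq $opt -or -not $modes.ContainsKey([int]$opt)) {
        $findings += 'AUOptions is not one of the three options (2, 3, 4)'
    } elseif ([int]$opt -ne 4) {
        $findings += "Install is not scheduled: $($modes[[int]$opt])"
    }
    if ($Policy['TargetGroupEnabled'] -ne 1) {
        $findings += 'Client-side targeting is off; assign the group manually'
    }
    return $findings
}

# Constructed sample (not from a real machine): WSUS client in notify mode.
$sample = @{ WUServer = 'http://wsus.example.local'; UseWUServer = 1
             AUOptions = 3; NoAutoUpdate = 0 }
Test-AutomaticUpdatesPolicy -Policy $sample
# On a live client: Test-AutomaticUpdatesPolicy -Policy (Get-AutomaticUpdatesPolicy)
```

For the constructed sample the function reports that the install is not scheduled and that client-side targeting is off.
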
Backing Up and Restoring WSUS
• Use the Windows Backup utility or a third-party backup product
• Back up the WSUS database
  • Stop the MSSQL$WSUS service
  • Contains metadata, configuration information, and client computer information
• Back up the folder containing updates

Best Practices for Update Management
• Subscribe to Microsoft security bulletins
• Maintain a test environment for testing updates
• Use computer groups for target and pilot deployments
• Configure WSUS to store content in a local database for clients that are on the local network
• Configure WSUS to maintain updates on Windows Update for clients that have Internet connections
• Ensure that only administrators can control the Automatic Updates service
• Deploy updates one department at a time