Leveraging Active Directory Group Policy to Patch

LEVERAGING ACTIVE DIRECTORY GROUP POLICY TO PATCH COMMON WINDOWS APPLICATIONS
Joseph Fisher
Systems Administrator
Enterprise IT Services, University of Georgia
http://www.josephpfisher.com
2012 Rock Eagle Computing Conference
About The Presenter
• Working in IT since 1996
• Started out assembling computers for free RAM
• VMware, Linux, and Windows sysadmin at UGA
About This Presentation
• Patch Management
• Windows Active Directory environment
• Brief Overview of Group Policy Objects (GPOs)
• Non-Microsoft Software
– Java
– Flash
– Reader
– Etc.
Are You Current on Your Patches?
Best Malware Prevention Strategy
• Limit over-privileged users
– UAC, standard user accounts
• User education
– No more free screensavers
• Anti-virus software
– Only as good as the latest definitions
• Update all software as soon as patches are available
The Results
• Average of 18.2 malware incidents per month in a 250-PC environment prior to centralized patch management
• Down to 1 incident in 6 months
Options
• Microsoft Systems Center
– Powerful, but complicated, and expensive
• Ninite Pro
– Simple, effective, but still requires a license outside of personal use
• LANDesk
– Like Systems Center, powerful but complicated and expensive
• Active Directory Group Policy
– Uses existing infrastructure, intermediate difficulty
OVERVIEW OF GROUP POLICY OBJECTS
Pre-requisites
• Active Directory
– Rights to create GPOs and link to OUs
• Repository
– Sysvol
– File server
• Need a share readable by all “Authenticated Users”
Remote Server Administration Tools
• From a domain computer, install Remote Server Administration Tools
– http://www.microsoft.com/enus/download/details.aspx?id=7887
• Active Directory Users and Computers
• Group Policy Management Console
How to Apply GPOs
• Link to an Organizational Unit (OU)
– By default, GPOs apply to all child OUs
• Able to block inheritance on specific child OUs
• GPOs can override “block inheritance” by
being set to “enforced”
• Can view effective GPOs on an OU
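The link, block-inheritance, enforce and "effective GPOs" relationships from this slide, done from the command line with the GroupPolicy module that ships with RSAT. This is an added example and not part of the original slides; the domain, OU paths and GPO name are placeholders.

```powershell
# Added example (not from the slides): manage GPO links with the RSAT GroupPolicy module.
# Placeholders: domain, OU distinguished names and the GPO name.
Import-Module GroupPolicy

$GpoName  = 'Deploy - Adobe Reader'                        # one GPO per function, as the deck advises
$ParentOu = 'OU=Workstations,DC=example,DC=edu'            # placeholder
$ChildOu  = 'OU=Kiosks,OU=Workstations,DC=example,DC=edu'  # placeholder

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Software Installation: Adobe Reader MSI + MST'
}

# 2. Link it to the parent OU. By default the link also applies to every child OU.
$alreadyLinked = (Get-GPInheritance -Target $ParentOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $ParentOu -LinkEnabled Yes | Out-Null
}

# 3. Block inheritance on a child OU that must not receive policies from above.
Set-GPInheritance -Target $ChildOu -IsBlocked Yes | Out-Null

# 4. Mark the link "Enforced": an enforced link wins over "block inheritance" below it.
Set-GPLink -Name $GpoName -Target $ParentOu -Enforced Yes | Out-Null

# 5. List the GPOs that actually take effect on an OU, in precedence order (1 = highest).
function Get-EffectiveGpo ([string]$Ou) {
    $inh = Get-GPInheritance -Target $Ou
    New-Object PSObject -Property @{
        OU                 = $Ou
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        EffectiveGpos      = $inh.InheritedGpoLinks | ForEach-Object {
            '{0}: {1} (Enforced={2}, Enabled={3})' -f $_.Order, $_.DisplayName, $_.Enforced, $_.Enabled
        }
    }
}

# The kiosk OU blocks inheritance, yet the enforced Reader GPO still shows up here.
Get-EffectiveGpo $ChildOu | Format-List
```

Run this from a domain-joined admin workstation with the Group Policy Management tools installed and rights to create and link GPOs. Step 5 is the scripted equivalent of viewing effective GPOs on an OU in the Group Policy Management Console.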
Group Policy Management Console
Group Policy Objects
• Policies broken down into 2 groups: Users and Computers
• Software installation should usually be performed at the Computer level
Software Deployment
• GPOs natively support MSI files
• You can deploy other executables, but you’ll need to script these
– Batch files are usually effective
– Scripts deployed at the computer level are run with “system” privileges (i.e. administrators)
Test, test, test!
• Testing strategy: start with a single machine, then test a group, then a larger group, and finally bulk deploy
• One GPO for each function
– E.g. one GPO for Adobe Reader, another for Java, etc.
– Easier to identify problematic GPOs
• Virtual machines are handy!
– Create a local VM using VirtualBox and snapshot it in a “clean” state
– GPOs tattoo a system, always best to start clean
SOFTWARE DEPLOYMENT
Software Sources
• Adobe Flash: http://www.adobe.com/products/flashplayer/distribution3.html
• Adobe Reader: ftp://ftp.adobe.com/pub/adobe/reader/win/
– Customization Wizard: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
• Firefox: http://www.frontmotion.com/Firefox/
• Chrome: http://www.google.com/intl/en/chrome/business/browser/
• Java: Offline installer at http://java.com
Adobe Flash
• Need to apply for a free Flash distribution license
• Create a GPO for Flash and assign the MSI file
under “Software Installation”
Adobe Flash
• Suppress update notification:
http://helpx.adobe.com/flashplayer/kb/administration-configure-autoupdate-notification.html
– Need to create a file on each workstation
– Can accomplish this via Group Policy:
• Create the file and put it in your repository (Sysvol, file share, etc.)
• Deploy via Group Policy Preference: Computer Configuration -> Preferences -> Windows Settings -> Files
Adobe Reader
• Obtain installer from Adobe FTP
• Customize the installation via Adobe
Customization Utility
– Suppress EULA
– Disable Update Checks
– Generates MST file
Firefox
• Mozilla doesn’t provide MSI installers
• FrontMotion Firefox Community Edition
– Different logo
– Same browser
• Administrative Templates to manage
– Default browser checks
– Update checks
– Default home page
– Proxy settings
– etc.
Google Chrome
• MSI available directly from Google
• Google also provides administrative templates
Java
• No MSI available directly from Oracle
• Problematic under normal conditions
• Newer versions require successful uninstallation of the most recently installed version
• Uninstallation failures prevent installation of new versions
• The only recommended tool to remove failed installations is no longer available (MS Office Cleanup Utility)
– And not scriptable
Java
• We need a script:
– Check if Java is the latest version
– Uninstall the previous version if a new version is available
– Install the new version
– Check to see that the new version works
• http://josephpfisher.com/2011/11/java-wontuninstall-tips-for-end-users-and-enterprise-systemsadministrators/
• Assign the batch file as a startup script (computer level)
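The four steps of that startup script, written out in PowerShell rather than as the batch file the slides use. This is an added example, not the presenter's script; the repository share, the MSI and MST file names, and the version they carry are placeholders. It runs as a computer startup script, so it already has SYSTEM privileges and can remove and install MSIs.

```powershell
# Added example (not from the slides): Java startup script in PowerShell.
# Placeholders: repository share, MSI/MST names and the version inside the MSI.
$TargetVersion = [version]'7.0.90'            # placeholder: DisplayVersion of the runtime in the MSI
$Repo          = '\\fileserver\deploy\java'   # placeholder: share readable by Authenticated Users
$Msi           = Join-Path $Repo 'jre.msi'     # placeholder, extracted from the offline installer
$Mst           = Join-Path $Repo 'jre.mst'     # placeholder, generated with Orca
$Log           = Join-Path $env:SystemRoot 'Temp\java-deploy.log'

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# Every installed Java runtime, read from the Uninstall keys of both registry views.
function Get-InstalledJava {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.PSChildName -like '{*}' -and ($_.DisplayVersion -as [version]) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name        = $_.DisplayName
                Version     = [version]$_.DisplayVersion
                ProductCode = $_.PSChildName   # MSI product code, usable with msiexec /x
            }
        }
}

function Invoke-Msiexec ([string[]]$Arguments) {
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode    # 0 = success, 3010 = success with reboot pending
}

# Step 1: is the target version (or newer) already installed? Then do nothing.
$installed = @(Get-InstalledJava)
if ($installed | Where-Object { $_.Version -ge $TargetVersion }) {
    Write-Log "Java $TargetVersion or newer already present; nothing to do"; exit 0
}

# Step 2: uninstall every older runtime first. A newer Java will not install while an
# older one is still registered, so a failed uninstall stops the script here.
foreach ($old in $installed) {
    $rc = Invoke-Msiexec @('/x', $old.ProductCode, '/qn', '/norestart')
    Write-Log "Uninstall $($old.Name) $($old.Version): msiexec exit $rc"
    if ((0, 3010) -notcontains $rc) { Write-Log 'Uninstall failed; leaving machine for manual cleanup'; exit 1 }
}

# Step 3: install the new MSI with the transform that silences updates and the EULA.
$rc = Invoke-Msiexec @('/i', "`"$Msi`"", "TRANSFORMS=`"$Mst`"", '/qn', '/norestart')
Write-Log "Install $($Msi): msiexec exit $rc"

# Step 4: verify. The runtime must be registered and java.exe must actually start.
function Test-JavaWorks {
    foreach ($root in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                      'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
        $cur = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).CurrentVersion
        if (-not $cur) { continue }
        $jhome = (Get-ItemProperty -Path (Join-Path $root $cur) -ErrorAction SilentlyContinue).JavaHome
        if (-not $jhome) { continue }
        $exe = Join-Path $jhome 'bin\java.exe'
        if (Test-Path $exe) {
            & $exe -version 2>&1 | Out-Null   # java prints its banner to stderr
            return ($LASTEXITCODE -eq 0)
        }
    }
    return $false
}

if ((Get-InstalledJava | Where-Object { $_.Version -ge $TargetVersion }) -and (Test-JavaWorks)) {
    Write-Log 'Verified: new Java runtime installed and java.exe runs'; exit 0
}
Write-Log 'Verification failed; inspect this machine before widening the deployment'; exit 1
```

Assign it under Computer Configuration -> Policies -> Windows Settings -> Scripts -> Startup. The log in %SystemRoot%\Temp is what you read when a machine in the test group does not come up on the new version; the script deliberately stops after a failed uninstall instead of piling a second failed install on top.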
Java
• Still need to obtain MSI
• Still need to generate a transform (MST)
• Need Orca MSI editor
– http://www.technipages.com/download-orca-msieditor.html
• Run offline installer and monitor App Data folder
– Start -> Run -> %APPDATA%
– MSI installer should appear while offline installer is open
Java
• Open MSI in Orca
• Create new transform (Transform menu -> New Transform)
– Better than modifying the MSI directly
• Go to “Property” table and modify:
– AUTOUPDATECHECK = 0
– EULA = 0
– Iexplorer = 1
– JAVAUPDATE = 0
– JU = 0
– Mozilla = 1
– Systray = 0
• Go to “Transform” menu and click “Generate Transform” and save the MST file
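A check worth running before the MST goes into the repository: open the MSI through Windows Installer automation, apply the transform, and confirm the Property table now carries exactly the values listed on this slide. This is an added example, not part of the original presentation; the MSI and MST paths are placeholders.

```powershell
# Added example (not from the slides): verify an Orca-generated transform by reading the
# MSI Property table with the MST applied. Placeholders: the MSI and MST paths.
$MsiPath = 'C:\deploy\java\jre.msi'   # placeholder
$MstPath = 'C:\deploy\java\jre.mst'   # placeholder

# The values the slide says to set in the Property table.
$Expected = @{
    AUTOUPDATECHECK = '0'; EULA = '0'; Iexplorer = '1'; JAVAUPDATE = '0'
    JU = '0'; Mozilla = '1'; Systray = '0'
}

function Get-MsiProperties ([string]$Msi, [string]$Mst) {
    # WindowsInstaller.Installer is late-bound COM, so calls go through InvokeMember.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Msi, 0))  # 0 = read-only
    if ($Mst) {
        # ErrorConditions = 0: any mismatch between MSI and MST raises an error instead of being ignored.
        $db.GetType().InvokeMember('ApplyTransform', 'InvokeMethod', $null, $db, @($Mst, 0))
    }
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, 'SELECT Property, Value FROM Property')
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if (-not $rec) { break }
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 2)
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    return $props
}

$actual = Get-MsiProperties $MsiPath $MstPath
$problems = foreach ($k in $Expected.Keys) {
    if ($actual[$k] -ne $Expected[$k]) { "{0}: expected '{1}', transform gives '{2}'" -f $k, $Expected[$k], $actual[$k] }
}
if ($problems) {
    $problems
    throw 'Transform does not set the expected Property values'
}
'Transform OK: all seven Property values present after applying the MST'
```

Run it against the same MSI the transform was generated from; because the MST is applied without suppressing errors, a transform built for a different Java build fails here rather than silently on a few hundred workstations.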
COMMON PROBLEMS
Common Problems
• Windows XP & Vista requires hotfix
– http://support.microsoft.com/kb/974266
• Latest NIC drivers for gigabit adapters
– From NIC manufacturer (i.e. not Dell)
• Flush Group Policy history
– Remove HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy
• Remove from domain and re-join
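The "flush Group Policy history" fix from this slide as a script: it exports the key to a .reg file before deleting it, so the previous state can be put back with reg import, and then forces a full policy refresh. This is an added example, not from the original slides; run it elevated on the affected workstation.

```powershell
# Added example (not from the slides): flush the local Group Policy history safely.
function Reset-GroupPolicyHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupDir = (Join-Path $env:SystemRoot 'Temp'))

    $regKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy'   # reg.exe syntax
    $psPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy'  # PowerShell provider syntax
    $backup = Join-Path $BackupDir ('GroupPolicy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

    if (-not (Test-Path $psPath)) {
        Write-Warning "$psPath is not present; nothing to flush"
        return
    }

    if ($PSCmdlet.ShouldProcess($regKey, 'export to .reg and delete')) {
        # Keep a copy first: "reg import <file>" restores it if the flush makes things worse.
        & reg.exe export "$regKey" "$backup" /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; aborting without changes" }

        Remove-Item -Path $psPath -Recurse -Force

        # With no history left, a forced refresh reapplies every GPO from scratch.
        & gpupdate.exe /force /wait:0 | Out-Null
        "Group Policy history removed; backup saved to $backup"
    }
}

Reset-GroupPolicyHistory -WhatIf   # dry run: shows what would be exported and deleted
# Reset-GroupPolicyHistory         # real run; reboot afterwards and confirm with gpresult /r
```

If the machine still does not pick up policy after this, the next step on the slide (remove from the domain and re-join) is the fallback.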
Resources
• Microsoft Technet Forums
– http://social.technet.microsoft.com/Forums/enUS/categories
• EduGeek
– http://edugeek.net
• IT Ninja
– http://www.itninja.com
QUESTIONS?