High-level overview of patch management improvements at MS.

Security Patch Management
Brodie Desimone, CISSP
Senior Technology Specialist
BrodieD@microsoft.com
Michael Nowacki, CISSP
Senior Security Technology Specialist
mnowacki@microsoft.com
Microsoft Solutions for Security
Customer Feedback
• Inadequate Communications, Guidance, and Training
• Inconsistent Patching Experience
• Reduce Frequency, Quantity of Patches
• Multiple, Incomplete Patch Management Tools
• Inconsistent Patch Quality
Addressing The Situation
• Security and patch management priority #1 – bar none – at Microsoft
  • Microsoft problem
  • Industry problem
  • Ongoing battle with malicious hackers
• Need comprehensive, tactical and strategic approach to addressing the situation
  • Trustworthy Computing Initiative
  • Security framework and focus
  • Patch Management Initiative
TWC Overview
Microsoft’s Security Framework
SD3 + Communications
• Secure by Design
  • Secure architecture
  • Security aware features
  • Reduce vulnerabilities in the code
• Secure by Default
  • Reduce attack surface area
  • Unused features off by default
  • Only require minimum privilege
• Secure in Deployment
  • Protect, detect, defend, recover, manage
  • Process: How to’s, architecture guides
  • People: Training
• Communications
  • Clear security commitment
  • Full member of the security community
  • Microsoft Security Response Center
  • Microsoft Solutions for Security
Patch Management Initiative
Cross divisional team with mission to resolve key patch management issues
Goals
• Informed & Prepared Customers
  • Accurate, effective, easily discoverable, and timely information
  • Process and best practice guidance; training
• Consistent & Superior Update Experience
  • Consistent formats and mechanisms for discovery, applicability evaluation, uninstallation, etc. of patches and updates
• Superior Patch Quality
  • Consistently high quality
  • Consistently small patch sizes
  • Minimize reboots on patch installation
• Best Patch & Update Management Solutions
  • The right set of functionality
  • Easy to deploy, administer, use
  • Interoperability with third party solutions
Improve the Patching Experience
New Patch Policies
• Extending support to June 2004
  • Windows 2000 SP2
  • Windows NT SP6a
• Non-emergency security patches on a monthly release schedule
  • Allows for planning a predictable monthly test and deployment cycle
  • Packaged as individual patches that can be deployed together
  • Achieves benefits of security rollup with increased flexibility
Patches for emergency issues will still release immediately
Improve the Patching Experience
Patch Enhancements
Your Need / Our Response
• Reduce patch complexity
  By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
• Reduce risk of patch deployment
  Now: Increased internal testing; customer testing of patches before release
  By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches)
• Reduce patch size
  By late 2004: Substantially smaller patches for W2k generation and later OS & applications (Delta patching technology, next generation patching installers)
• Reduce downtime
  Now: Continued focus on reducing reboots
  By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting (“hot patching”)
• Improved tools consistency
  By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection)
• Improved tools capabilities
  May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003
  By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback
Solution Components
• Analysis Tools
  • Microsoft Baseline Security Analyzer (MBSA)
  • Office Inventory Tool
• Online Update Services
  • Windows Update
  • Office Update
• Content Repositories
  • Windows Update Catalog
  • Office Download Catalog
  • Microsoft Download Center
• Management Tools
  • Automatic Updates (AU) feature in Windows
  • Software Update Services (SUS)
  • Systems Management Server (SMS)
• Prescriptive Guidance
  • Microsoft Guide to Security Patch Management
  • Patch Management Using SUS
  • Patch Management Using SMS
Patch Management Guidance
• Prescriptive guidance from Microsoft for effective patch management
• Uses Microsoft Operations Framework (MOF)
• Based on ITIL* (de facto standard for IT best practices)
• Details requirements for effective patch management:
  • Technical & operational pre-requisites
  • Operational processes & how technology supports them
  • Daily, weekly, monthly & as-needed tasks to be performed
  • Testing options
• Three patch management guidance offerings
  • Microsoft Guide to Security Patch Management**
  • Patch Management using Software Update Services***
  • Patch Management using Systems Management Server***
*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
Delivering Security Technologies
• Windows XP SP2
  • Improved network protection
  • Safer email and Web browsing
  • Enhanced memory protection
  • Beta by end of 2003, RTM based on customer feedback
• Windows Server 2003 SP1
  • Role-based security configuration
  • Inspected remote computers
  • Inspected internal environment
  • RTM H2 CY04
Client Shielding Enhancements
What it is
Security enhancements that protect computers, even without patches; included in Win XP SP2 (H104) with more to follow
What it does
Helps stop network-based attacks, file attachment viruses and buffer overruns
Key Features
• Network Protection: Improved ICF protection turned on by default
• Safer email: Improved attachment blocking for Outlook Express and IM
• Safer browsing: Better user controls to prevent malicious ActiveX controls and Spyware
• Memory Protection: Improved compiler checks (/GS) to reduce stack overruns
Enterprise Shielding Enhancements
Enterprise Quarantine
What it is
Only clients that meet corporate security standards are allowed to connect; included in Win 2003 SP1 (H204) with more to follow
What it does
Protects enterprise assets from infected computers
Key Features
• Enforces specific corporate security requirements such as patch level, AV signature state and firewall state
• Ensure these standards are met when
  • VPN connections are made by remote clients
  • Wired or wireless connections are made by rogue and transient clients
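The quarantine idea above, as an added illustration that is not part of the presentation and not Microsoft's implementation: a small posture-evaluation routine that applies a policy (required updates, maximum antivirus signature age, firewall required) to per-client posture records and reports every requirement a client misses. The policy thresholds, update identifiers and client records are constructed placeholders.

```python
"""Constructed example of a quarantine-style posture check.

A client is admitted only if it satisfies every requirement in the policy:
patch level (required updates present), antivirus signature freshness, and
host firewall state.  All identifiers and thresholds below are made up.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    # Required updates by identifier; placeholders, not real bulletins/KBs.
    required_updates: frozenset
    # Antivirus signatures older than this many days count as stale.
    max_signature_age_days: int
    firewall_required: bool


@dataclass
class ClientPosture:
    hostname: str
    connection: str            # "vpn", "wired" or "wireless"
    installed_updates: set
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class Decision:
    hostname: str
    allowed: bool
    failures: list = field(default_factory=list)


def evaluate(client: ClientPosture, policy: Policy, today: date) -> Decision:
    """Return a Decision listing every policy requirement the client misses.

    Every check runs (no early exit) so the remediation message can tell the
    user everything that has to be fixed before the quarantine is lifted.
    """
    failures = []

    missing = policy.required_updates - client.installed_updates
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))

    sig_age = (today - client.av_signature_date).days
    if sig_age > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {sig_age} days old "
                        f"(limit {policy.max_signature_age_days})")

    if policy.firewall_required and not client.firewall_enabled:
        failures.append("host firewall disabled")

    return Decision(client.hostname, allowed=not failures, failures=failures)


def quarantine_report(clients, policy, today):
    """Evaluate each client against the policy; returns {hostname: Decision}.

    The same policy is applied regardless of how the client connects (VPN,
    wired or wireless), matching the enforcement points the slide lists.
    """
    return {c.hostname: evaluate(c, policy, today) for c in clients}


# Constructed sample policy and client posture records.
POLICY = Policy(
    required_updates=frozenset({"UPDATE-A", "UPDATE-B"}),
    max_signature_age_days=7,
    firewall_required=True,
)
TODAY = date(2004, 1, 15)
CLIENTS = [
    ClientPosture("laptop-01", "vpn", {"UPDATE-A", "UPDATE-B"},
                  TODAY - timedelta(days=2), True),
    ClientPosture("laptop-02", "vpn", {"UPDATE-A"},
                  TODAY - timedelta(days=30), True),
    ClientPosture("kiosk-07", "wireless", {"UPDATE-A", "UPDATE-B"},
                  TODAY - timedelta(days=1), False),
]

if __name__ == "__main__":
    for client in CLIENTS:
        d = evaluate(client, POLICY, TODAY)
        state = "ALLOW" if d.allowed else "QUARANTINE"
        print(f"{client.hostname:10} {client.connection:9} {state:10} "
              f"{'; '.join(d.failures)}")
```

Collecting all failures rather than stopping at the first keeps the quarantined user out of a fix-one-reconnect-fail-again loop, and the decision record is what a remediation network or help desk would log.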
Today
• Extended support
• Monthly patch releases
• Baseline guidance
• Community Investments
H1 04
• Windows XP SP2
• Patching enhancements
• SMS 2003
• SUS 2.0
• Microsoft Update
• Broad training
H2 04
• Windows Server 2003 SP1
• Security technologies
• Next generation inspection
Future
• NGSCB
• Windows hardening
• Continued OS-level security technologies
Security Resources
• New: IT Pro Security Zone
  • http://www.microsoft.com/technet/security/community
• New: Security Guidance for the Enterprise
  • http://www.microsoft.com/technet/security/bestprac
• Subscribe to MSRC notifications:
  • http://www.microsoft.com/securitynotification
• Trustworthy Computing:
  • http://www.microsoft.com/mscorp/innovation/twc/
• Hot Fix & Security Bulletin Search:
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.