Date posted: 18-Dec-2015
SAGE-AU Adelaide: Windows Update Services
Michael Kleef, IT Pro Evangelist, Microsoft Corporation
Level 200
Security Solutions Matrix
[Diagram: controls by environment. Columns: Datacenter, Business Partner, Internet Services, Managed Clients, Mobile Clients, Unmanaged Clients. Rows (Defense in Depth layers): Physical, Network, Identity, Host, Application, Data.]
Security Framework: SD3 + Communications
• Secure by Design: secure architecture; security-aware features; reduce vulnerabilities in the code
• Secure by Default: reduce attack surface area; unused features off by default; only require minimum privilege
• Secure in Deployment: protect, detect, defend, recover, manage; process: how-to’s and architecture guides; people: training
• Communications: clear security commitment; full member of the security community; Microsoft Security Response Center
SD3 At Work – MS03-007: Windows Server 2003 Unaffected
• The underlying DLL (NTDLL.DLL) is not vulnerable: fixed during secure code review
• Even if it was running: IIS 6.0 doesn’t have DAV enabled by default
• Even if it did have DAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
• Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003
• Even if it DID get this far and there WAS an actual buffer overrun: it would have occurred in w3wp.exe, which is now running as ‘network service’
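The slide above argues that several independent layers each break the MS03-007 attack path. The following added example (not from the presentation) models that chain as a configuration audit: each layer is a check against a constructed host description, and the result reports which layers are in place and what remains if none are. The HostConfig fields, the sample configurations and the verdict strings are assumptions chosen to mirror the slide.

```python
from dataclasses import dataclass

# Figures taken from the slide: IIS 6.0 default URL limit is 16 KB,
# and the overrun needed a request larger than 64 KB.
IIS6_DEFAULT_MAX_URL = 16 * 1024
URL_LENGTH_NEEDED = 64 * 1024


@dataclass
class HostConfig:
    """Constructed description of one web host (field names are assumptions)."""
    ntdll_patched: bool      # NTDLL.DLL carries the secure-code-review fix
    iis_running: bool        # IIS service installed and started
    webdav_enabled: bool     # WebDAV handling turned on in IIS
    max_url_bytes: int       # configured maximum URL length
    worker_identity: str     # account w3wp.exe runs under


# Each layer, in slide order, blocks the attack on its own when its check passes.
BLOCKING_LAYERS = [
    ("NTDLL.DLL not vulnerable", lambda c: c.ntdll_patched),
    ("IIS not running", lambda c: not c.iis_running),
    ("WebDAV disabled", lambda c: not c.webdav_enabled),
    ("URL limit below trigger size", lambda c: c.max_url_bytes < URL_LENGTH_NEEDED),
]

# The last layer does not block the overrun; it limits what a successful one can do.
def _contained(c: HostConfig) -> bool:
    return c.worker_identity.strip().lower() == "network service"


def audit_defense_layers(config: HostConfig) -> dict:
    """Return the blocking layers that hold, whether impact is contained, and a verdict."""
    holding = [name for name, check in BLOCKING_LAYERS if check(config)]
    contained = _contained(config)
    if holding:
        verdict = "blocked"
    elif contained:
        verdict = "exploitable, impact limited to Network Service"
    else:
        verdict = "exploitable with full worker privileges"
    return {"blocking_layers": holding, "contained": contained, "verdict": verdict}


def sample_configs() -> dict:
    """Constructed examples: a default Windows Server 2003 host and a weakened one."""
    return {
        "default_ws2003": HostConfig(True, False, False, IIS6_DEFAULT_MAX_URL, "Network Service"),
        "weakened": HostConfig(False, True, True, 128 * 1024, "LocalSystem"),
        "one_layer_left": HostConfig(False, True, True, IIS6_DEFAULT_MAX_URL, "Network Service"),
    }


if __name__ == "__main__":
    for name, cfg in sample_configs().items():
        print(name, audit_defense_layers(cfg))
```

The "depth" of a host is the length of blocking_layers; a hardened default reports four independent layers, and a host that keeps only the URL limit still reports "blocked" but with a single point of failure.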
Patch Management Process
[Cycle diagram: 1. Assess → 2. Identify → 3. Evaluate & Plan → 4. Deploy]
1. Assess Environment to be Patched
– Periodic tasks: A. Create/maintain baseline of systems; B. Assess patch management architecture (is it fit for purpose); C. Review infrastructure/configuration
– Ongoing tasks: A. Discover assets; B. Inventory clients
2. Identify New Patches
– Tasks: A. Identify new patches; B. Determine patch relevance (includes threat assessment); C. Verify patch authenticity & integrity (no virus: installs on isolated system)
3. Evaluate & Plan Patch Deployment
– Tasks: A. Obtain approval to deploy patch; B. Perform risk assessment; C. Plan patch release process; D. Complete patch acceptance testing
4. Deploy the Patch
– Tasks: A. Distribute and install patch; B. Report on progress; C. Handle exceptions; D. Review deployment
Patch Management Solution Accelerator
• Four-step process to assess, identify, evaluate & plan, and deploy patches to their environments
• Provides best practices for implementing technology to distribute patches
• Provides best practices using SMS 2003 for critical patching in a 24 hour period
• Guidelines for operational tasks required for effective patch management
• Downloadable from TechNet
[Process diagram from the MSM Service Management Functions. Configuration Management: Subscription, Baselining, Quarantine, Relevance, Identification. Change Management: Setup Activities, Change Initiation, Change Request, Change Classification, Change Authorization, Change Development, Change Review. Release Management: Plan Release, Release Development, Acceptance Testing, Roll-Out Planning, Roll-Out Preparation, Release Deployment.]
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/smf/default.asp
Patch Management Initiative: Progress to Date
Customer feedback: reduce frequency and quantity of patches; inadequate communications, guidance, and training; inconsistent patching experience; multiple, incomplete patch management tools; inconsistent patch quality.
• Informed & Prepared Customers: rationalized patch severity rating levels; better security bulletins and KB articles; Security Readiness Kit, Patch Management guidance, etc.
• Best Patch & Update Management Solutions: developed Patch & Update Management tools roadmap; WUS 2.0 in development with significantly enhanced capabilities; released SMS 2003, which delivers expanded patch and update management capabilities
• Consistent & Superior Update Experience: standardized patch and update terminology; standardized patch naming and installer switch options*; installer consolidation plan in place – will go from ~8 to 2; reduced patch release frequency from 1/week to 1/month
• Superior Patch Quality: improved patch testing process and coverage; expanded test process to include customers; reduced reboots by 10%; reduced patch size by up to 75%**
More on the Patch Management Initiative in the Roadmap Section of this presentation…
*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
Windows Update and Office Update → Microsoft Update
Today: Windows Update, Office Update, SUS, SMS. H1 2005: Microsoft Update, Windows Update.
• Microsoft Update
– Online service and update repository for updating all Microsoft software
– Built on SUS infrastructure
– Includes automated scanning, update install, and reporting capabilities available in Windows Update
Patch Management Tools Direction
• Longer-term (Longhorn time frame)
– WUS functionality integrated into Windows
– WUS supports updating of all Microsoft software
– WUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
– SMS patch management built on WUS infrastructure and delivers advanced patch management functionality
• Near-term
– Windows Update Services 2.0 (H1 CY2005): single infrastructure for patch management; support for additional Microsoft products; significant improvements in patch management functionality
– SMS 2003 Update Management Feature Pack (H1 CY2005): leverages SUS for update scanning & download; leverages SUS client (Automatic Updates) for installs
Windows Update Services 2.0 Highlights
• Support for additional Microsoft products
– Office 2003, SQL Server 2000, Exchange 2000, plus additional products over time*
• Status reporting
– Deployment status aggregation per machine, per update and per group
– Download/install success, failure, and error info
– Custom reports using read-only SQL queries
• Administrative control
– Pre-deployment checks; initiate install & uninstall
– Set polling frequencies & install deadlines
– Target updates to groups of machines; policy (AD) or list based group definitions
– Rules for auto-handling of updates
• Deployment & targeting
– Download subset of WU content (e.g., WinXP but not Win2K)
– Automatically deploys/updates SUS clients
*Support for product versions listed here will be available when WUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy WUS 2.0
Windows Server 2003
• WS2003 Service Pack 1 – H1 2005: defence in depth
• Windows Server 2003 R2 – H2 2005: feature release (identity federation, branch office)
• Longhorn Server – 2007
Summary
• Defense in Depth: Microsoft strongly driving a holistic security model
• Windows Update Services: point solution for patch management; process is key
• Windows Server 2003 SP1 builds on this
Microsoft Events and Communities
Not getting event invites anymore? Don’t know what's on in your state?
• Subscribe to TechNet Flash via TechNet Lounge: http://www.microsoft.com/australia/technet
• Visit the MSDN Community Website and join MSDN Connections: http://www.microsoft.com/australia/msdn
• Subscribe to the MSDN Flash Newsletter (events): http://msdn.microsoft.com/flash
• Or visit the Profile Center and subscribe to all of them: https://profile.microsoft.com/RegSysSubscriptionCnt/SubCntDefault.aspx