Presentation on theme: "Patch Management Patch Management in a Windows based environment"— Presentation transcript:
1Patch Management Patch Management in a Windows based environment Personal Solutionsvs.Enterprise SolutionsBy Maurice KirkmanbeySystem AdministratorCISSP, MCSE/MCSA/MCITP14 Jun 2008
2Overview Windows update service is an online resource that provides updates to its Windows operating system over time. Asvulnerabilities are discovered and other weakness in the OS areexposed, patch management (PM) along with other protectionstrategies are integrated in providing a defensive perimeter to protectthe personal or enterprise network.
3ObjectivesUnderstand Patch Management in a personal/enterprise environmentDiscuss Microsoft’s terminologyDesign a personal solution for PMDesign an enterprise solution for PMDemonstrate basic concepts and strategies in PM
4PM DefinedPatch management maintains the OS while improving performance,stability and providing enhancements over the lifecycle of theoperating system. Maintaining system integrity, availability, andwhen possible accountability is essential for personal and enterprisecomputing. However, enterprise systems rely heavily onaccountability and confidentiality as an integral part of its computingenvironment.+Note: Although, it’s not as common as it once was, but the famous Windows blue screen of death cause many sleepless nights for home users and systems administrators. The Windows ME version often left the use saying, “Why Me?”Early OS versioning allowed direct calls to system memory to the exclusion of other program which caused problem within itself. Some programs where poorly written without safeguards and software protection methods in use today.Caveats:The focus of this presentation is Windows operating systems, but patch management may be applied to other Operating systems such as MAC, UNIX and Linux. Furthermore, software management is all seen in routers IOS, custom and commercial applications, intrusion protection signature files and AV/Malware signature files.
5PM Strategy PM is a foundation Strategy Blaster worm released 26 days after Microsoft reported the vulnerability*From Microsoft This Week:MS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)- Rating: Critical- Impact of Vulnerability: Remote Code ExecutionMS08-031: Cumulative Security Update for Internet Explorer (950759)- Impact of Vulnerability: Remote Code Execution *Source: Fontana, John. (2003). How to Handle Patch Management. Network World. Retrieved from the world wide web on 13 Jun 2008 fromMS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)- Rating: Critical- Impact of Vulnerability: Remote Code ExecutionMS08-031: Cumulative Security Update for Internet Explorer (950759)- Impact of Vulnerability: Remote Code Execution MS08-032: Cumulative Security Update of ActiveX Kill Bits (950760) - Rating: ModerateMS08-033: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) MS08-034: Vulnerability in WINS Could Allow Elevation of Privilege (948745)- Rating: Important- Impact of Vulnerability: Elevation of PrivilegeMS08-035: Vulnerability in Active Directory Could Allow Denial of Service (953235)- Impact of Vulnerability: Denial of ServiceMS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)- Impact of Vulnerability: Denial of Service We also re-released MS and MS with a detection only changes.
6Defense in Depth Defending your OS Passive vs. active attacks Denial of servicePrivilege escalationVersions of Buffer overflow attacksRemote code Execution+ One brick vs. home foundation analogy+ PM is part of a layered approach in defending your system architecture. PM alone will not save you from the numerous security threats. However, when PM is integrated into your security protection perimeter; AV, IDS, Malware protection and server/PC hardening and User education, you can rest easier knowing you are not relying on a single entity for protection.
7Defense in Depth PM alone will not defend against: A person who has physical access to system in your home or office.Establish covert communications channel authorized on the systemCyber terrorismMalicious code/Malware/Malicious SoftwareWormsVirusesBuffer overflow attackvulnerabilitySpam definitions, junk mail optionsDefault enabled functionality+ Routine OS updates are needed because discoveries are exposed routinely from Microsoft, security firms, or users during the course of OS operations.
8Terminology Security Updates Critical Updates Hot fixes Service Packs Critical Update Definition: A critical update is a broadly released fix for a specific problem that addresses a critical, non-security-related bug. Additional Information: Critical updates are available for customers to download and are accompanied by a Microsoft Knowledge Base article.Hotfix Definition: A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a product and are cumulative at the binary and file level. A hotfix addresses a specific customer situation and may not be distributed outside the customer's organization. Additional Information: Hotfixes are distributed by Microsoft Product Support Services. Customers may not redistribute hotfixes without written, legal consent from Microsoft.Security Update Definition: A security update is a broadly released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated based on their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. Additional Information: Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article. For more information about the format of Microsoft Knowledge Base articles for Microsoft security updates, click the following article number to view the article in the Microsoft Knowledge Base:Service Pack Definition: A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Service packs may also contain additional fixes for problems that are found internally since the release of the product and a limited number of customer-requested design changes or features. Additional Information: Microsoft service packs are available for download and are accompanied by Microsoft Knowledge Base articles.Update Rollup Definition: An update rollup is a tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).Microsoft Reference:
9ConsiderationsBandwidth IssuesTopology issuesVersioning control
10Admin Tools Windows Update (online) WSUS (Enterprise Tool) Microsoft Baseline Security AnalyzerWindows Update is a convenient online place provides updates in a single place. Some major companies are responsible for the OS and various licensed products that they sell, the processes are disjointedHigh priority Updates, Service packs and security updatesOptional Hardware updates including device drivesOptional Software to enhance the Windows OS
11The Online Windows Update Access Windows UpdateScan, Select and download updates: Express or CustomFollow Prompts to install updatesConfigures the updates you install
12Personal Patch management: Configuring an individual ComputerSTART>Control Panel >Automatic UpdatesFour Choices:Automatic (and Install) Frequency and TimeDownload Updates, but let me choose when to install (auto restart may still occur)Notify Me, but don’t automatically installTurn off automatic updates (not recommended)+ Individual computer and computers in a workgroup typically use this setup. As an additional measure MSBA can be used to assess security needs of all clientsDetermining Updates on an individual computerView history onlineRolling back a Patch:Command line - Run: cmd /c systeminfo > my systeminfo.txt
13BASE CONCEPT of PM Four Choices: Automatic (and Install) Frequency and TimeDownload Updates, but let me choose when to install (auto restart may still occur)Notify Me, but don’t automatically installTurn off automatic updates (not recommended)
17Windows Update Summary This document is an introduction to the Background Intelligent Transfer Service. It is intended for IT professionals who are interested in using BITS from within a software application.BITS transfers files using leftover bandwidth. For example, if you are currently using 60 percent of your bandwidth, BITS will only use the remaining 40 percent. BITS also maintains file transfers when a network disconnection occurs, or a computer needs to be restarted: When the network connection is re-established, BITS will continue where it left off.Note: BITS version 1.0 is included with Windows XP and supports only downloads. BITS version 1.5 is included with Windows Server 2003 and supports both downloads and uploads. Version 1.5 will be available as a redistributable for Windows 2000 and Windows XP following the release of Windows Server Uploads require Internet Information Services (IIS) server with the BITS server extension installed.Source Microsoft:
24Summary Patch management Automated tools Layered defense strategy Centralized controlClient auditingInformation AssuranceUsed as a larger Defense in Depth strategy, updated AV software and definitions, Anti-spyware, firewalls, intrusion detection, physical security, security strategy, Password policy, and Business continuity strategy, personal security.