Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Patching Windows @ MIT SUS Services IS&T Network Infrastructure Services Team
Security Risk Management: Having a Strategic Security Program
– Threat: A threat is any potential danger to information or systems.
– Threat agent: A threat agent is the person or process attacking the network through a vulnerable port on the firewall, or a process used to access data in a way that violates your security policy.
– Vulnerability: A vulnerability is a software, hardware, or procedural weakness that may provide an attacker or threat agent with an opportunity to enter a computer or network and gain unauthorized access to resources within the environment.
– Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability. It is the potential for loss or the probability that a threat will exploit a vulnerability.
– Exposure: An exposure occurs when a threat agent exposes a company asset to potential loss. A vulnerability can cause an organization to be exposed to possible damages.
– Countermeasure: A countermeasure, or safeguard, mitigates a risk. Countermeasures include software configurations, hardware, or procedures that eliminate a vulnerability or reduce the risk of a threat agent being able to exploit a vulnerability.
PROACTIVE!
Microsoft Software Update Services (SUS)
– The accelerating lifecycle of a security patch
– Introduction to Software Update Services
– Features/Components
  – SUS Server
  – Client
The accelerating lifecycle of a security patch
– Frequency between new vulnerabilities
– Time the vendor has to release a patch
– Time between publication and exploit code
– Time for the Administrator or End User to patch
– Number of products to patch
Introduction to Software Update Services
– Automate: Keep Windows up-to-date with the latest critical and security patches
– Simplify: The patch management process
  – MBSA
  – Schedule update times
– Deploy: Reach clients that are not part of a Windows Domain
Overview: Microsoft AutoUpdates vs. SUS
[Diagram labels: Windows Update; SUS server; Sync updates; Automatic Updates client; Configured by admin; Internet; Intranet]
Features/Components
SERVER: SUS
– Automatic Updates on computers (desktops or servers)
– An internally-hosted Windows Update server
– An internally-controlled content synchronization service
– Administrator control over updates
– Multi-language support: localized in 24 languages
– Digital signatures on downloaded content
– Server-side logging
– Log of client status
Load balancing SUS at MIT
[Diagram labels: Microsoft's SUS; Sync; Windows Update; SUS; F5 (Big IP)]
Features/Components (2)
CLIENT: Automatic Updates
– Installed on computers on the network
– Checks SUS server or public WU for updates regularly
– Auto-download and install updates under admin control
– Automatically download and install critical updates
– Consolidate multiple reboots into a single one
– Notify local administrator on the machine about pending updates
– Notify logged-on users about pending reboots
– Configured using Registry keys
– Supports Group Policy
– Downloads are done in the background using BITS technology
MBSA
Free tool that scans for common security misconfigurations and missing security updates
– GUI and command-line interface (CLI)
– Perform security update portion of scan against local SUS server
  – Scans for approved updates on SUS server instead of all available updates
– User interface: MBSA reads registry for SUS server information, or user manually enters it
– Command line: mbsacli.exe /sus http://mysusserver
Client Configuration
– With Active Directory (using Group Policy)
  – ADM file: WUAU.adm
  – Client behavior and SUS server selection can be configured
– Without Active Directory (but central tool)
  – Script to deploy the registry policy keys
Website Demo: http://web.mit.edu/ist/topics/windows/updates
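For the "Without Active Directory" path, a script along these lines writes the Automatic Updates policy keys and then checks that they took effect. This is an added example, not the script used in the presentation; the server URL reuses the placeholder from the MBSA slide, and the schedule values are sample choices.

```powershell
# Added example: deploy and verify the Automatic Updates policy keys on a
# client that is not managed by Group Policy. Run from an elevated prompt.
# ASSUMPTION: $SusServer is a placeholder; substitute your own SUS server URL.
$SusServer = 'http://mysusserver'

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Desired state. The schedule values are sample choices, not MIT's settings.
$Desired = @(
    @{ Path = $WuKey; Name = 'WUServer';             Type = 'String'; Value = $SusServer }
    @{ Path = $WuKey; Name = 'WUStatusServer';       Type = 'String'; Value = $SusServer }
    @{ Path = $AuKey; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 }  # use WUServer, not public WU
    @{ Path = $AuKey; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 }  # Automatic Updates enabled
    @{ Path = $AuKey; Name = 'AUOptions';            Type = 'DWord';  Value = 4 }  # auto-download, scheduled install
    @{ Path = $AuKey; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = 0 }  # 0 = every day
    @{ Path = $AuKey; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = 3 }  # 03:00 local time
)

function Set-SusPolicy {
    # Idempotent: creates missing keys and overwrites existing values.
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType $s.Type -Force | Out-Null
    }
}

function Test-SusPolicy {
    # Emits one object per setting whose current value differs from the desired one.
    foreach ($s in $Desired) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value) {
            [pscustomobject]@{ Key = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $current }
        }
    }
}

Set-SusPolicy
$drift = @(Test-SusPolicy)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    throw 'SUS policy keys did not apply cleanly'
}
# Restart the Automatic Updates service so it picks up the new policy values.
Restart-Service -Name wuauserv
```

Test-SusPolicy can also be run on its own during an audit to list clients whose keys have drifted from the approved SUS server.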