How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft
Questions How do I know if I’m up to date on patches? How do I know if I’m up to date on patches? How do I know when a new patch is released? How do I know when a new patch is released? How do I know that the patch is valid on my system? How do I know that the patch is valid on my system? How can I deploy patches to all my machines? How can I deploy patches to all my machines? What is Microsoft doing to make it easier to assess and deploy patches? What is Microsoft doing to make it easier to assess and deploy patches?
Patch Process New Patch Notification New Patch Notification Host and Network Assessment Host and Network Assessment Deployment Deployment Validation Validation
Notification How do I know when new security patches are available? How do I know when new security patches are available? Security Bulletin Notification Service Security Bulletin Notification Service Windows Update Windows Update Client Update Notification Applet Client Update Notification Applet HFNetChk HFNetChk
How can I tell which machines need patches? HFNetChk HFNetChk Can be run against Windows NT 4, Windows 2000, Windows XP Can be run against Windows NT 4, Windows 2000, Windows XP Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and See KB article Q for more info and download location See KB article Q for more info and download location
HFNetChk Demo
How Does HFNetChk Work? 1. Downloads signed CAB file (containing XML data) from microsoft.com 1. May also use a local copy of the XML file from a file or http share 2. Tool Version Check 3. Language \ OS \ SP \ Application check 4. Identifies all relevant security patches for OS \ SP \ App
MSSecure.XML
How Does HFNetChk Work? For each applicable hotfix: 5. Compare registry key from XML file to registry key on the system If reg key does NOT exist, file is determined to be NOT installed If reg key does NOT exist, file is determined to be NOT installed Reg key check can be bypassed with the –z switch Reg key check can be bypassed with the –z switch
How Does HFNetChk Work? 6. If registry key DOES exist*, compare file version information from XML file to files on system 7. If registry key DOES exist*, compare file checksum information from XML file to files on system * Or if registry checks were bypassed
MSSecure.XML
How Does HFNetChk Work? If either the file version and/or the checksum does NOT match for any file, the patch is considered NOT installed If either the file version and/or the checksum does NOT match for any file, the patch is considered NOT installed (a Warning is given if the fileversion is greater than expected) (a Warning is given if the fileversion is greater than expected) In every instance file versions and checksums are evaluated! In every instance file versions and checksums are evaluated!
New MSSecure Schema Patch details for all languages Patch details for all languages Download URL for each patch for each language Download URL for each patch for each language hotfix installer engine and related switches hotfix installer engine and related switches MD5 and SHA1 file hashes MD5 and SHA1 file hashes Specific file location (relative and/or system variable) Specific file location (relative and/or system variable) 56 bit vs 128 bit crypto, mulit-proc vs. single-proc, 32 bit vs 64 bit architecture 56 bit vs 128 bit crypto, mulit-proc vs. single-proc, 32 bit vs 64 bit architecture Severity data Severity data CVE data CVE data reboot actions reboot actions
Deployment How do I push patches to the machines that need them? How do I push patches to the machines that need them? SMS SMS Third party tools Third party tools Active Directory / Group Policy Active Directory / Group Policy
SMS
HFNetChkPro
HFNetChkPro
HFNetChkPro
Group Policy and MSI Create MSI package for hotfix Create MSI package for hotfix Future MS hotfixes may include MSI packages Future MS hotfixes may include MSI packages Use third party MSI creator Use third party MSI creator InstallShield, SMS, etc. InstallShield, SMS, etc. Create Group Policy with Computer Settings for Software Installation Create Group Policy with Computer Settings for Software Installation
Group Policy and MSI
Corporate Windows Update Allows Corporations to host their own Windows Update Server. Allows Corporations to host their own Windows Update Server. CorpWU Server downloads catalogs and patches from Microsoft CorpWU Server downloads catalogs and patches from Microsoft Administrator chooses which ones to make available on corpnet Administrator chooses which ones to make available on corpnet New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server
Corporate Windows Update Clients can also be configured via Group Policy to autodownload and apply the patches within a given period of time, should the system owner not do it on their own. Clients can also be configured via Group Policy to autodownload and apply the patches within a given period of time, should the system owner not do it on their own.
What else is Microsoft doing? Focus on Trustworthy Computing from BillG Focus on Trustworthy Computing from BillG Rollup Packages Rollup Packages Cumulative Cumulative Every two months for latest Service Pack Every two months for latest Service Pack May be released as MSI May be released as MSI Increase in No-Reboot patches Increase in No-Reboot patches Additional Tools like HFNetChk Additional Tools like HFNetChk
Contact Info