Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure

2 Agenda  Using Management Tools to Help with Security  SMS  Patch Management (Client, Server)  How partners can do to help customers  MOM  Monitoring your networks security  What partners can do to help  Summary / Q&A

3

4 Microsoft IT SMS 2003 Core Usage Scenarios  Asset management  Patch management  Software distribution  Software metering  Security Patches  File collection  Targeted Deployments

5 Patch Management Framework 1. Assess Environment to be Patched Periodic Tasks A. Create/maintain baseline of systems B. Access patch management architecture (is it fit for purpose) C. Review Infrastructure/ configuration Ongoing Tasks A. Discover Assets B. Inventory Clients 1. Assess 2. Identify 4. Deploy 3. Evaluate & Plan 2. Identify New Patches Tasks A. Identify new patches B. Determine patch relevance (includes threat assessment) C. Verify patch authenticity & integrity (no virus: installs on isolated system) 3. Evaluate & Plan Patch Deployment Tasks A. Complete patch acceptance testing B. Obtain approval to deploy patch C. Perform risk assessment D. Plan patch release process 4. Deploy the Patch Tasks A. Distribute and install patch B. Report on progress C. Handle exceptions D. Review deployment

Desktop Patch Management

7  Overview  Benefits of SMS 2003 patch management  Best practices

8 Benefits of Using SMS Patch Management  Proactive Monthly Patching and Compliance Process  Catch security issues before they affect productivity  Minimize the cost of alternate compliance processes  Packaging is Automated  No custom scripting and testing  Faster time to market  Centralized Patch and Compliance Method  Used across the company  Leverage Existing Resources  Uses SMS server infrastructure  Uses SMS administrators

9 Weds10:00AM Thurs 5:00 AM Fri2:00PM 5:00PM 5:00PM 5:00PM 5:00PM 12%30% Vulnerable Clients 6%5%3% Microsoft IT Multiple-Prong Approach Managed and Unmanaged Environment High Client Impact Method Low Client Impact Emergency client patch timeline Windows Update (Optional) & ITWeb Notification (Optional) SMS Patch Management (Voluntary >Forced) Logon Script (Forced) Internal Scanning Tool (Forced) Port Shutdowns

10 Best Practices to Enhance Patch Management  Great technology, great processes, great people  SMS Client Health Management Plan  Manage using a scorecard  Investigate by collecting client logs  Repair thru logon script logic  SMS Client Coverage Management Plan  Boundary Management  Client Count Trending  SMS Infrastructure Management Plan  MOM Management Pack for SMS

Server Patch Management

12 Servers…  Target Key Servers  Not all Servers need all patches  A server that will not run IIS may not need to have IIS patches applied…  Know when reboot is required (Plan it)  Backup / Recovery Plan (Ready)

13 Partner Opportunities  Security is the #1 priority  Executive support is critical  The process is just as critical as the implementation of the technology  Security Assessments  What if? Planning and Recovery?  HW and SW inventory frequency increased for patch compliance reporting  Scalable Solution (Start small and grow)  Assistance with MSUS – SMS choices

14

15 Polices, Procedures & Awareness MOM and Security Management Physical Security Internal Network Perimeter Host Application Data  MOM 2005 is a platform  Monitoring vs. Administration MOM Management Packs Operational Data

16 MOM 2005 Security Features  Secure by default  Role based security  Channel security  Support for more firewall scenarios  More…

17 More Security Features  MBSA Management Pack  Scans for common security misconfigurations  Needs admin level privileges  Task execution “auditing”  What task was run  When it was run  By which user  Against which computers  Whether or not it was successful

18 Partner Opportunities  Mom Install Configuration  Security Auditing, who, what, when  Analysis  Well Managed is Secure

19 Resources   

20 © 2004 Microsoft Corporation. All rights reserved. This whitepaper presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.