Slide 1: Patch Management Tools
Slide 2: Solution Components
- Analysis Tools: Microsoft Baseline Security Analyzer (MBSA); Office Inventory Tool
- Online Update Services: Windows Update; Office Update
- Content Repositories: Windows Update Catalog; Office Download Catalog; Microsoft Download Center
- Management Tools: Automatic Updates (AU) feature in Windows; Software Update Services (SUS); Systems Management Server (SMS)
- Prescriptive Guidance: Microsoft Guide to Security Patch Management; Patch Management Using SUS; Patch Management Using SMS
Slide 3: Client Patch Management Options
- Consumer and Small Business: Windows Update
  - User-initiated deployment or Automatic Updates
  - Access to all available updates
  - Deployment from Microsoft.com
- Medium Business: Software Update Services
  - User-initiated deployment or Automatic Updates
  - Administrator-approved updates only
  - Deployment from servers behind firewalls
- Enterprises: SMS and the SMS Software Update Services Feature Pack
  - User- or administrator-initiated deployments
  - Administrator-approved updates
  - Deployment from servers behind firewalls
  - Reporting and scheduling
Slide 4: MBSA: What It Does
- Helps identify vulnerable Windows systems
- Scans for missing security patches and common security misconfigurations
- Scans various versions of Windows and other Microsoft applications
- Scans local or multiple remote systems via GUI or command-line invocation
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Integrates with SUS and SMS
[Diagram: patch management cycle: New Update, Identify, Assess, Evaluate & Plan, Deploy]
Slide 5: MBSA: How It Works*
[Diagram: Microsoft Download Center (source of MSSecure.xml), the MBSA computer, an optional SUS server, and the target computers]
1. Run MBSA on the admin system and specify the targets.
2. MBSA downloads the CAB file containing MSSecure.xml and verifies its digital signature before trusting the catalog.
3. MBSA scans the target systems for OS, OS components, and applications.
4. MBSA parses MSSecure.xml to see which updates are available for what it found.
5. MBSA checks whether the required updates are missing.
6. MBSA generates a time-stamped report of missing updates.
MSSecure.xml contains: Security Bulletin names; product-specific updates; version and checksum information; registry keys changed; KB article numbers; etc.
*Only covers security patch scanning capabilities, not security configuration detection issues.
Slide 6: MBSA 1.1.1
Slide 7: Windows Update: How It Works, Scenario 1: User-Initiated Access
1. The user goes to Windows Update (WU) and selects "Scan for updates".
2. Client-side code (CC) in the browser validates the WU server and gets the download catalog metadata.
3. CC uses the metadata to identify missing updates.
4. The user selects the updates to install.
5. CC downloads, validates, and installs the updates.
6. CC updates history and statistics information.*
*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
Slide 8: Windows Update: How It Works, Scenario 2: Automatic Updates-Initiated Access
1. AU checks the WU service for new updates (every 17-22 hours).
2. AU validates the WU server and gets the download catalog metadata.
3. AU uses the metadata to identify missing updates.
4. AU either notifies the user or auto-downloads the new updates using BITS, and validates them.
5. AU either notifies the user or auto-installs the updates.
6. AU updates history and statistics information.*
*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
Slide 9: SUS 1.0: What It Does
- Deploys Windows security patches, security rollups, critical updates*, and service packs only
- Deploys the above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth-optimized content deployment
- Provides central administrative control over which patches can be installed from Windows Update
- Provides basic patch installation status logging
*Including critical driver updates
[Diagram: patch management cycle: New Update, Identify, Assess, Evaluate & Plan, Deploy]
Slide 10: SUS Benefits
- Gives administrators control over patch and update management
- Works with Group Policy* to prevent installs of non-approved updates from Windows Update
- Allows staging and testing of updates before installation
- Simplifies and automates key aspects of the patch management process
- Ease of use alleviates the difficulty of keeping supported systems up to date, reducing security risks
*Note: Use of SUS does not require implementation of Active Directory or Group Policy
Slide 11: SUS 1.0: How It Works
[Diagram: Windows Update Service, firewall, parent SUS server, child SUS server, with bandwidth throttling on both the Internet-facing and server-to-server links]
1. The SUS server checks Windows Update for new updates every 17-22 hours.
2. The administrator reviews, evaluates, and approves updates.
3. Approvals and updates are synced with child SUS servers.*
4. AU gets the approved-updates list from the SUS server.
5. AU downloads approved updates from the SUS server or from Windows Update.
6. AU either notifies the user or auto-installs the updates.
7. AU records install history.
*SUS maintains approval logs and download, sync, and install statistics.
Slide 12: Client Component: Automatic Updates
- Centrally configurable to get updates either from the corporate SUS server or from the Windows Update service
- Can auto-download and install patches under admin control
- Consolidates multiple reboots into a single reboot when installing multiple patches
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages
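The central configuration this slide and the SUS Benefits slide refer to is carried by Group Policy or registry policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer) and its AU subkey (UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime); those value names are the documented ones. As an added example that is not Microsoft code, the Python below audits a regedit export of those keys. The two exports, the host names and the approved-server list are constructed for the example. The setting to watch is WUServer: in SUS 1.0 the client fetches its approved-update list from whatever host that value names, over plain HTTP, so a client pointed at a host you do not control is outside your approval process even though AU still validates the signatures on the binaries it installs.

```python
import re
from urllib.parse import urlsplit

# Added example, not Microsoft code. Policy value names are the documented
# Windows Update / SUS client policy values; the exports, host names and the
# approved-server list below are constructed for this example.
APPROVED_SUS_HOSTS = {"sus01.corp.example", "sus02.corp.example"}
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"""

# Same client after WUServer was re-pointed and status reporting dropped (constructed).
BAD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://updates.attacker.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse regedit export text into {key: {value_name: data}} (strings and DWORDs only).

    Real .reg files are UTF-16LE with a BOM; decode them before calling this.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_au_policy(reg_text, approved_hosts=APPROVED_SUS_HOSTS):
    """Return [(severity, message)] for settings that take the client outside SUS control."""
    keys = parse_reg(reg_text)
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    if au.get("NoAutoUpdate") == 1:
        findings.append(("high", "NoAutoUpdate=1: Automatic Updates disabled by policy"))
    if au.get("UseWUServer") != 1:
        findings.append(("high", "UseWUServer!=1: client uses Windows Update directly, "
                                 "bypassing administrator approvals"))
    else:
        server = wu.get("WUServer")
        if not server:
            findings.append(("high", "UseWUServer=1 but WUServer not set"))
        else:
            host = (urlsplit(server).hostname or "").lower()
            if host not in approved_hosts:   # the approval list is fetched from this host
                findings.append(("critical", f"WUServer points at unapproved host {host!r}"))
        if not wu.get("WUStatusServer"):
            findings.append(("medium", "WUStatusServer not set: install status never reaches SUS"))
    option = au.get("AUOptions")
    if option not in (2, 3, 4):
        findings.append(("medium", f"AUOptions={option!r}: expected 2 (notify before download), "
                                   "3 (auto-download, notify to install) or 4 (scheduled install)"))
    elif option == 4:
        day, hour = au.get("ScheduledInstallDay", 0), au.get("ScheduledInstallTime")
        if hour is None or not 0 <= hour <= 23 or not 0 <= day <= 7:
            findings.append(("low", "AUOptions=4 without a valid ScheduledInstallDay/Time"))
    return findings


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(label, audit_au_policy(export))
```

Export the two keys from a client with `regedit /e` or `reg export`, decode the file, and pass the text to audit_au_policy; an empty list means the client matches the intended SUS configuration.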
Slide 13: Server Component: SUS Server
- Downloads updates from Windows Update
- Web-based administration GUI
  - Specify server and update-process configuration options
  - View downloaded updates
  - Approve updates and view approved updates
- Security by design and default
  - Requires NTFS; installs IIS Lockdown and URLScan*
  - Supports secure administration over SSL
  - Digital signatures on downloaded content validate authenticity
  - Uses HTTP for content synchronization; only port 80 needs to be open
- Server-side XML-based logging on the Web server: patch deployment and installation statistics
- Supports geographically distributed or scale-out deployments with centralized management for content synchronization and approvals
- Localized** in English and Japanese
*If not already installed
**Note: Delivers updates for all 24 supported client languages
Slide 14: SUS 1.0
Slide 15: SMS 2003: What It Does
- Identifies and deploys missing Windows and Office security patches on target systems
- Can deploy any patch, update, or application in Windows environments
- Inventory management and inventory-based targeting of software installs
- Install verification and detailed reporting
- Flexible scheduling of content sync and installs
- Central, full administrative control over installs
- Bandwidth-optimized content distribution
- Software metering and remote control capabilities
[Diagram: patch management cycle: New Update, Identify, Assess, Evaluate & Plan, Deploy]
Slide 16: SMS 2003 Patch Management: Benefits
- Gives administrators control over patch management
- Allows staging and testing of updates before installation
- Fine-grained control of patch management options
- Automates key aspects of the patch management process
- Can update a broad range of Microsoft products (not limited to Windows and Office)
- Can also be used to update third-party software and to deploy and install any software update or application
- High level of flexibility via use of scripting
Slide 17: SMS 2003 Patch Management: How It Works
[Diagram: Microsoft Download Center, firewall, SMS site server, SMS distribution points, SMS clients]
1. Setup: download the Security Update Inventory Tool and the Office Inventory Tool; run the inventory tool installer.
2. Scan components replicate to SMS clients.
3. Clients are scanned; scan results are merged into the SMS hardware inventory data.
4. The administrator uses the Distribute Software Updates Wizard to authorize updates.
5. Update files are downloaded; packages, programs and advertisements are created or updated; packages are replicated to distribution points and programs advertised to SMS clients.
6. The Software Update Installation Agent on the clients deploys the updates.
7. Periodically: the sync component checks for new updates, scans clients, and deploys the necessary updates.
Slide 18: SMS 2003 Patch Management: Functionality
- System scanning and patch content download
  - Content from Microsoft Download Center
  - MBSA and Office Inventory plug-ins scan for missing patches
  - Supports updating of remote and mobile devices
  - Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without the need for update packaging / scripting
- Administrator control
  - Update targeting based on AD, non-AD groups, and WMI properties; additional options via scripting
  - Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
  - Specific start and end times (change windows); multiple change windows
  - Easily move patches from testing into production
  - Reference-system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic the reference system configuration
Slide 19: SMS 2003 Patch Management: Functionality (2)
- Patch download and installation
  - Delta replication (site-site, server-server) of patches
  - Uses BITS* for mobile / remote client-server transfers
  - Uses SMB* for LAN / priority situations
  - Reminders and rescheduling of install / reboot and enforcement dates
  - Optimized graceful reboots, but forced when the enforcement date arrives
  - Per-patch reboot-needed detection to reduce reboots
- Status and compliance reporting
  - Deployment status as patches are attempted
  - Standard and customized reports through read-only SQL queries
  - Determine actual baselines in the environment before changing the environment
  - SLA measurement and rate-of-spread
*Requires SMS Advanced Client
Slide 20: SMS 2003
Slide 21: Choosing a Patch Management Solution: Functionality versus IT Resources Based Selection
Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs.
[Chart: Breadth of Functionality (vertical axis, low to high) against IT Resources & Administration Skill Level (horizontal axis, low to high), with Windows Update, SUS and SMS plotted in that order from low to high on both axes]
Slide 22: Patch Management Tools Futures
Slide 23: MBSA Update Scanning Functionality
- Overall direction
  - MBSA update scanning functionality integrated into Windows patch management functionality
  - MBSA becomes the Windows vulnerability assessment and mitigation engine
- Near- and intermediate-term plans
  - MBSA 1.2 (Q4 2003): improves report consistency, product coverage, and locale support; integrates the Office Update Inventory Tool
  - MBSA 2.0 (Q2 2004): update scanning functionality migrates to SUS 2.0 / Microsoft Update; MBSA leverages SUS 2.0 for update scanning
Slide 24: MBSA 1.2
- Better international support: Japanese, French and German locale support
- Expanded product support: MDAC, MSXML, JVM, Content Management Server, Commerce Server, BizTalk, Host Integration Server and Office
- Improved consistency of reports
  - Support for alternate file versions in mssecure.xml ("OR" logic to consider multiple sets of file details)
  - Handles the case of non-security updates overwriting previous security updates
  - Handles multiple patches for a product targeted at different OS versions
  - Handles uniproc/multiproc patches, QFE/GDR branch patches, etc.
- Office Update Inventory Tool integration (local scans only)
- Enhanced IE security zone checks
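The scan described on the "MBSA: How It Works" slide and the report-consistency rules listed above, as one added example that is not Microsoft code: a Python scanner over a constructed catalog whose element names (Bulletin, RegKey, FileSet, File, supersedes) are an assumed stand-in for the mssecure.xml schema. Bulletin IDs, KB numbers, file names, versions and the target inventory are constructed. Per bulletin it checks registry key, file version and checksum; accepts any one of several alternative file sets (the "OR" logic above, here a uniproc/multiproc pair); treats a newer file version as satisfying the requirement, which is what makes a later non-security update that overwrote a security fix come out as not missing; and does not report a bulletin whose installed replacement supersedes it. A file whose version stamp matches but whose checksum does not is reported as a warning rather than as installed, since that is the case where a binary has been replaced by something other than the patch.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example, not Microsoft code. The element names below are an assumed
# stand-in for mssecure.xml; bulletin IDs, KB numbers, files and versions are constructed.
GENUINE_NET_DLL = b"net.dll build 1.0.0.120 (genuine)"   # its checksum is in the catalog
NET_DLL_SHA256 = hashlib.sha256(GENUINE_NET_DLL).hexdigest()

CATALOG_XML = """<Catalog>
  <Bulletin id="MS-EX-001" kb="KB000001" product="ExampleOS">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000001"/>
    <FileSet branch="uniproc"><File name="core.dll" version="1.0.0.100"/></FileSet>
    <FileSet branch="multiproc"><File name="core.dll" version="1.0.0.120"/></FileSet>
  </Bulletin>
  <Bulletin id="MS-EX-002" kb="KB000002" product="ExampleOS">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000002"/>
    <FileSet><File name="net.dll" version="1.0.0.120" sha256="@NET_SHA@"/></FileSet>
  </Bulletin>
  <Bulletin id="MS-EX-003" kb="KB000003" product="ExampleOS">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000003"/>
    <FileSet><File name="auth.dll" version="1.0.0.5"/></FileSet>
  </Bulletin>
  <Bulletin id="MS-EX-004" kb="KB000004" product="ExampleOS" supersedes="MS-EX-003">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000004"/>
    <FileSet><File name="auth.dll" version="1.0.0.9"/></FileSet>
  </Bulletin>
  <Bulletin id="MS-EX-005" kb="KB000005" product="OtherOS">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000005"/>
    <FileSet><File name="core.dll" version="2.0.0.1"/></FileSet>
  </Bulletin>
  <Bulletin id="MS-EX-006" kb="KB000006" product="ExampleOS">
    <RegKey path="HKLM\\SOFTWARE\\Example\\Updates\\KB000006"/>
    <FileSet><File name="shell.dll" version="1.0.0.50"/></FileSet>
  </Bulletin>
</Catalog>""".replace("@NET_SHA@", NET_DLL_SHA256)

# Constructed inventory of one target, as step 3 of the scan would collect it.
TARGET = {
    "host": "ws-example-01", "product": "ExampleOS",
    "regkeys": {"HKLM\\SOFTWARE\\Example\\Updates\\KB000001",
                "HKLM\\SOFTWARE\\Example\\Updates\\KB000002",
                "HKLM\\SOFTWARE\\Example\\Updates\\KB000004"},
    "file_versions": {"core.dll": "1.0.0.100", "net.dll": "1.0.0.120",
                      "auth.dll": "1.0.0.9", "shell.dll": "1.0.0.40"},
    "file_bytes": {"net.dll": b"net.dll build 1.0.0.120 (modified)"},  # right version, wrong bytes
}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def fileset_status(fileset, target):
    """'ok', 'checksum-mismatch' or 'outdated' for one alternative set of files."""
    for f in fileset.findall("File"):
        installed = target["file_versions"].get(f.get("name"))
        if installed is None or parse_version(installed) < parse_version(f.get("version")):
            return "outdated"                     # a newer file version is accepted as-is
        if f.get("sha256") and parse_version(installed) == parse_version(f.get("version")):
            actual = hashlib.sha256(target["file_bytes"].get(f.get("name"), b"")).hexdigest()
            if actual != f.get("sha256"):
                return "checksum-mismatch"        # version stamp right, contents not
    return "ok"

def check_bulletin(bulletin, target):
    statuses = [fileset_status(fs, target) for fs in bulletin.findall("FileSet")]
    key_present = bulletin.find("RegKey").get("path") in target["regkeys"]
    if "ok" in statuses:                          # any one alternative set suffices ("OR")
        if key_present:
            return "installed", "file versions current, registry key present"
        return "warning", "file versions current but registry key absent"
    if "checksum-mismatch" in statuses:
        return "warning", "file version matches but checksum differs"
    return "missing", "no alternative file set satisfied"

def scan(catalog_xml, target):
    root = ET.fromstring(catalog_xml)
    bulletins = [b for b in root.findall("Bulletin") if b.get("product") == target["product"]]
    findings = {}
    for b in bulletins:
        status, reason = check_bulletin(b, target)
        findings[b.get("id")] = {"kb": b.get("kb"), "status": status, "reason": reason}
    # Supersedence (one level): an older bulletin is covered when its replacement is installed.
    for b in bulletins:
        older = b.get("supersedes")
        if (older in findings and findings[older]["status"] != "installed"
                and findings[b.get("id")]["status"] == "installed"):
            findings[older].update(status="installed", reason=f"superseded by {b.get('id')}")
    return findings

def render_report(target, findings):
    """Time-stamped XML report, one Update element per applicable bulletin."""
    report = ET.Element("ScanReport", host=target["host"],
                        scanned=datetime.now(timezone.utc).isoformat(timespec="seconds"))
    for bid, f in sorted(findings.items()):
        ET.SubElement(report, "Update", id=bid, kb=f["kb"], status=f["status"], reason=f["reason"])
    return ET.tostring(report, encoding="unicode")

if __name__ == "__main__":
    print(render_report(TARGET, scan(CATALOG_XML, TARGET)))
```

Run as-is and the report lists MS-EX-006 as missing, MS-EX-002 as a warning for the checksum mismatch, and MS-EX-003 as covered by MS-EX-004; MS-EX-005 does not appear because it targets another product. Supersedence here is resolved one level deep; a real catalog needs the chain followed transitively.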
Slide 25: MBSA 2.0
- Integration with SUS 2.0 / Microsoft Update
- Centralized report storage (SQL, network share)
- Configurable/pluggable engine checks (engine framework, SDK)
- Integrates tools like IISLockdown and SQLScan
- Infrastructure to support future mitigation (via MOM, SMS, etc.)
Slide 26: Microsoft Update
[Diagram: Today, Windows Update and Office Update (alongside SUS and SMS) are separate channels; in H2 2004 they consolidate under Microsoft Update]
- Microsoft Update: online service and update repository for updating all Microsoft software
- Built on SUS infrastructure
- Includes the automated scanning, update install, and reporting capabilities available in Windows Update
Slide 27: SUS 2.0
- Support for additional Microsoft products: Office 2003, SQL Server 2000, Exchange 2000, plus additional products over time*
- Enhanced infrastructure for patch management
  - Data model: supersedence, update dependency and bundle relationships
  - Server APIs (.NET) and remoteable client APIs (COM) for flexibility
- Administrative control
  - Pre-deployment checks; initiate install and uninstall
  - Set polling frequencies and install deadlines
  - Target updates to groups of machines; policy (AD) or list-based group definitions
  - Rules for auto-handling of updates
- Deployment and targeting
  - Download a subset of WU content (e.g., WinXP but not Win2K)
  - Automatically deploys / updates SUS clients
*Support for the product versions listed here will be available when SUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy SUS 2.0
Slide 28: SUS 2.0 (2)
- Bandwidth efficiency
  - Uses BITS for client-server and server-server communication (download throttling and checkpoint restart, limit on maximum bandwidth usage, etc.)
  - Support for "delta compression" technologies
  - Configurable update subscriptions
  - Configurable to only download updates at deployment time
- Scale out
  - Hierarchical and replica topology
  - Summary event roll-up
- Status reporting
  - Deployment status aggregation per machine / per update / per group
  - Download / install success, failure, and error info
  - Custom reports using read-only SQL queries
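The status aggregation listed above and the SLA measurement and rate-of-spread reporting on the "SMS 2003 Patch Management: Functionality (2)" slide, as one added example that is neither SUS nor SMS code: per-group compliance, SLA attainment against an enforcement date, and rate-of-spread computed in Python from constructed status events and a constructed inventory (the KB number, machine names, groups and dates are all made up for the example). Two details are the point: status arrives per installation attempt, so the report must take the latest event per machine, and the population comes from inventory rather than from the event stream, otherwise machines that never reported silently inflate compliance.

```python
from collections import defaultdict
from datetime import date, timedelta

# Added example, not SUS or SMS code. Events, inventory and dates are constructed;
# in SMS the events would be status messages and the population the hardware inventory.
UPDATE = "KB000010"
APPROVED = date(2003, 10, 1)   # constructed approval date
DEADLINE = date(2003, 10, 8)   # constructed enforcement date

# (machine, group, update, status, date); a later event for the same machine and
# update supersedes an earlier one, as status arrives per installation attempt.
EVENTS = [
    ("ws01", "Finance", UPDATE, "installed",      date(2003, 10, 2)),
    ("ws02", "Finance", UPDATE, "pending-reboot", date(2003, 10, 3)),
    ("ws02", "Finance", UPDATE, "installed",      date(2003, 10, 6)),
    ("ws03", "Eng",     UPDATE, "failed",         date(2003, 10, 4)),
    ("ws03", "Eng",     UPDATE, "installed",      date(2003, 10, 10)),
    ("ws04", "Eng",     UPDATE, "failed",         date(2003, 10, 4)),
]
# Scope comes from inventory, not from the events: ws05 never reported at all.
INVENTORY = {"ws01": "Finance", "ws02": "Finance", "ws03": "Eng", "ws04": "Eng", "ws05": "Eng"}

def latest_status(events, update):
    """Latest (status, date) per machine for one update; the later event wins."""
    latest = {}
    for machine, _group, upd, status, when in events:
        if upd == update and (machine not in latest or when >= latest[machine][1]):
            latest[machine] = (status, when)
    return latest

def compliance_by_group(events, inventory, update):
    """{group: (compliant, total)}; only 'installed' counts, a pending reboot does not."""
    latest = latest_status(events, update)
    totals = defaultdict(lambda: [0, 0])
    for machine, group in inventory.items():
        totals[group][1] += 1
        if latest.get(machine, ("never reported", None))[0] == "installed":
            totals[group][0] += 1
    return {group: (done, total) for group, (done, total) in totals.items()}

def sla_met(events, inventory, update, deadline):
    """Fraction of the inventory with the update installed on or before the enforcement date."""
    latest = latest_status(events, update)
    on_time = sum(1 for m in inventory
                  if m in latest and latest[m][0] == "installed" and latest[m][1] <= deadline)
    return on_time / len(inventory)

def rate_of_spread(events, inventory, update, start, days):
    """Cumulative fraction of the inventory installed by the end of each day after approval."""
    first_install = {}
    for machine, _group, upd, status, when in events:
        if upd == update and status == "installed":
            first_install[machine] = min(when, first_install.get(machine, when))
    return [sum(1 for d in first_install.values() if d <= start + timedelta(days=i))
            / len(inventory) for i in range(days)]

if __name__ == "__main__":
    print(compliance_by_group(EVENTS, INVENTORY, UPDATE))
    print(sla_met(EVENTS, INVENTORY, UPDATE, DEADLINE))
    print(rate_of_spread(EVENTS, INVENTORY, UPDATE, APPROVED, 10))
```

With the constructed data, Finance is 2 of 2 compliant and Eng 1 of 3 (ws04 failed, ws05 never reported), 40% of the estate met the deadline because ws03 only succeeded two days after it, and the rate-of-spread series rises from 0 on the approval day to 0.6 on day ten.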
Slide 29: Patch Management Functionality: Future Direction
- Near-term
  - SUS 2.0 (Spring 2004): single infrastructure for patch management; support for additional Microsoft products; significant improvements in patch management functionality
  - SMS 2003 Update Management Feature Pack (H2 2004): leverages SUS for update scanning and download; leverages the SUS client (Automatic Updates) for installs
- Longer-term (Longhorn time frame)
  - SUS functionality integrated into Windows
  - SUS supports updating of all Microsoft software
  - SUS infrastructure can be used to build patch management solutions for 3rd-party and in-house built software
  - SMS patch management built on SUS infrastructure, delivering advanced patch management functionality
Slide 30: Choosing a Patch Management Solution: Needs-Based Selection
Capabilities compared for Windows Update, SUS 1.0 and SMS 2003:
- Core Patch Management Capabilities
  - Supported Platforms for Content
    - Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
    - SUS 1.0: Win2K, WS2003, WinXP
    - SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98
  - Supported Content Types
    - Windows Update: all patches, updates and service packs (SPs) for the above
    - SUS 1.0: only security and security rollup patches, critical updates, and SPs for the above
    - SMS 2003: all patches, SPs and updates for the above; supports patch, update, and application installs for Microsoft and other applications
- Granularity of Control
  - Targeting Content to Systems: Windows Update No; SUS 1.0 No; SMS 2003 Yes
  - Network Bandwidth Optimization: Windows Update No; SUS 1.0 Yes (for patch deployment); SMS 2003 Yes (for patch deployment and server sync)
  - Patch Distribution Control: Windows Update No; SUS 1.0 Basic; SMS 2003 Advanced
  - Patch Installation and Scheduling Flexibility: Windows Update manual, end-user controlled; SUS 1.0 admin (auto) or user (manual) controlled; SMS 2003 administrator control with granular scheduling capabilities
  - Patch Installation Status Reporting: Windows Update No; SUS 1.0 limited (client install history and server-based install logs); SMS 2003 comprehensive (install status, result, and compliance details)
- Additional Software Distribution Capabilities
  - Deployment Planning: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
  - Inventory Management: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
  - Compliance Checking: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
Adopt the solution that best meets the needs of your organization.
Slide 31: Future Security Roadmap
[Timeline: Today, 0-9 months, 9-12 months; three tracks]
- Guidance and training: monthly patch releases; guidance and training; how Microsoft runs Microsoft; support for W2K SP2 and NT4 SP6a; more guidance and training in each later period
- Tools and patching: SUS 2.0; SMS 2003; 2 patch installers; rollback; patching enhancements; "MS Update"
- Next-generation security (shields): shield technologies for client and server; integrated host security technologies; Windows hardening; NGSCB
Slide 32: Adopt a Patch Management Solution*
At Microsoft, our #1 concern is the security and availability of your IT environment. If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor.
Partial list of available products (company: product, URL):
- Altiris, Inc.: Altiris Patch Management, http://www.altiris.com
- BigFix, Inc.: BigFix Patch Manager, http://www.bigfix.com
- Configuresoft, Inc.: Security Update Manager, http://www.configuresoft.com
- Ecora, Inc.: Ecora Patch Manager, http://www.ecora.com
- GFI Software, Ltd.: GFI LANguard Network Security Scanner, http://www.gfi.com
- Gravity Storm Software, LLC: Service Pack Manager 2000, http://www.securitybastion.com
- LANDesk Software, Ltd: LANDesk Patch Manager, http://www.landesk.com
- Novadigm, Inc.: Radia Patch Manager, http://www.novadigm.com
- PatchLink Corp.: PatchLink Update, http://www.patchlink.com
- Shavlik Technologies: HFNetChk Pro, http://www.shavlik.com
- St. Bernard Software: UpdateExpert, http://www.stbernard.com
*Microsoft does not endorse or recommend a specific patch management product or company.
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality.
Slide 33: Summary
- Addressing the patch management issue is a top priority
- Taking a comprehensive, tactical and strategic approach
- Progress has been made, but much more work remains
- Microsoft is focused on:
  - Reducing the number of vulnerabilities and associated patches
  - Improving customer preparedness, training and communication
  - Simplifying and standardizing the patching experience
  - Improving patch quality
  - Unifying and strengthening patch management offerings
- Key recommendations:
  - Implement a good patch management process; it is the key to success
  - Adopt the patch management solution that best fits your needs
  - Make use of the resources detailed in these slides
Slide 34: © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.