Patch Management
By Pedro Carrasquilla, Sean Garrett, Jeni Li
Arizona State University East, Information Technology
October 2, 2003
Presented to WNUG/CCC

2
- GOAL: prevent client downtime due to critical patch issues
- OUTCOME: patch management for domain clients

3 METHODS
- GPO / MSI Packages
  - Script out, use existing server (GPO)
  - Potential for hiccups with different models
  - More background time for building package(s)
- SUS server
  - Requires W2k server and IIS
  - Ease, point and click
  - Less admin time overall unless (until?) compromised

8 HARDWARE
- Dell PowerEdge 4300
- 6 drives
- 2 RAID containers
  - RAID 1 mirrored (2 drives), OS only (C)
  - RAID 5 (4 drives), SUS installation (F)

9 SOFTWARE
- Windows 2000 Server with SP3
- IIS 5.0
- SUS 1.0
- Upgrade to SP4 + critical patches
- AV (NetShield)

10 SUS setup
- Setup for weekly downloads from Microsoft
- Approved only the post-SP4 updates
- Set client to request reboot after downloading updates from SUS server
- Client will apply update next time computer reboots in 24 hr period

12 Client GPO

14 WINDOWS LOCKDOWN
- Windows Security
  - CIS Gold Standard template
  - How
    - Get it from cisecurity.org
    - Security Configuration & Analysis snap-in
    - Review changes before applying!!!
  - Afterward, clean up the gotchas
    - Set LSA_RestrictAnonymous as required if you have Backup Exec or some other reason it can't be set to 2
    - Remove Web anonymous users (IUSR, IWAM) from Guests group
    - Ensure Web anonymous users have permission to log on as batch jobs
    - Ensure Web services are Started and set to Automatic (CIS template disables them)
      - IIS Admin Service
      - World Wide Web Publishing Service

15 WINDOWS LOCKDOWN
- Other Security issues
  - IIS components not installed
    - FTP, SMTP, NNTP, Internet Services Manager (HTML)
  - IIS tweaks:
    - Delete default IIS sites
    - Removed directory c:\inetpub\
    - Bind site to eastsus1.east.ad.asu.edu
    - Allow only ASU subnet to see site
    - Auto-update / administration: no indexing, server IP only
    - Edit URLScan.ini, change RemoveServerHeader to 1
    - Shared: no indexing, no read, no execute (global.asp, used only by other ASP scripts)
    - Modified ACLs for the e:\
    - Changed encryption level to high (128)
    - LSA restrict anonymous to 1

16 SUS LOCKDOWN
- Special IIS Lockdown template for SUS
  1. Built in to SUS installation
  2. Better than standard IIS Lockdown
- What it does
  - Disallows Web service user IDs from running key system commands
  - Sets reasonable default settings in URLScan.ini
- Caution
  1. May break existing Web services on multifunction servers

17 IIS LOCKDOWN CONT…
- Bind Web service to host name
  - How
    - IIS snap-in
    - Properties, Web Site Identification, Advanced
    - Specify IP address and host header name (FQDN)
  - Why
    - Keeps IIS from responding to requests without HTTP Host request header
    - Makes your server less vulnerable to worms which find targets by generating random IP addresses
    - Even unpatched Web servers, with this one setting, would have been invulnerable to Code Red, Code Blue, and Nimda worms
- Set directory permissions on Web home directory
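
An added example (not part of the original slides): a simplified Python model of how a site is chosen from IP / port / host-header bindings, showing that the host-name binding on slide 17 only turns away IP-addressed requests once the default site from slide 15 is gone. The Binding type, the address 192.0.2.10 and the sample requests are constructed for illustration, and the matching order is an approximation of IIS behaviour.

```python
from typing import NamedTuple, Optional

class Binding(NamedTuple):
    site: str
    ip: str    # "" = All Unassigned
    port: int
    host: str  # "" = no host header required

def host_header(raw_request: str) -> Optional[str]:
    """Return the Host header value (lowercased, port stripped), or None."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None

def select_site(bindings, dest_ip, dest_port, raw_request):
    """Name of the site that answers, or None when no binding matches."""
    host = host_header(raw_request)
    usable = [b for b in bindings if b.port == dest_port and b.ip in (dest_ip, "")]
    for b in usable:  # an exact host header match wins
        if b.host and b.host.lower() == host:
            return b.site
    for b in usable:  # otherwise a binding with a blank host header catches it
        if not b.host:
            return b.site
    return None       # no site content is served for this request

# Constructed data: 192.0.2.10 is a documentation address, not the real server.
SUS_ONLY = [Binding("SUS", "192.0.2.10", 80, "eastsus1.east.ad.asu.edu")]
WITH_DEFAULT = SUS_ONLY + [Binding("Default Web Site", "", 80, "")]
REQUESTS = {
    "client": "GET / HTTP/1.1\r\nHost: eastsus1.east.ad.asu.edu\r\n\r\n",
    "no_host": "GET / HTTP/1.0\r\n\r\n",
    "ip_as_host": "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}

def compare():
    """Map each configuration to the site chosen for each sample request."""
    return {
        label: {n: select_site(b, "192.0.2.10", 80, r) for n, r in REQUESTS.items()}
        for label, b in (("sus_only", SUS_ONLY), ("with_default", WITH_DEFAULT))
    }

if __name__ == "__main__":
    for label, chosen in compare().items():
        print(label, chosen)
```

With only the host-header binding, the two requests that arrive by IP address match no site; with a default site still bound to All Unassigned and a blank host header, both are served by it.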

18 Deployment
- Testing Production Environment with test OU and several 2000 & XP clients
- Communication with our users (email)
- GPO: applied WUAU.ADM to production OU for domain PCs
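
An added example (not part of the original slides): a Python check of a client's exported Automatic Updates policy key, to confirm after the GPO rollout that a domain PC really points at the SUS server. The server URL is assumed from the host name on slide 15, and the sample export (including oldsus.example.test) is constructed.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
EXPECTED_SERVER = "http://eastsus1.east.ad.asu.edu"  # assumed URL form of the SUS host name

# Constructed .reg export from a client with a stale status server and UseWUServer off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://eastsus1.east.ad.asu.edu"
"WUStatusServer"="http://oldsus.example.test"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
'''

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: str or int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            current[name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def audit(text, server=EXPECTED_SERVER):
    """Return a list of findings; an empty list means the client will use the SUS server."""
    keys = {k.upper(): v for k, v in parse_reg(text).items()}
    wu = keys.get(POLICY_KEY.upper(), {})
    au = keys.get((POLICY_KEY + r"\AU").upper(), {})
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        if str(wu.get(name, "")).rstrip("/").lower() != server:
            findings.append(f"{name} is {wu.get(name)!r}, expected {server!r}")
    if au.get("UseWUServer") != 1:  # WUServer is ignored unless this is 1
        findings.append("UseWUServer is not 1: client ignores WUServer")
    if au.get("NoAutoUpdate", 0) != 0:
        findings.append("NoAutoUpdate is set: Automatic Updates is disabled")
    if au.get("AUOptions") not in (2, 3, 4):
        findings.append(f"AUOptions is {au.get('AUOptions')!r}, expected 2, 3 or 4")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)) or "policy OK")
```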

19 Future Updates
- SUS 2.0 system & application (Office, SQL, and Exchange) patching
  - In Beta, but postponed
- Staging second server for testing patches initially
- Restricting IPs
- Firewall

20 Web Resources
- SUS10sp1.exe: http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en
- CIS Gold Standard Template: http://www.cisecurity.org
- Client GPO wuau.adm: http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en
- Microsoft Solutions for Management: Patch Management Using Microsoft Systems Management Server (SMS) and Microsoft Software Update Services (SUS): http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7d8999af-7e88-416c-8404-56912f886e8d
- Microsoft's Software Update Services: http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
- Software Update Services Deployment White Paper: http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp
- SUS with SP1 Release Notes and Installation Instructions: http://www.microsoft.com/windows2000/windowsupdate/sus/sp1relnotes.asp
