How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft.


1 How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft

2 Questions
- How do I know if I’m up to date on patches?
- How do I know when a new patch is released?
- How do I know that the patch is valid on my system?
- How can I deploy patches to all my machines?
- What is Microsoft doing to make it easier to assess and deploy patches?

3 Patch Process
- New Patch Notification
- Host and Network Assessment
- Deployment
- Validation

4 Notification
How do I know when new security patches are available?
- Security Bulletin Notification Service
- www.microsoft.com/technet/security
- Windows Update
- Client Update Notification Applet
- HFNetChk

5 How can I tell which machines need patches?
- HFNetChk
- Can be run against Windows NT 4, Windows 2000, Windows XP
- Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and 2000.
- See KB article Q303215 for more info and download location

6 HFNetChk Demo

7 How Does HFNetChk Work?
1. Downloads signed CAB file (containing XML data) from microsoft.com
   - May also use a local copy of the XML file from a file or http share
2. Tool Version Check
3. Language \ OS \ SP \ Application check
4. Identifies all relevant security patches for OS \ SP \ App

8 MSSecure.XML

9 How Does HFNetChk Work?
For each applicable hotfix:
5. Compare registry key from XML file to registry key on the system
   - If reg key does NOT exist, file is determined to be NOT installed
   - Reg key check can be bypassed with the –z switch

10 How Does HFNetChk Work?
6. If registry key DOES exist*, compare file version information from XML file to files on system
7. If registry key DOES exist*, compare file checksum information from XML file to files on system
* Or if registry checks were bypassed

11 MSSecure.XML

12 How Does HFNetChk Work?
- If the file version and/or the checksum does NOT match for any file, the patch is considered NOT installed
- (a Warning is given if the file version is greater than expected)
- In every instance file versions and checksums are evaluated!
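The decision sequence on slides 9 to 12 (registry key first, then file version and checksum for every listed file), as an added Python example that is not part of the original slides or of HFNetChk itself. The data layout, the SHA-1 checksum, the result names and all sample values are assumptions made for the illustration, as is treating a newer-than-expected file as a warning rather than a failure.

```python
import hashlib

def checksum(data: bytes) -> str:
    # SHA-1 stands in for the tool's checksum (assumption for this example)
    return hashlib.sha1(data).hexdigest()

def parse_ver(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))

def evaluate(hotfix: dict, registry: set, files: dict, skip_registry: bool = False) -> str:
    """Return 'FOUND', 'NOT FOUND' or 'WARNING' for one applicable hotfix."""
    # Step 5: registry key from the XML data vs. the system (skipped as with -z)
    if not skip_registry and hotfix["reg_key"] not in registry:
        return "NOT FOUND"
    verdict = "FOUND"
    # Steps 6-7: every listed file is checked for version and checksum
    for path, want_ver, want_sum in hotfix["files"]:
        if path not in files:
            return "NOT FOUND"
        have_ver, data = files[path]
        if parse_ver(have_ver) > parse_ver(want_ver):
            verdict = "WARNING"  # newer than expected: flag it, keep checking
        elif parse_ver(have_ver) < parse_ver(want_ver) or checksum(data) != want_sum:
            return "NOT FOUND"
    return verdict

# Constructed sample data: the key, path and versions below are made up
DLL = r"%windir%\system32\example.dll"
GOOD = b"patched-binary"
HOTFIX = {"reg_key": r"HKLM\SOFTWARE\Example\Hotfix\Q000000",
          "files": [(DLL, "5.0.2195.100", checksum(GOOD))]}
REGISTRY = {HOTFIX["reg_key"]}
PATCHED = {DLL: ("5.0.2195.100", GOOD)}
STALE = {DLL: ("5.0.2195.90", b"old-binary")}          # key present, old file on disk
TAMPERED = {DLL: ("5.0.2195.100", b"other-binary")}    # right version, wrong checksum
NEWER = {DLL: ("5.0.2195.200", b"newer-binary")}

if __name__ == "__main__":
    print("patched:        ", evaluate(HOTFIX, REGISTRY, PATCHED))
    print("stale file:     ", evaluate(HOTFIX, REGISTRY, STALE))
    print("bad checksum:   ", evaluate(HOTFIX, REGISTRY, TAMPERED))
    print("no key:         ", evaluate(HOTFIX, set(), PATCHED))
    print("no key, skipped:", evaluate(HOTFIX, set(), PATCHED, skip_registry=True))
    print("newer file:     ", evaluate(HOTFIX, REGISTRY, NEWER))
```

The stale and bad-checksum cases show why the registry key alone is not accepted as proof of installation: the key can be present while the file on disk is not the patched one.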

13 New MSSecure Schema
- Patch details for all languages
- Download URL for each patch for each language
- hotfix installer engine and related switches
- MD5 and SHA1 file hashes
- Specific file location (relative and/or system variable)
- 56 bit vs 128 bit crypto, multi-proc vs. single-proc, 32 bit vs 64 bit architecture
- Severity data
- CVE data
- reboot actions

14 Deployment
How do I push patches to the machines that need them?
- SMS
- Third party tools
- Active Directory / Group Policy

15 SMS

16 HFNetChkPro

17 HFNetChkPro

18 HFNetChkPro

19 Group Policy and MSI
- Create MSI package for hotfix
  - Future MS hotfixes may include MSI packages
  - Use third party MSI creator
    - InstallShield, SMS, etc.
- Create Group Policy with Computer Settings for Software Installation

20 Group Policy and MSI

21 Corporate Windows Update
- Allows Corporations to host their own Windows Update Server.
- CorpWU Server downloads catalogs and patches from Microsoft
- Administrator chooses which ones to make available on corpnet
- New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server

22 Corporate Windows Update
- Clients can also be configured via Group Policy to autodownload and apply the patches within a given period of time, should the system owner not do it on their own.

23 What else is Microsoft doing?
- Focus on Trustworthy Computing email from BillG
- Rollup Packages
  - Cumulative
  - Every two months for latest Service Pack
  - May be released as MSI
- Increase in No-Reboot patches
- Additional Tools like HFNetChk

24 Contact Info
ericschu@microsoft.com

