Response
Microsoft Corporation
Presented by Robert Hensing - PSS Security Specialist
Agenda
Situation
Solution Components
Roadmap
Security Incident Response
Customer Feedback
Inadequate Communications, Guidance, and Training
Inconsistent Patching Experience
Reduce Frequency, Quantity of Patches
Multiple, Incomplete Patch Management Tools
Inconsistent Patch Quality
Addressing The Situation
Security and patch management priority #1 – bar none – at Microsoft
Microsoft problem
Industry problem
Ongoing battle with malicious hackers
*Office Inventory Tool is no longer needed – MBSA 1.2 (released in January 2004) includes Office scanning functionality
Update Management Guidance
Implementing a consistent, high quality update management process is the key to successful update management
MBSA: How It Works*
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml from the Microsoft Download Center & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates
MSSecure.xml contains
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.
*Only covers security patch scanning capabilities, not security configuration detection issues
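Steps 4 and 5 of the MBSA flow above (parse the manifest, then decide which required updates a scanned system lacks), as an added example that is not Microsoft's code: it uses a constructed, simplified manifest in the spirit of MSSecure.xml (the real schema and the CAB signature check are not reproduced; bulletin and KB values are placeholders) and a constructed inventory for one target system.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for the MSSecure.xml schema (the real
# schema is not reproduced); it carries the fields the slide lists:
# bulletin name, KB number, product, file version, and registry keys.
MANIFEST = """<Updates>
  <Update bulletin="MSxx-001" kb="KB000001" product="Windows 2000">
    <File name="ntoskrnl.exe" version="5.0.2195.6717"/>
    <RegKey path="HKLM\\SOFTWARE\\Microsoft\\Updates\\KB000001"/>
  </Update>
  <Update bulletin="MSxx-002" kb="KB000002" product="Windows 2000">
    <File name="rpcrt4.dll" version="5.0.2195.6802"/>
    <RegKey path="HKLM\\SOFTWARE\\Microsoft\\Updates\\KB000002"/>
  </Update>
  <Update bulletin="MSxx-003" kb="KB000003" product="Office XP">
    <File name="mso.dll" version="10.0.6612.0"/>
  </Update>
</Updates>"""

def parse_version(v):
    # "5.0.2195.6717" -> (5, 0, 2195, 6717): numeric, not string, comparison
    return tuple(int(p) for p in v.split("."))

def is_missing(update, inventory):
    # Missing if any listed file is absent or older than required, or any
    # registry key the update writes is absent (step 5 of the MBSA flow).
    for f in update.findall("File"):
        have = inventory["files"].get(f.get("name"))
        if have is None or parse_version(have) < parse_version(f.get("version")):
            return True
    return any(k.get("path") not in inventory["regkeys"]
               for k in update.findall("RegKey"))

def missing_updates(manifest_xml, inventory):
    # Step 4: parse the manifest; only updates for installed products apply.
    root = ET.fromstring(manifest_xml)
    return [(u.get("bulletin"), u.get("kb")) for u in root.findall("Update")
            if u.get("product") in inventory["products"]
            and is_missing(u, inventory)]

# Constructed scan result (step 3) for one target system.
SAMPLE_TARGET = {
    "products": {"Windows 2000"},
    "files": {"ntoskrnl.exe": "5.0.2195.6717", "rpcrt4.dll": "5.0.2195.6700"},
    "regkeys": {"HKLM\\SOFTWARE\\Microsoft\\Updates\\KB000001"},
}

if __name__ == "__main__":
    for bulletin, kb in missing_updates(MANIFEST, SAMPLE_TARGET):
        print("MISSING", bulletin, kb)
```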
Windows Update (WU)
Microsoft online update service
(windowsupdate.microsoft.com):
Identifies missing Windows OS* patches / updates on accessing computer
Generates targeted list of missing updates
Installs user selected missing updates
Provides update installation history
WU content can be automatically downloaded via New Automatic Updates
SUS 1.0: How It Works
*Configurable 1/day or 1/week
**SUS maintains approval logs & download, sync, & install statistics
SUS Client Component: Automatic Updates
Centrally configurable to get updates either from corporate SUS server or Windows Update service
Localized in 24 languages
SUS Server Component: SUS Server
Downloads updates from Windows Update
Web based administration GUI
Specify server & update process configuration options
View downloaded updates
Approve updates & view approved updates
SMS 2003 Patch Management: How It Works
1. Setup: Download Security Update Inventory and Office Inventory Tools from the Microsoft Download Center; run inventory tool installer
Administrator control
Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
Specific start and end times (change windows); multiple change windows
Easily move patches from testing into production
Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic the reference system configuration
SMS 2003 Patch Management: Functionality (2)
Patch download & installation
Delta replication (site-site, server-server) of patches
Uses BITS* for mobile / remote client-server
Uses SMB* for LAN / priority situations
Reminders and rescheduling of install / reboot & enforcement dates
Optimized graceful reboots, but forced when enforcement date arrives
Per-patch reboot-needed detection to reduce reboots
Customer Type: Large or Medium Enterprise
Customer Scenario: Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software
Customer Chooses: SMS
Customer Type: Large or Medium Enterprise
Customer Scenario: Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows**
Customer Chooses: SUS
Add/Remove Programs improvements in XP SP2
Standard installer switches defined
Standard Detection Manifest defined
Standard terminology for documentation defined
Naming & signing standard defined
2 Installers: MSI, Update.exe
MSI 3.0
*For Windows Update installs, more than 25% reduction for other patches
**For Windows Server 2003 patches using HotPatching (in-memory patching) technology, delivered in SP1
MBSA Update Scanning Futures
Overall direction
Microsoft will have a single scanning engine for detecting missing updates
The scanning engine will be part of the Windows Update Services / Automatic Updates client
MBSA and other products that need to detect or report on missing updates will request this information from the Windows Update Services / Automatic Updates client
MBSA becomes Windows vulnerability assessment & mitigation engine
Near-term plans
MBSA 2.0 (H1 2005)
Initial integration with Windows Update Services / Automatic Update client for update scanning
Further deprecation of native MBSA scanning occurs on an ongoing basis as Microsoft Update continues to add support for updating additional Microsoft software over time
WU and XPSP2 AU Improvements
New release of Windows Update (v 5)
Improved homepage design and navigation
Implements download throttling for dial-up and low bandwidth connections
Will not recommend updates that have already been installed
Download regulation feature reduces amount of data transmitted per update
Microsoft Update
Online service and update repository for updating all Microsoft software
Microsoft Update: superset of Windows Update
Initially supports Windows XP, Windows 2000, Windows Server 2003, Office XP, Office 2000, SQL Server 2000, MSDE 2000, and Exchange 2003. Support for additional Microsoft products will be added on an on-going basis
Built on Windows Update Services (formerly SUS 2.0) infrastructure
Includes automated scanning, update install, and reporting capabilities
*WUS is currently in beta. Microsoft does not guarantee that all capabilities listed will be in the released version.
Datasheet and sign up for the Open Evaluation Program at: www.microsoft.com/wus
**Without the need to upgrade or redeploy WUS
Windows Update Services (2)
Expanded administrative control
Scanning: Pre-deployment scan for missing updates
Download & approval: Specify only metadata be downloaded, rules for auto-approving updates, etc.
Targeting: Install or uninstall to systems grouped via enumerated lists or Group Policy
Scheduling: Set new update detection frequency*, specify install deadline**, etc.
Implementation: Options to use specified communication port, work with Internet proxy, deploy in hierarchical replica or independently managed server topologies, support update management for networks not connected to the Internet, etc.
End-user experience: Options to notify users of new updates, reboot, etc.
Status reporting
Deployment status aggregation per machine/per update/per group
Download / install success, failure, and error info
Logs statistics to SQL Server or MSDE
*Max. frequency 1/hour. Can use command line option or script to trigger new update checks on demand
**Deadlines also enable enforcement of update installs (re-installation of required updates removed from the system at a later date)
Comparing Microsoft Update, Windows Update Services, and SMS 2003
Adopt the solution that best meets the needs of your organization
Supported Software and Content
Supported Software for Content
  Microsoft Update: Same as Windows Update Services + WinXP Home
  Windows Update Services: Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE
  SMS 2003: Same as Windows Update Services + NT 4.0 & Win98* + can update any other Windows based software
Supported Content Types for Supported Software
  Microsoft Update: All software updates, critical driver updates, service packs (SPs), and feature packs (FPs)
  Windows Update Services: All software updates, critical driver updates, SPs, & FPs
  SMS 2003: All updates, SPs, & FPs + supports update & app installs for any Windows based software
Update Management Capabilities
Targeting Content to Systems: Microsoft Update N/A | Windows Update Services Simple | SMS 2003 Advanced
Network Bandwidth Optimization: Microsoft Update Yes | Windows Update Services Yes | SMS 2003 Yes
Patch Distribution Control: Microsoft Update N/A | Windows Update Services Simple | SMS 2003 Advanced
Patch Installation & Scheduling Flexibility: Microsoft Update Manual & end user controlled | Windows Update Services Simple | SMS 2003 Advanced
Patch Installation Status Reporting: Microsoft Update Install errors reported to user; lists missing updates for accessing computer | Windows Update Services Simple | SMS 2003 Advanced
Deployment Planning: Microsoft Update N/A | Windows Update Services Simple | SMS 2003 Advanced
Inventory Management: Microsoft Update N/A | Windows Update Services No | SMS 2003 Yes
Compliance Checking: Microsoft Update N/A | Windows Update Services No – status reporting only | SMS 2003 Advanced
*MBSA does not support scanning Win98 – Win98 can be updated using SMS2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution
Typical Customer Decisions
Customer Type: Large or Medium Enterprise
Customer Scenario: Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution
Customer Chooses: SMS 2003
Customer Type: Large or Medium Enterprise
Customer Scenario: Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000
Customer Chooses: Windows Update Services*
*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update
Consolidated Solutions Roadmap
Time frame: Q4/2003, H1/2005, Longhorn
Update Content Repositories and Online Services (roadmap diagram): Q4/2003: Windows Update, Download Center, Office Update; H1/2005: Windows Update, Download Center, Microsoft Update; Longhorn: Windows Update, Microsoft Update
*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
Summary
Addressing the patch management issue is a top priority
Taking a comprehensive, tactical & strategic approach
Made progress, but much more work to be done
Microsoft focused on:
Reducing the number of vulnerabilities & associated patches
Improving customer preparedness, training & communication
Simplifying & standardizing the patching experience
Improving patch quality
Unifying and strengthening patch management offerings
Key Recommendations:
Implement a good patch management process – it’s the key to success
Adopt a patch management solution that best fits your needs
Make use of the resources referenced in these slides
Security Incident Response
Trends – 2003 CSI / FBI Survey