
Patch Warfare & Security Incident Response
Microsoft Corporation
Presented by Robert Hensing - PSS Security Specialist
Agenda

Situation
Solution Components
Roadmap
Security Incident Response
Customer Feedback
Inadequate Communications, Guidance, and Training
Inconsistent Patching Experience
Reduce Frequency, Quantity of Patches
Multiple, Incomplete Patch Management Tools
Inconsistent Patch Quality
Addressing The Situation
Security and patch management priority #1 – bar none – at Microsoft
Microsoft problem
Industry problem
Ongoing battle with malicious hackers
Microsoft taking a comprehensive, tactical and strategic approach to addressing the situation
Patch Management Initiative
Progress to Date (July 2004)
Informed & Prepared Customers:
Rationalized patch severity rating levels
Better security bulletins and KB articles
Security Guidance Kit; Patch Management guidance, etc.
Security Mobilization Initiative – 500K IT Pros trained
Consistent & Superior Update Experience:
Standardized patch and update terminology
Standardized patch naming and installer switch options*
Installer consolidation plan in place – will go from ~8 to 2
Reduced patch release frequency from 1/week to 1/month
Superior Patch Quality:
Improved patch testing process and coverage
Expanded test process to include customers
Reduced reboots by 10%; reduced patch size by up to 75%**
Best Patch & Update Management Solutions:
Released SMS 2003 which delivers expanded patch and update management capabilities
Released MBSA 1.2 which integrates Office inventory scanning
Windows Update Services in development
More on the deliverables of the Patch Management Initiative in the Roadmap Section of this presentation…
*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
Terminology
Name | Description | Distribution
Private Fix | An unofficial fix which may not be fully tested or packaged. It is released to the customer to verify that it solves the problem before final testing & packaging. | Limited to the customer who reported the problem.
Hotfix | A single cumulative package composed of one or more files used to address a defect in a platform. | Limited to customers who contact Microsoft Product Support Services and are experiencing the specific problem.
Update | A broadly released fix for a specific problem addressing a non-critical, non-security related bug. | Publicly available for download.
Critical Update | A broadly released fix for a specific problem addressing a critical, non-security related bug. | Publicly available for download.
Security Patch | A broadly released fix for a specific platform addressing a security vulnerability. | Publicly available for download.
Update Rollup | A cumulative set of hotfixes, security patches, critical updates and updates packaged together for easy deployment. A rollup targets a specific area such as "security" or component of the platform such as "IIS". | Publicly available for download.
Service Pack | A cumulative set of all hotfixes, security patches, critical updates, and updates created and fixes for issues found internally since the release of the platform. Service packs may also contain a limited number of customer requested design changes or features. Service packs are broadly distributed and therefore tested heavily. | Publicly available for download.
Naming Standards
824685 - Description of the File Names That Are Used for Microsoft Product Updates, Tools, and Add-ins
http://support.microsoft.com/?kbid=824685
The standardized file naming schema that Microsoft is adopting for packages that contain product updates, tools, and add-ins uses the following format: ProductName-KBArticleNumber-Option-Language.exe
WindowsXP-KB123456-IA64-ENU.exe - An update for the English (US)-language version of Microsoft Windows XP for computers with 64-bit Intel processors. The update is associated with Microsoft Knowledge Base article 123456.
OfficeXP-KB123456-Client-ENU.exe - An update for the English (US)-language version of Microsoft Office XP. The update is associated with Knowledge Base article 123456.
SQL2000-KB123456-8.00.0000-JPN.exe - An update for the Japanese-language version of Microsoft SQL Server 2000 Build 8.00.000. The update is associated with Knowledge Base article 123456.
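As an added example (not from the deck and not Microsoft tooling), here is a small Python parser for the ProductName-KBArticleNumber-Option-Language.exe schema. The field rules in the regular expression are assumptions for this example rather than part of KB 824685: a product name without hyphens, an Option field that may contain dots (build numbers such as 8.00.0000) and a three-letter language code. Names that do not match are rejected rather than guessed at, which is what an inventory script wants before it trusts a file name. The sample names other than the slide's three are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Schema from KB 824685 as quoted on the slide:
#   ProductName-KBArticleNumber-Option-Language.exe
# The field rules below are assumptions for this example, not part of the article:
# product has no hyphen, Option may contain dots, language is a 3-letter code.
_NAME_RE = re.compile(
    r"^(?P<product>[A-Za-z0-9]+)-KB(?P<kb>\d+)-(?P<option>[A-Za-z0-9.]+)-(?P<lang>[A-Z]{3})\.exe$"
)


@dataclass(frozen=True)
class UpdatePackageName:
    product: str
    kb: int
    option: str    # platform (IA64), component (Client) or build (8.00.0000)
    language: str

    @property
    def kb_url(self) -> str:
        # Same URL form the slide uses for article 824685.
        return f"http://support.microsoft.com/?kbid={self.kb}"


def parse_update_filename(filename: str) -> Optional[UpdatePackageName]:
    """Parse one package file name; return None if it does not follow the schema."""
    m = _NAME_RE.match(filename)
    if m is None:
        return None
    return UpdatePackageName(m["product"], int(m["kb"]), m["option"], m["lang"])


def select_packages(filenames: Iterable[str], product: str, language: str) -> List[UpdatePackageName]:
    """Parsed packages for one product/language pair, sorted by KB number.

    Non-conforming names are skipped; compare the result length with the input
    length if you need to know how many were skipped.
    """
    found = []
    for name in filenames:
        parsed = parse_update_filename(name)
        if parsed and parsed.product == product and parsed.language == language:
            found.append(parsed)
    return sorted(found, key=lambda p: p.kb)


# Constructed sample names: the three from the slide, one hypothetical package,
# and one name that does not follow the schema at all.
SAMPLE_NAMES = [
    "WindowsXP-KB123456-IA64-ENU.exe",
    "OfficeXP-KB123456-Client-ENU.exe",
    "SQL2000-KB123456-8.00.0000-JPN.exe",
    "WindowsXP-KB100200-x86-ENU.exe",    # hypothetical
    "setup_patch.exe",                    # not in the schema
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_update_filename(name))
```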
Bulletin Severity Rating System

Rating | Definition | Customer Action
Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Apply the patch or workaround immediately
Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources | Apply patch or workaround as soon as is feasible
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Evaluate bulletin, determine applicability, proceed as appropriate
Low | Exploitation is extremely difficult, or impact is minimal | Consider applying the patch at the next scheduled update interval
Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp
Prioritizing and Scheduling the Release
A Serious Problem: decreasing time in which to deploy a patch

Decreasing Time To Patch (Blaster)
July 1, 2003 (Report): Vulnerability in RPC/DCOM reported to us; patch in progress. MS activated highest level emergency response process.
July 16, 2003 (Bulletin): Bulletin & patch available; no exploit public. MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
July 25, 2003 (Exploit): Exploit code in the wild. X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
Aug 11, 2003 (Worm): Worm in the wild. Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).
Blaster shows the complex interplay between security researchers, software companies, and hackers.

Decreasing Time To Patch (Sasser)
April 13 (Bulletin): Bulletin & patch available; no exploit public. MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
April 24-29 (Exploit): Exploit code in the wild. Reverse shell code posted to various web sites.
April 30 (Worm): Worm in the wild. Sasser worm discovered; multiple variants hit simultaneously.
Sasser shows the continually shrinking window between the time a patch is released, exploit code is generally available and a worm is written to exploit it.
Solution Components
Prescriptive Guidance: Microsoft Guide to Security Patch Management; Patch Management Using SUS; Patch Management Using SMS
Analysis Tools: Microsoft Baseline Security Analyzer (MBSA); Office Inventory Tool*
Online Update Services: Windows Update; Office Update
Content Repositories: Windows Update Catalog; Office Download Catalog; Microsoft Download Center
Management Tools: Automatic Updates (AU) feature in Windows; Software Update Services (SUS); Systems Management Server (SMS)
*Office Inventory Tool is no longer needed – MBSA 1.2 (released in January 2004) includes Office scanning functionality
Update Management Guidance
Implementing a consistent, high quality update management process is the key to successful update management
Microsoft delivers best practices prescriptive guidance for effective update management
Uses Microsoft Operations Framework (MOF)
Based on ITIL* (de facto standard for IT best practices)
[Figure: update management cycle – Assess, Identify, Evaluate & Plan, Deploy]
Details requirements for effective update management:
Technical & operational pre-requisites
Operational processes & how technology supports them
Daily, weekly, monthly & as-needed tasks to be performed
Testing options
Three update management guidance offerings
Microsoft Guide to Security Patch Management**
Patch Management using Software Update Services***
Patch Management using Systems Management Server***
*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
MBSA
Helps identify vulnerable Windows systems
Scans for missing security patches and common security mis-configurations
Scans various versions of Windows and other Microsoft applications
Scans local or multiple remote systems via GUI or command line invocation
Generates XML scan reports on each scanned system
Runs on Windows Server 2003, Windows 2000 and Windows XP
Integrates with SUS & SMS
[Figure: update management cycle – New Update, Assess, Identify, Evaluate & Plan, Deploy]
MBSA: How It Works*
MSSecure.xml contains:
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.
1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml from the Microsoft Download Center & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates
[Figure: Microsoft Download Center → MBSA → target Computer, with SUS Server shown alongside]
*Only covers security patch scanning capabilities, not security configuration detection issues
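Steps 3 to 6 above amount to a set difference between what the catalog says applies to a product and what the scanned system already carries. The Python below is an added illustration, not MBSA code and not the real MSSecure.xml schema: the slide only lists what the file contains, so the element and attribute names, bulletin ids, KB numbers and registry keys in CATALOG_XML and SAMPLE_HOSTS are all constructed. It uses the presence of the registry key an update writes as the "installed" signal (one of the checks the slide lists) and produces the time-stamped per-computer report of step 6; the signature verification of step 2 is out of scope here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed catalog in the spirit of MSSecure.xml. Element/attribute names,
# bulletin ids, KB numbers and registry keys are made up for this example.
CATALOG_XML = """<Catalog>
  <Bulletin id="MSEX-001" severity="Critical">
    <Update kb="100001" product="Windows XP"
            registryKey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\KB100001"/>
    <Update kb="100001" product="Windows 2000"
            registryKey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows 2000\\KB100001"/>
  </Bulletin>
  <Bulletin id="MSEX-002" severity="Important">
    <Update kb="100002" product="Windows XP"
            registryKey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\KB100002"/>
  </Bulletin>
  <Bulletin id="MSEX-003" severity="Moderate">
    <Update kb="100003" product="Windows Server 2003"
            registryKey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\KB100003"/>
  </Bulletin>
</Catalog>"""

# Order follows the bulletin severity rating system earlier in the deck.
SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class CatalogUpdate:
    bulletin: str
    severity: str
    kb: str
    product: str
    registry_key: str


@dataclass
class ScannedHost:
    """What step 3 learned about one target: its OS and the update registry keys present."""
    name: str
    product: str
    registry_keys: Set[str]


def load_catalog(xml_text: str) -> List[CatalogUpdate]:
    """Step 4: parse the catalog into one record per (bulletin, product) update."""
    root = ET.fromstring(xml_text)
    updates = []
    for bulletin in root.findall("Bulletin"):
        for upd in bulletin.findall("Update"):
            updates.append(CatalogUpdate(
                bulletin=bulletin.get("id"),
                severity=bulletin.get("severity"),
                kb=upd.get("kb"),
                product=upd.get("product"),
                registry_key=upd.get("registryKey"),
            ))
    return updates


def missing_updates(host: ScannedHost, catalog: List[CatalogUpdate]) -> List[CatalogUpdate]:
    """Step 5: applicable updates whose registry key the host lacks, most severe first."""
    missing = [u for u in catalog
               if u.product == host.product and u.registry_key not in host.registry_keys]
    return sorted(missing, key=lambda u: (SEVERITY_ORDER.get(u.severity, 99), u.bulletin))


def build_report(hosts: List[ScannedHost], catalog: List[CatalogUpdate],
                 now: Optional[datetime] = None) -> Dict[str, object]:
    """Step 6: time-stamped report keyed by computer name."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "generated": stamp,
        "hosts": {h.name: [(u.bulletin, u.kb, u.severity) for u in missing_updates(h, catalog)]
                  for h in hosts},
    }


# Constructed scan results for three targets.
SAMPLE_HOSTS = [
    ScannedHost("xp-ws01", "Windows XP",
                {r"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\KB100001"}),
    ScannedHost("w2k-srv01", "Windows 2000", set()),
    ScannedHost("ws03-web01", "Windows Server 2003",
                {r"HKLM\SOFTWARE\Microsoft\Updates\Windows Server 2003\KB100003"}),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_HOSTS, load_catalog(CATALOG_XML))
    print("generated:", report["generated"])
    for host, missing in report["hosts"].items():
        print(host, missing or "up to date")
```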
Windows Update (WU)
Microsoft online update service (windowsupdate.microsoft.com):
Identifies missing Windows OS* patches / updates on accessing computer
Generates targeted list of missing updates
Installs user selected missing updates
Provides update installation history
WU content can be automatically downloaded via Automatic Updates
Supplemented by Windows Update Catalog site which provides:
Comprehensive repository for all Windows and ‘Designed for Windows’ logo device driver updates
Search – to find desired update
Manual download of desired updates
Download history for accessing computer
[Figure: update management cycle – New Update, Assess, Identify, Evaluate & Plan, Deploy]
*Windows 98 and later versions. Note: also updates 64-bit editions of Windows Server
Windows Update: How It Works
Scenario 1: User Initiated Access
Scenario 2: Access via Automatic Updates (AU)
1. User points browser to WU site & selects ‘Scan for updates’ or AU automatically checks for new updates (every 17-22 hours)
2. Client side code (CC) in browser (or AU) validates WU server & gets download catalog metadata
3. CC (or AU) uses metadata to identify missing updates
4. WU (or AU -- if so configured) lists missing updates and user selects updates to download
5. CC (or AU) downloads, validates, & installs updates. AU downloads using BITS, and can be configured to allow user to select updates to install
6. CC (or AU) updates history & statistics information*
*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
SUS 1.0
Deploys Windows security patches, security rollups, critical updates, and service packs only
Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
Provides patch download, deployment, and installation configuration options
Bandwidth optimized content deployment
Provides central administrative control over which patches can be installed from Windows Update
Provides basic patch installation status logging
[Figure: update management cycle – New Update, Assess, Identify, Evaluate & Plan, Deploy]
SUS 1.0: How It Works
1. SUS Server checks Windows Update Service for updates every 24 hours*
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers**
4. AU (the SUS client) gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records install history
[Figure: Windows Update Service → Parent SUS Server → Child SUS Servers → AU clients]
*Configurable 1/day or 1/week **SUS maintains approval logs & download, sync, & install statistics
SUS Client Component: Automatic Updates
Centrally configurable to get updates either from corporate SUS server or Windows Update service
Can auto-download and install patches under admin control
Consolidates multiple reboots to a single reboot when installing multiple patches
Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
Localized in 24 languages
SUS Server Component: SUS Server
Downloads updates from Windows Update
Web based administration GUI
Specify server & update process configuration options
View downloaded updates
Approve updates & view approved updates
Security by design and default
Requires NTFS; Installs IIS Lockdown and URL scanner*
Supports secure administration over SSL
Digital signatures on downloaded content validate authenticity
Uses HTTP for content synchronization – only port 80 needs to be open
Server side XML based logging on Web server
Patch deployment & installation statistics
Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
Localized** in English & Japanese
*If not already installed
**Note: Delivers updates for all 24 supported client languages
SMS 2003
Identifies & deploys missing Windows and Office security patches on target systems
Can deploy any patch, update, or application in Windows environments
Inventory management & inventory based targeting of software installs
Install verification and detailed reporting
Flexible scheduling of content sync & installs
Central, full administrative control over installs
Bandwidth optimized content distribution
Software metering and remote control capabilities
[Figure: update management cycle – New Update, Assess, Identify, Evaluate & Plan, Deploy]
SMS 2003 Patch Management: How It Works
1. Setup: Download Security Update Inventory and Office Inventory Tools from the Microsoft Download Center; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates
[Figure: Microsoft Download Center → SMS Site Server → SMS Distribution Points → SMS Clients]
SMS 2003 Patch Management: Functionality
System scanning & patch content download
Content from Microsoft Download Center
MBSA & Office Inventory plug-ins scan for missing patches
Supports updating of remote & mobile devices
Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
Administrator control
Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
Specific start and end times (change windows); multiple change windows
Easily move patches from testing into production
Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic reference system configuration
SMS 2003 Patch Management: Functionality (2)
Patch download & installation
Delta replication (site-site, server-server) of patches
Uses BITS* for mobile / remote client-server
Uses SMB* for LAN / priority situations
Reminders and rescheduling of install / reboot & enforcement dates
Optimized graceful reboots, but forced when enforcement date arrives
Per-patch reboot-needed detection to reduce reboots
Status & Compliance Reporting
Deployment status as patches are attempted
Standard and customized reports through read-only SQL queries
Determine actual baselines in the environment before changing the environment
SLA measurement and rate-of-spread
*Requires SMS Advanced Client
Choosing A Patch Management Solution: Needs-Based Selection
Adopt the solution that best meets the needs of your organization
Capability | Windows Update | SUS 1.0 | SMS 2003
Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98*
Core Patch Management Capabilities
Supported Content Types | All patches, updates (including drivers), & service packs (SPs) for the above | Only security & security rollup patches, critical updates, & SPs for the above | All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps
Granularity of Control
Targeting Content to Systems | No | No | Yes
Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment & server sync)
Patch Distribution Control | No | Basic | Advanced
Patch Installation & Scheduling Flexibility | Manual, end user controlled | Admin (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities
Patch Installation Status Reporting | Assessing computer history only | Limited (client install history & server based install logs) | Comprehensive (install status, result, and compliance details)
Additional Software Distribution Capabilities
Deployment Planning | N/A | N/A | Yes
Inventory Management | N/A | N/A | Yes
Compliance Checking | N/A | N/A | Yes
*MBSA does not support scanning Win98 – Win98 can be updated using SMS2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution: Typical Customer Decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software | SMS
Large or Medium Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** | SUS
Small Business | Have at least 1 Windows server and 1 IT administrator** | SUS
Small Business | All other scenarios | Windows Update
Consumer | All scenarios | Windows Update
*Windows 2000, Windows XP, Windows Server 2003
**Customer uses Windows Update or manual process for other OS versions & applications software
What could be better than patching?
Not having to patch . . . Introducing Slipstreaming!
Slipstreaming
“Slipstreaming” – Integrating a patch into a product installation directory
Windows, Internet Explorer, and Office support “Slipstreaming”
It’s so simple! An example . . .
Copy Windows 2000 CD to network share
“Slipstream” Service Pack 4 into the share
“Slipstream” all post-SP4 critical security updates into the share
Perform network / RIS installation of Windows 2000 from that share
Fully patched after setup completes!
Slipstreaming
For instructions on “slipstreaming” service packs – consult the deployment guide for the service pack you are deploying
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
For instructions on “slipstreaming” hotfixes and updates – consult the hotfix deployment guide
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm
Finding critical security updates to slipstream
Subscribe to the Security Alert Notification Service
We’ll tell you when critical updates are available!
http://www.microsoft.com/security/security_bulletins/alerts2.asp
Visit the Security Bulletin Search site to view security bulletins for all products
http://www.microsoft.com/technet/security/current.aspx
Under Product/Technology choose the product you are interested in finding updates for
Under Service Pack choose the SP level you are using
Check “Show only bulletins that have not been superseded” and press ‘Go’
Roadmap
Informed & Prepared Customers
New Security & Patch Management workshops
Regular web casts on security patch management*
Updated roadmap, whitepapers, and guidance
[Figure: timeline from Q1 ‘03 to H1 ‘05 of “Informed and Prepared Customers” deliverables: Improved KB Articles; Clearer Severity Rating Levels; Security Bulletin Teleconferences; Patch Management Guides; Security Guidance Kit; Patch Management Roadmap; Patch Management Sustaining Engineering Practices White Paper; Bulletin Search Page; GTM Partnership Deliverables; Patch Management Workshops; Revised Patch Management Guides; Security Readiness Kit (Guides, Tools, Best Practices); Patch Management White Paper; Updated Patch Management Guidance for SMS 2003 SP1; Guidance for Windows Update Services]
*See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts


Consistent & Superior Update Experience
[Figure: timeline from Q1 ‘03 to Q4 ‘04 of “Consistent & Superior Update Experience” deliverables: Standard installer switches defined; Standard terminology for documentation defined; Naming & signing standard defined; Add/Remove Program improvements in XP SP2; Standard Detection Manifest defined; MSI 3.0; 2 Installers: MSI, Update.exe; Patches & Security Bulletins released once a month; Standard Titles* defined; Standard Registry Entries defined; Product teams compliant with SE Baseline standards]
MSI 3.0 supports uninstall, binary delta patching, etc.
Converge to two installers -- end of 2004
Consistency standards implemented in all new updates -- end of 2004
*For Add/Remove Programs, Windows Update, and Download Center
Superior Patch Quality
Up to 75% reduction in patch size*
10% reduction in patch reboots
Patch test process extended to include customers
[Figure: timeline from Q1 ‘03 to H1 ‘05 of “Superior Patch Quality” deliverables: Installer restarts services when possible; 25% Reduction in Patch Size; 75% Reduction in Patch Size*; 90% Reduction in Patch Size; Patch test process includes participating customers; 10% Reduction in Patch Reboots; 30+% Reduction in Patch Reboots**]
*For Windows Update installs, more than 25% reduction for other patches
**For Windows Server 2003 patches using HotPatching (in-memory patching) technology, delivered in SP1
MBSA Update Scanning Futures
Overall direction
Microsoft will have a single scanning engine for detecting missing updates
The scanning engine will be part of the Windows Update Services / Automatic Updates client
MBSA and other products that need to detect or report on missing updates will request this information from the Windows Update Services / Automatic Updates client
MBSA becomes Windows vulnerability assessment & mitigation engine
Near-term plans
MBSA 2.0 (H1 2005)
Initial integration with Windows Update Services / Automatic Update client for update scanning
Further deprecation of native MBSA scanning occurs on an ongoing basis as Microsoft Update continues to add support for updating additional Microsoft software over time
WU and XPSP2 AU Improvements
New release of Windows Update (v 5)
Improved homepage design and navigation
Implements download throttling for dial-up and low bandwidth connections
Will not recommend updates that have already been installed
Download regulation feature reduces amount of data transmitted per update
Improved ability to update systems with latest critical updates
Customer offered choice during Windows XP SP2 install to have AU automatically download and install critical updates
New version of Automatic Update client
Uses BITS 2.0 to enable restart of interrupted download and improved bandwidth throttling
Ability to delay reboot to next system shutdown
Microsoft Hosted Update Services
[Figure: Today – Windows Update, Office Update, Download Center; H1 2005 – Microsoft Update and Download Center, with WUS and SMS shown as consumers]
Microsoft Update
Online service and update repository for updating all Microsoft software
Microsoft Update: superset of Windows Update
Initially supports Windows XP, Windows 2000, Windows Server 2003, Office XP, Office 2000, SQL Server 2000, MSDE 2000, and Exchange 2003. Support for additional Microsoft products will be added on an on-going basis
Built on Windows Update Services (formerly SUS 2.0) infrastructure
Includes automated scanning, update install, and reporting capabilities
Windows Update maintained for legacy reasons
Patch Management Products: Future Direction
Near-term milestones
Windows Update Services (H1 2005)
SMS 2003 / WUS Phase 1 Integration (H1 2005)
Leverages Windows Update Services for update scanning
Longer-term (Longhorn time frame)
Windows Update Services (WUS) becomes core update management component of Windows Server
WUS updates all Microsoft corporate software
SMS / WUS Phase 2 integration – SMS builds on WUS infrastructure to deliver advanced patch management
WUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
Windows Update Services*
The update management component of Windows Server that enables IT administrators to more easily assess, control and automate the deployment of Microsoft software updates
Update management solution for all Microsoft products
Initially supports Windows XP Pro, Windows 2000 Pro, Windows 2000 Server, Windows Server 2003, Office XP, Office 2003, SQL Server 2000, MSDE 2000, Exchange 2003, + additional products over time**
Support for additional update types – security, critical and non-critical updates, update rollups, service packs, feature packs, and critical driver updates
Core update management infrastructure in Windows
Data Model - supersedence, update dependency & bundle relationships
Built-in update scanning engine to detect missing updates
Server APIs (.NET) and remoteable Client APIs (COM)
Enhanced bandwidth optimization
Uses BITS for client-server and server-server communication
‘Binary delta compression’ technologies dramatically reduce data transfer needs
Configurable update subscriptions -- specify subset of content to be downloaded
*WUS is currently in beta. Microsoft does not guarantee that all capabilities listed will be in the released version.
Datasheet and sign up for the Open Evaluation Program at: www.microsoft.com/wus
**Without the need to upgrade or redeploy WUS
Windows Update Services (2)
Expanded administrative control
Scanning: Pre-deployment scan for missing updates
Download & approval: Specify only metadata be downloaded, rules for auto-
approving updates, etc.
Targeting: Install or uninstall to systems grouped via enumerated lists or Group Policy
Scheduling: Set new update detection frequency*, specify install deadline**, etc.
Implementation: Options to use specified communication port, work with Internet
proxy, deploy in hierarchical replica or independently managed server topologies,
support update management for networks not connected to the Internet, etc.
End-user experience: Options to notify users of new updates, reboot, etc.

Status reporting
Deployment status aggregation per machine/per update/per group
Download / install success, failure, and error info
Logs statistics to SQL Server or MSDE
Improved ease of administration
New, intuitive Web administration console simplifies ongoing administration and provides detailed information on new updates
Command line utilities and scriptability to enable scalable, efficient administration
*Max. frequency 1/hour. Can use command line option or script to trigger new update checks on demand
**Deadlines also enable enforcement of update installs (re-installation of required updates removed from the system at a later date)
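The WUS data model (supersedence and update dependency relationships) on the previous slide and the deadline footnote above describe logic a client must apply before it can act on an approval list. The Python below is an added example, not WUS code and not its schema: the catalog, update ids and dates are constructed. It computes the effective set of required updates (approved updates plus prerequisites, minus anything a newer member of the set supersedes), a dependency-respecting install order, and the updates whose deadline has passed and which are absent from the machine; the last check also covers a required update that was removed after installation, the re-installation case the footnote mentions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Update:
    uid: str
    supersedes: Tuple[str, ...] = ()   # older updates this one replaces
    requires: Tuple[str, ...] = ()     # prerequisites that must be installed first


# Constructed catalog: ids and relationships are made up for this example.
CATALOG: Dict[str, Update] = {u.uid: u for u in [
    Update("KB-A1"),
    Update("KB-A2", supersedes=("KB-A1",)),
    Update("KB-A3", supersedes=("KB-A2",)),
    Update("KB-B1"),
    Update("KB-B2", requires=("KB-B1",)),
    Update("KB-C1", requires=("KB-A3", "KB-B2")),
]}


def _closure(start: Iterable[str], step: Callable[[Update], Iterable[str]],
             catalog: Dict[str, Update]) -> Set[str]:
    """Transitive closure of `step` (which yields related ids) starting from `start`."""
    seen: Set[str] = set()
    stack = list(start)
    while stack:
        uid = stack.pop()
        if uid in seen:
            continue
        seen.add(uid)
        if uid in catalog:              # ids outside the catalog end the walk
            stack.extend(step(catalog[uid]))
    return seen


def effective_set(approved: Iterable[str], catalog: Dict[str, Update]) -> Set[str]:
    """Approved updates plus prerequisites, minus anything superseded within that set.

    Approving KB-A2 alongside KB-A3 installs only KB-A3. A prerequisite that is itself
    superseded by a member of the set is assumed to be satisfied by its successor.
    """
    needed = _closure(approved, lambda u: u.requires, catalog)
    superseded = _closure((s for uid in needed for s in catalog[uid].supersedes),
                          lambda u: u.supersedes, catalog)
    return needed - superseded


def install_order(needed: Iterable[str], catalog: Dict[str, Update]) -> List[str]:
    """Topological order honouring `requires` edges inside `needed` (Kahn's algorithm)."""
    needed = set(needed)
    pending = {uid: {r for r in catalog[uid].requires if r in needed} for uid in needed}
    order: List[str] = []
    while pending:
        ready = sorted(uid for uid, deps in pending.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among " + ", ".join(sorted(pending)))
        for uid in ready:
            order.append(uid)
            del pending[uid]
        for deps in pending.values():
            deps.difference_update(ready)
    return order


def overdue_installs(required: Iterable[str], installed: Set[str],
                     deadlines: Dict[str, datetime], now: datetime) -> List[str]:
    """Required updates the client must force: deadline passed and not currently present.

    "Not currently present" covers both never-installed updates and ones removed after
    installation, which is the re-installation case in the footnote.
    """
    return sorted(uid for uid in required
                  if uid not in installed and uid in deadlines and deadlines[uid] <= now)


def example_overdue() -> List[str]:
    """Worked case: KB-A3 was due 31 Jan 2005, only the B updates are present, today is 15 Feb 2005."""
    required = effective_set({"KB-C1", "KB-A2"}, CATALOG)
    return overdue_installs(required, {"KB-B1", "KB-B2"},
                            {"KB-A3": datetime(2005, 1, 31)}, datetime(2005, 2, 15))


if __name__ == "__main__":
    required = effective_set({"KB-C1", "KB-A2"}, CATALOG)
    print("install order:", install_order(required, CATALOG))
    print("overdue:", example_overdue())
```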
Comparing Microsoft Update, Windows Update Services, and SMS 2003
Adopt the solution that best meets the needs of your organization
Capability | Microsoft Update | Windows Update Services | SMS 2003
Supported Software and Content
Supported Software for Content | Same as Windows Update Services + WinXP Home | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE | Same as Windows Update Services + NT 4.0 & Win98* + can update any other Windows based software
Supported Content Types for Supported Software | All software updates, critical driver updates, SPs, & FPs | All software updates, critical driver updates, service packs (SPs), and feature packs (FPs) | All updates, SPs, & FPs + supports update & app installs for any Windows based software
Update Management Capabilities
Targeting Content to Systems | N/A | Simple | Advanced
Network Bandwidth Optimization | Yes | Yes | Yes
Patch Distribution Control | N/A | Simple | Advanced
Patch Installation & Scheduling Flexibility | Manual & end user controlled | Simple | Advanced
Patch Installation Status Reporting | Install errors reported to user. Lists missing updates for accessing computer | Simple | Advanced
Deployment Planning | N/A | Simple | Advanced
Inventory Management | N/A | No | Yes
Compliance Checking | N/A | No – status reporting only | Advanced

*MBSA does not support scanning Win98 – Win98 can be updated using SMS2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution: Typical Customer Decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution | SMS 2003
Large or Medium Enterprise | Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 | Windows Update Services*
Small Business | Have at least 1 Windows server and 1 IT administrator | Windows Update Services*
Small Business | All other scenarios | Microsoft Update*
Consumer | All scenarios | Microsoft Update*
*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update
Consolidated Solutions Roadmap
[Figure: roadmap laid out across three columns, Q4/2003, H1/2005 and the Longhorn time frame, for three rows of solutions; placement below follows the slide approximately. Update Content Repositories and Online Services: Windows Update, Office Update, Download Center (Q4/2003); Windows Update, Microsoft Update, Download Center (H1/2005); Windows Update, Microsoft Update, 3rd party apps update repository, In-house developed apps update repository (Longhorn). Standalone Update Scanning Tools: MBSA 1.1.1, Office Inventory Tool (Q4/2003); MBSA 1.2 (includes OIT), MBSA 2.0 (H1/2005). Update Management Products: SMS 2.0 with Feature Pack, SMS 2003, SUS 1.0, Manual / Script Based Updating (Q4/2003); SMS 2003 / WUS phase 1 integration, WUS Server, WUS Client (H1/2005); SMS v4, WUS N.0, Windows Server Longhorn, 3rd Party / In-house Tools (Longhorn)]
Adopt a Patch Management Solution
At Microsoft, our #1 concern is the security and availability of your IT environment
If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor
Partial list* of available products:
Company Name | Product Name | Company URL
Altiris, Inc. | Altiris Patch Management | http://www.altiris.com
BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com
Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com
Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com
GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com
Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com
LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com
Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com
PatchLink Corp. | PatchLink Update | http://www.patchlink.com
Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com
St. Bernard Software | UpdateExpert | http://www.stbernard.com
*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
Summary
Addressing the patch management issue is a top priority
Taking a comprehensive, tactical & strategic approach
Made progress, but much more work to be done
Microsoft focused on:
Reducing the number of vulnerabilities & associated patches
Improving customer preparedness, training & communication
Simplifying & standardizing the patching experience
Improving patch quality
Unifying and strengthening patch management offerings
Key Recommendations:
Implement a good patch management process – it’s the key to success
Adopt a patch management solution that best fits your needs
Make use of the resources referenced in these slides
Security Incident
Response
Trends – 2003 CSI / FBI Survey

Of 532 respondents, 92% detected attacks
Only 251 organizations were able to
quantify losses
25% of respondents suffered attacks on
WWW servers
Only 50% of intrusions were reported to law
enforcement
www.gocsi.com for complete results
Case Study – Edge Server
Symptoms
Admin shares deleted repeatedly
New service / security patch installed
Server reboots unexpectedly
Bandwidth consumption / server sluggish
Low disk space
Findings
Malware “hidden” (+H) in subdir of system32
Malware “hidden” (+H) in c:\recycler
Malware really hidden in “c:\System Volume
Information” directory
FTP / Backdoor Server installed to run as SYSTEM
service
Case Study – Intranet DoS
Symptoms
High CPU utilization on affected systems (DCs
may have high CPU in LSASS)
Account lockouts
Increased TCP 139/445 network traffic
RPC / LSASS crashing, machines rebooting
AV stops working on some machines
Can’t access AV web sites on some machines
Findings
You’ve got a bot like Gaobot.AFW or Agobot.JF,
Phatbot, SDBot, Randex
There is no spoon . . .
In the last century, organizations relied upon
firewalls / perimeter defense as the basis for
protecting the Intranet
This has created a hard crunchy shell with a soft chewy
center for most organizations
In the 21st century with blended threats, firewalls
alone do not effectively stop worms
Did your firewall stop Slammer or Blaster?
Will it stop bots like Gaobot / Phatbot / Agobot?
VPN connections from home machines blur the
‘perimeter’ and increase the threat of automated
attacks
Threats – Modus Operandi
Fact: Most intrusions are not accomplished via
awe-inspiring skill.
Fact: It is much harder to secure than it is to
hack.
Most intrusions involve:
Weak administrator passwords!!!
Un-patched security vulnerabilities in underlying
software products (OS and applications)
Weak out of box security settings that were never
hardened
Lack of secure coding in custom applications
Recommendations
Normal operations staff trained to
recognize symptoms of security incidents
Escalate cases to security incident response
team to:
Determine time / date intrusion occurred
Determine how the intrusion occurred
Develop ‘signature’ for the intrusion
Scan nearby machines for ‘signature’
Make changes to security posture to prevent
future incidents
Preparing a Security Incident
Response Plan
Processes should be put in place before an
incident has occurred that will facilitate:
Detection
Determining whether an incident has occurred
Investigation
Determining how an incident has occurred
Containment
Isolating affected hosts
Resolution
Restoring service / lessons learned
Escalating the Incident
Define symptoms or behaviors that become
triggers that will kick off an investigation
Ensure admins and helpdesk staff understand and can
recognize them!
Security Incident Response team should
Compare current ‘state’ to previous ‘state’
Look for new processes, files, folders, network
connections, listening ports, services
Not possible if you don’t know what the previous state was
Baseline and catalog your servers!
Run a live response IR toolkit to collect data
Have trained IR specialist analyze output
Suspicious Symptoms, Behaviors
Suspicious event log data
Suspicious server reboot (no admins remember
rebooting)
Admin shares disappearing
Security patches installed mysteriously
New processes / services / files / folders
Abnormal process termination (i.e. IIS crashes)
A blue-screen occurs
Sluggish system performance
Suspicious network traffic to/from an IP address
Things You Need To Know

Why you need an Incident Response team
within your organization
Because it’s not a matter of ‘if’ but ‘when’
Auditing is everything
Sufficient auditing is not usually enabled by
default!
Proper business continuity planning
facilitates successful incident response
If business isn’t down – more likely to have
time to do a proper investigation
Building the Security Incident
Response Team
Overview
Training – Staying Current
Tracking Security Incidents
Live Response vs. Offline Response
Assembling a Live Response Toolkit
Microsoft PSS Security Incident Response
Toolkit
Training
Know your adversary
Strongly recommend reading security and hacking
related books
Attend security conferences (Blackhat, RSA etc.)
Subscribe to managed security service (ISS, TruSecure,
LUHRQ etc.)
Learn Incident Response
Read books
Attend specialized incident response training
Training
Recommended resources
Hacking Knowledge
Hacking Exposed series of books
Security Warrior
Stay abreast of security vulnerabilities and exploits as they are
released by subscribing to managed security services and monitoring
Full-Disclosure mailing list
Exploit web sites
Incident Response Knowledge
Windows Security Resource Kit:
http://www.microsoft.com/mspress/books/6418.asp
Foundstone: Ultimate Hacking Incident Response / Forensics
Incident Response & Computer Forensics 2nd Ed.
SANS: Track 4 – Incident Handling
CERT Incident Response Handbook:
http://www.cert.org/archive/pdf/csirt-handbook.pdf
Tracking Incidents
Tracking incidents is extremely important
Historical data can be used to spot trends
Central repository for keeping case notes during an
investigation (encrypted?)
Can be used for reporting progress to upper level
management as incidents are resolved
Options
Literally Hundreds of Help Desk software solutions
Request Tracker IR (Best Practical)
Request Tracking software specifically for CERT teams
Track-IT! (Intuit)
CRM / CIM Solutions – Not always a great fit here
Home grown solution may be best?
Live Response vs. Offline Response
Two different approaches to IR
Offline response involves imaging disks and
using specialized software to look for clues
and evidence
ProDiscover IR
EnCase
NOT mutually exclusive
Create disk image first for use with ProDiscover /
EnCase if necessary
Then perform live response using automated IR
toolkit
Live Response: Risks
Rootkits
Introduced for Windows, publicly, circa 1997
They modify operating system behavior to hide files,
folders, processes, registry entries, and network
connections to avoid detection by live response tools
Kernel mode drivers, usermode processes
By observing the system, you alter its state
Sort of like Schroedinger’s cat thought experiment.
Placing output on target system overwrites free space
/ slack space etc.
Altering time stamps and files may invalidate collected
evidence if pursuing litigation
Assembling a Live Response Toolkit
Purpose
Offline forensic analysis not always possible, needed
or timely
Technical barriers, unacceptable downtime etc.
Not always able to respond, in person to remote locations
Live response toolkit facilitates consistent data
collection from remote systems for offline analysis by
an IR specialist
Can be used as a first response tool to triage and
investigate reported security incidents
Systems can remain online during investigation
Very important when an intrusion has not been confirmed
positively
Microsoft Incident Response Toolkit
Design Goals
Trustworthiness (anticipate that a rootkit is installed)
Run in automated fashion on NT4 or later
Collect volatile data from a live system
Compress collected data into a .CAB file for
submission to an IR specialist
Not designed to
Create or preserve evidence for use by law
enforcement for use in legal proceedings
Image a drive for offline analysis and response
Microsoft Incident Response Toolkit
Two tools
Data collection agent (The “IR toolkit”)
Batch file that automates dozens of .EXEs, zipped up in a zip
file with a readme.txt
Data analysis tool (The “IR Viewer”)
C# application, runs on the examiner’s workstation
Utilizes custom-built tools designed for incident
response
Utilizes free 3rd party tools
Had to work with legal team and get written
permission from authors to redistribute their tools!
Be aware of EULAs and licensing fees associated with
‘free’ tools when used in a business environment
Microsoft Incident Response Toolkit
Randomized filenames
Gets local system / Internet time
Kernel profiler
Netstat / arp / ipconfig / routing table
DIR commands (hidden, modified, accessed, created)
Rootkit detection several ways
Dumps registry as text
Saves event logs as TSV
Enumerate NULL session information
Get patch status
Scan for ADSs (alternate data streams)
Enumerate running processes
Get file versions of all loaded modules / key directories
Get audit policy
Dump security policy information (policy, users, rights, etc.)
Map processes -> ports
Enumerate installed services
Enumerate ACLs (if specified)
Generate hashes for executables (if specified)
Run ‘net’ commands
Dump scheduled tasks
Copies all .log, .bat, .cmd, .vbs, .js files from system32
Microsoft Incident Response Toolkit
Takes anywhere from 10 to 20 minutes to run
Can be used to identify signs of an intrusion
(some rootkits, suspicious processes, services,
files, folders, registry entries, event log entries,
suspicious accounts in the administrators group,
missing security patches etc.)
Areas for improvement
Better approach to rootkit detection (in progress)
Run file system commands as SYSTEM (in progress)
Registry last write times (in progress)
Security Incident Response
Team Objectives
Incident Response Objectives
Confirm whether an intrusion has actually occurred
By analyzing the contents of the IR toolkit output for a specific
server(s)
Determine when the intrusion occurred
Based on a lead like an event ID or a suspicious file’s or folder’s
creation date
Determine how the intrusion occurred
Based on implicit or explicit evidence (absence of a critical
security update at the time the intrusion occurred etc.)
Identifies weakness in security posture and leads to corrective
action being taken
If new malware identified – submit samples to the
antivirus partners
PSS Security team in partnership with most leading antivirus
vendors
To rebuild or not, that is the question!
Microsoft’s stance
It’s a risk assessment really
We provide evidence (or lack thereof) of an
intrusion.
Sometimes we find no evidence of a compromise
Most of the time it’s pretty straightforward
We provide case notes for malware we’ve
identified
Submit to the AV partners so they can update
signatures
Customer usually cleans manually or waits for
new sigs
Other times, when a rootkit is known to be installed
and hiding software, who knows what else is on the
machine
Facilitating Effective Incident
Response
How to avoid common mistakes . . .
Common Mistakes Companies Make

When helping organizations investigate
security incidents we see the same
mistakes being made over and over again.
The following slides detail the most common
mistakes that are usually made and give
guidance on how to avoid making these
mistakes.
Common Mistakes Companies Make
No formal, documented policies
Server security hardening policy
Acceptable Use policy
Auditing policy
Password complexity requirements
Secure operating system builds
Security patch deployment policy
No formal change management process
Many systems are shared between groups with many
user accounts in the administrators group
No process for tracking changes to the system back to a group
or person
No documentation about what should be installed on a
system vs. what actually is installed on a system
Common Mistakes Companies Make
No baseline data
If you don’t know what ‘normal’ looks like, how can
you spot abnormal behavior?
Perform software inventory updates
Perform periodic port scans of the network
Know the normal operating thresholds for your servers
Know the normal traffic patterns for your network
Inability to ‘scale out’ during an investigation
Suppose after the initial response you confirm that a
group of servers were successfully attacked?
How do you scale out the investigation to the neighboring
servers / networks?
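The ‘compare current state to previous state’ step on the escalation slide, the ‘no baseline data’ mistake and the ‘scale out’ question above all come down to the same mechanic: diff a snapshot of a suspect host against its baseline, turn the delta into a signature, and look for that signature on neighbouring hosts. The script below is an added illustration written for this deck, not code from the Microsoft IR toolkit or the IR Viewer; every host name, process, service, port and file in it is a constructed sample (the executable name is a made-up lookalike), and the snapshot layout is an assumption about how toolkit output might be normalised on the examiner’s workstation.

```python
"""Baseline diff, signature extraction and scale-out scan (added example).

Each snapshot holds the volatile data categories the deck lists for a host
at one point in time.  All hosts and values below are constructed.
"""
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]

# Constructed baseline catalogued while the server was known good.
BASELINE: Snapshot = {
    "processes": {"system", "lsass.exe", "services.exe", "inetinfo.exe", "svchost.exe"},
    "services": {"W3SVC", "Eventlog", "LanmanServer", "RpcSs"},
    "ports": {"tcp/80", "tcp/135", "tcp/139", "tcp/445"},
    "files": {"kernel32.dll", "cmd.exe", "netstat.exe"},
}

# Constructed snapshot of the same server after symptoms were reported.
# 'wuauclt2.exe' is a made-up lookalike name, not a real component.
CURRENT: Snapshot = {
    "processes": {"system", "lsass.exe", "services.exe", "inetinfo.exe", "svchost.exe", "wuauclt2.exe"},
    "services": {"W3SVC", "Eventlog", "LanmanServer", "RpcSs", "Windows Updater Service"},
    "ports": {"tcp/80", "tcp/135", "tcp/139", "tcp/445", "tcp/6667"},
    "files": {"kernel32.dll", "cmd.exe", "netstat.exe", "wuauclt2.exe"},
}

# Constructed snapshots collected from neighbouring servers on the same segment.
NEIGHBOURS: Dict[str, Snapshot] = {
    "web02": {"processes": {"system", "lsass.exe", "wuauclt2.exe"}, "services": {"Eventlog"},
              "ports": {"tcp/80", "tcp/6667"}, "files": {"wuauclt2.exe"}},
    "web03": {"processes": {"system", "lsass.exe"}, "services": {"Eventlog"},
              "ports": {"tcp/80"}, "files": {"cmd.exe"}},
}


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> Dict[str, Set[str]]:
    """Items present now but absent from the baseline, per category."""
    return {cat: current.get(cat, set()) - baseline.get(cat, set()) for cat in current}


def build_signature(delta: Dict[str, Set[str]]) -> Snapshot:
    """Keep only the categories that actually changed; this is the 'signature'."""
    return {cat: set(items) for cat, items in delta.items() if items}


def scan_hosts(signature: Snapshot, hosts: Dict[str, Snapshot]) -> Dict[str, List[str]]:
    """Scale out: report every host showing any artefact from the signature."""
    hits: Dict[str, List[str]] = {}
    for name, snap in hosts.items():
        matched = [f"{cat}:{item}" for cat, items in signature.items()
                   for item in sorted(items) if item in snap.get(cat, set())]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    delta = diff_snapshot(BASELINE, CURRENT)
    signature = build_signature(delta)
    print("new on suspect host:", signature)
    print("neighbours showing the same artefacts:", scan_hosts(signature, NEIGHBOURS))
```

The diff only works in the direction the slide warns about: without the baseline there is nothing to subtract, so the catalogue has to exist before the incident.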
Common Mistakes Companies Make
No formal security incident response team
Why? Usually lack of budget and planning?
Use some form of risk assessment and threat modeling to
make a business case for a team! (STRIDE / DREAD)
Incident Response team is old-school
So you have an IR team but they aren’t up to date?
Do they know about rootkits? Do they know about the latest
worms and bots?
Consider performing a penetration test of the environment to
see how they do.
Play with malware and study it in undoable isolated virtual
machines!
Common Mistakes Companies Make
Lack of a business continuity plan
Some security incidents can be investigated
while the systems are on-line, others require
off-line analysis
How long can you afford to be down?
Lack of a trusted IR toolkit
An automated toolkit should be created to
facilitate the process of gathering information
off of live systems
The output of the toolkit should be known and
well understood!
Tips for Responding To Security
Incidents
Advice from the front line . . .
Incident Response Tips
Decide as quickly as possible whether or not to involve law
enforcement
They have their own evidence collection process and
procedures
Anything you do before law enforcement is involved
potentially hinders the investigation and collection of
evidence
Interview the person reporting the incident thoroughly
What’s the behavior being reported, how are things
different?
What day / time did you first notice something was wrong?
Write everything down and keep accurate time / date
stamps
Identify Symptoms of a Rootkit
If a rootkit is installed, the output of the IR
toolkit should not be considered trustworthy
It is imperative to identify whether a rootkit
is possibly installed right away
Consider using rootkit detection tools like
VICE
http://www.rootkit.com/vault/fuzen_op/VICE_Bin.zip
Identify Symptoms of a Rootkit
Port scan the server remotely from a known good
machine (all TCP and UDP ports)
Look for any ports that show up on the network but not
in local netstat, portqry or fport output
Sure sign that a rootkit is hiding a backdoor listening on a port
Boot the system into safe mode and examine
installed services
Look for services that show up in safe mode but not
normal mode (rootkit may not load in safe mode)
Locally list the files in the %windir% directory and
all subdirectories and then do it again from a
mapped network drive
Look for files that don’t show up locally but that do
remotely (again, rootkit)
Identify Symptoms of a Rootkit

Configure Device Manager to show ‘hidden’
devices and view them
Look for suspicious device drivers under ‘Non-
Plug and Play Drivers’
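The three cross-view checks on the previous slide (remote port scan vs. local netstat, safe mode vs. normal mode services, mapped-drive listing vs. local listing) share one idea: a rootkit that hooks the local API view cannot alter what a second, independent view sees, so the set difference between the two views is the symptom. The script below is an added example written for this deck, not part of the Microsoft IR toolkit; the netstat text, scan results, listings and service names are constructed samples (the extra file and port are made up), and the parser assumes the classic `netstat -an` column layout.

```python
"""Cross-view rootkit symptom checks (added example, constructed inputs)."""
import re
from typing import Set

# Constructed 'netstat -an' output captured locally on the suspect host.
NETSTAT_LOCAL = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.9:1324          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed result of a full TCP/UDP port scan run from a known-good machine.
REMOTE_SCAN: Set[str] = {"tcp/80", "tcp/135", "tcp/445", "udp/445", "tcp/5555"}

# Constructed %windir%\\system32 listings: local 'dir' vs. the same folder over a mapped drive.
LOCAL_DIR = {"cmd.exe", "kernel32.dll", "netstat.exe"}
REMOTE_DIR = {"cmd.exe", "kernel32.dll", "netstat.exe", "svchosts.exe"}

# Constructed installed-service lists: normal boot vs. safe mode.
NORMAL_MODE_SERVICES = {"Eventlog", "LanmanServer", "RpcSs", "W3SVC"}
SAFE_MODE_SERVICES = {"Eventlog", "LanmanServer", "RpcSs", "W3SVC", "Windows Updater Service"}

# proto, local address, foreign address, optional state (UDP rows have none)
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> Set[str]:
    """Ports the local host itself claims to be listening on, as 'proto/port'."""
    listening: Set[str] = set()
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local_addr, _foreign, state = m.groups()
        port = local_addr.rsplit(":", 1)[1]
        # UDP rows carry no state; TCP rows count only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            listening.add(f"{proto.lower()}/{port}")
    return listening


def hidden_ports(remote_open: Set[str], local_listening: Set[str]) -> Set[str]:
    """Ports visible on the wire but missing from the local view: a backdoor being hidden."""
    return remote_open - local_listening


def hidden_entries(local_view: Set[str], trusted_view: Set[str]) -> Set[str]:
    """Entries (files, services) that only the independent view shows."""
    return trusted_view - local_view


if __name__ == "__main__":
    local = parse_netstat(NETSTAT_LOCAL)
    print("ports hidden locally:", hidden_ports(REMOTE_SCAN, local))
    print("files hidden locally:", hidden_entries(LOCAL_DIR, REMOTE_DIR))
    print("services only in safe mode:", hidden_entries(NORMAL_MODE_SERVICES, SAFE_MODE_SERVICES))
```

An empty result from all three checks is not proof of a clean host (the slide says ‘sure sign’ only for the positive case), but a non-empty one justifies moving the system to offline analysis.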
IR Toolkit Data Analysis
Determining a Date / Time gives you
something to search on
Look for leads that will yield a date or a time
Suspicious processes, services, event log entries or
files created on or around the date / time of the
reported incident
Once you have a ‘lead’ (i.e. a suspicious
process or service) get the creation date of the
file on the file system
Perform a search for other files created on or
around that time
Build a Time-Line of Events
Once you have found some ‘leads’ build a
chain of events that paint the picture
Example leads from the System Event log
System mysteriously rebooted on 4/20/2004
at 2:41am
Just before that a Microsoft Security update
was installed by the ‘SYSTEM’ account
Could be a remote shell; attackers often install the
security patch they used to compromise a system to
prevent others from stealing it
Look for files created on that date / time
Build a Time-Line of Events
Example
Suspicious service identified in Services snap-in
That’s your ‘lead’
Identify the process backing that service (double click
the service)
Find the creation date of that file
Look for other files created on that date
Look for account logons on that date at around that
time
Determine when security patches were installed
relative to that date time (before or after?)
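The data analysis and time-line slides describe one procedure: take a lead, get its creation date, search the collected output for everything created or logged around that time, and check when patches were installed relative to it. The script below carries that procedure out over toolkit-style output. It is an added example written for this deck, not the IR Viewer’s code; the TSV event export, the `dir /tc` listing and the patch list are constructed samples (event IDs 6005, 6006 and 7035 are real Windows System log IDs, the ‘UpdateInstaller’ row and the KB identifiers are made-up stand-ins), and the 4/20/2004 2:41am reboot is the lead taken from the slide.

```python
"""Lead-to-timeline correlation over IR toolkit style output (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed System event log export in the TSV form the toolkit saves.
# 6005/6006/7035 are real Windows event IDs; the UpdateInstaller row is a stand-in.
EVENTS_TSV = """Date\tTime\tSource\tEventID\tUser\tDescription
04/19/2004\t09:15:00\tService Control Manager\t7036\tN/A\tThe W3SVC service entered the running state.
04/20/2004\t02:38:10\tService Control Manager\t7035\tSYSTEM\tThe Windows Updater Service service was successfully sent a start control.
04/20/2004\t02:39:45\tUpdateInstaller\t9999\tSYSTEM\tSecurity update KB000002-example was installed.
04/20/2004\t02:41:02\tEventLog\t6006\tN/A\tThe Event log service was stopped.
04/20/2004\t02:42:30\tEventLog\t6005\tN/A\tThe Event log service was started.
04/21/2004\t11:00:00\tService Control Manager\t7036\tN/A\tThe Print Spooler service entered the running state.
"""

# Constructed 'dir /tc' (creation time) output for system32; the .exe name is made up.
DIR_SYSTEM32 = """ Volume in drive C has no label.
 Directory of C:\\WINNT\\system32

04/20/2004  02:37 AM            24,576 wuauclt2.exe
04/20/2004  02:38 AM             1,203 run.bat
03/25/2003  07:00 AM           394,240 cmd.exe
04/20/2004  02:40 AM    <DIR>          drivers
"""

# Constructed patch status: (placeholder update id, install time).
PATCHES = [("KB000001-example", datetime(2004, 3, 15, 14, 0)),
           ("KB000002-example", datetime(2004, 4, 20, 2, 39))]

# Lead from the slide: the mysterious reboot.
LEAD = datetime(2004, 4, 20, 2, 41)

Event = Tuple[datetime, str, str, str, str]
_DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")


def parse_events(tsv: str) -> List[Event]:
    """(timestamp, source, event id, user, description) per exported row."""
    rows: List[Event] = []
    for line in tsv.splitlines()[1:]:
        date, time, source, eid, user, desc = line.split("\t")
        rows.append((datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"), source, eid, user, desc))
    return rows


def parse_dir(text: str, directory: str) -> List[Tuple[datetime, str]]:
    """(creation time, full path) for every entry in a 'dir /tc' listing."""
    files = []
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if m:
            created = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            files.append((created, f"{directory}\\{m.group(4)}"))
    return files


def creation_time(files: List[Tuple[datetime, str]], name: str) -> Optional[datetime]:
    """Creation date of the file backing a suspicious service or process."""
    for created, path in files:
        if path.lower().endswith("\\" + name.lower()):
            return created
    return None


def build_timeline(lead: datetime, window_minutes: int, events: List[Event],
                   files: List[Tuple[datetime, str]]) -> List[Tuple[datetime, str, str]]:
    """Everything logged or created within +/- window_minutes of the lead, in order."""
    lo, hi = lead - timedelta(minutes=window_minutes), lead + timedelta(minutes=window_minutes)
    rows = [(t, "event", f"{src} {eid} [{user}] {desc}") for t, src, eid, user, desc in events if lo <= t <= hi]
    rows += [(t, "file", path) for t, path in files if lo <= t <= hi]
    return sorted(rows)


def patches_relative_to(lead: datetime, patches) -> Dict[str, List[str]]:
    """Which updates were installed before the lead and which only after it."""
    rel: Dict[str, List[str]] = {"before": [], "after": []}
    for pid, when in sorted(patches, key=lambda p: p[1]):
        rel["before" if when <= lead else "after"].append(pid)
    return rel


if __name__ == "__main__":
    files = parse_dir(DIR_SYSTEM32, "C:\\WINNT\\system32")
    for when, kind, detail in build_timeline(LEAD, 5, parse_events(EVENTS_TSV), files):
        print(when, kind, detail)
    print(patches_relative_to(LEAD, PATCHES))
```

The window is deliberately small at first; widen it only once the events inside it tell a coherent story, otherwise the noise from normal operation swamps the lead.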
Look In The Right Places
Miscreants often hide their malware in the
c:\recycler\<SID> folder (where SID is a
real or fictitious security identifier)
Miscreants are increasingly turning to
hiding their malware in the hidden SYSTEM-
only “c:\system volume information” folder
Grant admins access to the folder and look in
there as well.
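A per-user recycle bin folder is named after the owning account’s SID, so a c:\recycler subfolder whose name is not a well-formed account SID, or whose SID matches no account the toolkit’s user dump reported, is worth a look, as is any executable content in either hiding place named above. The checks below are an added example written for this deck, not toolkit code; the folder listings and every SID in them are constructed (the sub-authority values are obviously fake), and the S-1-5-21 account-SID pattern is the general form of a local or domain account SID.

```python
"""Checks for the two hiding places the deck names (added example, constructed data)."""
import re
from typing import Dict, List, Set

# An account SID has the form S-1-5-21-<three sub-authorities>-<RID>.
_ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
_EXECUTABLE = re.compile(r"\.(exe|dll|bat|cmd|vbs|js|scr|pif|com)$", re.IGNORECASE)

# Constructed: SIDs the toolkit's user dump reported for accounts on this host.
KNOWN_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333-500",
              "S-1-5-21-1111111111-2222222222-3333333333-1005"}

# Constructed c:\recycler listing: subfolder name -> files inside it.
RECYCLER: Dict[str, Set[str]] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1005": {"INFO2", "Dc1.txt"},
    "S-1-5-21-9999999999-8888888888-7777777777-1003": {"INFO2", "svchosts.exe"},
    "S-1-5-32-544": {"readme.txt"},
    "S-1-5-21-1111111111-2222222222-3333333333-500": {"INFO2", "ftp.dat", "srv.exe"},
}

# Constructed listing of 'c:\System Volume Information' after granting admins access.
SYSTEM_VOLUME_INFORMATION = {"tracking.log", "catalog.wci", "x.exe"}


def classify_recycler(listing: Dict[str, Set[str]], known_sids: Set[str]) -> Dict[str, List[str]]:
    """Folder -> reasons it deserves a look; an empty dict means nothing was flagged."""
    flagged: Dict[str, List[str]] = {}
    known = {s.upper() for s in known_sids}
    for folder, files in listing.items():
        reasons = []
        if not _ACCOUNT_SID.match(folder):
            reasons.append("name is not an account SID")
        elif folder.upper() not in known:
            reasons.append("SID does not belong to any account on this host")
        exes = sorted(f for f in files if _EXECUTABLE.search(f))
        if exes:
            reasons.append("executable content: " + ", ".join(exes))
        if reasons:
            flagged[folder] = reasons
    return flagged


def executables_in(files: Set[str]) -> List[str]:
    """Executables in a folder that should only hold system restore data."""
    return sorted(f for f in files if _EXECUTABLE.search(f))


if __name__ == "__main__":
    for folder, reasons in classify_recycler(RECYCLER, KNOWN_SIDS).items():
        print(folder, "->", "; ".join(reasons))
    print("executables under System Volume Information:", executables_in(SYSTEM_VOLUME_INFORMATION))
```

The SID list should come from the same collection run as the listing; a recycle bin left behind by a since-deleted account will otherwise show up as a false positive, which is still a cheaper outcome than missing a fictitious one.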
Laws and Legal Issues
What you don’t know can hurt you . . .
Laws and Legal Issues
Decide early on whether you might want to
prosecute or not
There are usually laws surrounding the
collection of evidence and surveillance
In litigious investigations you will be much
more successful if you involve law enforcement
immediately
Laws and Legal Issues
Most companies have a lack of knowledge about
“Cyber crime” laws
Acceptable Use Policies
Search and Seizure Laws
Reasonable Expectation of Privacy
Is it lawful to monitor an employee’s e-mail / network traffic /
or search their hard drive?
Due Diligence Laws
Can you be held liable for personally identifiable information
that was stolen?
Always involve proper legal counsel at the onset
of a security related incident response
investigation!
Laws and Legal Issues
List of Worldwide Cyber Crime Law Links
http://www.ccmostwanted.com/LL/global.htm
U.S. Laws
www.cybercrime.gov
European Laws
http://conventions.coe.int/
http://www.epic.org/privacy/intl/
http://www.europa.eu.int/index_en.htm
Australian Laws
http://www.aph.gov.au/house/
http://parlinfoweb.aph.gov.au/piweb/search_main.aspx
http://www.ntu.edu.au/faculties/lba/schools/Law/apl/Cyberspace_Law/articles1.htm
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
