Software Updating: Hitting the Mark

Ravi Sankar

Technology Evangelist | Microsoft Corporation

Agenda

Update Management Overview

Update Management Process

Update Management Tools

The Business Case

• While determining the financial impact of poor update management, consider the following:
  – Downtime
  – Remediation time
  – Data integrity
  – Lost credibility with customers and partners
  – Negative public relations
  – Legal defenses
  – Stolen intellectual property

Understanding the Vulnerability Timeline

[Timeline figure. Stages: Product Shipped, Vulnerability Discovered, Vulnerability Disclosed, Update Made Available, Update Deployed. Callout: Most attacks occur here]

Malware Attack (Year)    Days between update and exploit
Nimda (2000)             336
SQLP (2002)              185
MSBLAST (2003)           26
SASSER (2004)            17
ZOTOB (2005)             5

Days between update and exploit have decreased

Agenda

Update Management Overview

Update Management Process

Update Management Tools

Requirements for Successful Update Management

Effective Processes: Project management, four-phase update management process

Effective Operations: People who understand their roles and responsibilities

Tools and Technologies: Products, tools, automation

Update Management Process

1. Assess
• Inventory computing assets
• Assess threats and vulnerabilities
• Determine the best source for information about new updates
• Assess your software distribution infrastructure
• Assess operational effectiveness

2. Identify
• Discover new updates
• Determine whether updates are relevant to your environment
• Obtain update, confirm it is safe
• Determine if update is a normal change or an emergency

3. Evaluate and Plan
• Determine whether the update is actually required
• Plan the release of the update
• Build the release
• Perform acceptance testing

4. Deploy
• Prepare for deployment
• Deploy the update to targeted computers
• Review the deployment

Choosing an Update Management Solution

Customer | Scenario | Solution type

Consumer | All scenarios | Microsoft Update
Small organization | Has no Windows servers | Microsoft Update
Small organization | Has one to three or newer servers and one IT administrator | MBSA and WSUS
Medium-sized or large enterprise | Wants an update management solution with basic control to update Windows 2000 and newer versions of Windows | MBSA and WSUS
Medium-sized or large enterprise | Wants a single flexible update management solution with extended level of control to update and distribute all software | System Center Configuration Manager

Update Management Solution for Consumers and Small Organizations

Update management solution based on Protect Your PC:

1. Use an Internet firewall
2. Get computer updates from Microsoft Update
3. Use up-to-date
4. Deploy Windows XP SP 2
5. See the Protect Your PC page on the Microsoft Security at Home Web site

MBSA Benefits

• Scans systems for:
  – Missing security updates
  – Potential configuration issues
• Works with a broad range of Microsoft software
• Allows an administrator to centrally scan multiple computers simultaneously

MBSA is a free tool, and can be downloaded from the Microsoft Baseline Security Analyzer page on the Microsoft TechNet Web site

MBSA Considerations

• MBSA reports important security issues:
  – Password weaknesses
  – Guest account not disabled
  – Auditing not configured
  – Unnecessary services installed
  – IIS security issues
  – Internet Explorer zone settings
  – Automatic Updates configuration
  – Windows firewall configuration

MBSA – How It Works

[Diagram labels: Windows Download Center, WSUSScan.cab, MBSA Computer]

MBSA – Scan Options

MBSA has two scan options:

• MBSA graphical user interface (GUI)
• MBSA standard command-line interface (mbsacli.exe)

When scanning for security updates, you can configure MBSA to:

• Update the Microsoft Update Agent on all scanned computers
• Use a WSUS server as the update source
• Use Microsoft Update as the update source

Now you can integrate it with the new MBSA Visio Connector

Windows Server Update Services (WSUS) Benefits

• Gives administrators control over update management
  – Administrators can review, test, and approve updates before deployment
• Simplifies and automates key aspects of the update management process
  – Can be used with Group Policy, but Group Policy is not required to use WSUS
• Easy to implement
• Free tool from Microsoft

WSUS – How It Works

[Diagram labels: Microsoft Update, Firewall, WSUS Server, WSUS Administrator, Pilot Computers Group, Client Computers Group, Windows Servers Group]

WSUS – Deployment Scenarios

[Diagram labels: Microsoft Update, Firewall, Main Office WSUS Server, Main Office Client Computers, Independent WSUS Server, Regional Client Computers, Replica WSUS Server, Remote Office Client Computers, Disconnected WSUS Server]

WSUS – Client Component

• The client component of WSUS is Automatic Updates
• Can be configured to pull updates either from corporate WSUS server or from Microsoft Update
• Three ways to configure Automatic Updates:
  – Centrally, by using Group Policy
  – Manually configure clients
  – Use scripts to configure clients

WSUS – Server Component

• The server component of WSUS is Windows Server Update Services
• Can synchronize updates from Microsoft Update on a schedule
• Provides a Web-based administrative GUI
• Has several built-in default security features
• Provides synchronization and update reports
• Uses MSDE or SQL Server database to store update metadata, events, and settings
• Interface is localized in 17 languages

How to Use WSUS

On the WSUS server:

1. Administer the WSUS server at http:///WSUSAdmin
2. Configure the WSUS server synchronization schedule and settings
3. Create client computer groups and assign computers
4. Review, test, and approve updates

On each WSUS client:

Configure Automatic Updates on the client to use the WSUS server

Systems Management Server Benefits

• For a full software distribution update management solution, use:
  – Systems Management Server 2003 or
  – System Center Configuration Manager 2007
• Benefits of using Systems Management Server:
  – Gives administrators comprehensive control over update management
  – Automates key aspects of update management
  – Can update a broad range of Microsoft products
  – Can be used to update third-party software and install other software updates or applications

Systems Management Server – How It Works

[Diagram labels: Microsoft Update, Firewall, Systems Management Server Site Server, Systems Management Server Distribution Point (two), Systems Management Server Clients (three groups)]

Best Practices for Update Management

Implement a good update management process

Choose an update management solution that meets your organization’s needs

Subscribe to the Microsoft Security Notification Service

Make use of Microsoft guidance and resources

Keep your systems up to date

Session Summary

Implementing security updates promptly is a critical component in a security management plan

Update management needs to follow your standard network management processes

For small and medium-sized businesses, MBSA and WSUS together provide an excellent update management solution
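
One way to carry out the "Use scripts to configure clients" option and the "On each WSUS client" step described above, as an added example that is not part of the original presentation: the script writes the Windows Update policy registry values that point Automatic Updates at a WSUS server, then reads them back. The server URL is supplied by you, the default group name 'Pilot Computers' is an assumption, and the group assignment only takes effect if the WSUS server is set to accept client-side targeting.

```powershell
# Added example, not from the original deck. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$WsusUrl,                          # your WSUS server URL (assumption: supplied by you)
    [string]$TargetGroup = 'Pilot Computers'   # assumed name; must exist as a group on the server
)

# Reject anything that is not an absolute http(s) URL before touching the registry.
$uri = [Uri]$WsusUrl
if (-not $uri.IsAbsoluteUri -or $uri.Scheme -notin 'http', 'https') {
    throw "WsusUrl must be an absolute http(s) URL, got: $WsusUrl"
}
if ($uri.Scheme -eq 'http') {
    Write-Warning 'Plain HTTP does not protect update metadata in transit; use HTTPS if the WSUS server has SSL configured.'
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
# Create the keys only if missing, so existing policy values are not wiped.
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

$settings = @(
    @{ Path = $wu; Name = 'WUServer';             Value = $WsusUrl;     Type = 'String' }
    @{ Path = $wu; Name = 'WUStatusServer';       Value = $WsusUrl;     Type = 'String' }
    @{ Path = $wu; Name = 'TargetGroupEnabled';   Value = 1;            Type = 'DWord'  }
    @{ Path = $wu; Name = 'TargetGroup';          Value = $TargetGroup; Type = 'String' }
    @{ Path = $au; Name = 'UseWUServer';          Value = 1;            Type = 'DWord'  }
    @{ Path = $au; Name = 'NoAutoUpdate';         Value = 0;            Type = 'DWord'  }
    @{ Path = $au; Name = 'AUOptions';            Value = 4;            Type = 'DWord'  }  # 4 = download and install on schedule
    @{ Path = $au; Name = 'ScheduledInstallDay';  Value = 0;            Type = 'DWord'  }  # 0 = every day
    @{ Path = $au; Name = 'ScheduledInstallTime'; Value = 3;            Type = 'DWord'  }  # 03:00 local time
)
foreach ($s in $settings) {
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
}

# Read the values back so a failed or partial write is visible in the output.
$mismatch = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    if ($actual -ne $s.Value) { "$($s.Name): expected '$($s.Value)', found '$actual'" }
}
if ($mismatch) { throw "Policy verification failed:`n$($mismatch -join "`n")" }

# Restart the Windows Update service so Automatic Updates picks up the new policy.
Restart-Service -Name wuauserv
```

Where Group Policy is in use, the same values are set centrally and will overwrite what the script writes at the next policy refresh.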