Software Updating: Hitting the Mark
Ravi Sankar
Technology Evangelist | Microsoft Corporation

Agenda
• Update Management Overview
• Update Management Process
• Update Management Tools

The Business Case
• While determining the financial impact of poor update management consider the following
  – Downtime
  – Remediation time
  – Data integrity
  – Lost credibility with customers and partners
  – Negative public relations
  – Legal defenses
  – Stolen Intellectual Property

Understanding the Vulnerability Timeline
[Timeline figure: Product Shipped, Vulnerability Discovered, Vulnerability Disclosed, Update Made Available, Update Deployed; callout: "Most attacks occur here"]

Malware Attack (Year)    Days between update and exploit
Nimda (2000)             336
SQLP (2002)              185
MSBLAST (2003)           26
SASSER (2004)            17
ZOTOB (2005)             5

Days between update and exploit have decreased

Requirements for Successful Update Management
• Effective Processes: Project management, four-phase update management process
• Effective Operations: People who understand their roles and responsibilities
• Tools and Technologies: Products, tools, automation

Update Management Process
1. Assess
  • Inventory computing assets
  • Assess threats and vulnerabilities
  • Determine the best source for information about new updates
  • Assess your software distribution infrastructure
  • Assess operational effectiveness
2. Identify
  • Discover new updates
  • Determine whether updates are relevant to your environment
  • Obtain update, confirm it is safe
  • Determine if update is a normal change or an emergency
3. Evaluate and Plan
  • Determine whether the update is actually required
  • Plan the release of the update
  • Build the release
  • Perform acceptance testing
4. Deploy
  • Prepare for deployment
  • Deploy the update to targeted computers
  • Review the deployment

Choosing an Update Management Solution
Columns: Customer; Scenario; Solution type
• Consumer
  – All scenarios: Microsoft Update
• Small organization
  – Has no Windows servers: Microsoft Update
  – Has one to three Windows 2000 or newer servers and one IT administrator: MBSA and WSUS
• Medium-sized or large enterprise
  – Wants an update management solution with basic control to update Windows 2000 and newer versions of Windows: MBSA and WSUS
  – Wants a single flexible update management solution with extended level of control to update and distribute all software: System Center Configuration Manager

Update Management Solution for Consumers and Small Organizations
Update management solution based on Protect Your PC:
1. Use an Internet firewall
2. Get computer updates from Microsoft Update
3. Use up-to-date antivirus software
4. Deploy Windows XP SP 2
5. See the Protect Your PC page on the Microsoft Security at Home Web site

MBSA Benefits
• Scans systems for:
  – Missing security updates
  – Potential configuration issues
• Works with a broad range of Microsoft software
• Allows an administrator to centrally scan multiple computers simultaneously
MBSA is a free tool, and can be downloaded from the Microsoft Baseline Security Analyzer page on the Microsoft TechNet Web site

MBSA Considerations
• MBSA reports important security issues:
  – Password weaknesses
  – Guest account not disabled
  – Auditing not configured
  – Unnecessary services installed
  – IIS security issues
  – Internet Explorer zone settings
  – Automatic Updates configuration
  – Windows firewall configuration

MBSA – How It Works
[Diagram labels: Windows Download Center, WSUSScan.cab, MBSA Computer]

MBSA – Scan Options
MBSA has two scan options:
• MBSA graphical user interface (GUI)
• MBSA standard command-line interface (mbsacli.exe)
When scanning for security updates, you can configure MBSA to:
• Update the Microsoft Update Agent on all scanned computers
• Use a WSUS server as the update source
• Use Microsoft Update as the update source
Now you can integrate it with the new MBSA Visio Connector

Windows Server Update Services (WSUS) Benefits
• Gives administrators control over update management
  – Administrators can review, test, and approve updates before deployment
• Simplifies and automates key aspects of the update management process
  – Can be used with Group Policy, but Group Policy is not required to use WSUS
• Easy to implement
• Free tool from Microsoft

WSUS – How It Works
[Diagram labels: Microsoft Update, Firewall, WSUS Server, WSUS Administrator, Pilot Computers Group, Client Computers Group, Windows Servers Group]

WSUS – Deployment Scenarios
[Diagram labels: Microsoft Update, Firewall, Main Office WSUS Server, Main Office Client Computers, Independent WSUS Server, Replica WSUS Server, Disconnected WSUS Server, Regional Client Computers, Remote Office Client Computers]

WSUS – Client Component
• The client component of WSUS is Automatic Updates
• Can be configured to pull updates either from the corporate WSUS server or from Microsoft Update
• Three ways to configure Automatic Updates:
  – Centrally, by using Group Policy
  – Manually configure clients
  – Use scripts to configure clients

WSUS – Server Component
• The server component of WSUS is Windows Server Update Services
• Can synchronize updates from Microsoft Update on a schedule
• Provides a Web-based administrative GUI
• Has several built-in default security features
• Provides synchronization and update reports
• Uses MSDE or SQL Server database to store update metadata, events, and settings
• Interface is localized in 17 languages

How to Use WSUS
On the WSUS server:
1. Administer the WSUS server at http://<server name>/WSUSAdmin
2. Configure the WSUS server synchronization schedule and settings
3. Create client computer groups and assign computers
4. Review, test, and approve updates
On each WSUS client:
• Configure Automatic Updates on the client to use the WSUS server

Systems Management Server Benefits
• For a full software distribution update management solution, use:
  – Systems Management Server 2003 or
  – System Center Configuration Manager 2007
• Benefits of using Systems Management Server:
  – Gives administrators comprehensive control over update management
  – Automates key aspects of update management
  – Can update a broad range of Microsoft products
  – Can be used to update third-party software and install other software updates or applications

Systems Management Server – How It Works
[Diagram labels: Microsoft Update, Firewall, Systems Management Server Site Server, Systems Management Server Distribution Point (two), Systems Management Server Clients (three)]

Best Practices for Update Management
• Implement a good update management process
• Choose an update management solution that meets your organization’s needs
• Subscribe to the Microsoft Security Notification Service
• Make use of Microsoft guidance and resources
• Keep your systems up to date

Session Summary
• Implementing security updates promptly is a critical component in a security management plan
• Update management needs to follow your standard network management processes
• For small and medium-sized business, MBSA and WSUS together provide an excellent update management solution.
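
The "use scripts to configure clients" option from the WSUS client component slide, as an added example that is not part of the original deck: a PowerShell script that writes the Automatic Updates policy values pointing a client at a WSUS server, then reads them back and reports any mismatch. The server name wsus01.example.internal is a placeholder and the two function names are this example's own.

```powershell
# Added example: configure and verify Automatic Updates for WSUS by script.
$WsusUrl = 'http://wsus01.example.internal'   # placeholder, use your own WSUS server
$WuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = "$WuKey\AU"

function Set-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ServerUrl)
    # Create the policy keys if nothing has written them yet.
    foreach ($k in $WuKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Update source and reporting server (normally the same WSUS host).
    Set-ItemProperty -Path $WuKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $ServerUrl -Type String
    # UseWUServer=1 makes the client use WUServer instead of Microsoft Update.
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    # AUOptions 4 = download automatically and install on a schedule.
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ExpectedUrl)
    # Missing keys come back as $null and are reported as findings below.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $findings = @()
    if ($wu.WUServer -ne $ExpectedUrl)       { $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedUrl'" }
    if ($wu.WUStatusServer -ne $ExpectedUrl) { $findings += "WUStatusServer is '$($wu.WUStatusServer)'" }
    if ($au.UseWUServer -ne 1)               { $findings += 'UseWUServer is not 1; WUServer is ignored' }
    if ($au.NoAutoUpdate -eq 1)              { $findings += 'NoAutoUpdate is 1; Automatic Updates is disabled' }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Set-WsusClientPolicy -ServerUrl $WsusUrl      # requires an elevated session
Restart-Service -Name wuauserv                # make the update agent reread the policy
Test-WsusClientPolicy -ExpectedUrl $WsusUrl
```

On domain-joined clients where a Group Policy object defines the same settings, Group Policy overwrites the values written here at the next policy refresh, so the verification function is the part to keep running on a schedule.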