Microsoft Security Update Guide Second Edition Helping IT Professionals Better Understand and Maximize Microsoft Security Update Release Information, Processes, Communications and Tools Microsoft Security Update Guide, Second Edition 2 i Microsoft Security Update Guide, Second Edition © 2011 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including any URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Microsoft Security Update Guide, Second Edition Contents Welcome ................................................................................................................................. 1 How to Use the Microsoft Security Update Guide ....................................................... 2 Introduction ........................................................................................................................... 2 Managing Vulnerabilities ...................................................................................................... 6 Purpose of this Guide ...................................................................................... 6 Vulnerability Management at Microsoft ............................................................ 7 Managing Security Updates by Using Microsoft Solutions ....................................... 9 Three Approaches to Security Updates ......................................................... 10 The Microsoft Security Update Release Process ........................................................ 15 How Microsoft Tests Security Updates .......................................................... 16 Application Compatibility Testing ................................................................. 17 Rootkit Detection.......................................................................................... 18 Security Test Pass ....................................................................................... 18 Security Update Validation Program............................................................ 19 Microsoft Security Release Communications ................................................ 19 Security Bulletin Advance Notification ......................................................... 19 Security Bulletin Summary ........................................................................... 20 Security Bulletin ........................................................................................... 20 Security Update ........................................................................................... 20 Knowledge Base (KB) Articles ..................................................................... 21 Security Advisory ......................................................................................... 21 Predictable Security Update Release Process ............................................ 21 Fraudulent Notifications That Target Microsoft Security Updates ................. 23 Customer Risk Management Framework ...................................................... 23 ii Microsoft Security Update Guide, Second Edition Stage 1: Receive Microsoft Security Release Communications ............................. 25 Microsoft Security Release Communications ................................................25 Receiving Microsoft Security Release Communications ...............................26 Stage 2: Evaluate Risk ....................................................................................................... 28 Determinations in the Risk Management Framework ....................................30 Does Your Organization Lack an Existing Risk Management Process? .......31 Identify Whether the Vulnerability Applies .....................................................31 Gathering Security Vulnerability Intelligence ...............................................32 Determining the Vulnerability Risk .................................................................35 The Microsoft Severity Rating System .........................................................36 Risk Evaluation Resources ..........................................................................38 Example: Applying Microsoft Guidance to Evaluate Risk ..............................46 Example: Applying Intelligence to Determine Risk Rating ...........................47 Security Update Deployment Considerations ................................................48 Stage 3: Evaluate Mitigation ........................................................................................... 54 A Viable Short-Term Security Control ............................................................55 Stage 4: Deploy Updates ................................................................................................. 59 The Deploying Microsoft Windows Server Update Services Guide ...............62 Standard and Urgent Deployments ................................................................62 Standard Package Application Process .........................................................62 Planning the Deployment ...............................................................................63 Example: Planning Security Update Deployment ........................................64 Is a Security Update Available for Download? ...............................................66 Obtaining the Required Security Update Files from a Trusted Source ..........67 Creating Update Packages ............................................................................68 Testing Update Packages ..............................................................................70 iii Microsoft Security Update Guide, Second Edition Test Environment ......................................................................................... 70 Pilot Deployment .......................................................................................... 72 Test Process Steps ...................................................................................... 72 Deploying Update Packages .......................................................................... 83 Submitting a Change Request ..................................................................... 86 Communicating the Rollout Schedule to the Organization .......................... 86 Installing the Update .................................................................................... 87 Accelerating Security Update Deployment .................................................... 89 Creating Update Packages .......................................................................... 89 Testing Packages ........................................................................................ 89 Deploying Packages .................................................................................... 89 Stage 5: Monitor Systems ................................................................................................ 90 Successful Update Deployment ..................................................................... 91 Confirming Update Installation ..................................................................... 92 Uninstalling Security Updates ...................................................................... 94 Post-Implementation Review ....................................................................... 96 Short-Term Mitigation Removal ................................................................... 96 Stage 6: Use Microsoft Resources to Track Security Developments .................... 97 Major and Minor Security Bulletin and Advisory Revisions ........................... 98 The Constant Threat from Malicious Software .............................................. 99 Other Security Resources ............................................................................ 101 Summary ............................................................................................................................ 102 Feedback ..................................................................................................... 102 Appendix ............................................................................................................................ 104 The Microsoft Security Update Release and Deployment Process Diagram104 Microsoft Security Update Terminology ....................................................... 106 iv Microsoft Security Update Guide, Second Edition Microsoft Security Updates ........................................................................107 Windows Update or Microsoft Update? .......................................................109 Security Update Policy for Non-Genuine Software ....................................110 Glossary and Commonly Used Terms .........................................................111 v Microsoft Security Update Guide, Second Edition Welcome A Message from Trustworthy Computing Security General Manager, Matt Thomlinson Welcome to the Microsoft Security Update Guide, Second Edition. Our aim with the Guide is to help you manage the process of deploying Microsoft security updates within your environment. Microsoft produces a lot of information and guidance about our security updates, and the Guide describes how to use these resources effectively to help make your
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages124 Page
-
File Size-