• Employed at Microsoft for 6+ years
• Currently enrolled in the MBA: Information Assurance program at the University of Dallas
• Former Squad Leader with the 75th Ranger Regiment
• Over 200 live security events and webcasts, including TechEd, COMDEX, Microsoft Security Summits, etc.
• …and a HUGE Green Bay Packers fan!
Session Prerequisites
Hands-on experience with Microsoft® Windows® 2000 Server™ or Microsoft® Windows Server 2003™ management tools
Understanding the Exploit Time Line
Days between update and exploit:
Nimda: 331
SQL Slammer: 180
Welchia/Nachi: 151
Blaster: 25
Sasser: 14
Microsoft Update Severity Ratings
See "Microsoft Security Bulletin Search" on the Microsoft TechNet Web site
Rating: Definition
Critical: Exploitation could allow the propagation of an Internet worm without user action
Important: Exploitation could result in compromise of user data or the availability of processing resources
Moderate: Exploitation is serious, but is mitigated to a significant degree by default configuration, auditing, need for user action, or difficulty of exploitation
Low: Exploitation is extremely difficult or impact is minimal
Update Time Frames
Severity rating: Recommended update time frame / Maximum update time frame
Critical: Within 24 hours / Within two weeks
Important: Within one month / Within two months
Moderate: Depending on expected availability, wait for the next service pack or update rollup that includes the update, or deploy the update within four months / Deploy the update within six months
Low: Depending on expected availability, wait for the next service pack or update rollup that includes the update, or deploy the update within one year / Deploy the update within one year, or choose not to deploy at all
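As an added example (mine, not from the webcast deck), the following PowerShell applies the time frames above to an inventory of outstanding bulletins and reports which systems have passed the recommended or the maximum window. The host names, bulletin IDs and dates are constructed placeholders, and the Moderate and Low "wait for the next service pack" option is treated as its outer bound (four months and one year).

```powershell
# Added example, not from the deck: deadline check against the "Update Time Frames" slide.
# Time frames in days; "24 hours" = 1, "two weeks" = 14, months approximated as 30 days.
$TimeFrames = @{
    Critical  = @{ Recommended = 1;   Maximum = 14  }
    Important = @{ Recommended = 30;  Maximum = 60  }
    Moderate  = @{ Recommended = 120; Maximum = 180 }
    Low       = @{ Recommended = 365; Maximum = 365 }   # or "choose not to deploy at all"
}

function Get-UpdateDeadline {
    # Returns the recommended and maximum install-by dates for one bulletin.
    param(
        [Parameter(Mandatory)][ValidateSet('Critical','Important','Moderate','Low')][string]$Severity,
        [Parameter(Mandatory)][datetime]$ReleaseDate
    )
    $tf = $TimeFrames[$Severity]
    [pscustomobject]@{
        Severity    = $Severity
        Recommended = $ReleaseDate.AddDays($tf.Recommended)
        Maximum     = $ReleaseDate.AddDays($tf.Maximum)
    }
}

function Get-OverdueUpdates {
    # Lists every (computer, bulletin) pair that is not installed and is past a window.
    param(
        [Parameter(Mandatory)][object[]]$Inventory,   # Computer, Bulletin, Severity, ReleaseDate, Installed
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($entry in ($Inventory | Where-Object { -not $_.Installed })) {
        $deadline = Get-UpdateDeadline -Severity $entry.Severity -ReleaseDate $entry.ReleaseDate
        $status = 'WithinWindow'
        if ($AsOf -gt $deadline.Recommended) { $status = 'PastRecommended' }
        if ($AsOf -gt $deadline.Maximum)     { $status = 'PastMaximum' }
        if ($status -ne 'WithinWindow') {
            [pscustomobject]@{
                Computer   = $entry.Computer
                Bulletin   = $entry.Bulletin
                Severity   = $entry.Severity
                DaysOpen   = [int]($AsOf - $entry.ReleaseDate).TotalDays
                Status     = $status
                MaximumDue = $deadline.Maximum.ToString('yyyy-MM-dd')
            }
        }
    }
}

# Constructed sample inventory; "MSxx-00n" are placeholder IDs, not real bulletins.
$sample = @(
    [pscustomobject]@{ Computer='SRV01'; Bulletin='MSxx-001'; Severity='Critical';  ReleaseDate=[datetime]'2005-06-14'; Installed=$false }
    [pscustomobject]@{ Computer='SRV02'; Bulletin='MSxx-001'; Severity='Critical';  ReleaseDate=[datetime]'2005-06-14'; Installed=$true  }
    [pscustomobject]@{ Computer='WKS07'; Bulletin='MSxx-002'; Severity='Important'; ReleaseDate=[datetime]'2005-06-14'; Installed=$false }
    [pscustomobject]@{ Computer='WKS09'; Bulletin='MSxx-003'; Severity='Moderate';  ReleaseDate=[datetime]'2005-06-14'; Installed=$false }
)

# With AsOf = 2005-07-20: SRV01 is PastMaximum (Critical, 36 days open), WKS07 is PastRecommended
# (Important, past one month but inside two months), WKS09 is still within its four-month window.
Get-OverdueUpdates -Inventory $sample -AsOf ([datetime]'2005-07-20') | Format-Table -AutoSize
```

Feed it a real inventory (for example, rows exported from an MBSA or WSUS report) and run it from a scheduled task; the Status column is what you would alert on.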
Improving the Updating Experience
Your need: Microsoft response
• Reduce update frequency: Reduced frequency of non-emergency update releases from once per week to once per month
• Reduce updating complexity: Reduced number of update installer technologies
• Reduce risk of update deployment: Improved update quality and introduced update rollback capability
• Reduce update size: Developed "delta updating" technology to reduce update size
Mydoom: Block port 1034; update antivirus signatures; implement application security
Sasser: Block ports 445, 5554, and 9996; install the latest security update
Blaster: Install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP port 69 (TFTP) and TCP port 4444 (remote command shell); update antivirus signatures
SQL Slammer: Install the latest security update; block UDP port 1434
Download.Ject: Install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS
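An added example (mine, not from the deck) that turns the port list above into inbound Windows Firewall block rules. It uses New-NetFirewallRule, which exists on Windows 8 / Server 2012 and later rather than the Windows 2000/2003 systems the deck targets; the rule names are my choice, and the protocol for Mydoom's port 1034 is assumed to be TCP because the slide does not state one.

```powershell
# Added example, not from the deck: host firewall block rules for the worm ports on the slide.
# Requires an elevated session on Windows 8 / Server 2012 or later (NetSecurity module).

# Ports reproduced from the slide, grouped by worm and protocol.
$WormPorts = @(
    @{ Worm = 'Blaster';    Protocol = 'TCP'; Ports = @(135, 139, 445, 593, 4444) }
    @{ Worm = 'Blaster';    Protocol = 'UDP'; Ports = @(135, 137, 138, 69) }
    @{ Worm = 'Sasser';     Protocol = 'TCP'; Ports = @(445, 5554, 9996) }
    @{ Worm = 'SQLSlammer'; Protocol = 'UDP'; Ports = @(1434) }
    @{ Worm = 'Mydoom';     Protocol = 'TCP'; Ports = @(1034) }   # protocol assumed; slide gives port only
)

function Add-WormBlockRules {
    # Creates one inbound Block rule per (worm, protocol); idempotent on the display name.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Any', 'Domain', 'Private', 'Public')][string]$Profile = 'Any'
    )
    foreach ($entry in $WormPorts) {
        $name = "Block $($entry.Worm) $($entry.Protocol)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -Protocol $entry.Protocol -LocalPort $entry.Ports -Profile $Profile | Out-Null
        }
    }
}

# Preview with -WhatIf first; drop it to apply.
Add-WormBlockRules -WhatIf -Verbose
```

Blocking TCP 135, 139 and 445 on a host that serves file shares, or that domain members reach over RPC, breaks those services; the slide's advice fits the network perimeter or hosts that do not offer them, so scope the -Profile (for example Public only) accordingly and test before rolling out.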
What Is Defense-in-Depth?
Using a layered approach:
• Increases an attacker's risk of detection
• Reduces an attacker's chance of success
(Figure: layer labels recoverable from the diagram are "Security policies, procedures, and education" and "People who understand their roles and responsibilities".)
Requirements for Successful Update Management
Update Management Process
1. Assess
• Inventory computing assets
• Assess threats and vulnerabilities
• Determine the best source for information about new updates
• Assess your software distribution infrastructure
• Assess operational effectiveness
2. Identify
• Discover new updates
• Determine whether updates are relevant to your environment
• Obtain the update and confirm it is safe
• Determine whether the update is a normal change or an emergency
3. Evaluate and Plan
• Determine whether the update is actually required
• Plan the release of the update
• Build the release
• Perform acceptance testing
4. Deploy
• Prepare for deployment
• Deploy the update to targeted computers
• Review the deployment
Microsoft Update Management Guidance
• Guide: Patch Management Process
• How To: Implement Patch Management
• How To: Use Microsoft Baseline Security Analyzer (MBSA)
• How To: Perform Patch Management Using SMS
• Microsoft Windows Server Update Services Deployment Guide
The guide and articles are available on the Patch Management page of the Microsoft TechNet Web site.
The WSUS deployment guide is available on the Microsoft Windows Server Update Services Deployment Guide page of the Microsoft Windows Server System Web site.
Size of organization | Scenario | Update management solution
Consumer | All scenarios | Microsoft Update
Small organization | Has no Windows servers | Microsoft Update
Small organization | Has one to three Windows 2000 or newer servers and one IT administrator | MBSA and WSUS
Medium-sized or large enterprise | Wants an update management solution with basic control to update Windows 2000 and newer versions of Windows | MBSA and WSUS
Medium-sized or large enterprise | Wants a single flexible update management solution with an extended level of control to update and distribute all software | Systems Management Server
Update Management Solution for Consumers and Small Organizations
• Update management solution based on Protect Your PC:
  1. Use an Internet firewall
  2. Get computer updates (Microsoft Update)
  3. Use up-to-date antivirus software
• Deploy Microsoft® Windows® XP SP 2
• See the Protect Your PC page on the Microsoft Security at Home Web site
Downloads page of the Microsoft Office Online Web site:
• Benefits:
  – Single location for Microsoft® Office updates
  – Easy to use
  – Can download delta or full-file versions of updates
• Limitation:
  – Does not support Automatic Updates; updating must be initiated manually
• The Microsoft Update site includes Office updates and supports Automatic Updates
• Visit the Downloads page of the Microsoft Office Online Web site
Update Management Solution for Small and Medium-Sized Organizations
Size of organization | Scenario | Update management solution
Small | Has one to three servers running Windows 2000 or later and one IT administrator | MBSA and WSUS
Medium or large | Wants an update management solution with a basic level of control that updates computers running Windows 2000, Windows XP, and Windows Server 2003 and some Microsoft applications | MBSA and WSUS
MBSA Benefits
• Scans systems for:
  – Missing security updates
• Works with a broad range of Microsoft software
• Allows an administrator to centrally scan multiple computers simultaneously
• MBSA is a free tool and can be downloaded from the Microsoft Baseline Security Analyzer page on the Microsoft TechNet Web site
MBSA Considerations
• Password weaknesses
• Guest account not disabled
• Auditing not configured
• Unnecessary services installed
• IIS security issues
• Internet Explorer zone settings
• Automatic Updates configuration
• Windows XP firewall configuration
MBSA – How It Works
(Figure: components shown are the Windows Download Center, WSUSScan.cab, MBSA, and the scanned computer; MBSA obtains WSUSScan.cab from the Download Center and scans the computer against it.)
MBSA – Scan Options
• MBSA has two scan options:
  – MBSA graphical user interface (GUI)
  – MBSA standard command-line interface (mbsacli.exe)
• When scanning for security updates, you can configure MBSA to:
  – Update the Microsoft Update Agent on all scanned computers
  – Use a WSUS server as the update source
  – Use Microsoft Update as the update source
Demonstration: Using the Microsoft Baseline Security Analyzer
• Scan a computer using MBSA
• Review an MBSA report
• Examine the Mbsacli.exe command-line tool
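An added example (mine, not Microsoft's) for the offline-catalog workflow in "MBSA – How It Works" and the "Obtain the update and confirm it is safe" step of the process: verify that the downloaded WSUSScan.cab carries a valid Authenticode signature from the expected publisher before scanning with it, then run mbsacli.exe against a list of computers. Assumptions: the mbsacli.exe install path, the catalog, list-file and report paths, and the /listfile, /catalog, /rd and /nvc switches as I recall them from the MBSA 2.x command line (confirm against mbsacli /? on your version).

```powershell
# Added example, not from the deck. Paths and mbsacli switches are assumptions; see lead-in.
$MbsaCli   = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'  # assumed install path
$Catalog   = 'C:\MBSA\wsusscan.cab'     # offline catalog downloaded from the Download Center
$HostList  = 'C:\MBSA\computers.txt'    # one computer name per line
$ReportDir = 'C:\MBSA\Reports'

function Test-CatalogSignature {
    # Confirms the catalog has a valid Authenticode signature from the expected publisher.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubject = 'CN=Microsoft Corporation*'   # pin the signer thumbprint instead where you can
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = $subject
        Valid   = ($sig.Status -eq 'Valid' -and $subject -like $ExpectedSubject)
    }
}

function Invoke-MbsaCatalogScan {
    # Refuses to scan with an unverified catalog, then runs one mbsacli pass over the list.
    param(
        [string]$CatalogPath = $Catalog,
        [string]$ListFile    = $HostList,
        [string]$OutDir      = $ReportDir
    )
    foreach ($f in $MbsaCli, $CatalogPath, $ListFile) {
        if (-not (Test-Path $f)) { throw "Missing file: $f" }
    }
    $check = Test-CatalogSignature -Path $CatalogPath
    if (-not $check.Valid) {
        throw "Refusing to scan: catalog signature status '$($check.Status)', signer '$($check.Subject)'"
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $log = Join-Path $OutDir ('mbsacli-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

    # /listfile: computers to scan; /catalog: offline update catalog; /rd: report directory;
    # /nvc: skip the MBSA version check. Switch names assumed from MBSA 2.x mbsacli /?.
    & $MbsaCli /listfile $ListFile /catalog $CatalogPath /rd $OutDir /nvc 2>&1 | Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0) { Write-Warning "mbsacli exited with code $LASTEXITCODE; see $log" }
    return $log
}

Invoke-MbsaCatalogScan
```

The signature check is the point: a catalog that reaches the scanning host through a proxy, a file share or a removable drive is part of your supply chain, and a tampered catalog would make missing updates look installed. Keep the console log alongside the per-computer reports MBSA writes so a failed run is visible to whoever reviews the results.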
WSUS Benefits
• Gives administrators control over update management
  – Administrators can review, test, and approve updates before deployment
• Simplifies and automates key aspects of the update management process
  – Can be used with Group Policy, but Group Policy is not required to use WSUS
• Easy to implement
• Free tool from Microsoft
Comparing SUS and WSUS
• Common features
  – Can only update computers running Windows XP, Windows 2000, or Windows Server 2003
  – No option for pushing updates; clients must pull updates from the server
• WSUS enhancements
  – Expanded support for Microsoft products such as Office, SQL Server, and Exchange Server
  – Can create and manage computer groups
  – More options for managing updates
  – More options for configuring agents
  – More efficient use of network bandwidth
WSUS – Client Component
• The client component of WSUS is Automatic Updates:
  – Can be configured to pull updates either from a corporate WSUS server or from Microsoft Update
  – Three ways to configure Automatic Updates:
    • Centrally, by using Group Policy
    • Manually configure clients
    • Use scripts to configure clients
  – WSUS requires a compatible Automatic Updates client
WSUS – Server Component
• The server component of WSUS is Windows Server Update Services (WSUS):
  – Can synchronize updates from Microsoft Update on a schedule
  – Provides a Web-based administrative GUI
  – Has several built-in default security features
  – Provides synchronization and update reports
  – Uses an MSDE or SQL Server database to store update metadata, events, and settings
  – Interface is localized in 17 languages
How to Use WSUS
• On the WSUS server:
  1. Administer the WSUS server at http://<server name>/WSUSAdmin
  2. Configure the WSUS server synchronization schedule and settings
  3. Create client computer groups and assign computers
  4. Review, test, and approve updates
• On each WSUS client:
  – Configure Automatic Updates on the client to use the WSUS server
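The "use scripts to configure clients" option and the "configure Automatic Updates on the client to use the WSUS server" step, as an added example (mine, not from the deck): it writes the same WindowsUpdate policy registry values that the Group Policy template sets, verifies them, and asks the client to check in. The server URL and target group name are placeholders; the registry value names are the documented WindowsUpdate policy values, and the wuauclt switches are those of the Windows XP/Server 2003 Automatic Updates client.

```powershell
# Added example, not from the deck: point Automatic Updates at a WSUS server via policy registry values.
# Run elevated. Placeholder server; prefer an https URL so the client authenticates the server.
$WsusServer = 'http://wsus.example.local'   # placeholder, include the port WSUS listens on if not 80
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey      = Join-Path $PolicyKey 'AU'

function Set-WsusClientPolicy {
    # Writes WUServer/WUStatusServer and the AU values; same effect as the WSUS Group Policy settings.
    param(
        [Parameter(Mandatory)][string]$ServerUrl,
        [ValidateSet(2, 3, 4)][int]$AUOptions = 4,    # 2 notify, 3 download + notify, 4 download + scheduled install
        [ValidateRange(0, 7)][int]$InstallDay = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)][int]$InstallHour = 3,
        [string]$TargetGroup                         # optional client-side targeting group name
    )
    if ($ServerUrl -notmatch '^https?://') { throw 'ServerUrl must be an http(s) URL' }
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $ServerUrl -Type String
    if ($TargetGroup) {
        Set-ItemProperty -Path $PolicyKey -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name TargetGroup        -Value $TargetGroup -Type String
    }
    Set-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1 -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value $AUOptions -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
}

function Test-WsusClientPolicy {
    # Reads the values back so a deployment script can assert on the result.
    param([Parameter(Mandatory)][string]$ServerUrl)
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerMatches = ($wu.WUServer -eq $ServerUrl -and $wu.WUStatusServer -eq $ServerUrl)
        UsesWsus      = ($au.UseWUServer -eq 1)
        AutoUpdateOn  = ($au.NoAutoUpdate -eq 0)
        AUOptions     = $au.AUOptions
    }
}

Set-WsusClientPolicy -ServerUrl $WsusServer -TargetGroup 'Pilot'
Test-WsusClientPolicy -ServerUrl $WsusServer

# XP / Server 2003 Automatic Updates client: drop the cached WSUS authorization cookie and detect now.
& wuauclt.exe /resetauthorization /detectnow
```

If the computer is a domain member and a GPO also sets these values, Group Policy refresh will overwrite whatever the script wrote, so use the script only for machines outside that GPO's scope (the deck's "manually configure" and "use scripts" cases) and the GPO everywhere else.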
Demonstration: Implementing Windows Server Update Services
• Configure Windows Server Update Services
• Configure Group Policy settings for WSUS clients
• Distribute updates using WSUS
• View WSUS reports
Migrating from SUS to WSUS
• You can install SUS and WSUS on the same computer
• You can migrate updates and approvals
• Use the WSUSUTIL.exe command-line tool
• Configure the clients to use the WSUS server
• Use the Automatic Updates self-update feature to update the client
• For computers running Windows XP with no service packs, first install the SUS Automatic Updates client
Update Management Solution for Medium-Sized and Large Organizations
Capability | WSUS | SMS 2003
Supported platforms for content | Windows 2000, Windows XP, Windows Server 2003 | Windows NT® 4.0, Windows 98, Windows 2000, Windows XP, Windows Server 2003
Supported content types | Security and security rollup updates, critical updates, and service packs for the above operating systems, and updates for some Microsoft applications | All updates, service packs, and updates for the above operating systems; supports updates and application installations for Microsoft and other applications
Systems Management Server Benefits
• For a full software distribution update management solution, use:
  – Systems Management Server 2003, or
  – Systems Management Server 2.0 with the SUS Feature Pack
• Benefits of using Systems Management Server:
  – Update management
  – Automates key aspects of update management
  – Can update a broad range of Microsoft products
  – Can be used to update third-party software and install other software updates or applications
Systems Management Server MBSA Integration
• MBSA integration is included with SMS 2003 and the SUS Feature Pack for SMS 2.0
• Scans SMS clients for missing security updates using mbsacli.exe /hf
  1. SMS directs the client to run a local MBSA scan
  2. The client performs the scan and returns the data to the SMS server
  3. The SMS server parses the data to determine which computers need which security updates
  4. The administrator pushes missing updates only to the clients that require them
Systems Management Server Limitations
• Command-line syntax must be configured for unattended installation of each update
• Microsoft Office updates require extraction to edit a settings file for unattended installation
• International updates must be manually downloaded from a Web page
Systems Management Server – How It Works
(Figure: components shown are Microsoft Update, the firewall, the Systems Management Server site server, Systems Management Server distribution points, and Systems Management Server clients.)
Best Practices for Update Management
• Implement a good update management process
• Choose an update management solution that meets your organization's needs
• Subscribe to the Microsoft Security Notification Service
• Make use of Microsoft guidance and resources
• Keep your systems up to date
Session Summary
• Implementing security updates promptly is a critical component of a security management plan
• Update management needs to follow your standard network management processes
• For small and medium-sized businesses, MBSA and WSUS together provide an excellent update management solution
Next Steps
1. Find additional security training events:
   – The Microsoft Security Events and Webcasts Web site
2. Sign up for security communications:
   – The Microsoft TechNet Web site
3. Order the Security Guidance Kit:
   – The Microsoft TechNet Web site
4. Get additional security tools and content:
   – The Microsoft Security Web site
Next Steps
1. Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
2. Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
3. Get additional security tools and content: http://www.microsoft.com/security/guidance
• Visit TechNet at www.microsoft.com/technet
• Visit Microsoft Security at www.microsoft.com/security
Questions and Answers
• Submit text questions using the "Ask" button.
• Don't forget to fill out the survey.
• For upcoming and previously live webcasts: www.microsoft.com/webcasts
• Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781
• Today's webcast was presented using Microsoft Office Live Meeting. Get a free 14-day trial: http://www.microsoft.com/presentlive