Patch Warfare & Security Incident Response
Microsoft Corporation
Presented by Robert Hensing - PSS Security Specialist
Agenda
• Situation
• Solution Components
• Roadmap
• Security Incident Response
Customer Feedback
• Reduce Frequency, Quantity of Patches
• Inadequate Communications, Guidance, and Training
• Inconsistent Patching Experience
• Multiple, Incomplete Patch Management Tools
• Inconsistent Patch Quality
Addressing The Situation
• Security and patch management priority #1 – bar none – at Microsoft
• Microsoft problem
• Industry problem
• Ongoing battle with malicious hackers
• Microsoft taking a comprehensive, tactical and strategic approach to addressing the situation
Patch Management Initiative
Progress to Date (July 2004)

Informed & Prepared Customers
• Rationalized patch severity rating levels
• Better security bulletins and KB articles
• Security Guidance Kit; Patch Management guidance, etc.
• Security Mobilization Initiative – 500K IT Pros trained

Superior Patch Quality
• Improved patch testing process and coverage
• Expanded test process to include customers
• Reduced reboots by 10%; reduced patch size by up to 75%**

Consistent & Superior Update Experience
• Standardized patch and update terminology
• Standardized patch naming and installer switch options*
• Installer consolidation plan in place – will go from ~8 to 2
• Reduced patch release frequency from 1/week to 1/month

Best Patch & Update Management Solutions
• Released SMS 2003 which delivers expanded patch and update management capabilities
• Released MBSA 1.2 which integrates Office inventory scanning
• Windows Update Services in development

*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
More on the deliverables of the Patch Management Initiative in the Roadmap Section of this presentation…
Terminology

Name | Description | Distribution
Private Fix | An unofficial fix which may not be fully tested or packaged. It is released to the customer to verify that it solves the problem before final testing & packaging. | Limited to the customer who reported the problem.
Hotfix | A single cumulative package composed of one or more files used to address a defect in a platform. | Limited to customers who contact Microsoft Product Support Services and are experiencing the specific problem.
Update | A broadly released fix for a specific problem addressing a non-critical, non-security related bug. | Publicly available for download.
Critical Update | A broadly released fix for a specific problem addressing a critical, non-security related bug. | Publicly available for download.
Security Patch | A broadly released fix for a specific platform addressing a security vulnerability. | Publicly available for download.
Update Rollup | A cumulative set of hotfixes, security patches, critical updates and updates packaged together for easy deployment. A rollup targets a specific area such as "security" or component of the platform such as "IIS". | Publicly available for download.
Service Pack | A cumulative set of all hotfixes, security patches, critical updates, and updates created and fixes for issues found internally since the release of the platform. Service packs may also contain a limited number of customer requested design changes or features. Service packs are broadly distributed and therefore tested heavily. | Publicly available for download.
Naming Standards
824685 - Description of the File Names That Are Used for Microsoft Product Updates, Tools, and Add-ins
http://support.microsoft.com/?kbid=824685

The standardized file naming schema that Microsoft is adopting for packages that contain product updates, tools, and add-ins uses the following format: ProductName-KBArticleNumber-Option-Language.exe

• WindowsXP-KB123456-IA64-ENU.exe - An update for the English (US)-language version of Microsoft Windows XP for computers with 64-bit Intel processors. The update is associated with Microsoft Knowledge Base article 123456.
• OfficeXP-KB123456-Client-ENU.exe - An update for the English (US)-language version of Microsoft Office XP. The update is associated with Knowledge Base article 123456.
• SQL2000-KB123456-8.00.0000-JPN.exe - An update for the Japanese-language version of Microsoft SQL Server 2000 Build 8.00.000. The update is associated with Knowledge Base article 123456.
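As an added example (not code from the presentation or from KB 824685), here is a Python parser for the ProductName-KBArticleNumber-Option-Language.exe schema: it splits a package file name into its fields, renders a description in the style of the examples above, and groups a directory listing by KB article so non-conformant names stand out. Treating the Option field as optional, requiring a three-letter language code, and the small option/language meaning tables are my assumptions, not part of the naming standard as quoted here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables used only to produce readable descriptions; they cover
# the examples on the page plus a few obvious additions (assumption, not from KB 824685).
OPTION_MEANINGS = {
    "IA64": "computers with 64-bit Intel processors",
    "X86": "computers with 32-bit x86 processors",
    "CLIENT": "client installations",
    "SERVER": "server installations",
}
LANGUAGE_MEANINGS = {
    "ENU": "English (US)",
    "JPN": "Japanese",
}


@dataclass(frozen=True)
class UpdatePackage:
    product: str
    kb: int
    option: Optional[str]
    language: str


def parse_update_filename(filename: str) -> Optional[UpdatePackage]:
    """Return the fields of a schema-conformant file name, or None if it does not conform."""
    if not filename.lower().endswith(".exe"):
        return None
    parts = filename[:-4].split("-")
    # Product-KBnnnnnn-Language (3 parts) or Product-KBnnnnnn-Option-Language (4 parts).
    # An optional Option field is my assumption; the page's examples all carry one.
    if len(parts) not in (3, 4):
        return None
    product, kb_field, language = parts[0], parts[1], parts[-1]
    option = parts[2] if len(parts) == 4 else None
    if not re.fullmatch(r"[A-Za-z0-9]+", product):
        return None
    if not re.fullmatch(r"KB\d+", kb_field, re.IGNORECASE):
        return None
    if not re.fullmatch(r"[A-Za-z]{3}", language):
        return None
    return UpdatePackage(product, int(kb_field[2:]), option, language.upper())


def describe(pkg: UpdatePackage) -> str:
    """Render a description in the style of the examples on the page."""
    lang = LANGUAGE_MEANINGS.get(pkg.language, f"'{pkg.language}'")
    text = f"An update for the {lang}-language version of {pkg.product}"
    if pkg.option is not None:
        meaning = OPTION_MEANINGS.get(pkg.option.upper())
        if meaning is not None:
            text += f" for {meaning}"
        elif re.fullmatch(r"\d+(\.\d+)+", pkg.option):
            text += f" build {pkg.option}"  # dotted option = product build, as in the SQL example
        else:
            text += f" (option {pkg.option})"
    return text + f". The update is associated with Knowledge Base article {pkg.kb}."


def index_by_kb(filenames):
    """Group a directory listing by KB article; names that do not follow the schema are returned separately."""
    by_kb = {}
    rejected = []
    for name in filenames:
        pkg = parse_update_filename(name)
        if pkg is None:
            rejected.append(name)
        else:
            by_kb.setdefault(pkg.kb, []).append(pkg)
    return by_kb, rejected


# Constructed directory listing: the three page examples plus names that do not follow the schema.
SAMPLE_LISTING = [
    "WindowsXP-KB123456-IA64-ENU.exe",
    "OfficeXP-KB123456-Client-ENU.exe",
    "SQL2000-KB123456-8.00.0000-JPN.exe",
    "Windows2000-KB654321-x86-ENU.exe",
    "setup.exe",                    # no KB field at all
    "WindowsXP-KB123456-ENU.msi",   # wrong extension for the schema
]

if __name__ == "__main__":
    groups, bad = index_by_kb(SAMPLE_LISTING)
    for kb, pkgs in sorted(groups.items()):
        print(f"KB{kb}:")
        for p in pkgs:
            print("  " + describe(p))
    print("Non-conformant names:", bad)
```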
Bulletin Severity Rating System

Rating | Definition | Customer Action
Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Apply the patch or workaround immediately
Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources | Apply patch or workaround as soon as is feasible
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Evaluate bulletin, determine applicability, proceed as appropriate
Low | Exploitation is extremely difficult, or impact is minimal | Consider applying the patch at the next scheduled update interval

Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp
Decreasing Time To Patch (Blaster)
Phases: vulnerability reported to us / patch in progress → bulletin & patch available (no exploit) → exploit code in public → worm in the wild

July 1, 2003 – Report: Vulnerability in RPC/DCOM reported. MS activated highest level emergency response process.
July 16, 2003 – Bulletin: MS03-026 delivered to customers (7/16/03). Continued outreach to analysts, press, community, partners, government agencies.
July 25, 2003 – Exploit: X-focus (Chinese group) published exploit tool. MS heightened efforts to get information to customers.
Aug 11, 2003 – Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. “SoBig”).

Blaster shows the complex interplay between security researchers, software companies, and hackers.
Decreasing Time To Patch (Sasser)
Phases: bulletin & patch available (no exploit) → exploit code in public → worm in the wild

April 13 – Bulletin: bulletin & patch delivered to customers. Continued outreach to analysts, press, community, partners, government agencies.
April 24-29 – Exploit: Reverse shell code posted to various web sites.
April 30 – Worm: Sasser worm discovered. Multiple variants hit simultaneously.

Sasser shows the continually shrinking window between the time a patch is released, exploit code is generally available and a worm is written to exploit it.
Solution Components

Prescriptive Guidance
• Microsoft Guide to Security Patch Management
• Patch Management Using SUS
• Patch Management Using SMS

Analysis Tools
• Microsoft Baseline Security Analyzer (MBSA)
• Office Inventory Tool*

Online Update Services
• Windows Update
• Office Update

Content Repositories
• Windows Update Catalog
• Office Download Catalog
• Microsoft Download Center

Management Tools
• Automatic Updates (AU) feature in Windows
• Software Update Services (SUS)
• Systems Management Server (SMS)

*Office Inventory Tool is no longer needed – MBSA 1.2 (released in January 2004) includes Office scanning functionality
Update Management Guidance
• Implementing a consistent, high quality update management process is the key to successful update management
• Microsoft delivers best practices prescriptive guidance for effective update management
• Uses Microsoft Operations Framework (MOF)
• Based on ITIL* (de facto standard for IT best practices)
• Details requirements for effective update management:
  – Technical & operational pre-requisites
  – Operational processes & how technology supports them
  – Daily, weekly, monthly & as-needed tasks to be performed
  – Testing options
• Three update management guidance offerings
  – Microsoft Guide to Security Patch Management**
  – Patch Management using Software Update Services***
  – Patch Management using Systems Management Server***

*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
MBSA
Diagram: update management cycle – Assess, Identify, Evaluate & Plan, Deploy (entered on a new update)
• Helps identify vulnerable Windows systems
• Scans for missing security patches and common security mis-configurations
• Scans various versions of Windows and other Microsoft applications
• Scans local or multiple remote systems via GUI or command line invocation
• Generates XML scan reports on each scanned system
• Runs on Windows Server 2003, Windows 2000 and Windows XP
• Integrates with SUS & SMS
MBSA: How It Works*
Diagram: Microsoft Download Center → MSSecure.xml → MBSA computer → target computers; SUS Server

MSSecure.xml contains
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.

1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates

*Only covers security patch scanning capabilities, not security configuration detection issues
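Added example, not MBSA's code and not the real MSSecure.xml format: a Python sketch of steps 4 to 6 over a constructed, simplified catalog. It parses the catalog, compares installed file versions numerically (not as strings) against the versions each bulletin requires, treats bulletins for products that are not installed as not applicable, and renders a time stamped report of missing updates; the CAB download and signature check of step 2 are not reproduced. The bulletin ids, KB numbers, file names and versions are sample values I made up.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, simplified update catalog in the spirit of MSSecure.xml. This is NOT
# the real MSSecure.xml schema; ids, KB numbers, file names and versions are sample values.
CATALOG_XML = """<Catalog>
  <Bulletin id="MS-SAMPLE-001" kb="111111" product="WindowsXP">
    <File name="rpcss.dll" minVersion="5.1.2600.1254"/>
  </Bulletin>
  <Bulletin id="MS-SAMPLE-002" kb="222222" product="WindowsXP">
    <File name="lsasrv.dll" minVersion="5.1.2600.1361"/>
    <File name="netapi32.dll" minVersion="5.1.2600.1343"/>
  </Bulletin>
  <Bulletin id="MS-SAMPLE-003" kb="333333" product="SQL2000">
    <File name="sqlservr.exe" minVersion="2000.80.818.0"/>
  </Bulletin>
</Catalog>"""

# Constructed result of scanning one target system (slide step 3):
# product -> file name -> installed file version. SQL2000 is not installed here.
SAMPLE_INVENTORY = {
    "WindowsXP": {
        "rpcss.dll": "5.1.2600.1254",     # exactly the required version
        "lsasrv.dll": "5.1.2600.1106",    # older than required
        "netapi32.dll": "5.1.2600.1343",  # current
    },
}


@dataclass
class FileRequirement:
    name: str
    min_version: str


@dataclass
class Bulletin:
    id: str
    kb: str
    product: str
    files: List[FileRequirement]


@dataclass
class MissingUpdate:
    bulletin: str
    kb: str
    file: str
    installed: Optional[str]  # None when the file is absent altogether
    required: str


def parse_catalog(xml_text: str) -> List[Bulletin]:
    """Slide step 4: read the catalog to learn which updates exist and what files they ship."""
    root = ET.fromstring(xml_text)
    bulletins = []
    for b in root.findall("Bulletin"):
        files = [FileRequirement(f.get("name"), f.get("minVersion")) for f in b.findall("File")]
        bulletins.append(Bulletin(b.get("id"), b.get("kb"), b.get("product"), files))
    return bulletins


def version_key(version: str):
    """Compare versions numerically: as strings, "5.1.2600.999" would sort after "5.1.2600.1254"."""
    return tuple(int(part) for part in version.split("."))


def find_missing(bulletins: List[Bulletin], inventory: Dict[str, Dict[str, str]]) -> List[MissingUpdate]:
    """Slide step 5: a bulletin is missing if any file it ships is absent or older than required."""
    missing = []
    for b in bulletins:
        installed_files = inventory.get(b.product)
        if installed_files is None:
            continue  # product not on this system, so the bulletin does not apply
        for req in b.files:
            installed = installed_files.get(req.name)
            if installed is None or version_key(installed) < version_key(req.min_version):
                missing.append(MissingUpdate(b.id, b.kb, req.name, installed, req.min_version))
    return missing


def render_report(missing: List[MissingUpdate], scanned_at: Optional[dt.datetime] = None) -> str:
    """Slide step 6: time stamped report of missing updates."""
    when = scanned_at or dt.datetime.now()
    lines = [f"Missing security updates as of {when.isoformat(timespec='seconds')}"]
    if not missing:
        lines.append("  none")
    for m in missing:
        have = m.installed if m.installed is not None else "(file absent)"
        lines.append(f"  {m.bulletin} (KB{m.kb}): {m.file} installed {have}, requires {m.required}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_missing(parse_catalog(CATALOG_XML), SAMPLE_INVENTORY)
    print(render_report(found, dt.datetime(2004, 7, 1, 9, 30)))
```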
Windows Update (WU)
Microsoft online update service (windowsupdate.microsoft.com):
• Identifies missing Windows OS* patches / updates on accessing computer
• Generates targeted list of missing updates
• Installs user selected missing updates
• Provides update installation history
• WU content can be automatically downloaded via Automatic Updates

Supplemented by Windows Update Catalog site which provides:
• Comprehensive repository for all Windows and ‘Designed for Windows’ logo device driver updates
• Search – to find desired update
• Manual download of desired updates
• Download history for accessing computer

*Windows 98 and later versions. Note: also updates 64-bit editions of Windows Server
Windows Update: How It Works
Scenario 1: User Initiated Access. Scenario 2: Access via Automatic Updates (AU).

1. User points browser to WU site & selects ‘Scan for updates’ or AU automatically checks for new updates (every 17-22 hours)
2. Client side code (CC) in browser (or AU) validates WU server & gets download catalog metadata
3. CC (or AU) uses metadata to identify missing updates
4. WU (or AU -- if so configured) lists missing updates and user selects updates to download
5. CC (or AU) downloads, validates, & installs updates. AU downloads using BITS, and can be configured to allow user to select updates to install
6. CC (or AU) updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy
SUS 1.0
• Deploys Windows security patches, security rollups, critical updates, and service packs only
• Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
• Provides patch download, deployment, and installation configuration options
• Bandwidth optimized content deployment
• Provides central administrative control over which patches can be installed from Windows Update
• Provides basic patch installation status logging
SUS 1.0: How It Works
Diagram: Windows Update Service → (firewall) → Parent SUS Server → Child SUS Servers, with bandwidth throttling on each link

1. SUS Server checks for updates every 24 hours*
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers**
4. AU (the SUS client) gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records install history

*Configurable 1/day or 1/week
**SUS maintains approval logs & download, sync, & install statistics
SUS Client Component: Automatic Updates
• Centrally configurable to get updates either from corporate SUS server or Windows Update service
• Can auto-download and install patches under admin control
• Consolidates multiple reboots to a single reboot when installing multiple patches
• Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
• Localized in 24 languages
SUS Server Component: SUS Server
• Downloads updates from Windows Update
• Web based administration GUI
  – Specify server & update process configuration options
  – View downloaded updates
  – Approve updates & view approved updates
• Security by design and default
  – Requires NTFS; Installs IIS Lockdown and URL scanner*
  – Supports secure administration over SSL
  – Digital signatures on downloaded content validate authenticity
  – Uses HTTP for content synchronization – only port 80 needs to be open
• Server side XML based logging on Web server
  – Patch deployment & installation statistics
• Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
• Localized** in English & Japanese

*If not already installed
**Note: Delivers updates for all 24 supported client languages
SMS 2003
• Identifies & deploys missing Windows and Office security patches on target systems
• Can deploy any patch, update, or application in Windows environments
• Inventory management & inventory based targeting of software installs
• Install verification and detailed reporting
• Flexible scheduling of content sync & installs
• Central, full administrative control over installs
• Bandwidth optimized content distribution
• Software metering and remote control capabilities
SMS 2003 Patch Management: How It Works
Diagram: Microsoft Download Center → (firewall) → SMS Site Server → SMS Distribution Points → SMS Clients

1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates
SMS 2003 Patch Management: Functionality
• System scanning & patch content download
  – Content from Microsoft Download Center
  – MBSA & Office Inventory plug-ins scan for missing patches
  – Supports updating of remote & mobile devices
  – Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
• Administrator control
  – Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
  – Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
  – Specific start and end times (change windows); multiple change windows
  – Easily move patches from testing into production
  – Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic reference system configuration

SMS 2003 Patch Management: Functionality (2)
• Patch download & installation
  – Delta replication (site-site, server-server) of patches
  – Uses BITS* for mobile / remote client-server
  – Uses SMB* for LAN / priority situations
  – Reminders and rescheduling of install / reboot & enforcement dates
  – Optimized graceful reboots, but forced when enforcement date arrives
  – Per-patch reboot-needed detection to reduce reboots
• Status & Compliance Reporting
  – Deployment status as patches are attempted
  – Standard and customized reports through read-only SQL queries
  – Determine actual baselines in the environment before changing the environment
  – SLA measurement and rate-of-spread

*Requires SMS Advanced Client
Choosing A Patch Management Solution: Needs-Based Selection
Adopt the solution that best meets the needs of your organization

Capability | Windows Update | SUS 1.0 | SMS 2003
Core Patch Management Capabilities
Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98*
Supported Content Types | All patches, updates (including drivers), & service packs (SPs) for the above | Only security & security rollup patches, critical updates, & SPs for the above | All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps
Granularity of Control
Targeting Content to Systems | No | No | Yes
Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment & server sync)
Patch Distribution Control | No | Basic | Advanced
Patch Installation & Scheduling Flexibility | Manual, end user controlled | Admin (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities
Patch Installation Status Reporting | Assessing computer history only | Limited (client install history & server based install logs) | Comprehensive (install status, result, and compliance details)
Additional Software Distribution Capabilities
Deployment Planning | N/A | N/A | Yes
Inventory Management | N/A | N/A | Yes
Compliance Checking | N/A | N/A | Yes
*MBSA does not support scanning Win98 – Win98 can be updated using SMS 2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution: Typical Customer Decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software | SMS
Large or Medium Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** | SUS
Small Business | Have at least 1 Windows server and 1 IT administrator** | SUS
Small Business | All other scenarios | Windows Update
Consumer | All scenarios | Windows Update
*Windows 2000, Windows XP, Windows Server 2003
**Customer uses Windows Update or manual process for other OS versions & applications software
What could be better than patching?
Not having to patch . . . Introducing Slipstreaming!

Slipstreaming
“Slipstreaming” – Integrating a patch into a product installation directory
Windows, Internet Explorer, and Office support “Slipstreaming”
It’s so simple! An example . . .
Copy Windows 2000 CD to network share
“Slipstream” Service Pack 4 into the share
“Slipstream” all post-SP4 critical security updates into the share
Perform network / RIS installation of Windows 2000 from that share
Fully patched after setup completes!
Slipstreaming
For instructions on “slipstreaming” service packs – consult the deployment guide for the service pack you are deploying
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
For instructions on “slipstreaming” hotfixes and updates – consult the hotfix deployment guide
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm
Finding critical security updates to slipstream
Subscribe to the Security Alert Notification Service
We’ll tell you when critical updates are available!
http://www.microsoft.com/security/security_bulletins/alerts2.asp
Visit the Security Bulletin Search site to view security bulletins for all products
http://www.microsoft.com/technet/security/current.aspx
Under Product/Technology choose the product you are interested in finding updates for
Under Service Pack choose the SP level you are using
Check “Show only bulletins that have not been superseded” and press ‘Go’
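The slipstream walk-through above is a fixed sequence: copy the CD, integrate the service pack, integrate each post-SP update, then install from the share. The script below is an added example, not code from the presentation or from Microsoft, that plans that sequence, checks the share layout and the package list before anything runs, and defaults to a dry run. The package names are placeholders, and the integrate switches (`-s:` for the service pack, `/integrate:` for post-SP updates) are assumptions to be confirmed against the deployment guides linked above for the packages you actually use.

```python
"""Added example (not from the presentation): plan a Windows 2000 slipstream
build in the order the slide gives: copy the CD to a share, integrate the
service pack, then integrate each post-SP critical update, and install from
the share. Package names are constructed placeholders.

Assumed (not stated on the slide): the service pack package takes the
``-s:<share>`` switch and post-SP update packages take ``/integrate:<share>``;
confirm both against the deployment guides linked above for your packages."""
import os
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class SlipstreamPlan:
    share: str                  # install share that holds the copied CD (i386 directory)
    service_pack: str           # service pack package, e.g. W2KSP4_EN.EXE (assumed name)
    updates: List[str] = field(default_factory=list)  # post-SP update packages

    def commands(self) -> List[List[str]]:
        """Ordered command lines. The service pack must go in before any post-SP
        update; integrating the SP afterwards would overwrite the newer hotfix
        binaries with the SP's older copies."""
        cmds = [[self.service_pack, f"-s:{self.share}"]]        # assumed SP switch
        for pkg in self.updates:
            cmds.append([pkg, f"/integrate:{self.share}"])     # assumed hotfix switch
        return cmds


def validate_plan(plan: SlipstreamPlan,
                  listdir: Callable[[str], List[str]] = os.listdir,
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return problems found before anything is run (empty list = OK).
    `listdir`/`exists` are injectable so the check can run against a
    constructed layout in a test."""
    problems = []
    try:
        entries = {e.lower() for e in listdir(plan.share)}
    except OSError as exc:
        return [f"cannot read {plan.share}: {exc}"]
    if "i386" not in entries:
        problems.append("share has no i386 directory: copy the Windows 2000 CD first")
    for pkg in [plan.service_pack] + plan.updates:
        if not exists(pkg):
            problems.append(f"package not found: {pkg}")
    if len(set(plan.updates)) != len(plan.updates):
        problems.append("an update package is listed twice")
    return problems


def run_plan(plan: SlipstreamPlan, dry_run: bool = True) -> List[str]:
    """Run (or, by default, only print) the plan; returns the command lines.
    Stops at the first package that fails so the share is never left half-built."""
    lines = []
    for cmd in plan.commands():
        line = " ".join(cmd)
        lines.append(line)
        if dry_run:
            print("[dry-run]", line)
        else:
            subprocess.run(cmd, check=True)
    return lines


if __name__ == "__main__":
    demo = SlipstreamPlan(r"\\srv\w2k", "W2KSP4_EN.EXE",
                          ["W2K-KB000001-x86.exe", "W2K-KB000002-x86.exe"])  # placeholders
    for p in validate_plan(demo, listdir=lambda _: ["i386"], exists=lambda _: True):
        print("problem:", p)
    run_plan(demo)
```

Run it with `dry_run=False` only after `validate_plan` returns an empty list; the ordering rule in `commands()` is the part that matters in practice, since integrating a service pack after the hotfixes silently reverts them.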
Informed & Prepared Customers
[Roadmap chart, Q1 ‘03 through H1 ‘05: Clearer Severity Rating Levels; Security Bulletin Teleconferences; Improved KB Articles; Patch Management Guides; Bulletin Search Page; Security Readiness Kit (Guides, Tools, Best Practices); Revised Patch Management Guides; Patch Management Roadmap; Patch Management White Paper; Sustaining Engineering Practices White Paper; Security Guidance Kit; GTM Partnership Deliverables; Patch Management Workshops; Patch Management Guidance for Windows Update Services; Updated Patch Management Guidance for SMS 2003 SP1]
New Security & Patch Management workshops
Regular web casts on security patch management*
Updated roadmap, whitepapers, and guidance
*See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts
Consistent & Superior Update Experience
[Roadmap chart, Q1 ‘03 through Q4 ‘04: MSI 3.0; 2 Installers: MSI, Update.exe; Naming & signing standard defined; Standard terminology for documentation defined; Standard installer switches defined; Patches & Security Bulletins released once a month; Standard Titles* defined; Standard Registry Entries defined; Standard Detection Manifest; Add/Remove Program improvements in XP SP2; Product teams compliant with SE Baseline standards]
MSI 3.0 supports uninstall, binary delta patching, etc.
Converge to two installers -- end of 2004
Consistency standards implemented in all new updates -- end of 2004
*For Add/Remove Programs, Windows Update, and Download Center
Superior Patch Quality
[Roadmap chart, Q1 ‘03 through H1 ‘05: 25% Reduction in Patch Size; 10% Reduction in Patch Reboots; 75% Reduction in Patch Size*; 90% Reduction in Patch Size; 30+% Reduction in Patch Reboots**; Patch test process includes participating customers; Installer restarts services when possible]
Up to 75% reduction in patch size*
10% reduction in patch reboots
Patch test process extended to include customers
*For Windows Update installs, more than 25% reduction for other patches
**For Windows Server 2003 patches using HotPatching (in-memory patching) technology, delivered in SP1
MBSA Update Scanning Futures
Overall direction
Microsoft will have a single scanning engine for detecting missing updates
The scanning engine will be part of the Windows Update Services / Automatic Updates client
MBSA and other products that need to detect or report on missing updates will request this information from the Windows Update Services / Automatic Updates client
MBSA becomes Windows vulnerability assessment & mitigation engine
Near-term plans
MBSA 2.0 (H1 2005)
Initial integration with Windows Update Services / Automatic Update client for update scanning
Further deprecation of native MBSA scanning occurs on an ongoing basis as Microsoft Update continues to add support for updating additional Microsoft software over time
WU and XPSP2 AU Improvements
New release of Windows Update (v 5)
Improved homepage design and navigation
Implements download throttling for dial-up and low bandwidth connections
Will not recommend updates that have already been installed
Download regulation feature reduces amount of data transmitted per update
Improved ability to update systems with latest critical updates
Customer offered choice during Windows XP SP2 install to have AU automatically download and install critical updates
New version of Automatic Update client
Uses BITS 2.0 to enable restart of interrupted download and improved bandwidth throttling
Ability to delay reboot to next system shutdown
Microsoft Hosted Update Services: Microsoft Update
Microsoft Update
Online service and update repository for updating all Microsoft software
Microsoft Update: superset of Windows Update
Initially supports Windows XP, Windows 2000, Windows Server 2003, Office XP, Office 2000, SQL Server 2000, MSDE 2000, and Exchange 2003. Support for additional Microsoft products will be added on an on-going basis
Built on Windows Update Services (formerly SUS 2.0) infrastructure
Includes automated scanning, update install, and reporting capabilities
Windows Update maintained for legacy reasons
[Diagram, Today vs. H1 2005, showing Office Update, Windows Update, SMS, WUS, Microsoft Update / Windows Update, and Download Center]
Patch Management Products: Future Direction
Near-term milestones
Windows Update Services (H1 2005)
SMS 2003 / WUS Phase 1 Integration (H1 2005)
Leverages Windows Update Services for update scanning
Longer-term (Longhorn time frame)
Windows Update Services (WUS) becomes core update management component of Windows Server
WUS updates all Microsoft corporate software
SMS / WUS Phase 2 integration – SMS builds on WUS infrastructure to deliver advanced patch management
WUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
Windows Update Services*
The update management component of Windows Server that enables IT administrators to more easily assess, control and automate the deployment of Microsoft software updates
Update management solution for all Microsoft products
Initially supports Windows XP Pro, Windows 2000 Pro, Windows 2000 Server, Windows Server 2003, Office XP, Office 2003, SQL Server 2000, MSDE 2000, Exchange 2003, + additional products over time**
Support for additional update types – security, critical and non-critical updates, update rollups, service packs, feature packs, and critical driver updates
Core update management infrastructure in Windows
Data Model - supersedence, update dependency & bundle relationships
Built-in update scanning engine to detect missing updates
Server APIs (.NET) and remoteable Client APIs (COM)
Enhanced bandwidth optimization
Uses BITS for client-server and server-server communication
‘Binary delta compression’ technologies dramatically reduce data transfer needs
Configurable update subscriptions -- specify subset of content to be downloaded
*WUS is currently in beta. Microsoft does not guarantee that all capabilities listed will be in the released version. Datasheet and sign up for the Open Evaluation Program at: www.microsoft.com/wus
**Without the need to upgrade or redeploy WUS
Windows Update Services (2)
Expanded administrative control
Scanning: Pre-deployment scan for missing updates
Download & approval: Specify only metadata be downloaded, rules for auto-approving updates, etc.
Targeting: Install or uninstall to systems grouped via enumerated lists or Group Policy
Scheduling: Set new update detection frequency*, specify install deadline**, etc.
Implementation: Options to use specified communication port, work with Internet proxy, deploy in hierarchical replica or independently managed server topologies, support update management for networks not connected to the Internet, etc.
End-user experience: Options to notify users of new updates, reboot, etc.
Status reporting
Deployment status aggregation per machine/per update/per group
Download / install success, failure, and error info
Logs statistics to SQL Server or MSDE
Improved ease of administration
New, intuitive Web administration console simplifies ongoing administration and provides detailed information on new updates
Command line utilities and scriptability to enable scalable, efficient administration
*Max. frequency 1/hour. Can use command line option or script to trigger new update checks on demand
**Deadlines also enable enforcement of update installs (re-installation of required updates removed from the system at a later date)
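The two WUS slides name a data model (supersedence, dependency and bundle relationships), a pre-deployment scan for missing updates, and deadline enforcement that re-installs required updates someone removed. The following added example, which is not Windows Update Services code or any Microsoft code, models those three relationships over a constructed catalog with placeholder KBnnn identifiers and shows how the scan and the enforcement check fall out of them: an update counts as present if it, a bundle containing it, or something superseding it is installed; prerequisites and bundle members are ordered before the update that needs them; and anything a newer update in the plan supersedes is dropped rather than installed twice.

```python
"""Added example (not Windows Update Services code): a small model of the three
update relationships the slide lists (supersedence, dependency, bundle) and the
two scans an update server performs on top of them: which approved updates a
client is still missing, in an installable order, and which required updates
were removed after a deadline and must be re-queued. The catalog and the
KBnnn identifiers are constructed placeholders, not real updates."""
from typing import Dict, Iterable, List, NamedTuple, Sequence


class Update(NamedTuple):
    id: str
    supersedes: Sequence[str] = ()   # older updates this one fully replaces
    requires: Sequence[str] = ()     # must be installed before this one
    bundles: Sequence[str] = ()      # member updates installed as part of this one


# Constructed catalog.
CATALOG: Dict[str, Update] = {
    "KB100": Update("KB100"),
    "KB101": Update("KB101", supersedes=("KB100",)),        # re-release of KB100
    "KB200": Update("KB200", requires=("KB101",)),          # needs KB101 first
    "KB300": Update("KB300", bundles=("KB101", "KB200")),   # rollup of both
}


def effective_installed(installed: Iterable[str], catalog: Dict[str, Update]) -> set:
    """Everything the client effectively has: what is installed, the members of
    any installed bundle, and (transitively) whatever an installed update supersedes."""
    present = set()
    for uid in installed:
        present.add(uid)
        present.update(catalog[uid].bundles)
    changed = True
    while changed:
        changed = False
        for u in catalog.values():
            if u.id in present:
                for old in u.supersedes:
                    if old not in present:
                        present.add(old)
                        changed = True
    return present


def _expand(uid: str, catalog: Dict[str, Update], seen: set) -> List[str]:
    # Depth-first: prerequisites and bundle members are listed before the update itself.
    if uid in seen:
        return []
    seen.add(uid)
    order: List[str] = []
    for dep in tuple(catalog[uid].requires) + tuple(catalog[uid].bundles):
        order += _expand(dep, catalog, seen)
    order.append(uid)
    return order


def missing_updates(approved: Sequence[str], installed: Iterable[str],
                    catalog: Dict[str, Update]) -> List[str]:
    """Pre-deployment scan: approved updates the client still needs, with
    prerequisites first. An update already covered by a newer one in the plan
    (or by anything installed) is dropped rather than installed twice."""
    present = effective_installed(installed, catalog)
    order: List[str] = []
    seen: set = set()
    for uid in approved:
        order += _expand(uid, catalog, seen)
    covered = {old for uid in order for old in catalog[uid].supersedes}
    return [u for u in order if u not in present and u not in covered]


def enforcement_reinstall(approved: Sequence[str], last_scan: Iterable[str],
                          this_scan: Iterable[str], catalog: Dict[str, Update]) -> List[str]:
    """Deadline enforcement: required updates that were present at the last scan
    but are gone now (someone uninstalled them) are queued for re-installation."""
    was_missing = set(missing_updates(approved, last_scan, catalog))
    now_missing = set(missing_updates(approved, this_scan, catalog))
    return sorted(now_missing - was_missing)


if __name__ == "__main__":
    print("fresh client needs:", missing_updates(["KB300"], [], CATALOG))
    print("re-queue after removal:",
          enforcement_reinstall(["KB200"], ["KB101", "KB200"], ["KB101"], CATALOG))
```

The supersedence closure in `effective_installed` is what makes the scan report "not missing" for an old update whose replacement is already on the box; without it the server would keep offering a fix that cannot install.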
Comparing Microsoft Update, Windows Update Services, and SMS 2003
Adopt the solution that best meets the needs of your organization

Capability | Microsoft Update | Windows Update Services | SMS 2003
Supported Software and Content
Supported Software for Content | Same as Windows Update Services + WinXP Home | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE | Same as Windows Update Services + NT 4.0 & Win98* + can update any other Windows based software
Supported Content Types for Supported Software | All software updates, critical driver updates, service packs (SPs), and feature packs (FPs) | All software updates, critical driver updates, SPs, & FPs | All updates, SPs, & FPs + supports update & app installs for any Windows based software
Update Management Capabilities
Targeting Content to Systems | N/A | Simple | Advanced
Network Bandwidth Optimization | Yes | Yes | Yes
Patch Distribution Control | N/A | Simple | Advanced
Patch Installation & Scheduling Flexibility | Manual & end user controlled | Simple | Advanced
Patch Installation Status Reporting | Install errors reported to user. Lists missing updates for accessing computer | Simple | Advanced
Deployment Planning | N/A | Simple | Advanced
Inventory Management | N/A | No | Yes
Compliance Checking | N/A | No – status reporting only | Advanced
*MBSA does not support scanning Win98 – Win98 can be updated using SMS 2003 inventory management and software distribution capabilities
*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update
Choosing A Patch Management Solution: Typical Customer Decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution | SMS 2003
Large or Medium Enterprise | Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 | Windows Update Services**
Small Business | Have at least 1 Windows server and 1 IT administrator | Windows Update Services**
Small Business | All other scenarios | Microsoft Update**
Consumer | All scenarios | Microsoft Update**
Consolidated Solutions Roadmap
[Roadmap diagram; time frames Q4/2003, H1/2005, Longhorn. Rows: Manual / Script Based Updating; Update Content Repositories and Online Services (Windows Update, Download Center, Microsoft Update); Update Management Products (SUS 1.0, SMS 2.0 with Feature Pack, SMS 2003, WUS Server, WUS Client, SMS 2003 / WUS phase 1 integration, WUS N.0, Windows Server Longhorn, SMS v4, 3rd party / in-house tools, in-house developed apps update repository, 3rd party apps update repository); Standalone Update Scanning Tools (MBSA 1.1.1, Office Inventory Tool, Office Update, MBSA 1.2 (includes OIT), MBSA 2.0)]
Adopt a Patch Management Solution
At Microsoft, our #1 concern is the security and availability of your IT environment
If none of the Microsoft patch management solutions meet your needs consider implementing a solution from another vendor
Partial list* of available products:
Company Name | Product Name | Company URL
Altiris, Inc. | Altiris Patch Management | http://www.altiris.com
BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com
Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com
Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com
GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com
Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com
LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com
Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com
PatchLink Corp. | PatchLink Update | http://www.patchlink.com
Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com
St. Bernard Software | UpdateExpert | http://www.stbernard.com
*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
Summary
Addressing the patch management issue is a top priority
Taking a comprehensive, tactical & strategic approach
Made progress, but much more work to be done
Microsoft focused on:
Reducing the number of vulnerabilities & associated patches
Improving customer preparedness, training & communication
Simplifying & standardizing the patching experience
Improving patch quality
Unifying and strengthening patch management offerings
Key Recommendations:
Implement a good patch management process – it’s the key to success
Adopt a patch management solution that best fits your needs
Make use of the resources referenced in these slides
Trends – 2003 CSI / FBI Survey
Of 532 respondents, 92% detected attacks
Only 251 organizations were able to quantify losses
25% of respondents suffered attacks on WWW servers
Only 50% of intrusions were reported to law enforcement
www.gocsi.com for complete results
Case Study – Edge Server
Symptoms
Admin shares deleted repeatedly
New service / security patch installed
Server reboots unexpectedly
Bandwidth consumption / server sluggish
Low disk space
Findings
Malware “hidden” (+H) in subdir of system32
Malware “hidden” (+H) in c:\recycler
Malware really hidden in “c:\System Volume Information” directory
FTP / Backdoor Server installed to run as SYSTEM service
Case Study – Intranet DoS
Symptoms
High CPU utilization on affected systems (DC’s may have high CPU in LSASS)
Account lockouts
Increased TCP 139/445 network traffic
RPC / LSASS crashing, machines rebooting
AV stops working on some machines
Can’t access AV web sites on some machines
Findings
You’ve got bot like Gaobot.AFW or Agobot.JF, Phatbot, SDBot, Randex
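Two of the symptoms above, account lockouts and a jump in TCP 139/445 traffic, are visible in logs before anyone looks at a CPU graph. As an added example that is not part of the presentation, the script below scores hosts on both: how many distinct accounts one caller machine has locked out, and how many distinct neighbours one source has touched on the SMB ports. The two log feeds are constructed sample data in a simple CSV layout, not the native Windows event log format; the thresholds and the host-to-IP mapping are assumptions you would replace with your own.

```python
"""Added example (not from the presentation): score hosts on two of the bot
symptoms the slide lists, account lockouts caused by one machine and
TCP 139/445 fan-out across the subnet. Both feeds are constructed sample data
in a simple CSV layout, not the native Windows event log format; the
thresholds and the host-to-IP mapping are assumptions."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List

# Constructed lockout feed: time,event,account,caller_machine
LOCKOUT_LOG = """\
2004-07-12T09:00:01,lockout,jsmith,WS-117
2004-07-12T09:00:03,lockout,admin,WS-117
2004-07-12T09:00:04,lockout,backup,WS-117
2004-07-12T09:00:07,lockout,jdoe,WS-117
2004-07-12T09:01:10,lockout,mlee,WS-042
"""

# Constructed connection feed: time,src,dst,dport,proto
CONN_LOG = """\
2004-07-12T09:00:00,10.1.5.117,10.1.5.1,445,tcp
2004-07-12T09:00:00,10.1.5.117,10.1.5.2,445,tcp
2004-07-12T09:00:00,10.1.5.117,10.1.5.3,445,tcp
2004-07-12T09:00:00,10.1.5.117,10.1.5.4,139,tcp
2004-07-12T09:00:01,10.1.5.117,10.1.5.5,445,tcp
2004-07-12T09:00:01,10.1.5.117,10.1.5.6,445,tcp
2004-07-12T09:00:02,10.1.5.42,10.1.5.10,445,tcp
2004-07-12T09:00:02,10.1.5.42,10.1.5.10,445,tcp
2004-07-12T09:00:03,10.1.5.9,10.1.5.20,80,tcp
"""

HOST_IP = {"WS-117": "10.1.5.117", "WS-042": "10.1.5.42"}  # constructed mapping


def lockouts_by_caller(text: str) -> Dict[str, int]:
    """Distinct accounts each caller machine has locked out. A bot guessing
    passwords locks out many accounts from one machine; a user mistyping
    locks out one."""
    accounts = defaultdict(set)
    for _time, event, account, caller in csv.reader(StringIO(text)):
        if event == "lockout":
            accounts[caller].add(account)
    return {caller: len(accts) for caller, accts in accounts.items()}


def smb_fanout(text: str) -> Dict[str, int]:
    """Distinct destinations each source touched on TCP 139/445: a sweep of the
    subnet is the worm-style spreading the slide describes."""
    targets = defaultdict(set)
    for _time, src, dst, dport, proto in csv.reader(StringIO(text)):
        if proto == "tcp" and dport in ("139", "445"):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def suspect_hosts(lockout_text: str, conn_text: str, host_ip: Dict[str, str],
                  lockout_min: int = 3, fanout_min: int = 5) -> Dict[str, List[str]]:
    """Hosts that cross either threshold, with the reasons. A host that crosses
    both is the strongest lead: one machine locking out accounts while sweeping
    SMB ports is what an infected workstation looks like from the DC's side."""
    ip_to_host = {ip: host for host, ip in host_ip.items()}
    reasons: Dict[str, List[str]] = defaultdict(list)
    for host, n in lockouts_by_caller(lockout_text).items():
        if n >= lockout_min:
            reasons[host].append(f"locked out {n} distinct accounts")
    for ip, n in smb_fanout(conn_text).items():
        if n >= fanout_min:
            reasons[ip_to_host.get(ip, ip)].append(f"SMB sweep of {n} hosts")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in suspect_hosts(LOCKOUT_LOG, CONN_LOG, HOST_IP).items():
        print(host, "->", "; ".join(why))
```

Counting distinct accounts and distinct destinations, rather than raw event counts, is what separates the bot from a user retrying one password or a file server talking to one client repeatedly.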
There is no spoon . . .
In the last century, organizations relied upon firewalls / perimeter defense as the basis for protecting the Intranet
This has created a hard crunchy shell with a soft chewy center for most organizations
In the 21st century with blended threats, firewalls alone do not effectively stop worms
Did your firewall stop Slammer or Blaster?
Will it stop bots like Gaobot / Phatbot / Agobot?
VPN connections from home machines blur the ‘perimeter’ and increase the threat of automated attacks
Threats – Modus Operandi
- Fact: Most intrusions are not accomplished via awe-inspiring skill.
- Fact: It is much harder to secure than it is to hack.
- Most intrusions involve:
  - Weak administrator passwords!!!
  - Un-patched security vulnerabilities in underlying software products (OS and applications)
  - Weak out-of-box security settings that were never hardened
  - Lack of secure coding in custom applications
Recommendations
- Normal operations staff trained to recognize symptoms of security incidents
- Escalate cases to the security incident response team to:
  - Determine the time / date the intrusion occurred
  - Determine how the intrusion occurred
  - Develop a 'signature' for the intrusion
  - Scan nearby machines for the 'signature'
  - Make changes to the security posture to prevent future incidents
Preparing a Security Incident Response Plan
- Processes should be put in place before an incident has occurred that will facilitate:
  - Detection – determining whether an incident has occurred
  - Investigation – determining how an incident has occurred
  - Containment – isolating affected hosts
  - Resolution – restoring service / lessons learned
Escalating the Incident
- Define symptoms or behaviors that become triggers that will kick off an investigation
  - Ensure admins and helpdesk staff understand and can recognize them!
- Security Incident Response team should
  - Compare current 'state' to previous 'state'
    - Look for new processes, files, folders, network connections, listening ports, services
    - Not possible if you don't know what the previous state was: baseline and catalog your servers!
  - Run a live response IR toolkit to collect data
    - Have a trained IR specialist analyze the output
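The "compare current state to previous state" step above, as an added example that is not part of the deck or of the PSS toolkit. The baseline catalog and the current snapshot are both constructed inline (file hashes are computed from placeholder bytes so the script runs offline); categories, paths, service names and account names are illustrative assumptions, not values from the page.

```python
"""Baseline-vs-current state comparison for a server.

Added example, not from the deck or the PSS toolkit: the 'compare current
state to previous state' step, run over a constructed baseline catalog and a
constructed current snapshot of the same host. Hashes are computed from
placeholder bytes so the script runs offline.
"""
import hashlib
from typing import Dict, List, Union

Catalog = Dict[str, Union[Dict[str, str], set]]


def _h(data: bytes) -> str:
    """Stand-in for hashing an executable on disk."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: what the IR team cataloged when the server was known good.
BASELINE: Catalog = {
    "files": {
        r"C:\WINDOWS\system32\svchost.exe": _h(b"svchost build 1"),
        r"C:\WINDOWS\system32\lsass.exe": _h(b"lsass build 1"),
    },
    "services": {"W32Time", "Spooler", "EventLog"},
    "listening_ports": {"TCP/135", "TCP/139", "TCP/445", "UDP/137"},
    "administrators": {"Administrator", r"DOMAIN\ServerAdmins"},
}

# Constructed current snapshot: one system binary changed, a new binary under
# a RECYCLER\<SID> folder, a new service, a new listener and a new local admin.
CURRENT: Catalog = {
    "files": {
        r"C:\WINDOWS\system32\svchost.exe": _h(b"svchost build 1"),
        r"C:\WINDOWS\system32\lsass.exe": _h(b"lsass build 1 (tampered)"),
        r"C:\RECYCLER\S-1-5-21-0-0-0-500\serv.exe": _h(b"unknown binary"),
    },
    "services": {"W32Time", "Spooler", "EventLog", "Windows Helper"},
    "listening_ports": {"TCP/135", "TCP/139", "TCP/445", "UDP/137", "TCP/6667"},
    "administrators": {"Administrator", r"DOMAIN\ServerAdmins", "support"},
}


def diff_state(baseline: Catalog, current: Catalog) -> Dict[str, Dict[str, List[str]]]:
    """Per category, list what appeared, disappeared or changed since baseline."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for category, base in baseline.items():
        cur = current.get(category, type(base)())
        if isinstance(base, dict):
            # Hashed items: a key present on both sides with a different hash
            # is a modified file, which a plain name listing would never show.
            changed = sorted(k for k in base if k in cur and base[k] != cur[k])
        else:
            changed = []
        report[category] = {
            "added": sorted(set(cur) - set(base)),
            "removed": sorted(set(base) - set(cur)),
            "changed": changed,
        }
    return report


def findings(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Flatten the report into one line per deviation, for the case notes."""
    return [f"{category}: {kind} {item}"
            for category, deltas in report.items()
            for kind, items in deltas.items()
            for item in items]


if __name__ == "__main__":
    for line in findings(diff_state(BASELINE, CURRENT)):
        print(line)
```

The point of hashing the cataloged executables rather than only listing their names is visible in the `lsass.exe` entry: its name is unchanged on both sides, so only the hash comparison flags it. Without the baseline there is nothing to diff against, which is the deck's argument for cataloging servers before an incident.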
Suspicious Symptoms, Behaviors
- Suspicious event log data
- Suspicious server reboot (no admins remember rebooting)
- Admin shares disappearing
- Security patches installed mysteriously
- New processes / services / files / folders
- Abnormal process termination (i.e. IIS crashes)
- A blue-screen occurs
- Sluggish system performance
- Suspicious network traffic to/from an IP address
Things You Need To Know
- Why you need an Incident Response team within your organization
  - Because it's not a matter of 'if' but 'when'
- Auditing is everything
  - Sufficient auditing is not usually enabled by default!
- Proper business continuity planning facilitates successful incident response
  - If business isn't down, you are more likely to have time to do a proper investigation
Overview
- Training – Staying Current
- Tracking Security Incidents
- Live Response vs. Offline Response
- Assembling a Live Response Toolkit
- Microsoft PSS Security Incident Response Toolkit
Training
- Know your adversary
  - Strongly recommend reading security and hacking related books
  - Attend security conferences (Blackhat, RSA etc.)
  - Subscribe to a managed security service (ISS, TruSecure, LUHRQ etc.)
- Learn Incident Response
  - Read books
  - Attend specialized incident response training
Training – Recommended resources
- Hacking Knowledge
  - Hacking Exposed series of books
  - Security Warrior
  - Stay abreast of security vulnerabilities and exploits as they are released by subscribing to managed security services and monitoring
    - Full-Disclosure mailing list
    - Exploit web sites
- Incident Response Knowledge
  - Windows Security Resource Kit: http://www.microsoft.com/mspress/books/6418.asp
  - Foundstone: Ultimate Hacking Incident Response / Forensics
  - Incident Response & Computer Forensics, 2nd Ed.
  - SANS: Track 4 – Incident Handling
  - CERT Incident Response Handbook: http://www.cert.org/archive/pdf/csirt-handbook.pdf
Tracking Incidents
- Tracking incidents is extremely important
  - Historical data can be used to spot trends
  - Central repository for keeping case notes during an investigation (encrypted?)
  - Can be used for reporting progress to upper level management as incidents are resolved
- Options
  - Literally hundreds of help desk software solutions
    - Request Tracker IR (Best Practical): request tracking software specifically for CERT teams
    - Track-IT! (Intuit)
  - CRM / CIM solutions – not always a great fit here
  - Home grown solution may be best?
Live Response vs. Offline Response
- Two different approaches to IR
- Offline response involves imaging disks and using specialized software to look for clues and evidence
  - ProDiscover IR
  - EnCase
- NOT mutually exclusive
  - Create a disk image first for use with ProDiscover / EnCase if necessary
  - Then perform live response using an automated IR toolkit
Live Response: Risks
- Rootkits
  - Introduced for Windows, publicly, circa 1997
  - They modify operating system behavior to hide files, folders, processes, registry entries, and network connections to avoid detection by live response tools
  - Kernel mode drivers, usermode processes
- By observing the system, you alter its state
  - Sort of like Schrödinger's cat: placing output on the target system overwrites free space / slack space etc.
  - Altering time stamps and files may invalidate collected evidence if pursuing litigation
Assembling a Live Response Toolkit
- Purpose
  - Offline forensic analysis is not always possible, needed or timely
    - Technical barriers, unacceptable downtime etc.
    - Not always able to respond in person to remote locations
  - A live response toolkit facilitates consistent data collection from remote systems for offline analysis by an IR specialist
  - Can be used as a first response tool to triage and investigate reported security incidents
  - Systems can remain online during the investigation
    - Very important when an intrusion has not been positively confirmed
Microsoft Incident Response Toolkit
- Design Goals
  - Trustworthiness (anticipate that a rootkit is installed)
  - Run in automated fashion on NT4 or later
  - Collect volatile data from a live system
  - Compress collected data into a .CAB file for submission to an IR specialist
- Not designed to
  - Create or preserve evidence for use by law enforcement in legal proceedings
  - Image a drive for offline analysis and response
Microsoft Incident Response Toolkit
- Two tools
  - Data collection agent (the "IR toolkit")
    - Batch file that automates dozens of .EXEs, zipped up in a zip file with a readme.txt
  - Data analysis tool (the "IR Viewer")
    - C# application, runs on the examiner's workstation
- Utilizes custom-built tools designed for incident response
- Utilizes free 3rd party tools
  - Had to work with the legal team and get written permission from authors to redistribute their tools!
  - Be aware of EULAs and licensing fees associated with 'free' tools when used in a business environment
Microsoft Incident Response Toolkit
- Randomized filenames
- Gets local system / Internet time
- Kernel profiler
- Netstat / arp / ipconfig / routing table
- DIR commands (hidden, modified, accessed, created)
- Rootkit detection
- Dumps registry as text
- Saves event logs as TSV
- Enumerate NULL session information
- Get patch status
- Scan for ADSs (alternate data streams)
- Enumerate running processes
- Get file versions of all loaded modules / key directories
- Get audit policy
- Dump security policy information (policy, users, rights, etc.)
- Map processes to ports
- Enumerate installed services several ways
- Enumerate ACLs (if specified)
- Generate hashes for executables (if specified)
- Run 'net' commands
- Dump scheduled tasks
- Copies all .log, .bat, .cmd, .vbs, .js files from system32

Microsoft Incident Response Toolkit
- Takes anywhere from 10 to 20 minutes to run
- Can be used to identify signs of an intrusion (some rootkits, suspicious processes, services, files, folders, registry entries, event log entries, suspicious accounts in the administrators group, missing security patches etc.)
- Areas for improvement
  - Better approach to rootkit detection (in progress)
  - Run file system commands as SYSTEM (in progress)
  - Registry last write times (in progress)
Incident Response Objectives
- Confirm whether an intrusion has actually occurred
  - By analyzing the contents of the IR toolkit output for a specific server(s)
- Determine when the intrusion occurred
  - Based on a lead like an event ID or a suspicious file's or folder's creation date
- Determine how the intrusion occurred
  - Based on implicit or explicit evidence (absence of a critical security update at the time the intrusion occurred etc.)
  - Identifies weakness in security posture and leads to corrective action being taken
- If new malware is identified, submit samples to the antivirus partners
  - PSS Security team is in partnership with most leading antivirus vendors
To rebuild or not, that is the question!
- Microsoft's stance
  - It's a risk assessment really
  - We provide evidence (or lack thereof) of an intrusion.
    - Sometimes we find no evidence of a compromise
    - Most of the time it's pretty straightforward
      - We provide case notes for malware we've identified
      - Submit to the AV partners so they can update signatures
      - Customer usually cleans manually or waits for new signatures
    - Other times, when a rootkit is known to be installed and hiding software, who knows what else is on the machine
      - We recommend formatting and rebuilding the machine to a known good state
Common Mistakes Companies Make
- When helping organizations investigate security incidents we see the same mistakes being made over and over again.
- The following slides detail the most common mistakes that are usually made and give guidance on how to avoid making these mistakes.
Common Mistakes Companies Make
- No formal, documented policies
  - Server security hardening policy
  - Acceptable Use policy
  - Auditing policy
  - Password complexity requirements
  - Secure operating system builds
  - Security patch deployment policy
- No formal change management process
  - Many systems are shared between groups with many user accounts in the administrators group
  - No process for tracking changes to the system back to a group or person
  - No documentation about what should be installed on a system vs. what actually is installed on a system
Common Mistakes Companies Make
- No baseline data
  - If you don't know what 'normal' looks like, how can you spot abnormal behavior?
  - Perform software inventory updates
  - Perform periodic port-scans of the network
  - Know the normal operating thresholds for your servers
  - Know the normal traffic patterns for your network
- Inability to 'scale out' during an investigation
  - Suppose after the initial response you confirm that a group of servers were successfully attacked?
  - How do you scale out the investigation to the neighboring servers / networks?
Common Mistakes Companies Make
- No formal security incident response team
  - Why? Usually lack of budget and planning
  - Use some form of risk assessment and threat modeling to make a business case for a team! (STRIDE / DREAD)
- Incident Response team is old-school
  - So you have an IR team but they aren't up to date?
  - Do they know about rootkits? Do they know about the latest worms and bots?
  - Consider performing a penetration test of the environment to see how they do.
  - Play with malware and study it in undoable, isolated virtual machines!
Common Mistakes Companies Make
- Lack of a business continuity plan
  - Some security incidents can be investigated while the systems are on-line, others require off-line analysis
  - How long can you afford to be down?
- Lack of a trusted IR toolkit
  - An automated toolkit should be created to facilitate the process of gathering information off of live systems
  - The output of the toolkit should be known and well understood!
Incident Response Tips
- Decide as quickly as possible whether or not to involve law enforcement
  - They have their own evidence collection process and procedures
  - Anything you do before law enforcement is involved potentially hinders the investigation and collection of evidence
- Interview the person reporting the incident thoroughly
  - What's the behavior being reported, how are things different?
  - What day / time did you first notice something was wrong?
  - Write everything down and keep accurate time / date stamps
Identify Symptoms of a Rootkit
- If a rootkit is installed, the output of the IR toolkit should not be considered trustworthy
- It is imperative to identify right away whether a rootkit is possibly installed
- Consider using rootkit detection tools like VICE
  - http://www.rootkit.com/vault/fuzen_op/VICE_Bin.zip
Identify Symptoms of a Rootkit
- Port scan the server remotely from a known good machine (all TCP and UDP ports)
  - Look for any ports that show up on the network but not in local netstat, portqry or fport output
    - Sure sign that a rootkit is hiding a backdoor listening on a port
- Boot the system into safe mode and examine installed services
  - Look for services that show up in safe mode but not in normal mode (rootkit may not load in safe mode)
- Locally list the files in the %windir% directory and all subdirectories and then do it again from a mapped network drive
  - Look for files that don't show up locally but that do remotely (again, rootkit)
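Two of the cross-view checks above (network port scan vs. local netstat, and remote vs. local directory listing), as an added example that is not from the deck. It parses a constructed local netstat-style listing and compares it with a constructed remote scan result, then does the same for two constructed directory listings; the host address, the port numbers and the file names are assumptions made up for the example.

```python
"""Cross-view checks for rootkit symptoms.

Added example, not from the deck: compares what a host reports about itself
with what an independent vantage point sees. All inputs are constructed: a
local 'netstat -an' style listing and a remote port-scan result, and a local
and a remote directory listing of %windir%\system32.
"""
import re
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed local view, in the shape of Windows 'netstat -an' output.
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.9:1042          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed remote view: ports found open by scanning the same host from a
# known-good machine. TCP/31337 is the planted discrepancy.
REMOTE_SCAN_OPEN: Set[Endpoint] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 31337), ("UDP", 137),
}

# Constructed directory listings of %windir%\system32, one taken on the host
# and one taken over a mapped network drive from a known-good machine.
LOCAL_DIR = {"kernel32.dll", "ntoskrnl.exe", "svchost.exe"}
REMOTE_DIR = {"kernel32.dll", "ntoskrnl.exe", "svchost.exe", "hidden_example.sys"}

# proto, local port, foreign address, optional state column
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def parse_local_listeners(netstat_text: str) -> Set[Endpoint]:
    """(proto, port) pairs the host itself claims to be listening on."""
    listeners: Set[Endpoint] = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank or unrecognised line
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        # UDP rows carry no state; a TCP row is a listener only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners


def hidden_listeners(netstat_text: str, remote_open: Set[Endpoint]) -> List[Endpoint]:
    """Ports open from the network but absent from the host's own netstat view."""
    return sorted(remote_open - parse_local_listeners(netstat_text))


def hidden_files(local_listing: Set[str], remote_listing: Set[str]) -> List[str]:
    """Files the network view shows but the local view does not."""
    return sorted(remote_listing - local_listing)


if __name__ == "__main__":
    print("ports hidden from local view:", hidden_listeners(LOCAL_NETSTAT, REMOTE_SCAN_OPEN))
    print("files hidden from local view:", hidden_files(LOCAL_DIR, REMOTE_DIR))
```

The comparison only works in one direction: a port or file the remote view shows and the local view lacks is the rootkit symptom the deck describes. The reverse (local shows it, remote does not) is normal for a firewall filtering the scan or for a listener bound to loopback, so it is not reported.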
Identify Symptoms of a Rootkit
- Configure Device Manager to show 'hidden' devices and view them
  - Look for suspicious device drivers under 'Non-Plug and Play Drivers'
IR Toolkit Data Analysis
- Determining a date / time gives you something to search on
  - Look for leads that will yield a date or a time
    - Suspicious processes, services, event log entries or files created on or around the date / time of the reported incident
- Once you have a 'lead' (i.e. a suspicious process or service), get the creation date of the file on the file system
  - Perform a search for other files created on or around that time
Build a Time-Line of Events
- Once you have found some 'leads', build a chain of events that paint the picture
- Example leads from the System Event log
  - System mysteriously rebooted on 4/20/2004 at 2:41am
  - Just before that a Microsoft Security update was installed by the 'SYSTEM' account
    - Could be a remote shell; attackers often install the security patch they used to compromise a system to prevent others from stealing it
  - Look for files created on that date / time
Build a Time-Line of Events – Example
- Suspicious service identified in the Services snap-in
  - That's your 'lead'
- Identify the process backing that service (double click the service)
- Find the creation date of that file
- Look for other files created on that date
- Look for account logons on that date at around that time
- Determine when security patches were installed relative to that date / time (before or after?)
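The lead-to-time-line procedure of the last three slides, as an added example that is not from the deck or the IR Viewer. The file creation times and event log records are constructed (the 4/20/2004 times echo the deck's worked example; the paths, account names and addresses are assumptions), and the window size is a parameter rather than anything the deck prescribes.

```python
"""Pivoting from a lead to a time-line of events.

Added example, not from the deck: given the lead (the file backing a
suspicious service), it collects every record within a window around that
file's creation time and orders them into a time-line. All records are
constructed; the times follow the deck's worked example of 4/20/2004.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed file creation times, as a DIR /TC listing would give them.
FILE_CREATED: Dict[str, datetime] = {
    r"C:\WINDOWS\system32\svchost.exe": datetime(2003, 8, 1, 9, 0),
    r"C:\Program Files\App\readme.txt": datetime(2004, 3, 2, 14, 0),
    r"C:\RECYCLER\S-1-5-21-0-0-0-500\serv.exe": datetime(2004, 4, 20, 2, 33),
    r"C:\WINDOWS\system32\r.bat": datetime(2004, 4, 20, 2, 35),
}

# Constructed event log records. Event ID 528 is the Windows 2000/XP
# 'successful logon' event; the other records carry no event ID here.
EVENTS: List[dict] = [
    {"time": datetime(2004, 4, 18, 8, 5), "kind": "logon",
     "detail": "Event 528: backupsvc logged on (type 5)"},
    {"time": datetime(2004, 4, 20, 2, 31), "kind": "logon",
     "detail": "Event 528: Administrator logged on (type 3) from 10.0.0.9"},
    {"time": datetime(2004, 4, 20, 2, 38), "kind": "patch_install",
     "detail": "Security update installed by NT AUTHORITY\\SYSTEM"},
    {"time": datetime(2004, 4, 20, 2, 41), "kind": "reboot",
     "detail": "System restarted (no administrator recalls rebooting)"},
]


def build_timeline(lead_path: str, file_created: Dict[str, datetime],
                   events: List[dict], window_minutes: int = 60) -> List[dict]:
    """Every file creation and event within +/- window of the lead's creation time, in order."""
    lead_time = file_created[lead_path]
    window = timedelta(minutes=window_minutes)
    start, end = lead_time - window, lead_time + window
    rows = [{"time": t, "kind": "file_created", "detail": p} for p, t in file_created.items()]
    rows += [{"time": e["time"], "kind": e["kind"], "detail": e["detail"]} for e in events]
    return sorted((r for r in rows if start <= r["time"] <= end), key=lambda r: r["time"])


def patch_relative_to_lead(timeline: List[dict], lead_time: datetime) -> str:
    """'after', 'before' or 'none': when the first security patch landed relative to the lead."""
    installs = [r["time"] for r in timeline if r["kind"] == "patch_install"]
    if not installs:
        return "none"
    return "after" if min(installs) > lead_time else "before"


def render(timeline: List[dict]) -> List[str]:
    """Case-notes lines, one per event, with accurate time stamps."""
    return [f"{r['time']:%Y-%m-%d %H:%M}  {r['kind']:<13} {r['detail']}" for r in timeline]


if __name__ == "__main__":
    lead = r"C:\RECYCLER\S-1-5-21-0-0-0-500\serv.exe"
    tl = build_timeline(lead, FILE_CREATED, EVENTS)
    for line in render(tl):
        print(line)
    print("security patch installed", patch_relative_to_lead(tl, FILE_CREATED[lead]), "the lead")
```

With the constructed data the window around the lead pulls in a network logon two minutes earlier, a second new file, a patch install and the unexplained reboot, and excludes the unrelated records from other days. The "after" result from `patch_relative_to_lead` is the pattern the deck describes: a patch applied by SYSTEM shortly after the new file appeared is worth treating as part of the intrusion rather than as routine maintenance.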
Look In The Right Places
- Miscreants often hide their malware in the c:\recycler\<SID> folder (where SID is a real or fictitious security identifier)
- Miscreants are increasingly turning to hiding their malware in the hidden, SYSTEM-only "c:\system volume information" folder
  - Grant admins access to the folder and look in there as well.
Laws and Legal Issues
- Decide early on whether you might want to prosecute or not
  - There are usually laws surrounding the collection of evidence and surveillance
  - In litigious investigations you will be much more successful if you involve law enforcement immediately
Laws and Legal Issues
- Most companies have a lack of knowledge about "cyber crime" laws
  - Acceptable Use Policies
  - Search and Seizure Laws
  - Reasonable Expectation of Privacy
    - Is it lawful to monitor an employee's e-mail / network traffic, or search their hard drive?
  - Due Diligence Laws
    - Can you be held liable for personally identifiable information that was stolen?
- Always involve proper legal counsel at the onset of a security related incident response investigation!
Laws and Legal Issues
- List of Worldwide Cyber Crime Law Links
  - http://www.ccmostwanted.com/LL/global.htm
- U.S. Laws
  - www.cybercrime.gov
- European Laws
  - http://conventions.coe.int/
  - http://www.epic.org/privacy/intl/
  - http://www.europa.eu.int/index_en.htm
- Australian Laws
  - http://www.aph.gov.au/house/
  - http://parlinfoweb.aph.gov.au/piweb/search_main.aspx
  - http://www.ntu.edu.au/faculties/lba/schools/Law/apl/Cyberspace_Law/articles1.htm
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.