Practical Patch Management Solutions for Small to Enterprise Level Environments

Provided by: BrodieD

1
Practical Patch Management Solutions for Small to Enterprise Level Environments
  • Rich Sigmund
  • Senior Consultant
  • Oakwood Systems Group
  • RSigmund_at_oakwoodsys.com

2
Patch Management Overview
  • Patch Management Overview
  • Patch Management Tools
  • Real World Solutions
  • Future Roadmap

3
Business Case For Patch Management
When determining the potential financial impact of poor patch management, consider:
  • Downtime
  • Remediation time
  • Questionable data integrity
  • Lost credibility
  • Negative public relations
  • Legal defenses
  • Stolen intellectual property
  • Identity theft

4
Exploit Timeline
Vulnerability reported
Worm or virus code created
Security bulletin and patch released
No Exploit
Exploit
Patch reverse engineered
Worm or virus launched; infects unprotected or unpatched systems
Patch developed

5
Microsoft Patch Severity Ratings
Rating | Definition
Critical | Exploitation could allow the propagation of an Internet worm
Important | Exploitation could result in compromise of user data or the availability of processing resources
Moderate | Exploitation is serious, but is mitigated to a significant degree by default configuration, auditing, need for user action, or difficulty of exploitation
Low | Exploitation is extremely difficult or impact is minimal
Security Bulletin List: http://www.Microsoft.com/TechNet/Security/Current.asp

6
Patching Time Frames
Severity rating | Recommended patching time frame | Recommended maximum patching time frame
Critical | Within 24 hours | Within two weeks
Important | Within one month | Within two months
Moderate | Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within four months | Deploy the patch within six months
Low | Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within one year | Deploy the patch within one year, or choose not to deploy at all

7
The Importance Of Proactive Patch Management
Attack | Patch release date | Attack date | Number of days patch was available before the attack
Zotob.A - L | Aug 9, 2005 | Aug 15-23, 2005 | 6-14
Trojan.Kaht | Mar 17, 2003 | May 5, 2003 | 49
SQL Slammer | Jul 24, 2002 | Jan 24, 2003 | 184
Klez-E | Mar 29, 2001 | Jan 17, 2002 | 294
Nimda | Oct 17, 2000 | Sept 18, 2001 | 336
Code Red | Jun 18, 2001 | Jul 16, 2001 | 28

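The following is an added example, not part of the original slides: it applies the deadlines from the Patching Time Frames slide to the attack dates in the table above and reports which window would have had each fix installed before the attack. It assumes a month is 30 days, a year is 365 days, and that every fix in the table was rated Critical; the function and variable names are illustrative.

```powershell
# Added example. Windows in days, from the "Patching Time Frames" slide.
# Assumptions: one month = 30 days, one year = 365 days; the "wait for the
# next service pack or rollup" option for Moderate/Low is not modelled.
$PatchWindow = @{
    Critical  = @{ Recommended = 1;   Maximum = 14  }
    Important = @{ Recommended = 30;  Maximum = 60  }
    Moderate  = @{ Recommended = 120; Maximum = 180 }
    Low       = @{ Recommended = 365; Maximum = 365 }
}

function Get-PatchExposure {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][datetime]$Released,
        [Parameter(Mandatory)][datetime]$Attack,
        [ValidateSet('Critical', 'Important', 'Moderate', 'Low')]
        [string]$Severity = 'Critical'   # assumption: not stated on the slide
    )
    if ($Attack -lt $Released) { throw "${Name}: attack date predates the patch" }
    $w    = $PatchWindow[$Severity]
    $days = ($Attack - $Released).Days
    # A window protects only if its deadline falls before the attack date
    if     ($days -gt $w.Maximum)     { $covered = 'either window' }
    elseif ($days -gt $w.Recommended) { $covered = 'recommended window only' }
    else                              { $covered = 'neither window' }
    [pscustomobject]@{
        Attack             = $Name
        DaysAvailable      = $days
        RecommendedBy      = $Released.AddDays($w.Recommended).ToString('yyyy-MM-dd')
        MaximumBy          = $Released.AddDays($w.Maximum).ToString('yyyy-MM-dd')
        PatchedInTimeUnder = $covered
    }
}

# Rows from the slide's attack table; the first attack date is used for Zotob.
$rows = @(
    @{ Name = 'Zotob.A - L'; Released = '2005-08-09'; Attack = '2005-08-15' }
    @{ Name = 'Trojan.Kaht'; Released = '2003-03-17'; Attack = '2003-05-05' }
    @{ Name = 'SQL Slammer'; Released = '2002-07-24'; Attack = '2003-01-24' }
    @{ Name = 'Klez-E';      Released = '2001-03-29'; Attack = '2002-01-17' }
    @{ Name = 'Nimda';       Released = '2000-10-17'; Attack = '2001-09-18' }
    @{ Name = 'Code Red';    Released = '2001-06-18'; Attack = '2001-07-16' }
)
$report = foreach ($r in $rows) { Get-PatchExposure @r }
$report | Format-Table -AutoSize
```

Under these assumptions only Zotob.A, at 6 days, arrives inside the two-week maximum window; every other attack in the table came after the maximum deadline had passed.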
8
Improving The Patching Experience
Your need | Microsoft's response
Reduce patch frequency | Reduced frequency of non-emergency patch releases from once per week to once per month
Reduce patching complexity | Reduced number of patch installer technologies
Reduce risk of patch deployment | Improved patch quality and introduced patch rollback capability
Reduce patch size | Developed delta patching technology to reduce patch size
Reduce downtime | Reduced patch-related reboots
Improve tool consistency | Developing consistent tools
Improve tool capabilities | Developing more capable tools

9
Patch Management Tools
  • Patch Management Overview
  • Patch Management Tools
  • Real World Solutions
  • Future Roadmap

10
Choosing A Patch Management Solution
Customer type | Scenario | Solution
Consumer | All scenarios | Windows Update
Small organization | Has no Windows servers | Windows Update
Small organization | Has one to three Windows 2000 or newer servers and one IT administrator | WSUS
Medium-sized or large enterprise | Wants a patch management solution with basic level of control that updates Windows 2000 SP3 and newer versions of Windows | WSUS
Medium-sized or large enterprise | Wants a single flexible patch management solution with extended level of control to patch, update, and distribute all software | SMS

11
Patch Management Solution For Consumers And Small Organizations
  • Patch management solution based on Protect Your PC
  • Use an Internet firewall
  • Get computer updates
  • Windows Update
  • Office Update
  • Use up-to-date antivirus software
Protect Your PC Web site: http://www.microsoft.com/protect

12
WSUS Goals
  • Deliver easy to use, fully functional solution to
    address core update management scenarios for all
    Microsoft products
  • Automate the update management process as much
    as possible
  • Support more than just Windows patches
  • Address customer requests from SUS 1.0
  • Optimize administrator experience for IT
    generalist
  • Build the basic patch management infrastructure
    for the Windows platform
  • Leveraged by other tools (e.g., SMS and 3rd
    party products)

13
WSUS Benefits
  • Gives administrators basic controls over patch
    management
  • Administrators can review, test, and approve
    updates before deployment.
  • Can be set to be a fully automatic deployment
  • Simplifies and automates key aspects of the patch
    management process
  • Can be used with Group Policy, but Group Policy
    is not required to use WSUS
  • Easy to implement
  • Configurable for any environment's topology
  • Free tool from Microsoft

14
Examples Of Third-Party Solutions
Company Name | Product Name | Company URL
Altiris, Inc. | Altiris Patch Management | http://www.altiris.com
BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com
Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com
Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com
GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com
Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com
LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com
Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com
PatchLink Corp. | PatchLink Update | http://www.patchlink.com
Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com
St. Bernard Software | UpdateExpert | http://www.stbernard.com
A key component of effective Patch Management is to deploy a solution that is appropriate for your business needs.

15
WSUS Considerations
  • Can only update computers running Windows 2000
    SP3, Windows XP, and Windows Server 2003
  • No method to target specific updates to specific
    computers, only specified groups
  • Not push technology: client must pull updates
    from the WSUS server

16
WSUS Additions
  • Complete reporting by both system and by patch
  • Multiple server configurations with centralized
    distribution
  • BITS data transfers for updates
  • Multiple database support
  • MSDE
  • SQL

17
WSUS How It Works
Windows Update
Firewall
Child WSUS Server
Client Computers
Parent WSUS Server
Client Computers

18
WSUS Sample Deployment Scenario
Windows Update
Firewall
Pilot WSUS Server
Pilot Client Computers
Regional WSUS Server
Regional Client Computers
Main Office WSUS Server
Main Office Client Computers

19
WSUS Client Component
  • The client component of WSUS is Automatic Updates
  • Can be configured to pull updates either from
    corporate WSUS server or from Windows Update
  • Three ways to configure Automatic Updates
  • Centrally, by using Group Policy
  • Manually configure the client's registry
  • Use scripts to configure the client's registry
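A script for the third option might look like the following. This is an added example, not code from the presentation: the server URL and target group name are placeholders, and the registry value names are the standard Windows Update policy values, which do not appear on the slides.

```powershell
#Requires -RunAsAdministrator
# Added example: configure the Automatic Updates client through the policy
# registry keys. The server URL and target group are placeholders.
param(
    [string]$WsusUrl     = 'http://wsus.example.internal:8530',
    [string]$TargetGroup = 'Pilot Clients',
    [ValidateRange(0, 7)][int]$InstallDay   = 0,  # 0 = every day, 1-7 = Sun-Sat
    [ValidateRange(0, 23)][int]$InstallHour = 3   # hour of day, local time
)

# Accept only an absolute http(s) URL; prefer https when the WSUS site has SSL.
$uri = $null
if (-not ([Uri]::TryCreate($WsusUrl, [UriKind]::Absolute, [ref]$uri)) -or
    $uri.Scheme -notin 'http', 'https') {
    throw "WsusUrl must be an absolute http(s) URL, got '$WsusUrl'"
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

$values = @(
    # Where the client pulls updates from and where it reports status
    @{ Path = $wu; Name = 'WUServer';       PropertyType = 'String'; Value = $WsusUrl }
    @{ Path = $wu; Name = 'WUStatusServer'; PropertyType = 'String'; Value = $WsusUrl }
    # Client-side targeting: the client names its own target group
    @{ Path = $wu; Name = 'TargetGroupEnabled'; PropertyType = 'DWord';  Value = 1 }
    @{ Path = $wu; Name = 'TargetGroup';        PropertyType = 'String'; Value = $TargetGroup }
    # Use the server above; 4 = download automatically, install on schedule
    @{ Path = $au; Name = 'UseWUServer';          PropertyType = 'DWord'; Value = 1 }
    @{ Path = $au; Name = 'NoAutoUpdate';         PropertyType = 'DWord'; Value = 0 }
    @{ Path = $au; Name = 'AUOptions';            PropertyType = 'DWord'; Value = 4 }
    @{ Path = $au; Name = 'ScheduledInstallDay';  PropertyType = 'DWord'; Value = $InstallDay }
    @{ Path = $au; Name = 'ScheduledInstallTime'; PropertyType = 'DWord'; Value = $InstallHour }
)
foreach ($v in $values) { New-ItemProperty @v -Force | Out-Null }

Restart-Service -Name wuauserv   # the client re-reads its policy on start

# Read every value back so the result can be logged or compared to a baseline
foreach ($v in $values) {
    $actual = (Get-ItemProperty -Path $v.Path -Name $v.Name).($v.Name)
    '{0}\{1} = {2}' -f $v.Path, $v.Name, $actual
}
```

Settings delivered by Group Policy are written to the same keys, so on domain-joined machines a later policy refresh overrides values set this way.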

20
WSUS Server Component
  • The server component of WSUS is Windows Software
    Update Services
  • Can pull updates from Windows Update on a
    schedule
  • Provides a Web-based administrative GUI
  • Provides XML-based logging to a Web server
  • Supports geographically distributed or scale-out
    deployments
  • Can be centrally managed for deployment
  • Uses BITS for data transfer
  • More extensive reporting

21
WSUS Deployment Best Practices (1)
22
WSUS Deployment Best Practices (2)
23
WSUS Completion Definitions
Status | Description
Installed | The update was installed on the computer.
Needed | This is the positive result of a Detect only approval or a patch has not yet been reported as installed.
Not needed | Not needed means the update is not compliant with or required by that computer.
Unknown | Typically, this means that since the time that the update was synchronized to the WSUS server, the computer has not contacted the WSUS server.
Failed | An error occurred when either a detection or an installation was attempted on the computer for the update.
Last contacted | This is the date on which the computer last contacted the WSUS server.

24
Additional Features
  • Replica Mode
  • Single server download and distribution to
    downstream sites.
  • Single management interface for all servers
  • The big red button
  • Force clients to install on next report
  • Gives priority to update over all others
  • Multiple installation methods
  • BITS file transfers
  • Delta file installations

25
Additional Features (2)
  • Updated Targeting
  • Server-side and Client-side Methods
  • Multiple target groups available per server
  • Enhanced Reporting

26
WSUS Reporting
  • Reports are available on the following items
  • Status of Updates
  • Status of Computers
  • Synchronization Results
  • Summary of Settings

27
WSUS Reporting (By Update)
28
The Big Red Button
29
Advanced Targeting
30
Comparing WSUS And SMS
  • Simple versus Advanced
  • Client support
  • Update / Application deployment
  • Reporting features
  • WSUS: Want update management-only solution that
    provides simple updating for Microsoft software
  • SMS: Single flexible update management solution
    with extended level of control to update
    (distribute) ALL Windows OSs and Applications, as
    well as an integrated asset management solution

31
Real World Solutions
  • Patch Management Overview
  • Patch Management Tools
  • Real World Solutions
  • Future Roadmap

32
Basic Solution Overview
Microsoft Update
WSUS Server
Desktop Clients, Target Group 1
Server Clients, Target Group 2
WSUS Administrator
Agents report status to server
Server downloads updates from Microsoft Update
Clients register themselves with the server
Administrator puts clients in different target groups
Administrator approves updates
Agents install administrator approved updates
Administrator subscribes to update categories

33
Situation 1
  • Client Company is made up of several separate
    companies.
  • Each company is owned by the parent company.
  • Each company is autonomous from all others from a
    business point of view.
  • All companies are connected via a WAN and are
    sharing Mail and other resources.
  • Client is looking for a single point of
    distribution for all Microsoft patches.
  • Client company needs reports made available to
    Administrators at each site.
  • WAN and Internet bandwidth are at a premium at
    remote sites.

34
Resolution 1
  • Set up one server in each business and run in
    replica mode.
  • Corporate server is the master.
  • All other servers are replicas.
  • Given that each site is a separate domain, local
    administrators have access to reports for the
    site.

35
Resolution 1 (overview)
Windows Update
Set-up Target Grouping
Synchronize with Microsoft
Install Main WSUS Server
Approve Updates
Updates Dispersed to Replica Servers
Install Replica Mode Servers at Sites
Clients are Updated (per Groups)
Reports Returned to Local Administrators
36
Issues and Caveats 1
  • Reporting
  • Each site can only get reporting on systems that
    were updated from that site's server.
  • There is no single place to gather all the
    reports for the organization, no matter what
    level administrator you are.
  • Domain layout
  • This model works best in a single forest
    multi-domain model.
  • Permissions per site are for the local admin and
    domain root admin.
  • Centralized approval
  • Replica mode is a single console for approvals.
  • Local Administrators only have access to reports,
    not able to approve or decline updates.

37
Situation 2
  • Client Company has several remote locations.
  • Each location is connected with low bandwidth
    connections.
  • Mission critical data is currently taking up most
    of the bandwidth.
  • Each location has its own internet connection
    that is equal to or greater than the WAN
    connection.
  • Client is required to centralize patch
    management.
  • Client needs reports on status of patches.
  • WAN bandwidth is at a premium at remote sites.

38
Resolution 2
  • Set a single WSUS server at the main location.
  • Configure server to force clients to download
    updates from Microsoft directly.
  • Configure clients to install patches as deployed
    from WSUS server.
  • Configure clients to report to the WSUS server.

39
Resolution 2 (overview)
Windows Update
Set-up Target Grouping
Update information Dispersed
Install Main WSUS Server
Synchronize with Microsoft
Approve Updates
Clients are Updated (from Microsoft)
Reports Returned to server for access
Server configured for external download
40
Issues and Caveats 2
  • Reporting
  • Reports are generated on the Central server but
    can be viewed by anyone with permissions through
    a web page.
  • Domain layout
  • This model works best in a single domain with
    many sites with limited connectivity to the
    primary site.
  • Centralized approval
  • Single administrative console for deploying
    patches.

41
Future Roadmap
  • Patch Management Overview
  • Patch Management Tools
  • Real World Solutions
  • Future Roadmap

42
Supported Products And Content
  • Updates for
  • All Microsoft products over time
  • Current Product Listing
  • Windows 2000 SP3 and later versions of Windows
  • Office XP SP2 and Office 2003
  • SQL 2000 and MSDE
  • Exchange 2000 and 2003
  • Platform support/requirements for
  • Windows 2000 SP3 (SP4 for Server) and later
  • Windows XP RTM and later
  • Windows Server 2003 RTM and above

43
Discussion, Any Questions?
Rich Sigmund RSigmund_at_oakwoodsys.com