Raven Services Update


Windows Update Services
Patch Management comes of Age
David Wallis
Senior Systems Consultant
Raven Computers Ltd
Agenda
• What are patches and why do we need them?
• Windows Update
• Software Update Services (SUS)
• Raven Update Service
• Office Update and application patches
• Microsoft Update and Windows Update Services (WUS) – the future
• SMS vs WUS/SUS/RUS
• Conclusion and Q&A
What are Patches
• Also known as Hotfixes
• Modifications to the original program code,
normally to fix a problem or vulnerability
• Quick Fix Engineering – QFE
• Not normally tested as thoroughly as
normal software
– May introduce new problems
Worms and Vulnerabilities
• Windows XP contains over 40 Million lines of
code – Mistakes are inevitable
• Bugs may be discovered and exploited
– Buffer Overflows
• Worms
– Programs are written to automate the exploitation of
the bug
– Like viruses, but may not require you to open them
– Can spread very quickly, causing havoc
– Blaster, Nimda, SOBig
• Entire exploitation process is automated
– You do not need to be specifically targeted
Consequences of being exploited
• Trojans / Spyware
– Programs sneaked onto your computer
– May allow complete control of computer, using your
password
• Therefore the whole network may be compromised by one PC
– Harvesting of passwords and account details
• As you log into online banking, process is recorded and sent
to hacker
– Internet Activity can be logged and used to target
advertisements to you or direct you to other sites
Consequences of being exploited
• Zombie/Drone PCs
– Your system may be used to attack other
networks – DDoS
– Your computers may be used to store and
distribute illegal material
– Your computer may be used to execute illegal
or antisocial activities such as SPAM
– Bandwidth, Storage and even Processing
power can be consumed and abused
Consequences of being exploited
• Loss or destruction of data
– Files may be deleted, altered or corrupted
– Confidential data may be shipped outside
your network
– Your systems may crash as a result causing
untold amounts of downtime
The World’s 1st JPG virus
• On September 14th Microsoft issued Security Bulletin MS04-028
– Buffer Overrun in JPEG Processing (GDI+) Could Allow
Code Execution (833987)
• A bug in many products allows a specially crafted JPG file to
execute malicious code simply by viewing the picture
• Many MS products affected including Windows 2000/XP (prior to
SP2), Office XP, Office 2003, IE6.1, and many others
• Each product must be patched separately
• JPG files are ignored by most AntiVirus software as they were
previously thought to be harmless
• On 26/09/04 a trojan was found on Internet news groups (Usenet)
which exploits this bug
• A DIY Virus kit to automate the exploitation is now known to be
available on the Internet
Types of patch
• Critical Security fixes
– Created in direct response to a newly
discovered threat
– Must be applied quickly to protect against
worms written to exploit the vulnerability
– Time to release is very short, so testing is
“Rapid”
– Should almost always be applied if they are
relevant to your setup
Types of patch
• Non-Critical Updates
– Created to fix specific bugs or to enhance
functionality
– Should only be applied if the particular
problem affects your computer
– Can be more thoroughly tested before release
Types of patch
• Service Packs
– Combination of several hotfixes and updates
– Thoroughly tested in a wide range of
environments before release
– Form a new baseline for the product against
which future software will be tested
– Should be applied when deemed stable
Windows Update
• Built into Windows 98, Me,
2000 and XP
• Visit web page to determine
what patches should be
applied
• Tries to only propose relevant
patches
• Must be run manually from
each computer
• Requires user to have Admin
privileges on local computer
• Linked from start menu –
www.windowsupdate.com
Automatic Update Agent
• Introduced with Windows XP SP1 and Win2k
SP4
• Available as a download for Win2k SP3
• Automates download of critical security
patches
• Can automatically apply and restart computer
• Can wait for approval before applying
• Each computer operates separately and
fetches its own updates
Software Update Services - SUS
• Your own Windows Update server
• Runs on a server on your site
• Integrates into IIS
• Administrator approves and downloads patches
• Client agent on PCs installs approved updates from SUS server
• No admin rights needed on local PC
• Can be managed through Group Policy
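The Group Policy settings that point a SUS client at the local server end up in the WindowsUpdate policy key on each PC, so an administrator can verify a client’s configuration from a registry export. The script below is an example added to this transcript (it is not Raven’s or Microsoft’s code): it parses a constructed `.reg`-style export of that key and reports any deviation from the expected settings. The server name `sus01.example.local` is a placeholder; the value names (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers, NoAutoUpdate) are the documented Automatic Updates policy values.

```python
"""Audit of a client's Automatic Updates policy, added to this transcript as an
example (not Raven's or Microsoft's code). The input is a constructed .reg-style
export of the WindowsUpdate policy key, which is where the SUS settings pushed
by Group Policy are stored on each PC. Server names are placeholders."""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# Constructed export from one client that is pointed at an internal SUS server.
# AUOptions: 2 = notify before download, 3 = auto-download and notify,
# 4 = auto-download and install on schedule, 5 = local admin chooses.
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday; ScheduledInstallTime: 0..23.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.example.local"
"WUStatusServer"="http://sus01.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    dword values become ints; quoted string values stay str."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = raw.strip('"')
    return keys


def audit_policy(reg_text, approved_server):
    """Return a list of findings; an empty list means the client is configured
    to take approved updates from the SUS server on a schedule."""
    keys = parse_reg(reg_text)
    wu = keys.get(POLICY_KEY, {})
    au = keys.get(AU_KEY, {})
    findings = []
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates is disabled by policy")
    if au.get("UseWUServer") != 1:
        findings.append("client is not set to use an intranet update server")
    for name in ("WUServer", "WUStatusServer"):
        if str(wu.get(name, "")).lower() != approved_server.lower():
            findings.append(f"{name} is {wu.get(name)!r}, expected {approved_server!r}")
    if au.get("AUOptions") != 4:
        findings.append("AUOptions is not 4: updates are not installed on a schedule")
    elif (au.get("ScheduledInstallDay") not in range(0, 8)
          or au.get("ScheduledInstallTime") not in range(0, 24)):
        findings.append("ScheduledInstallDay/ScheduledInstallTime out of range")
    if au.get("NoAutoRebootWithLoggedOnUsers") != 1:
        findings.append("client may reboot automatically while a user is logged on")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_REG, "http://sus01.example.local") or ["policy OK"]:
        print(finding)
```

On a real client the export would come from `reg export` of the WindowsUpdate policy key; a client whose WUServer points anywhere other than the approved SUS server is the case worth catching, since it would take updates that nobody on site has approved.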
Microsoft Software Update Services (SUS)
[Diagram: a SUS server on the LAN, behind the firewall, pulls updates from the Internet; the administrator approves updates on the SUS server, and the workstations and laptops on the LAN install them from it]
• Built into Windows XP SP1 and Win2k SP4
• Can be managed and deployed through Active
Directory Group Policy
• Machines can be told to install patches at
specified times
• Machines can be told to reboot at specified
times if they are left on
• Could use Wake on LAN to power compatible
PCs on for updates during the night
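Waking PCs for a night-time install window is done with a Wake on LAN “magic packet”: six 0xFF bytes followed by the target MAC address repeated sixteen times, broadcast on the subnet as UDP. The code below is an example added to this transcript (not Raven’s tooling); the broadcast address `192.168.1.255`, UDP port 9 and the MAC addresses are constructed placeholders.

```python
"""Wake-on-LAN magic packet builder and sender, added here as an example for
the 'Wake on LAN' bullet above; it is not Raven's tooling. The broadcast
address, UDP port and MAC addresses are constructed placeholders."""
import re
import socket


def build_magic_packet(mac):
    """Return the 102-byte magic packet: six 0xFF bytes followed by the target
    MAC address repeated 16 times. Accepts 00:11:..., 00-11:... or bare hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def send_wol(mac, broadcast="192.168.1.255", port=9):
    """Broadcast the magic packet on the local subnet; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_all(macs, broadcast="192.168.1.255", port=9):
    """Wake a list of PCs ahead of a scheduled install window.
    Returns {mac: bytes_sent_or_error_text} so the run can be logged."""
    results = {}
    for mac in macs:
        try:
            results[mac] = send_wol(mac, broadcast, port)
        except (ValueError, OSError) as exc:
            results[mac] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed MACs of PCs in the scheduled-install group.
    print(wake_all(["00-11-22-33-44-55", "00:11:22:33:44:66"]))
```

The packet only crosses the local broadcast domain, so a machine on another subnet needs the packet sent from a host on that subnet (or a directed broadcast the routers permit); the target PC must also have Wake on LAN enabled in its BIOS and NIC settings.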
SUS Requirements
• Runs on Windows 2000 SP3 or later, or
Windows 2003 Server running IIS
• Client PCs must run Windows 2000 SP3 or later,
or Windows XP
– Windows 9x not supported
• Installs IISLockdown, so may interfere with some
Intranets
• Administrator must manually approve each
update
• Typical Installation time around ½ day. May vary
on some sites
SUS Capabilities
• SUS can apply all Windows critical
security updates and can now deploy
service packs to Windows 2000 and
Windows XP
• Next version WUS (due H1 05) will allow
security patches for Office, Exchange
Server and SQL Server to be automatically
deployed too (more shortly)
Raven Update Services
[Diagram: Raven technicians approve updates on the Raven Update Server; the customer’s SUS server, behind the firewall, pulls the approved updates from it over the Internet and distributes them to the workstations and laptops on the LAN]
Raven Update Services
• Subscription service - £50 per month
– Requires SUS server to be installed
• Raven Engineers approve updates after
testing on a representative sample of
platforms
• Local SUS server pulls only approved
“Safe” updates from Raven Update Server
• Requires no local administration
• “Hands Free” update of client PCs
Office Patch Management
• www.officeupdate.com
– Like Windows Update, but for Office
– Scans your local machine and proposes
relevant updates
• Binary Patches or Full File updates?
– Binary Patches are smaller but require access
to original installation files (CD or Network
Share)
– Full File Updates are much bigger downloads
but can be applied without the original files
Administrative Deployment of Office Patches
• Either distribute patches separately to clients or update
Administrative Install Point
• Distribute separate patches to clients
– Requires Admin rights on local machine unless using SMS
– Patches can be shipped out in logon script, email or Intranet etc or
using SMS Server
– Common baseline remains original installation
• Update Admin Install Point
– Clients must be instructed to reinstall affected features or whole product
– New installations are already patched
– Necessary if using “Run from Network”
– Clients all maintain a common baseline
– Once source is patched, clients may be unable to repair or install on demand until reinstalled, so may need to maintain an unpatched copy as well
– Can use “Elevated Privileges” for installation
Microsoft Update
• Will combine and replace Windows Update and
Office Update web sites
• Initially will support patching of Windows, Office,
Exchange Server and SQL Server
• Over time will support all Microsoft Products
• Long Overdue – Now expected H1 2005
• Requires better cooperation within MS teams
– Currently there are at least 7 separate, incompatible
installer programs in use for MS patches
– Will be reduced to 2 for MU
WUS – Windows Update Services
• Next version of SUS (2.0)
• Will support all products covered by Microsoft
Update – Windows, Office, Exchange, SQL etc
• Late again, but expected H1 2005
• Many enhanced technologies and new
management features
• RUS will be updated to incorporate WUS
• Public Beta beginning soon
– RUS may be extended to include WUS Beta if stable
Customer Feature Requests

| Top Features Requested | SUS 1.0 SP1 | WUS |
| --- | --- | --- |
| Support for service packs | ✓ | ✓ |
| Install on SBS and domain controller | ✓ | ✓ |
| Support for Office and other MS products | | ✓ |
| Provide reporting (e.g. deployment status) | | ✓ |
| Update targeting | | ✓ |
| Improve support for low bandwidth networks | | ✓ |
| Allow subscriptions to only certain content | | ✓ |
| Set polling frequency for downloading new updates | | ✓ |
| Minimize need for end user interruption | | ✓ |
| Emergency patch deployment (‘big red button’) | | * |
| NT4 support | | |

*Partially addressed through polling frequency control and scripts
Supported Products And Content
• Updates for
– All Microsoft products over time
– At RTM
• Windows 2000 SP3 and later versions of Windows
• Office XP SP2 and Office 2003
• SQL 2000 and MSDE 2000
• Exchange 2003
• Platform support/requirements
– Windows 2000 SP3 (SP4 for Server) and later
– Windows XP RTM and later
– Windows Server 2003 RTM and above
– All localized versions (including MUI)
Solution Overview
[Diagram: the WUS server subscribes to update categories on Microsoft Update and downloads the updates; the WUS administrator approves updates and puts clients into different target groups (Target Group 1: desktop clients; Target Group 2: server clients); clients register themselves with the server, and the Update Agents download and install the administrator-approved updates; a second WUS server is shown serving disconnected servers]
Update Management Features
• Target Groups
– Allow Administrator to manage different groups of PCs
differently
– OU based policy support for
AD environments
– Server-side lists for non-AD environments
• Administrator control of deployment
– Initiate scan of machines for patch applicability
– Approve for install and uninstall
(requires update support)
– Date-based deadlines for approved updates
– Deploy different updates to target groups
Update Management Features
• Agent Configurations
– Polling frequency
– Notification and Install behaviors
– Reboot behaviors
– Port configurability
– Non-administrators can install updates (like
administrators)
– Install at Shutdown (XP SP2 only)
Network Use Optimization Features
• Resilient and transparent
– BITS* for client-server and
server-server downloads
– Downloads are in the background
– Can throttle bandwidth usage
• Minimized data downloads
– Update subscriptions (per product/classification)
– Support for “delta compression” technologies for
client-server communications
– Option to only download approved updates
*Background Intelligent Transfer Service
Reporting Features
• Standard consolidated reports
(for client activity)
– Per machine/per update/per target group
– Download, install success and failures with
error information
• Content synchronization status reports
– What’s new, what changed – much easier for
Administrator
• Event log integration
– Agent and server status events sent to
local event log
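The consolidated reports described above boil down to grouping each client’s status uploads per machine, per update and per target group, and flagging failures and clients that have stopped reporting. The script below is an example added to this transcript, not WUS code: the status records are constructed here in a plausible shape (machine, target group, update id, install state, error code, report time). Machine names, the second update id, the error code and the timestamps are placeholders; 833987 is the MS04-028 KB number quoted earlier in the deck.

```python
"""Consolidated client-activity report, an example added to this transcript
(not WUS code). Records are constructed in a plausible status-upload shape:
(machine, target_group, update, state, error, reported_at)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Error code and PLACEHOLDER-UPDATE-2 are placeholders.
SAMPLE_STATUS = [
    ("WS-001", "Desktops", "833987", "Installed", None, "2004-10-01T02:15:00"),
    ("WS-002", "Desktops", "833987", "Failed", "0x80070005", "2004-10-01T02:20:00"),
    ("WS-003", "Desktops", "833987", "Downloaded", None, "2004-09-20T09:00:00"),
    ("WS-003", "Desktops", "PLACEHOLDER-UPDATE-2", "Installed", None, "2004-09-20T09:00:00"),
    ("SRV-01", "Servers", "833987", "Installed", None, "2004-10-02T03:05:00"),
    ("SRV-02", "Servers", "833987", "NotInstalled", None, "2004-10-02T03:10:00"),
    ("SRV-03", "Servers", "833987", "Installed", None, "2004-10-02T03:12:00"),
]


def per_update_summary(records):
    """Per update: how many machines are in each state, plus failure details
    (machine, target group, error code) for the administrator to chase."""
    summary = defaultdict(lambda: {"counts": defaultdict(int), "failures": []})
    for machine, group, update, state, error, _ in records:
        summary[update]["counts"][state] += 1
        if state == "Failed":
            summary[update]["failures"].append((machine, group, error))
    return {u: {"counts": dict(v["counts"]), "failures": v["failures"]}
            for u, v in summary.items()}


def compliance_by_group(records):
    """Fraction of (machine, update) pairs reporting Installed, per target group."""
    totals = defaultdict(int)
    installed = defaultdict(int)
    for _, group, _, state, _, _ in records:
        totals[group] += 1
        if state == "Installed":
            installed[group] += 1
    return {g: installed[g] / totals[g] for g in totals}


def stale_clients(records, now, max_age_days=7):
    """Machines whose most recent status report is older than max_age_days;
    a silent client is not a compliant client."""
    latest = {}
    for machine, _, _, _, _, reported in records:
        ts = datetime.fromisoformat(reported)
        latest[machine] = max(latest.get(machine, ts), ts)
    cutoff = now - timedelta(days=max_age_days)
    return sorted(m for m, ts in latest.items() if ts < cutoff)


if __name__ == "__main__":
    for update, info in per_update_summary(SAMPLE_STATUS).items():
        print(update, info["counts"], "failures:", info["failures"])
    print("compliance:", compliance_by_group(SAMPLE_STATUS))
    print("stale:", stale_clients(SAMPLE_STATUS, datetime(2004, 10, 5)))
```

The stale-client check is the part worth keeping even when the server’s own reports are good: a machine that was switched off for the whole install window shows up neither as a success nor as a failure, only as an absence.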
Deployment/Management Flexibility
• Server deployment options
– Updates hosted on Microsoft Update
• RUS server acts as a control point
– Hierarchical deployment
• Independent servers (admin wishes not inherited)
• “Replica” servers (admin wishes inherited)
• Manageability (and extensibility)
– .NET based Server APIs (for admin tasks)
– COM based Client APIs (with scripting and remoting support)
– Automatic deployment of updates
– Command line options to trigger update detection
• Big Red Button!
SMS 2003
• Systems Management Server
• Allows Inventory and discovery of Servers, PCs,
Print Servers, Palmtops etc on the network
• Allows Targeted Software Distribution based on
many criteria
– Applications, Patches and even OS’s
• Remote Control and Management of all
Windows computers
• Will be updated shortly to incorporate WUS
engine
Comparing WUS And SMS
• Simple (WUS) versus Advanced (SMS)
– SMS not intended for small networks (<20 PCs)
• Client support – SMS still supports Win9x/NT4
• Update / Application deployment
• Reporting features – SMS far more wide ranging
• WUS: Want update management-only solution that provides simple updating for Microsoft software
• SMS: Single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution
Choosing A Patch Management Solution
Typical customer decisions

| Customer Type | Scenario | Customer Chooses |
| --- | --- | --- |
| Large or Medium Enterprise | Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution | SMS 2003 |
| Large or Medium Enterprise | Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 | WUS* / RUS |
| Small Business | Have at least 1 Windows server and 1 IT administrator | WUS* / RUS |
| Small Business | All other scenarios | RUS / Microsoft Update* |
| Consumer | All scenarios | RUS / Microsoft Update* |

*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by WUS or Microsoft Update
Consolidated Solutions Roadmap
[Diagram: three rows (Update Content Repositories and Online Services; Standalone Update Scanning Tools; Update Management Products) across three time frames (Current, H1/2005, Longhorn). Update content repositories and online services: Windows Update, Office Update and Download Center today; Microsoft Update, Windows Update and Download Center in H1/2005; Microsoft Update and Windows Update in Longhorn. Standalone update scanning tools: MBSA 1.1.1, MBSA 1.2 and the Office Inventory Tool today; MBSA 2.0 (includes OIT) in H1/2005. Update management products: SUS 1.0, SMS 2.0 with Feature Pack, SMS 2003 and manual/script based updating today; WUS, the WUS client, SMS 2003 with Feature Pack, and 3rd party and in-house developed apps update repositories in H1/2005; WUS n.0, System Center, Windows Server Longhorn and 3rd party/in-house tools in Longhorn]
Additional Information
• Sign up to receive information about the Open Evaluation
Program at http://www.microsoft.com/wus
• Visit www.microsoft.com/sus for the latest information on
SUS 1.0
• Join the SUS news group
• Microsoft’s prescriptive guidance for patch management
• For information on SMS 2003 go to
www.microsoft.com/smserver
• Or just ask your Raven Representative
Conclusions
• Patch management is essential in the current computing
climate
– Otherwise you will be hacked
• SUS can automate deployment of Windows Patches, but needs
managing
– Contact your Raven representative to arrange installation NOW
• RUS removes the burden of approving Windows patches enabling
SUS to run virtually hands free
– Sign up for RUS here, today!
• Office and other products must be patched separately for now
– Raven Consultants are available to assist in deployment
• WUS will improve manageability of SUS and extend it to include
other products
• RUS will support WUS when it is available
• For larger enterprises, consider SMS
– Speak to your Raven representative to find out if SMS is for you
Any Questions?
David Wallis
Senior Systems Consultant
Raven Computers Ltd
[email protected]