Patching Windows @ MIT

Post on 05-Jan-2016


Patching Windows @ MIT

SUS Services

IS&T Network Infrastructure Services Team

Security Risk Management

Having a Strategic Security Program

Threat: A threat is any potential danger to information or systems.

Threat agent: A threat agent is the person or process attacking the network through a vulnerable port on the firewall, or a process used to access data in a way that violates your security policy.

Vulnerability: A vulnerability is a software, hardware, or procedural weakness that may provide an attacker or threat agent with an opportunity to enter a computer or network and gain unauthorized access to resources within the environment.

Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability. It is the potential for loss or the probability that a threat will exploit a vulnerability.

Exposure: An exposure occurs when a threat agent exposes a company asset to potential loss. A vulnerability can cause an organization to be exposed to possible damages.

Countermeasure: A countermeasure, or safeguard, mitigates a risk. Countermeasures include software configurations, hardware, or procedures that eliminate a vulnerability or reduce the risk of a threat agent being able to exploit a vulnerability. PROACTIVE!

Microsoft Software Update Services (SUS)

The accelerating lifecycle of a security patch

Introduction to Software Update Services

Features/Components
– SUS Server
– Client

The accelerating lifecycle of a security patch

Frequency between new vulnerabilities

Time the vendor has to release a patch

Time between publication and exploit code

Time for the Administrator or End User to patch

Number of products to patch

Introduction to Software Update Services

Automate: Keep Windows up-to-date with the latest critical and security patches

Simplify: The patch management process - MBSA

Schedule Update times

Deploy: Reach clients that are not part of a Windows Domain

Overview

Microsoft AutoUpdates vs. SUS

[Diagram labels: Windows Update; SUS server; updates; Sync Updates; Automatic Updates Client; Configured by Admin; Internet; Intranet]

Features/Components

SERVER: SUS
– Automatic Updates on computers (desktops or servers)
– An internally-hosted Windows Update server
– An internally-controlled content synchronization service
– Administrator control over updates
– Multi-language support - Localized in 24 languages
– Digital signatures on downloaded content
– Server-side logging
– Log of client status

Load balancing SUS at MIT

[Diagram labels: Microsoft's Windows Update; Sync; SUS; SUS; F5 (Big IP)]

Features/Components (2)

CLIENT: Automatic Updates
– Installed on computers on the network
– Checks SUS server or public WU for updates regularly
– Auto-download and install updates under admin control
– Automatically download and install critical updates
– Consolidate multiple reboots into a single one
– Notify local administrator on the machine about pending updates
– Notify logged-on users about pending reboots
– Configured using Registry keys
– Supports Group Policy
– Downloads are done in the background using BITS technology

MBSA

Free tool that scans for common security misconfigurations and missing security updates
– GUI and command-line interface (CLI)
– Perform security update portion of scan against local SUS server
  Scans for approved updates on SUS server instead of all available updates
– User interface: MBSA reads registry for SUS server information, or user manually enters it
– CMD LINE: mbsacli.exe /sus http://mysusserver

Client Configuration

– With Active Directory (using Group Policy)
  ADM file – WUAU.adm
  Client behavior and SUS server selection can be configured
– Without Active Directory (but central tool)
  Script to deploy the registry policy keys
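A sketch of the "script to deploy the registry policy keys" for clients outside Active Directory, added here as an example and not taken from the MIT slides or MIT's own script. It writes the Automatic Updates policy values under HKLM and reads them back; the server URL is the placeholder from the MBSA slide, and the daily 03:00 install schedule is an assumption.

```powershell
# Added example: deploy the Automatic Updates policy keys on a non-domain client.
# Run from an elevated PowerShell prompt.
param(
    [string]$SusServer = 'http://mysusserver',  # placeholder URL from the MBSA slide
    [int]$InstallDay   = 0,                     # assumption: 0 = every day, 1-7 = Sunday-Saturday
    [int]$InstallHour  = 3                      # assumption: 03:00 local time (0-23)
)

$ErrorActionPreference = 'Stop'

# Reject anything that is not an absolute http(s) URL before it reaches the registry.
$uri = $null
if (-not ([Uri]::TryCreate($SusServer, [UriKind]::Absolute, [ref]$uri)) -or
    ($uri.Scheme -notin 'http', 'https')) {
    throw "SusServer must be an absolute http(s) URL, got '$SusServer'"
}
if ($InstallDay -notin 0..7 -or $InstallHour -notin 0..23) { throw 'Schedule out of range' }

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# The same values that WUAU.adm sets through Group Policy.
$policy = @(
    @{ Path = $wuKey; Name = 'WUServer';             Type = 'String'; Value = $SusServer }
    @{ Path = $wuKey; Name = 'WUStatusServer';       Type = 'String'; Value = $SusServer }
    @{ Path = $auKey; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 }  # use the SUS server, not public WU
    @{ Path = $auKey; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 }  # Automatic Updates enabled
    @{ Path = $auKey; Name = 'AUOptions';            Type = 'DWord';  Value = 4 }  # auto-download, scheduled install
    @{ Path = $auKey; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = $InstallDay }
    @{ Path = $auKey; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = $InstallHour }
)

foreach ($p in $policy) {
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType $p.Type -Value $p.Value -Force | Out-Null
}

# Read every value back so a silent failure does not leave the client on public WU.
$bad = foreach ($p in $policy) {
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name).($p.Name)
    if ($actual -ne $p.Value) { "$($p.Name): expected $($p.Value), found $actual" }
}
if ($bad) { throw ("Policy verification failed:`n" + ($bad -join "`n")) }

# Restart the Automatic Updates service so it picks up the new policy.
Restart-Service -Name wuauserv
```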

Website Demo:

http://web.mit.edu/ist/topics/windows/updates
