Patching Windows @ MIT
SUS Services
IS&T Network Infrastructure Services Team
Security Risk Management
Having a Strategic Security Program
Threat: A threat is any potential danger to information or systems.
Threat agent: A threat agent is the person or process attacking the network through a vulnerable port on the firewall, or a process used to access data in a way that violates your security policy.
Vulnerability: A vulnerability is a software, hardware, or procedural weakness that may provide an attacker or threat agent with an opportunity to enter a computer or network and gain unauthorized access to resources within the environment.
Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability. It is the potential for loss or the probability that a threat will exploit a vulnerability.
Exposure: An exposure occurs when a threat agent exposes a company asset to potential loss. A vulnerability can cause an organization to be exposed to possible damages.
Countermeasure: A countermeasure, or safeguard, mitigates a risk. Countermeasures include software configurations, hardware, or procedures that eliminate a vulnerability or reduce the risk of a threat agent from being able to exploit a vulnerability. PROACTIVE!
Microsoft Software Update Services (SUS)
The accelerating lifecycle of a security patch
Introduction to Software Update Services
Features/Components
– SUS Server
– Client
The accelerating lifecycle of a security patch
Frequency between new vulnerabilities
Time the vendor has to release a patch
Time between publication and exploit code
Time for the Administrator or End User to patch
Number of products to patch
Introduction to Software Update Services
Automate: Keep Windows up-to-date with the latest critical and security patches
Simplify: The patch management process - MBSA
Schedule Update times
Deploy: Reach clients that are not part of a Windows Domain
Overview
Microsoft AutoUpdates vs. SUS
[Diagram. Labels: Windows Update, SUS server, updates, Sync Updates, Automatic Updates Client, Configured by Admin, Internet, Intranet]
Features/Components
SERVER: SUS
– Automatic Updates on computers (desktops or servers)
– An internally-hosted Windows Update server
– An internally-controlled content synchronization service
– Administrator control over updates
– Multi-language support - Localized in 24 languages
– Digital signatures on downloaded content
– Server-side logging
– Log of client status
Load balancing SUS at MIT
[Diagram. Labels: Microsoft's, Windows Update, Sync, SUS, F5 (Big IP)]
Features/Components (2)
CLIENT: Automatic Updates
– Installed on computers on the network
– Checks SUS server or public WU for updates regularly
– Auto-download and install updates under admin control
– Automatically download and install critical updates
– Consolidate multiple reboots into a single one
– Notify local administrator on the machine about pending updates
– Notify logged-on users about pending reboots
– Configured using Registry keys
– Supports Group Policy
– Downloads are done in the background using BITS technology
MBSA
Free tool that scans for common security misconfigurations and missing security updates
– GUI and command-line interface (CLI)
– Perform security update portion of scan against local SUS server
  Scans for approved updates on SUS server instead of all available updates
– User interface: MBSA reads registry for SUS server information, or user manually enters it
– CMD LINE: mbsacli.exe /sus http://mysusserver
Client Configuration
– With Active Directory (using Group Policy)
  ADM file – WUAU.adm
  Client behavior and SUS server selection can be configured
– Without Active Directory (but central tool)
  Script to deploy the registry policy keys
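One way to script the registry policy keys for a client outside Active Directory, as an added example (not from the original slides and not MIT's own deployment script). The value names are the standard Automatic Updates policy values; the server URL is the placeholder from the mbsacli line above, and the schedule defaults are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: deploy the Automatic Updates policy keys, then read them back
# so a failed or overwritten setting is reported instead of silently ignored.
param(
    [string]$SusUrl = 'http://mysusserver',      # placeholder server name (assumption)
    [ValidateRange(2,4)][int]$AuOption = 4,      # 2 = notify, 3 = download + notify, 4 = scheduled install
    [ValidateRange(0,7)][int]$InstallDay = 0,    # 0 = every day, 1-7 = Sunday-Saturday
    [ValidateRange(0,23)][int]$InstallHour = 3   # local time, 24-hour clock (assumed default)
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# Desired state: point the client at the internal server and enable scheduled installs.
$desired = @(
    @{ Path = $wu; Name = 'WUServer';             Type = 'String'; Value = $SusUrl }
    @{ Path = $wu; Name = 'WUStatusServer';       Type = 'String'; Value = $SusUrl }
    @{ Path = $au; Name = 'UseWUServer';          Type = 'DWord';  Value = 1 }
    @{ Path = $au; Name = 'NoAutoUpdate';         Type = 'DWord';  Value = 0 }
    @{ Path = $au; Name = 'AUOptions';            Type = 'DWord';  Value = $AuOption }
    @{ Path = $au; Name = 'ScheduledInstallDay';  Type = 'DWord';  Value = $InstallDay }
    @{ Path = $au; Name = 'ScheduledInstallTime'; Type = 'DWord';  Value = $InstallHour }
)

foreach ($d in $desired) {
    # Create the key only if missing; New-Item -Force on an existing key would clear it.
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType $d.Type `
        -Value $d.Value -Force | Out-Null
}

# Verify: collect any value that does not match what was just written.
$drift = foreach ($d in $desired) {
    $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    if ($actual -ne $d.Value) {
        [pscustomobject]@{ Key = "$($d.Path)\$($d.Name)"; Expected = $d.Value; Actual = $actual }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit so a central deployment tool can flag the host
}

# Restart the Automatic Updates service so it picks up the new policy.
Restart-Service -Name wuauserv
```

Running the verification half on a schedule also catches clients that have drifted back to the public Windows Update service and would therefore receive updates the administrator has not approved.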
Website Demo:
http://web.mit.edu/ist/topics/windows/updates