Post on 06-Mar-2015
Microsoft Security & Patch Management Solutions And Strategy
Microsoft Corporation
Situation: Process, Guidance, Tools Critical
Timeline: Product ship -> Vulnerability discovered -> Component modified -> Patch released -> Patch deployed at customer site
Most attacks occur here (annotation on the gap between patch release and patch deployment at the customer site)
Why does this gap exist?
Exploit Timeline: Days From Patch to Exploit
The average is now [figure missing from slide] days for a patch to be reverse-engineered
As this cycle keeps getting shorter, patching is a less effective defense in large organizations; automation for testing and deployment is needed
Why does this gap exist?
Chart: Days between patch and exploit, with bars for Nimda, SQL Slammer, Welchia/Nachi and Blaster (values shown: 331, 180, 151, 25; legend marks the patch date and the exploit code date for each)
Microsoft Security Response Process (Product Team and Security Team)
Flow: Vulnerability Report Received -> Triaged for Criticality -> Issue Reproduced -> Patch Developed -> Patch Tested -> Documentation Developed -> Field Guidance Developed -> Patch Released & Notification Sent -> Development Practices Updated
Vulnerability reports arrive via:
• Secure@microsoft.com
• Microsoft Technical Support
• Mailing lists (NTBugTraq, BugTraq, etc.)
• Web form
Criticality ratings:
• Critical
• Important
• Moderate
• Low
• None
Patch testing:
• Verify issue is fixed
• Developer testing
• Sustained engineering testing
• Testing by customers
Documentation:
• Security Bulletin
• Knowledge Base Article
• Premier Customer Alert
Notification via:
• www.microsoft.com/security
• Notification service
• Mailing lists
• Patches released*
*On second Tuesday of each month
Associated with patch release:
• Security bulletin
• Updated MSSecure.xml file for MBSA
• Patch (including localized versions) on Windows Update and Download Center
• Update catalog for SUS
Improved Patching Experience: Microsoft Patch Policies
• Non-emergency security patches on a monthly release schedule, the second Tuesday of every month (if there are some to release; sometimes there are none, as was the case for March 2005)
• Security Notification Service sends an alert 3 business days ahead of time
• New alert mechanisms such as RSS Feed, IM, or MSRC Blog
• Security Bulletins now very comprehensive and detailed; language clear and concise
• Patches for emergency issues will still release immediately
Enhancements to the Advanced Notification Program
• Program introduced in November 2004 to assist with preparation and resource planning
• Expanded to include the following information each month:
  • Strains of malicious software that will be cleaned with the Malicious Software Removal tool
  • Information about the detection tool applicable to the upcoming security updates
  • Any non-security, high priority updates on Windows Update that will be released on the same day as security updates
• More information: www.microsoft.com/technet/security/bulletin/advance.mspx
New Resources This Month (April)
MSN Security Alerts:
• A new “security” category added to the MSN Alerts Service: security bulletin release notifications and security incident updates
• MSN Messenger users can receive a popup whenever new information is available
• For more information: www.microsoft.com/security/bulletins/alerts.mspx
RSS feed for consumer level security bulletins:
• By using an RSS reader, customers can now be proactively notified when new bulletins are available
• More information: www.microsoft.com/updates
MSRC Blog on TechNet:
• First introduced during the RSA Conference in February 2005
• Received positive customer response
• Moved to a more permanent home on TechNet: http://blogs.technet.com/msrc
Microsoft “Security360”, April 2005
Register to review the April 19 session: www.microsoft.com/security360
Topic: E-mail Security, It’s More Than Filtering
• E-mail security is not just about preventing unsolicited messages; it is also about protecting the digital information assets you send through e-mail
• Discussion covering the whole spectrum of e-mail security, including filtering technologies, e-mail policies and enforcement, and partner solutions
• A checklist of recommendations and resources
Resources
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/ms05-Apr.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• May Security Bulletins Webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032273403&Culture=en-US
• Windows XP Service Pack 2: www.microsoft.com/technet/winxpsp2
• Windows Server 2003 Service Pack 1: www.microsoft.com/windowsserver2003/default.mspx
• Security Newsletter: www.microsoft.com/technet/security/secnews/default.mspx
• On-demand Supplement Webcast on Detection & Deployment: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032268810&Culture=en-US
Solutions for Management: Patch Management Guidance
• Provides best practices guidance for patch management
• Scales from small organizations up to an enterprise organization
• People, Process & Tools Guidance consists of:
  • End to End Process for Patching (built on MOF)
  • Description of how the tools (SMS 2003 & SUS) automate the process
  • Guidance on roles and responsibilities
• Built upon a Management Architecture
• The MSM offering may be downloaded from http://www.microsoft.com/technet/itsolutions/msm
• The Patch Management Guidance can be found at http://www.microsoft.com/technet/security/topics/patchmanagement.mspx
Patch Management Process
Cycle: 1. Assess -> 2. Identify -> 3. Evaluate & Plan -> 4. Deploy
1. Assess Environment to be Patched
Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review infrastructure/configuration
Ongoing Tasks
A. Discover Assets
B. Inventory Clients
2. Identify New Patches
Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: installs on isolated system)
3. Evaluate & Plan Patch Deployment
Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing
4. Deploy the Patch
Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment
Microsoft Severity Ratings
Rating / Definition
Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or in the integrity or availability of processing resources
Moderate: Serious vulnerability, but exploitability mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
Low: Exploitation is extremely difficult, or impact is minimal
Patching Timeframes
Severity Rating / Recommended Patching Timeframe
Critical: Within 24 hours
Important: Within 1 month
Moderate: Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
Low: Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within 1 year
Factors Impacting Release Timeframes
Factor / Potential Impact
High value or high exposure assets impacted: Decrease timeframe
Assets historically attacked are impacted: Decrease timeframe
Mitigating factors in place or will be quickly put in place: Increase timeframe
Low risk of exposure for impacted assets: Increase timeframe
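The two tables above give a base window per severity rating and four factors that move it up or down. The Python below is an added example, not part of Microsoft's deck: it turns those tables into a deadline calculation and orders a release cycle's bulletins by how soon they are due. The day counts used for "1 month", "4 months" and "1 year", the halving/doubling applied per factor, and the MS05-EXAMPLE bulletin ids are all assumptions; the slides only say "decrease" or "increase".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Base windows from the "Patching Timeframes" table. The day counts used for
# "1 month", "4 months" and "1 year" (30 / 120 / 365) are an assumption.
BASE_TIMEFRAME_DAYS = {
    "Critical": 1,      # within 24 hours
    "Important": 30,    # within 1 month
    "Moderate": 120,    # within 4 months, or wait for the next SP / rollup
    "Low": 365,         # within 1 year, or wait for the next SP / rollup
}

# The "Factors Impacting Release Timeframes" table only says decrease or
# increase; halving and doubling are an assumed local policy, not a Microsoft figure.
DECREASE_FACTOR = 0.5
INCREASE_FACTOR = 2.0


@dataclass(frozen=True)
class AssetContext:
    """Answers to the four factor questions for the assets a patch touches."""
    high_value_or_exposure: bool = False   # factor 1: decrease timeframe
    historically_attacked: bool = False    # factor 2: decrease timeframe
    mitigations_in_place: bool = False     # factor 3: increase timeframe
    low_exposure: bool = False             # factor 4: increase timeframe


def recommended_timeframe_days(severity: str, ctx: AssetContext) -> int:
    """Days allowed for deployment after the adjustment factors are applied.

    Factors combine multiplicatively, so one decrease and one increase cancel
    out and the base window is restored. The result never drops below one
    day, which keeps Critical at "within 24 hours" however many decreases apply.
    """
    if severity not in BASE_TIMEFRAME_DAYS:
        raise ValueError(f"unknown severity rating: {severity!r}")
    days = float(BASE_TIMEFRAME_DAYS[severity])
    for decrease in (ctx.high_value_or_exposure, ctx.historically_attacked):
        if decrease:
            days *= DECREASE_FACTOR
    for increase in (ctx.mitigations_in_place, ctx.low_exposure):
        if increase:
            days *= INCREASE_FACTOR
    return max(1, round(days))


def deployment_deadline(severity: str, ctx: AssetContext, released_iso: str) -> str:
    """ISO date by which the patch should be deployed, given the release date."""
    released = date.fromisoformat(released_iso)
    deadline = released + timedelta(days=recommended_timeframe_days(severity, ctx))
    return deadline.isoformat()


def schedule(bulletins, released_iso: str):
    """Order a release cycle's bulletins by deadline, tightest first.

    bulletins: iterable of (bulletin_id, severity, AssetContext).
    Returns a list of (deadline_iso, bulletin_id, days) tuples.
    """
    rows = []
    for bulletin_id, severity, ctx in bulletins:
        days = recommended_timeframe_days(severity, ctx)
        rows.append((deployment_deadline(severity, ctx, released_iso), bulletin_id, days))
    rows.sort()
    return rows


if __name__ == "__main__":
    # Constructed sample with placeholder bulletin ids (not real Microsoft bulletins);
    # 2005-04-12 is the second Tuesday of April 2005.
    sample = [
        ("MS05-EXAMPLE-A", "Critical", AssetContext()),
        ("MS05-EXAMPLE-B", "Important", AssetContext(high_value_or_exposure=True)),
        ("MS05-EXAMPLE-C", "Moderate", AssetContext(mitigations_in_place=True, low_exposure=True)),
        ("MS05-EXAMPLE-D", "Low", AssetContext(historically_attacked=True, mitigations_in_place=True)),
    ]
    for deadline, bulletin_id, days in schedule(sample, "2005-04-12"):
        print(f"{bulletin_id}: {days} days -> deploy by {deadline}")
```

The point of encoding the factors rather than eyeballing them is that the same bulletin gets a different deadline per asset group, which is what the "Factors Impacting Release Timeframes" table is asking for; the multipliers are the part a team would tune to its own risk appetite.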
Patch Management Process, Step 1: Assess
• Are there any threats or vulnerabilities in the environment?
• Has anything changed in production?
  • New operating systems and applications
  • Changes to network or management infrastructure
• Accurate and up-to-date inventory information is essential to the process
• Is the management infrastructure able to support patch management?
Patch Management Process, Step 2: Identify
• How can you be notified about new patches?
• Is the patch relevant to the organization?
• Which systems need to be patched?
• Do all systems need to be patched with the same level of priority?
• Which systems are most vulnerable?
• Has the patch been downloaded and checked to be virus free?
• Does the patch install successfully on a trial system?
• Has a change request (RFC) been submitted for this patch?
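Step 2 task C ("Verify patch authenticity & integrity") and the question above about the download being checked before it reaches a trial system describe a gate that a script can enforce before anyone double-clicks a package. The Python below is an added example, not Microsoft's tooling: it checks that the file came from an expected distribution point over HTTPS and that its SHA-256 digest matches the value your source of truth records for it, using a constant-time comparison. The allowlisted hostnames, the sample package bytes and the placeholder URL are constructed for the example; the malware scan and the isolated-system trial install from the slides remain separate steps.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Distribution points the release process names (Windows Update, Download
# Center). The concrete hostnames are an assumption for this example; use the
# hosts your bulletin links actually resolve to.
TRUSTED_DOWNLOAD_HOSTS = frozenset({
    "download.microsoft.com",
    "windowsupdate.microsoft.com",
})

HEX_DIGITS = frozenset("0123456789abcdef")


def source_is_trusted(url: str) -> bool:
    """True only for an HTTPS URL whose host is exactly on the allowlist.

    Anything without a URL (for example a package that arrived as an e-mail
    attachment) fails here: software is never distributed that way.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.scheme == "https" and host in TRUSTED_DOWNLOAD_HOSTS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Digest a large package without reading it into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time, case-insensitive comparison of two hex digests."""
    expected = expected_hex.strip().lower()
    if not expected or any(c not in HEX_DIGITS for c in expected):
        return False  # malformed reference value: treat as no match
    return hmac.compare_digest(actual_hex.lower(), expected)


def check_download(url: str, data: bytes, expected_sha256: str) -> dict:
    """Run both gates and report which one failed, if any."""
    result = {
        "source_ok": source_is_trusted(url),
        "digest_ok": digest_matches(sha256_hex(data), expected_sha256),
    }
    result["accept"] = result["source_ok"] and result["digest_ok"]
    return result


# Constructed sample package bytes and the reference digest recorded for them.
SAMPLE_PACKAGE = b"MZ\x90\x00constructed-sample-package-bytes\x00"
SAMPLE_EXPECTED_SHA256 = sha256_hex(SAMPLE_PACKAGE)
TAMPERED_PACKAGE = SAMPLE_PACKAGE + b"\x00extra"

if __name__ == "__main__":
    url = "https://download.microsoft.com/example/placeholder-package.exe"  # placeholder URL
    print("intact:  ", check_download(url, SAMPLE_PACKAGE, SAMPLE_EXPECTED_SHA256))
    print("tampered:", check_download(url, TAMPERED_PACKAGE, SAMPLE_EXPECTED_SHA256))
    print("no URL:  ", check_download("", SAMPLE_PACKAGE, SAMPLE_EXPECTED_SHA256))
```

Both checks are deliberately strict: a host that merely contains the trusted name, a plain-HTTP link, or a reference digest that is not valid hex all come back as a rejection rather than a pass, so the failure modes surface before the package is staged.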
Patch Management Process, Step 3: Evaluate and Plan
• Need to test the patch before deployment
  • Important to ensure that business critical functions still work
  • Amount of testing will depend on risk
• Use change management process to ensure all parties agree with need to deploy
• If critical, use an expedited process!
Patch Management Process, Step 3: Evaluate and Plan (Cont.)
• Consider how & when to install the patch
  • Installation process may differ for server and desktop devices
  • Need to consider outage windows and business continuity
  • Need to consider how to patch mobile clients and clients connecting across slow or unreliable networks
  • Can the patch be combined with other changes to minimize down time…
Patch Management Process, Step 4: Deploy
• Production environment needs to be prepared for new patches
  • Administrators/users will need to be informed of possible downtime
  • Possible training to assist support desk
  • Distribution points checked to confirm presence of patch and associated binaries
Patch Management Process, Step 4: Deploy (Cont.)
• Monitor patch distribution
  • Check progress and deal with exceptions
• Releasing patches to mobile clients and slow connections
  • Size of patch may be a significant issue
  • Options include forcing mobile clients into the office or distributing across the network
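Step 2 asks which systems need a given patch, and Step 4 asks for progress reporting, exception handling, and separate treatment of mobile clients on slow links. The Python below is an added example rather than Microsoft's own tooling: it matches a patch's target platforms against a constructed inventory, then rolls install results into the kind of status and compliance summary the SMS/SUS comparison later in the deck describes. The host names, OS labels, the MS05-EXAMPLE bulletin id and the KB000000 update id are all placeholders.

```python
from dataclasses import dataclass


@dataclass
class Host:
    """One inventory record. OS labels follow the deck's own abbreviations."""
    name: str
    os: str
    installed: frozenset = frozenset()   # update ids already present
    mobile: bool = False                 # laptop, or slow / unreliable link


@dataclass(frozen=True)
class Patch:
    bulletin: str          # placeholder id, not a real bulletin number
    update_id: str         # placeholder KB id
    severity: str
    applies_to: frozenset  # OS labels the update targets


def applicable_hosts(inventory, patch):
    """Hosts running an OS the patch targets, whether or not it is installed."""
    return [h for h in inventory if h.os in patch.applies_to]


def affected_hosts(inventory, patch):
    """Step 2: applicable hosts that still lack the update."""
    return [h for h in applicable_hosts(inventory, patch) if patch.update_id not in h.installed]


def deployment_report(inventory, patch, results):
    """Step 4: summarise distribution so far and surface the exceptions.

    results maps host name -> "success" or "failed"; hosts with no entry are
    still pending. Mobile clients are reported separately because the deck
    treats slow links as their own release problem.
    """
    applicable = applicable_hosts(inventory, patch)
    applicable_names = {h.name for h in applicable}
    report = {
        "bulletin": patch.bulletin,
        "severity": patch.severity,
        "not_applicable": [h.name for h in inventory if h.name not in applicable_names],
        "already_installed": [h.name for h in applicable if patch.update_id in h.installed],
        "installed": [], "failed": [], "pending": [], "pending_mobile": [],
    }
    for h in affected_hosts(inventory, patch):
        outcome = results.get(h.name)
        if outcome == "success":
            report["installed"].append(h.name)
        elif outcome == "failed":
            report["failed"].append(h.name)          # exception: needs follow-up
        elif h.mobile:
            report["pending_mobile"].append(h.name)  # schedule an office visit or a network push
        else:
            report["pending"].append(h.name)
    patched = len(report["already_installed"]) + len(report["installed"])
    report["compliance_pct"] = round(100.0 * patched / len(applicable), 1) if applicable else 100.0
    return report


# Constructed inventory and results; every name and id here is a placeholder.
INVENTORY = [
    Host("SRV-01", "WS2003"),
    Host("SRV-02", "WS2003", installed=frozenset({"KB000000"})),
    Host("WKS-01", "WinXP"),
    Host("WKS-02", "WinXP"),
    Host("LAP-01", "WinXP", mobile=True),
    Host("OLD-01", "WinME"),   # not in the patch's target list
]
PATCH = Patch("MS05-EXAMPLE", "KB000000", "Critical", frozenset({"Win2K", "WinXP", "WS2003"}))
RESULTS = {"SRV-01": "success", "WKS-01": "success", "WKS-02": "failed"}

if __name__ == "__main__":
    report = deployment_report(INVENTORY, PATCH, RESULTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Compliance is computed over every applicable host, not just the ones targeted this cycle, so a machine that was already patched counts toward the figure and a machine that is simply absent from the inventory cannot be counted at all, which is Law #4 in the closing slide in practical form.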
Patch Management Process: Roles and Responsibilities
• People need to have defined roles and responsibilities
• Perform daily, weekly, monthly, and as-needed tasks
  • Audit server production environment (daily)
  • Check for new information sources (monthly)
  • Review new patch notifications (as needed)
Points about Patching
For successful patch management in a distributed IT environment consider:
• How to stay aware of new patches and fixes.
• Whether it is necessary to apply a particular patch.
• The system-wide impact of installing a patch.
• What specifically a patch will change.
• If a patch can be removed, once installed.
• Dependencies between components in the production environment and the impact of applying a patch to one of those components.
• How to evaluate the success of a patch installation.
• The possible scenarios for restoring a patched environment.
Solution Components
Analysis Tools
• Microsoft Baseline Security Analyzer (MBSA)
• Office Inventory Tool
Online Update Services
• Windows Update
• Office Update
Content Repositories
• Windows Update Catalog
• Office Download Catalog
• Microsoft Download Center
Management Tools
• Automatic Updates (AU) feature in Windows
• Software Update Services (SUS)
• Systems Management Server (SMS)
Prescriptive Guidance
• Microsoft Guide to Security Patch Management
• Patch Management Using SUS
• Patch Management Using SMS
Content Repository Comparison
Windows Update*
• Supported Software: Windows operating systems and its components only
• Supported Content Types: Security patches, security rollups, critical updates, SP’s and driver updates
• Scans for Updates: Yes
• Usage Options:
  • User initiated -- automatically detects, downloads, & installs updates via online service
  • Automatic Updates initiated -- automatically detects & downloads updates
  • Manual content search & download (from Windows Update Catalog)
Office Update
• Supported Software: Microsoft Office and its components only
• Supported Content Types: Security patches, critical updates, and SP’s
• Scans for Updates: Yes
• Usage Options:
  • User initiated -- automatically detects, downloads, & installs updates via online service
  • Manual content search & download (from Office Download Catalog)
MS Download Center
• Supported Software: All Microsoft products
• Supported Content Types: All types of content
• Scans for Updates: No
• Usage Options: Manual content search & download only
Choosing A Patch Management Solution
Capability / Windows Update / SUS 1.0 / SMS 2003
Core Patch Management Capabilities:
• Supported Platforms for Content
  • Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
  • SUS 1.0: Win2K, WS2003, WinXP
  • SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98
• Supported Content Types
  • Windows Update: All patches, updates (including drivers), & service packs (SP’s) for the above
  • SUS 1.0: Only security & security rollup patches, critical updates, & SP’s for the above
  • SMS 2003: All patches, SP’s & updates for the above; supports patch, update, & app installs for MS & other apps
• Granularity of Control
  • Targeting Content to Systems: Windows Update No; SUS 1.0 No; SMS 2003 Yes
  • Network Bandwidth Optimization: Windows Update No; SUS 1.0 Yes (for patch deployment); SMS 2003 Yes (for patch deployment & server sync)
  • Patch Distribution Control: Windows Update No; SUS 1.0 Basic; SMS 2003 Advanced
• Patch Installation & Scheduling Flexibility
  • Windows Update: Manual, end user controlled
  • SUS 1.0: Admin (auto) or user (manual) controlled
  • SMS 2003: Administrator control with granular scheduling capabilities
• Patch Installation Status Reporting
  • Windows Update: Assessing computer history only
  • SUS 1.0: Limited (client install history & server based install logs)
  • SMS 2003: Comprehensive (install status, result, and compliance details)
Additional Software Distribution Capabilities:
• Deployment Planning: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
• Inventory Management: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
• Compliance Checking: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
MBSA Update Scanning Functionality
Overall direction
• MBSA update scanning functionality integrated into Windows patch management functionality
• MBSA becomes Windows vulnerability assessment & mitigation engine
Near- and Intermediate-term plans
• MBSA 1.2.1 (Q1 2004)
  • Windows XP SP2 support
  • Improves report consistency, product coverage, and locale support
  • Integrates Office Update Inventory Tool
• MBSA 2.0 (Q2 2005)
  • Update scanning functionality migrates to Microsoft Update Services / Microsoft Update
  • MBSA leverages MSUS 2.0 for update scanning
  • Beta program now open for participation
Adopt a Patch Management Solution
At Microsoft, our #1 concern is the security and availability of your IT environment
If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor. Below is a partial list of available products:
Company Name / Product Name / Company URL
Altiris, Inc. / Altiris Patch Management / http://www.altiris.com
BigFix, Inc. / BigFix Patch Manager / http://www.bigfix.com
Configuresoft, Inc. / Security Update Manager / http://www.configuresoft.com
Ecora, Inc. / Ecora Patch Manager / http://www.ecora.com
GFI Software, Ltd. / GFI LANguard Network Security Scanner / http://www.gfi.com
Gravity Storm Software, LLC / Service Pack Manager 2000 / http://www.securitybastion.com
LANDesk Software, Ltd / LANDesk Patch Manager / http://www.landesk.com
Novadigm, Inc. / Radia Patch Manager / http://www.novadigm.com
PatchLink Corp. / PatchLink Update / http://www.patchlink.com
Shavlik Technologies / HFNetChk Pro / http://www.shavlik.com
St. Bernard Software / UpdateExpert / http://www.stbernard.com
*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
Summary
• Addressing the patch management issue is a top priority
• Taking a comprehensive, tactical & strategic approach
• Made progress, but much more work to be done
• Microsoft focused on:
  • Reducing the number of vulnerabilities & associated patches
  • Improving customer preparedness, training & communication
  • Simplifying & standardizing the patching experience
  • Improving patch quality
  • Unifying and strengthening patch management offerings
• Key Recommendations:
  • Implement a good patch management process – it’s the key to success
  • Adopt a patch management solution that best fits your needs
Resources
• Microsoft Security Response Center: To report a suspected vulnerability, send e-mail to Secure@Microsoft.Com
• Microsoft Virus Safety Line
  • Outside U.S.: contact the local Microsoft PSS support center
  • In the U.S.: 1-866-PC-SAFETY
  • Premier Support: 1-800-936-3100
• Warning: Microsoft never distributes software via e-mail; please see http://www.microsoft.com/technet/security/policy/swdist.asp
The Ten Immutable Laws of Security Patch Management
Law #1: Security Patches are a Fact of Life.
Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
Law #3: There is No Patch for Bad Judgment.
Law #4: You Can’t Patch What You Don’t Know You Have.
Law #5: The Most Effective Patch is The One You Don’t Have to Apply.
Law #6: A Service Pack Covers a Multitude of Patches.
Law #7: All Patches Are Not Created Equal.
Law #8: Never Base Your Patching Decision on Whether You’ve Seen Exploit Code… Unless You’ve Seen Exploit Code.
Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
Law #10: Patch Management is Really Risk Management.