SAGE-AU Adelaide Windows Update Services

Michael Kleef, IT Pro Evangelist
Microsoft Corporation
Level 200

(Transcript of the slide deck, posted 18-Dec-2015 under Documents.)

Agenda

• Security

• Process and Patch Management

• Windows Server 2003

• Q&A

Security

Security Solutions Matrix – Defense in Depth

Environments (columns): Datacenter, Business Partner, Internet Services, Managed Clients, Mobile Clients, Unmanaged Clients

Controls by environment (rows): Physical, Network, Identity, Host, Application, Data

Security Framework – SD3 + Communications

Secure by Design: secure architecture; security-aware features; reduce vulnerabilities in the code

Secure by Default: reduce attack surface area; unused features off by default; only require minimum privilege

Secure in Deployment: protect, detect, defend, recover, manage; process: how-to's, architecture guides; people: training

Communications: clear security commitment; full member of the security community; Microsoft Security Response Center

SD3 At Work – MS03-007: Windows Server 2003 Unaffected

The underlying DLL (NTDLL.DLL) was not vulnerable: fixed during secure code review.

Even if it was running: IIS 6.0 doesn't have DAV enabled by default.

Even if it did have DAV enabled: maximum URL length in IIS 6.0 is 16kb by default (>64kb needed).

Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003.

Even if it DID get this far and there WAS an actual buffer overrun: it would have occurred in w3wp.exe, which is now running as 'network service'.

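Two of the layers on this slide (an unused feature that is off by default, and an input length limit enforced before anything deeper parses the request) can be shown in code. The following is an added example, not from the deck and not IIS code: a small request gate that refuses WebDAV verbs unless DAV has been enabled and rejects request URLs over a configured byte limit before the URL is decoded or routed. The method list, status codes, the GateConfig/gate_request names and the sample requests are constructed for the example; the 16 KB figure is the IIS 6.0 default quoted on the slide.

```python
"""Added example (not from the slide deck or from IIS): a defence-in-depth
request gate that applies two of the layers the MS03-007 slide lists
before any deeper parsing happens:
  1. WebDAV verbs are refused unless DAV has been explicitly enabled
     (off by default, as the slide says of IIS 6.0).
  2. The request URL is length-limited, so an oversized URL never reaches
     whatever parser sits behind the gate.
Method list, status codes, names and sample requests are constructed for
this example; the 16 KB limit is the IIS 6.0 default figure from the slide.
"""
from dataclasses import dataclass
from typing import Optional

# WebDAV request methods (constructed list for the example)
WEBDAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
)
DEFAULT_MAX_URL_BYTES = 16 * 1024  # 16kb default quoted on the slide


@dataclass(frozen=True)
class GateConfig:
    dav_enabled: bool = False             # secure by default: feature off
    max_url_bytes: int = DEFAULT_MAX_URL_BYTES


@dataclass(frozen=True)
class Decision:
    status: int   # HTTP status the gate would answer with; 0 = pass to handler
    layer: str    # which layer stopped the request, or "handler"


def gate_request(raw: bytes, cfg: Optional[GateConfig] = None) -> Decision:
    """Look only at the request line; cheap, fixed-cost checks run first."""
    cfg = cfg or GateConfig()
    end = raw.find(b"\r\n")
    request_line = raw if end < 0 else raw[:end]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return Decision(400, "request-line")
    method, url, _version = parts

    # Layer 1: unused feature off by default
    if method.decode("ascii", "replace").upper() in WEBDAV_METHODS and not cfg.dav_enabled:
        return Decision(501, "dav-disabled")

    # Layer 2: length limit enforced before the URL is decoded or routed
    if len(url) > cfg.max_url_bytes:
        return Decision(414, "url-length")

    return Decision(0, "handler")


def demo() -> dict:
    """Constructed requests: a normal GET, an oversized PROPFIND (>64kb URL,
    the size the slide says the overrun needed), and a malformed line."""
    oversized = b"PROPFIND /" + b"A" * (70 * 1024) + b" HTTP/1.1\r\nHost: example\r\n\r\n"
    return {
        "get": gate_request(b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n").layer,
        "dav_off": gate_request(oversized).layer,
        "dav_on": gate_request(oversized, GateConfig(dav_enabled=True)).layer,
        "malformed": gate_request(b"not an http request").layer,
    }


if __name__ == "__main__":
    for name, layer in demo().items():
        print(f"{name}: stopped at {layer}")
```

With DAV off the oversized request never gets as far as the length check; switching DAV on moves the stop to the length layer, which is the ordering the slide walks through. The worker-process identity ('network service') is the layer that remains if both of these are bypassed, and it is a process-configuration matter rather than something this gate models.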

Process and Patch Management

Patch Management Process

1. Assess Environment to be Patched

Periodic tasks:
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review infrastructure/configuration

Ongoing tasks:
A. Discover assets
B. Inventory clients

2. Identify New Patches

Tasks:
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: installs on isolated system)

3. Evaluate & Plan Patch Deployment

Tasks:
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing

4. Deploy the Patch

Tasks:
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment

The cycle: 1. Assess → 2. Identify → 3. Evaluate & Plan → 4. Deploy → back to 1. Assess

Patch Management Solution Accelerator

• Four step process to assess, identify, evaluate & plan, and deploy patches to their environments

• Provides best practices for implementing technology to distribute patches

• Provides best practices using SMS 2003 for critical patching in a 24 hour period

• Guidelines for operational tasks required for effective patch management

• Downloadable from TechNet
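As an added example (not from the deck and not from any Microsoft tool), steps 1A, 2B and 2C of the process above in Python: a constructed baseline inventory, a relevance and threat assessment of a new bulletin against that inventory, and an integrity check of the downloaded patch against its published hash before it is installed anywhere, including the isolated test system. The Asset and Bulletin types, the host names and versions, the MSYY-NNN bulletin id and the patch bytes are all made up for the example.

```python
"""Added example (not from the slide deck or from any Microsoft tool):
steps 1A, 2B and 2C of the patch management process as code.
  1A  a baseline inventory of systems
  2B  relevance of a new bulletin to that inventory, with a simple threat
      assessment based on severity and internet exposure
  2C  integrity check of the downloaded patch against the hash published
      with the bulletin, before it touches even the isolated test system
Every asset, version, group, the MSYY-NNN bulletin id and the patch bytes
are constructed for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    group: str  # "internet-facing" or "internal"


@dataclass(frozen=True)
class Bulletin:
    id: str
    product: str
    affected_versions: frozenset  # versions the bulletin lists as affected
    severity: str                 # Critical / Important / Moderate / Low
    sha256: str                   # hash published alongside the patch


# 1A: baseline of systems (constructed)
INVENTORY = (
    Asset("web01", "IIS", "5.0", "internet-facing"),
    Asset("web02", "IIS", "6.0", "internet-facing"),
    Asset("app01", "IIS", "5.0", "internal"),
    Asset("db01", "SQL Server", "2000", "internal"),
)

# Constructed patch file; its "published" hash is derived here for the example
PATCH_BYTES = b"EXAMPLE-PATCH-PAYLOAD-v1"
PATCH_SHA256 = hashlib.sha256(PATCH_BYTES).hexdigest()
BULLETIN = Bulletin("MSYY-NNN", "IIS", frozenset({"5.0"}), "Critical", PATCH_SHA256)


def relevant_assets(bulletin: Bulletin, inventory) -> list:
    """2B: baseline systems running an affected version of the product."""
    return sorted(
        a.hostname
        for a in inventory
        if a.product == bulletin.product and a.version in bulletin.affected_versions
    )


def threat_assessment(bulletin: Bulletin, inventory) -> dict:
    """2B: turn relevance plus severity and exposure into a release decision."""
    hosts = relevant_assets(bulletin, inventory)
    exposed = [a.hostname for a in inventory
               if a.hostname in hosts and a.group == "internet-facing"]
    if not hosts:
        action = "not relevant"
    elif bulletin.severity == "Critical" and exposed:
        action = "emergency release"
    elif bulletin.severity in ("Critical", "Important"):
        action = "next scheduled release"
    else:
        action = "bundle with routine maintenance"
    return {"bulletin": bulletin.id, "hosts": hosts, "exposed": exposed, "action": action}


def verify_patch(bulletin: Bulletin, patch_bytes: bytes) -> bool:
    """2C: the downloaded file must match the published hash before any install."""
    return hashlib.sha256(patch_bytes).hexdigest() == bulletin.sha256


if __name__ == "__main__":
    print(threat_assessment(BULLETIN, INVENTORY))
    print("patch integrity ok:", verify_patch(BULLETIN, PATCH_BYTES))
    print("tampered copy ok:", verify_patch(BULLETIN, PATCH_BYTES + b"\x00"))
```

The assessment is deliberately driven by the baseline: without step 1A's inventory there is nothing to measure relevance against, which is why the slide puts the periodic baselining tasks before identification. The hash check stands in for the bulletin's published integrity data; a real deployment would also check the vendor's digital signature on the package.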

Patch management mapped onto the MSM change and release management process (Configuration Management runs alongside each phase):

Setup Activities: Subscription, Baselining

Change Initiation: Quarantine, Relevance, Identification

Change Management: Change Request, Change Classification, Change Authorization, Change Development, Change Review

Release Management: Plan Release, Release Development, Acceptance Testing, Roll-Out Planning, Roll-Out Preparation, Release Deployment

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msm/smf/default.asp

Customer Feedback

Reduce frequency and quantity of patches

Inadequate communications, guidance, and training

Inconsistent patching experience

Multiple, incomplete patch management tools

Inconsistent patch quality

Patch Management Initiative: Progress to Date

Informed & Prepared Customers: rationalized patch severity rating levels; better security bulletins and KB articles; Security Readiness Kit, Patch Management guidance, etc.

Best Patch & Update Management Solutions: developed Patch & Update Management tools roadmap; WUS 2.0 in development with significantly enhanced capabilities; released SMS 2003, which delivers expanded patch and update management capabilities

Consistent & Superior Update Experience: standardized patch and update terminology; standardized patch naming and installer switch options*; installer consolidation plan in place – will go from ~8 to 2; reduced patch release frequency from 1/week to 1/month

Superior Patch Quality: improved patch testing process and coverage; expanded test process to include customers; reduced reboots by 10%; reduced patch size by up to 75%**

More on the Patch Management Initiative in the Roadmap Section of this presentation…

*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0

**75% for Windows Update installs, more than 25% for other patches

Windows Update and Office Update → Microsoft Update

Today: Windows Update, Office Update, SUS, SMS
H1 2005: Microsoft Update, SUS, SMS

• Microsoft Update
– Online service and update repository for updating all Microsoft software
– Built on SUS infrastructure
– Includes automated scanning, update install, and reporting capabilities available in Windows Update

Patch Management Tools Direction

• Longer-term (Longhorn time frame)
– WUS functionality integrated into Windows
– WUS supports updating of all Microsoft software
– WUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
– SMS patch management built on WUS infrastructure and delivers advanced patch management functionality

• Near-term
– Windows Update Services 2.0 (H1 CY2005)
  • Single infrastructure for patch management
  • Support for additional Microsoft products
  • Significant improvements in patch management functionality
– SMS 2003 Update Management Feature Pack (H1 CY2005)
  • Leverages SUS for update scanning & download
  • Leverages SUS client (Automatic Updates) for installs

Windows Update Services 2.0 Highlights

• Support for additional Microsoft products
– Office 2003, SQL Server 2000, Exchange 2000, + additional products over time*

• Status reporting
– Deployment status aggregation per machine/per update/per group
– Download / install success, failure, and error info
– Custom reports using read-only SQL queries

• Administrative control
– Pre-deployment checks; initiate install & uninstall
– Set polling frequencies & install deadlines
– Target updates to groups of machines; policy (AD) or list based group definitions
– Rules for auto-handling of updates

• Deployment & targeting
– Download subset of WU content (e.g., WinXP but not Win2K)
– Automatically deploys / updates SUS clients

*Support for product versions listed here will be available when WUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy WUS 2.0

Windows Update Services
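The administrative-control and status-reporting bullets above describe a targeting and approval model. As an added example (a toy model, not WUS code and not its data schema), the following Python shows list-based and policy-based target groups, per-group auto-handling rules that set an install deadline, and aggregation of per-machine client status into per-group counts. The group names, the OU strings standing in for an AD-policy group definition, the rules, the machines, the KB-EXAMPLE-1 update and the status reports are all constructed.

```python
"""Added example (not WUS code; a toy model of the controls listed on this
slide): list-based and policy-based target groups, per-group auto-handling
rules with install deadlines, and per-group aggregation of client status.
Group names, the OU strings standing in for an AD policy, the rules, the
machines, the KB-EXAMPLE-1 update and the status reports are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Update:
    id: str
    classification: str  # "Critical", "Security" or "Optional"
    product: str


@dataclass(frozen=True)
class Machine:
    name: str
    product: str
    ou: str  # directory container, standing in for an AD-policy group definition


# Group definitions: list based, or policy based (matched on OU here)
GROUPS = {
    "pilot": {"kind": "list", "members": {"pc-07", "pc-12"}},
    "servers": {"kind": "policy", "ou": "OU=Servers"},
    "desktops": {"kind": "policy", "ou": "OU=Desktops"},
}

# Auto-handling rules: group -> (classifications auto-approved, deadline in days)
RULES = {
    "pilot": ({"Critical", "Security", "Optional"}, 1),
    "servers": ({"Critical"}, 14),
    "desktops": ({"Critical", "Security"}, 7),
}

MACHINES = (
    Machine("pc-07", "Windows XP", "OU=Desktops"),
    Machine("pc-12", "Windows XP", "OU=Desktops"),
    Machine("pc-30", "Windows XP", "OU=Desktops"),
    Machine("srv-01", "Windows Server 2003", "OU=Servers"),
)
UPDATE = Update("KB-EXAMPLE-1", "Security", "Windows XP")
TODAY = date(2005, 1, 10)
# Constructed client status reports for UPDATE, one per machine
SAMPLE_REPORTS = {"pc-07": "installed", "pc-12": "failed", "pc-30": "pending", "srv-01": "installed"}


def groups_for(machine: Machine) -> list:
    """A machine can belong to several groups (a pilot desktop is also a desktop)."""
    out = []
    for name, g in GROUPS.items():
        if g["kind"] == "list" and machine.name in g["members"]:
            out.append(name)
        elif g["kind"] == "policy" and machine.ou == g["ou"]:
            out.append(name)
    return sorted(out)


def approvals(update: Update, machines, today: date) -> dict:
    """Groups whose rule auto-approves this update and that contain at least
    one machine running its product, mapped to the install deadline."""
    result = {}
    for m in machines:
        if m.product != update.product:
            continue
        for g in groups_for(m):
            allowed, days = RULES[g]
            if update.classification in allowed and g not in result:
                result[g] = today + timedelta(days=days)
    return result


def status_by_group(reports: dict, machines) -> dict:
    """Aggregate per-machine status into per-group counts for one update."""
    by_name = {m.name: m for m in machines}
    agg = {}
    for name, status in reports.items():
        for g in groups_for(by_name[name]):
            agg.setdefault(g, Counter())[status] += 1
    return {g: dict(c) for g, c in agg.items()}


if __name__ == "__main__":
    for g, deadline in approvals(UPDATE, MACHINES, TODAY).items():
        print(f"{UPDATE.id} approved for {g}, deadline {deadline.isoformat()}")
    print(status_by_group(SAMPLE_REPORTS, MACHINES))
```

The pilot group gets the shortest deadline and the widest auto-approval, which is the usual way to use a list-based group: a handful of machines that see every update first, while policy-based groups carry the stricter production rules.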

Windows Server 2003

• WS2003 Service Pack 1 – H1 2005
– Defence in Depth

• Windows Server 2003 R2 – H2 2005
– Feature Release
  • Identity Federation
  • Branch Office

• Longhorn Server – 2007

Summary

• Defense in Depth
– Microsoft strongly driving holistic security model

• Windows Update Services
– Point solution for patch management
– Process is key

• Windows Server 2003 SP1 builds on this

Microsoft Events and Communities

Not getting event invites anymore? Don’t know what's on in your state?

Subscribe to TechNet Flash via TechNet Lounge

• http://www.microsoft.com/australia/technet

Visit MSDN Community Website and join MSDN Connections

• http://www.microsoft.com/australia/msdn

Subscribe to MSDN Flash Newsletter (events)

• http://msdn.microsoft.com/flash

Or… visit the Profile Center and subscribe to all of them

https://profile.microsoft.com/RegSysSubscriptionCnt/SubCntDefault.aspx

© 2002 Microsoft Corporation. All rights reserved.