WSUS for Secure Patching: Top Tips, Tricks and Scripts for
Overcoming Limitations and Challenges
© 2013 Monterey Technology Group Inc.
Brought to you by
Speaker Russ Ernst – Group Product Manager
www.lumension.com
Preview of Key Points
• Lots of tips
• Troubleshooting resources
• What’s new in Win2013 WSUS
• When is WSUS not enough
Ensure “no computer left behind”
• Create a top-level GPO that configures “Specify intranet Microsoft update service location”
• “once an organisation does this they are amazed how this discovers a number of “hiding” computers on their network that have never been patched” – Alan Burchill,
  http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
• Internet-facing WSUS: http://blogs.technet.com/b/sus/archive/2011/05/09/how-to-create-an-internet-facing-wsus-server-that-uses-different-internal-and-external-names.aspx
Enable Client side targeting
• May be a no-brainer for many, but WSUS Computer Groups allow you to target patches at specific computers
  » BTW, these are not AD groups
• In WSUS, set “You can specify how to assign computers to groups” to “Use Group Policy”
  » This allows you to assign computers automatically as they appear in AD
• In Group Policy, set “Enable client-side targeting” to the appropriate WSUS group
Think hard on OU, GPO and WSUS group structure
• WSUS allows parent/child groups
• Building WSUS groups to match the OU structure reduces confusion: 1 WSUS group = 1 OU = 1 GPO, same names
• But make sure you have computers divided up according to how you want to patch
• Have large sets of computers broken into smaller groups so you can phase in updates and stop if problems occur
Set up a Test Group that draws on sampling of computers
For each major set of computers – especially workstations:
• Create a WSUS group called Test Workstations
• Create an AD security group WSUS Test Workstations
• Take computers from each OU/department/subtype of the larger set and make them members of the WSUS Test Workstations group
  » Goal: to have a representative “sampling” of all systems to test patches upon
  » Perhaps identify users from each department most amenable or most likely to notice problems
• Create a WSUS Test GPO at the root of the domain or the topmost OU containing applicable computers
  » Enforce the GPO
  » Change the “apply group policy” permission from Everyone to WSUS Test Workstations
  » Set “Enable client-side targeting” to WSUS Test Workstations
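The test-group procedure above, as an added example (not from the webinar or from Lumension) using the ActiveDirectory and GroupPolicy modules; the group name, GPO name, WSUS target group and per-OU sample size are assumptions, and the WSUS “Test Workstations” computer group is assumed to exist on the server already.

```powershell
# Added example: provision a representative WSUS test group and its enforced, filtered GPO.
Import-Module ActiveDirectory, GroupPolicy

$adGroup   = 'WSUS Test Workstations'   # assumption: AD security group from the slide
$gpoName   = 'WSUS Test'                # assumption: GPO name from the slide
$wsusGroup = 'Test Workstations'        # assumption: WSUS computer group (create it in WSUS first)
$perOu     = 2                          # assumption: workstations sampled from each OU
$domainDn  = (Get-ADDomain).DistinguishedName

# 1. AD security group that will carry the sampled computers
if (-not (Get-ADGroup -Filter "Name -eq '$adGroup'")) {
    New-ADGroup -Name $adGroup -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDn"
}

# 2. Sample a few enabled, non-server computers from every OU.
#    OneLevel keeps nested OUs as separate populations so each department is represented.
$sample = @(foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    Get-ADComputer -SearchBase $ou.DistinguishedName -SearchScope OneLevel `
        -Filter "Enabled -eq 'True' -and OperatingSystem -notlike '*Server*'" |
        Get-Random -Count $perOu
})
if ($sample.Count -gt 0) { Add-ADGroupMember -Identity $adGroup -Members $sample }

# 3. GPO at the domain root, linked and enforced so lower GPOs cannot override it
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null
}

# 4. Security filtering: only the test group applies the GPO.
#    A new GPO grants Apply to Authenticated Users (the slide calls it Everyone);
#    keep Read so computers can still evaluate the GPO, but drop Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $adGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. "Enable client-side targeting" = the WSUS test group (the registry values this setting writes)
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName TargetGroupEnabled -Type DWord  -Value 1          | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName TargetGroup        -Type String -Value $wsusGroup | Out-Null

"Sampled $($sample.Count) computers into '$adGroup'; GPO '$gpoName' targets WSUS group '$wsusGroup'."
```

Run it from a workstation or server with RSAT as an account that can create groups and GPOs; WSUS itself must be set to “Use Group Policy” for the targeting to take effect.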
Ensure computers are patched quickly
• In Group Policy: “4 – Auto download and schedule”, every day, 3AM or whatever; time zone is based on the client
  » Patches with deadlines on WSUS are relative to the WSUS server’s time zone
• Need it faster? Check out “Automatic Updates detection frequency” at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
• Enable “Allow Automatic Updates immediate installation”
• Enable “wake up computer if powered down”
  » Wake on LAN is better
  » Theoretically could deal with computers turned off when patch time rolls around, but there are some dangers: http://www.nynaeve.net/?p=160
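A client-side check for the settings from the last three slides (intranet update location, client-side targeting, option 4 with a daily 3AM schedule, immediate installation), as an added example that is not from the webinar. It reads the documented Windows Update policy registry values those GPO settings write; the expected WSUS URL and target group are assumptions.

```powershell
# Added example: audit one client's effective WSUS policy and list what deviates from the slides' recommendations.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer      = 'http://wsus.corp.example:8530',  # assumption: your WSUS URL
        [string]$ExpectedTargetGroup = 'Workstations'                    # assumption: expected WSUS group
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu         -ErrorAction SilentlyContinue   # policy values
    $a  = Get-ItemProperty -Path "$wu\AU"    -ErrorAction SilentlyContinue   # Automatic Updates values
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # "No computer left behind": without WUServer the client is not talking to your WSUS at all
    if (-not $p -or [string]::IsNullOrEmpty($p.WUServer)) {
        $findings.Add('WUServer not set: "Specify intranet Microsoft update service location" is not applied')
    } elseif ($p.WUServer -ne $ExpectedServer) {
        $findings.Add("WUServer is '$($p.WUServer)', expected '$ExpectedServer'")
    }
    if (-not $a -or $a.UseWUServer -ne 1) { $findings.Add('UseWUServer is not 1: client still uses Microsoft Update') }

    # Client-side targeting: both values must be present or the computer lands in Unassigned Computers
    if ($p.TargetGroupEnabled -ne 1) {
        $findings.Add('TargetGroupEnabled is not 1: "Enable client-side targeting" is not applied')
    } elseif ($p.TargetGroup -ne $ExpectedTargetGroup) {
        $findings.Add("TargetGroup is '$($p.TargetGroup)', expected '$ExpectedTargetGroup'")
    }

    # "Patched quickly": option 4 = auto download and schedule, every day (0) at 03:00, install minor updates at once
    if ($a.AUOptions -ne 4) { $findings.Add("AUOptions is '$($a.AUOptions)', expected 4 (auto download and schedule)") }
    if ($a.ScheduledInstallDay -ne 0) { $findings.Add("ScheduledInstallDay is '$($a.ScheduledInstallDay)', expected 0 (every day)") }
    if ($a.ScheduledInstallTime -ne 3) { $findings.Add("ScheduledInstallTime is '$($a.ScheduledInstallTime)', expected 3") }
    if ($a.AutoInstallMinorUpdates -ne 1) { $findings.Add('"Allow Automatic Updates immediate installation" is not enabled') }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WUServer    = $p.WUServer
        TargetGroup = $p.TargetGroup
        # informational: detection frequency override from the "Need it faster?" tip (default is 22 hours)
        DetectEvery = if ($a.DetectionFrequencyEnabled -eq 1) { "$($a.DetectionFrequency) h" } else { 'default' }
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-WsusClientPolicy | Format-List
```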
Limit/schedule bandwidth used for downloading patches
• Explore BITS settings: Computer Configuration/Admin Templates/Network/Background Intelligent…
  » Schedule
  » Limit bandwidth
  » Peer caching
Reduce VPN or local traffic
• Lots of computers off-site
  » At other sites across a WAN
  » Calling in via VPN
• Configure WSUS so that clients download the actual bits of updates from Microsoft
• BranchCache acceleration
Other tips
• Other good tips covered at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
  » Handling computers that should not be auto-rebooted
  » WSUS for DMZ servers
• Run the Cleanup Wizard regularly
Troubleshooting
• WSUS Troubleshooting Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/2491.wsus-troubleshooting-survival-guide.aspx
• Cool WSUS troubleshooting tools and script examples: http://blogs.technet.com/b/sus/archive/2008/10/16/cool-wsus-troubleshooting-tools-and-script-examples.aspx
• Scripts: http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=windowsupdate&f%5B0%5D.Text=Windows%20Update
  » Then look at the subcategory tags for WSUS
• Other good links: http://blogs.technet.com/b/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx
What’s new in Win2013 WSUS?
Feature and functionality | Windows Server 2008 R2 | Windows Server 2012
Inclusion of Windows PowerShell cmdlets to manage the ten most important administrative tasks in WSUS | – | X
Security enhancements with SHA256 hash capability | – | X
Client and server separation: Versions of the Windows Update Agent (WUA) can ship independently of WSUS | – | X
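The Windows Server 2012 cmdlets from the table above applied to two earlier slides, “clients not reporting in” and “run the Cleanup Wizard regularly”, as an added example that is not from the webinar. It assumes it runs on the WSUS server itself, that the WSUS console’s UpdateServices module is installed, and a 14-day staleness threshold chosen here.

```powershell
# Added example: server-side "no computer left behind" report plus the cleanup wizard via cmdlet.
Import-Module UpdateServices
$wsus  = Get-WsusServer              # local WSUS server on the default port (assumption)
$stale = (Get-Date).AddDays(-14)     # assumption: 14 days without a status report is a problem

# Walk every known computer target; IComputerTarget exposes the last status report and its groups.
$report = foreach ($c in $wsus.GetComputerTargets()) {
    $groupNames = @($c.GetComputerTargetGroups() | Select-Object -ExpandProperty Name)
    $issue = if ($c.LastReportedStatusTime -lt $stale) {
                 'not reporting in'                     # broken agent, powered off, or orphaned record
             } elseif ($groupNames -contains 'Unassigned Computers') {
                 'no client-side target group'          # GPO targeting missing: patches may never be approved for it
             } else { '' }
    [pscustomobject]@{
        Computer      = $c.FullDomainName
        Groups        = ($groupNames -join ', ')
        LastReported  = $c.LastReportedStatusTime
        ClientVersion = $c.ClientVersion
        Issue         = $issue
    }
}
$report | Where-Object { $_.Issue } | Sort-Object LastReported | Format-Table -AutoSize

# Cleanup Wizard equivalent. -WhatIf only reports what would be removed; drop it to actually clean up.
Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteComputers -CleanupObsoleteUpdates `
    -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupUnneededContentFiles -WhatIf
```

Pair the “not reporting in” rows with the troubleshooting links above; the “no client-side target group” rows are the computers whose GPO the client-side audit would flag.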
WSUS isn’t enough if you need:
• Real control over scheduling
  » Server patching
  » WakeOnLAN
• #1: Third-party patches!!!
  » http://www.lumension.com/vulnerability-management/patch-management-software/compare.aspx
• Custom application patching
• Non-domain-member discovery
• More than basic reporting
  » Compliance!
• Comprehensive endpoint security
  » Patch is just one slice of the pie
  » Think about that before going to System Center for enhanced patching
Bottom Line
• Flexible deployment options
• Integrated asset discovery across domains
• Integrated Wake on LAN
• Custom content creation
• Manage 3rd-party application and cross-platform vulnerabilities
• Comprehensive compliance reporting
Defense-in-Depth Strategy
• AV – Control the Bad
• Device Control – Control the Flow
• HD and Media Encryption – Control the Data
• Application Control – Control the Gray
• Patch and Configuration Management – Control the Vulnerability Landscape
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
More Information
• Free Security Scanner Tools
  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
  » Application Scanner – discover all the apps being used in your network
  » Device Scanner – discover all the devices being used in your network
  http://www.lumension.com/Resources/Security-Tools.aspx
• Lumension® Endpoint Management and Security Suite
  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
  » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2