WSUS for Secure Patching: Top Tips, Tricks and Scripts for Overcoming Limitations and Challenges

© 2013 Monterey Technology Group Inc.

Description

In case you aren’t familiar with Windows Server Update Services, WSUS is Microsoft’s built-in technology for centrally deploying patches to workstations and servers for Windows, Office and other Microsoft software. When it came out, WSUS was a great leap forward for all of us who must keep systems secure and patched. As time has passed, patching has become even more critical than before, and more complicated, because we have to:

• patch more quickly to defend against 0-day exploits
• deal with power management concerns
• patch servers inside tighter maintenance windows
• patch more than just Windows

In these slides, Randy Franklin Smith from UltimateWindowsSecurity shares a load of tips, tricks and scripts for helping you address these issues and deal with limitations in WSUS. One of the biggest issues with WSUS is that you control patch management partly from within WSUS and partly from group policy. In WSUS, you select which patches are approved for deployment, but you control the patch schedule and other Automatic Update settings with group policy. Learn a ton of advanced ways to use group policy to the full in order to finely tune how updates are applied on your network.

Points covered:

• How to ensure not a single computer in your domain is missed by WSUS while not misapplying a patch by accident
• Why you should start with 3 top-level computer groups in WSUS: Servers, Workstations, Terminal Servers
• How to schedule automatic updates and reboots for servers during their maintenance window using group policy and WSUS (and the limitations)
• How to use “client-side targeting” to automatically assign computers to WSUS groups and avoid manually assigning computers
• How to set up a test group of computers from across all your OUs to receive updates first
• How to address the problem of computers that are powered down when a patch should be installed
• How to patch computers in your DMZ
• Fine-tuning BITS for bandwidth protection
• Understanding how time zones work in WSUS and the AU client

Another issue we’ll tackle, though, is: “Should I even be using WSUS?” Issues we’ll discuss:

• Do you require Wake-On-LAN capability to fulfill a green initiative with timely patching?
• Do you have strict maintenance window requirements?
• Do you understand the critical need to centrally control patching non-MS apps without relying on each app’s auto-updater?

This is where our sponsor Lumension comes in. Russ Ernst shows how Lumension’s Endpoint Management and Security Suite addresses all of these issues and more, much more.

Transcript of WSUS for Secure Patching: Top Tips, Tricks and Scripts for Overcoming Limitations and Challenges

Page 1: WSUS for Secure Patching: Top Tips, Tricks and Scripts for Overcoming Limitations and Challenges

Page 2: Brought to you by

Speaker: Russ Ernst – Group Product Manager

www.lumension.com

Page 3: Preview of Key Points

• Lots of tips
• Troubleshooting resources
• What’s new in Win2013 WSUS
• When is WSUS not enough

Page 4: Ensure “no computer left behind”

• Create a top-level GPO that configures “Specify intranet Microsoft update service location”
• “once an organisation does this they are amazed how this discovers a number of “hiding” computers on their network that have never been patched” – Alan Burchill, http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
• Internet-facing WSUS: http://blogs.technet.com/b/sus/archive/2011/05/09/how-to-create-an-internet-facing-wsus-server-that-uses-different-internal-and-external-names.aspx

Page 5: Enable client-side targeting

• May be a no-brainer for many, but… WSUS Computer Groups allow you to target patches at specific computers
  » BTW, these are not AD groups
• In WSUS: set “You can specify how to assign computers to groups” to “Use Group Policy”
  » This allows you to assign computers automatically as they appear in AD
• In group policy: set “Enable client-side targeting” to the appropriate WSUS group

Page 6: Think hard on OU, GPO and WSUS group structure

• WSUS allows parent/child groups
• Building WSUS groups to match the OU structure reduces confusion
  » 1 WSUS group, 1 OU, 1 GPO
  » Same names
• But make sure you have computers divided up according to how you want to patch
• Have large sets of computers broken into smaller groups so you can phase in updates and stop if problems occur

Page 7: Set up a Test Group that draws on a sampling of computers

For each major set of computers – especially workstations:
• Create a WSUS group called Test Workstations
• Create an AD security group WSUS Test Workstations
• Take computers from each OU/department/subtype of the larger set and make them members of the WSUS Test Workstations group
  » Goal: to have a representative “sampling” of all systems to test patches upon
  » Perhaps identify users from each department most amenable or most likely to notice problems
• Create a WSUS Test GPO at the root of the domain or the topmost OU containing applicable computers
  » Enforce the GPO
  » Change the “Apply group policy” permission from Everyone to WSUS Test Workstations
  » Set “Enable client-side targeting” to WSUS Test Workstations

Page 8: Ensure computers are patched quickly

• In group policy: “4 – Auto download and schedule”
  » Every day, 3 AM or whatever
  » Time zone based on client
  » Patches with deadlines on WSUS are relative to the WSUS server’s time zone
• Need it faster? Check out “Automatic Updates detection frequency” at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
• Enable “Allow Automatic Updates immediate installation”
• Enable “wake up computer if powered down”
  » Wake on LAN is better
  » Theoretically could deal with computers turned off when patch time rolls around
  » But there are some dangers: http://www.nynaeve.net/?p=160
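The GPO settings from the preceding slides (intranet update location, client-side targeting, the test-group assignment, and the install schedule) all land in the Windows Update policy registry keys on each client. The following PowerShell audit is an added example, not a script from the presentation: run as an administrator on a client (or inside Invoke-Command for a batch), it reads those keys and warns where the effective policy differs from the recommended settings. The group name, the "every day" check and the warning text are assumptions based on the slides.

```powershell
# Added example (not from the slides): audit the WSUS client policy that the GPOs
# should have applied, read from the keys Automatic Updates actually honours.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Return the value, or $null when the policy has not been applied at all
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$policy = [ordered]@{
    ComputerName            = $env:COMPUTERNAME
    WUServer                = Get-PolicyValue $wuKey 'WUServer'             # intranet update service location
    WUStatusServer          = Get-PolicyValue $wuKey 'WUStatusServer'       # where status reports go
    UseWUServer             = Get-PolicyValue $auKey 'UseWUServer'          # 1 = actually use WUServer
    TargetGroupEnabled      = Get-PolicyValue $wuKey 'TargetGroupEnabled'   # 1 = client-side targeting on
    TargetGroup             = Get-PolicyValue $wuKey 'TargetGroup'          # e.g. "WSUS Test Workstations" (assumed name)
    AUOptions               = Get-PolicyValue $auKey 'AUOptions'            # 4 = auto download and schedule
    ScheduledInstallDay     = Get-PolicyValue $auKey 'ScheduledInstallDay'  # 0 = every day, 1-7 = Sun-Sat
    ScheduledInstallTime    = Get-PolicyValue $auKey 'ScheduledInstallTime' # hour of day, client local time
    DetectionFrequency      = Get-PolicyValue $auKey 'DetectionFrequency'   # hours between detection cycles
    AutoInstallMinorUpdates = Get-PolicyValue $auKey 'AutoInstallMinorUpdates' # "immediate installation"
}

$findings = @()
if (-not $policy.WUServer -or $policy.UseWUServer -ne 1) {
    $findings += 'Not pointed at WSUS: this is one of the "hiding" computers the top-level GPO should catch'
}
if ($policy.TargetGroupEnabled -ne 1 -or -not $policy.TargetGroup) {
    $findings += 'Client-side targeting is off: the computer will land in Unassigned Computers'
}
if ($policy.AUOptions -ne 4) {
    $findings += "AUOptions is '$($policy.AUOptions)', not 4: updates are not installed on a schedule"
}
if ($policy.ScheduledInstallDay -ne 0) {
    $findings += 'Install day is not "every day": an approved patch may wait up to a week'
}
if ($policy.AutoInstallMinorUpdates -ne 1) {
    $findings += '"Allow Automatic Updates immediate installation" is not enabled'
}

[pscustomobject]$policy | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'WSUS client policy matches the recommended settings' }
```

Values read back as $null mean the corresponding GPO never reached this computer, which is the quickest way to separate "policy not applied" from "policy applied but wrong" before digging into the WSUS server side.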

Page 9: Limit/schedule bandwidth used for downloading patches

• Explore BITS settings: Computer Configuration/Admin Templates/Network/Background Intelligent…
  » Schedule
  » Limit bandwidth
  » Peer caching

Page 10: Reduce VPN or local traffic

• Lots of computers off-site
  » At other sites across a WAN
  » Calling in via VPN
• Configure WSUS so that clients download the actual bits of updates from Microsoft
• BranchCache acceleration

Page 11: Other tips

• Other good tips covered at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
  » Handling computers that should not be auto-rebooted
  » WSUS for DMZ servers
• Run the Cleanup Wizard regularly

Page 12: Troubleshooting

• WSUS Troubleshooting Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/2491.wsus-troubleshooting-survival-guide.aspx
• Cool WSUS troubleshooting tools and script examples: http://blogs.technet.com/b/sus/archive/2008/10/16/cool-wsus-troubleshooting-tools-and-script-examples.aspx
• Scripts: http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=windowsupdate&f%5B0%5D.Text=Windows%20Update
  » Then look at the subcategory tags for WSUS
• Other good links: http://blogs.technet.com/b/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx
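The last link above deals with clients that stop reporting in, and slide 5 warned that computers with broken client-side targeting end up in the default group. The following server-side report is an added example, not the presenter's script: it uses the UpdateServices PowerShell module that ships with WSUS on Windows Server 2012 (the cmdlets listed on the next slide) to list stale clients together with the group each one requested, and to list what is still sitting in "Unassigned Computers". The 14-day threshold and the CSV path are assumptions.

```powershell
# Added example (not from the slides): run on the WSUS server to find clients that
# have stopped reporting and clients whose client-side targeting never took effect.
# Assumes the UpdateServices module (Windows Server 2012 WSUS) and a local server on the default port.
Import-Module UpdateServices
$staleDays = 14                                  # assumed threshold; keep it shorter than your patch cycle
$cutoff    = (Get-Date).AddDays(-$staleDays)
$wsus      = Get-WsusServer

# Computers whose last status report is older than the cutoff (never-reported ones included)
$stale = @(Get-WsusComputer -UpdateServer $wsus -ToLastReportedStatusTime $cutoff |
    Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime,
                  RequestedTargetGroupName, OSDescription |
    Sort-Object LastReportedStatusTime)

# Computers in the default group: the "Enable client-side targeting" policy did not reach them,
# or names a group that does not exist on this server
$unassigned = @($wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq 'Unassigned Computers' } |
    ForEach-Object { $_.GetComputerTargets() } |
    Select-Object FullDomainName, LastSyncTime, RequestedTargetGroupName)

"{0} computer(s) have not reported in {1} days:" -f $stale.Count, $staleDays
$stale | Format-Table -AutoSize
"{0} computer(s) are still in 'Unassigned Computers':" -f $unassigned.Count
$unassigned | Format-Table -AutoSize

# Keep a CSV per run so the trend is visible while working through the guides above
$csv = Join-Path $env:TEMP ("wsus-stale-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$stale | Export-Csv -Path $csv -NoTypeInformation
```

A computer that appears in the first list with a recent LastSyncTime but an old LastReportedStatusTime is syncing approvals but failing to report results, which is a different problem from a computer that has not contacted the server at all.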

Page 13: What’s new in Win2013 WSUS?

Feature and functionality                                                                                 | Windows Server 2008 R2 | Windows Server 2012
Inclusion of Windows PowerShell cmdlets to manage the ten most important administrative tasks in WSUS     |                        | X
Security enhancements with SHA256 hash capability                                                         |                        | X
Client and server separation: versions of the Windows Update Agent (WUA) can ship independently of WSUS   |                        | X

Page 14: Bottom Line

WSUS isn’t enough if you need:
• Real control over scheduling
  » Server patching
  » WakeOnLAN
• #1: Third-party patches!!!
  » http://www.lumension.com/vulnerability-management/patch-management-software/compare.aspx
• Custom application patching
• Non-domain-member discovery
• More than basic reporting
  » Compliance!
• Comprehensive endpoint security
  » Patch is just one slice of the pie
  » Think about that before going to System Center for enhanced patching

Page 15: Flexible Deployment Options

• Integrated Asset Discovery Across Domains
• Integrated Wake on LAN
• Custom Content Creation

Page 16: Manage 3rd Party Application and Cross Platform Vulnerabilities

Page 17: Comprehensive Compliance Reporting

Page 18: Defense-in-Depth Strategy

• AV: Control the Bad
• Device Control: Control the Flow
• HD and Media Encryption: Control the Data
• Application Control: Control the Gray
• Patch and Configuration Management: Control the Vulnerability Landscape

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.

Page 19: Brought to you by

Speaker: Russ B. Ernst – Group Product Manager

www.lumension.com

Page 20: More Information

• Free Security Scanner Tools
  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
  » Application Scanner – discover all the apps being used in your network
  » Device Scanner – discover all the devices being used in your network
  http://www.lumension.com/Resources/Security-Tools.aspx
• Lumension® Endpoint Management and Security Suite
  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
  » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2