1 / 37

Chapter 27: Patch Management

Chapter 27: Patch Management. BAI617. Chapter Topics. The Four Phases of Patch Management Windows Server Update Services WSUS Deployment Scenarios Installing WSUS Pointing Your Clients to the WSUS Server. Patch Management.

shaman
Download Presentation

Chapter 27: Patch Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 27:Patch Management BAI617

  2. Chapter Topics • The Four Phases of Patch Management • Windows Server Update Services • WSUS Deployment Scenarios • Installing WSUS • Pointing Your Clients to the WSUS Server

  3. Patch Management • Patch management refers to the process by which software updates are installed on computers managed by your organization • You need to know whether each update is applicable to computers on your network, whether it is compatible with your existing applications, and how urgent it is to deploy this update.

  4. The Four Phases of Patch Management • Installing updates on the computers on your organization’s network is critical to protect the security of the network and to keep the organization’s client computers performing optimally

  5. The Four Phases of Patch Management • How updates are rolled out on your network requires planning and testing to ensure a successful installation • Microsoft Recommends • Assess • Identify • Evaluate and Plan • Deploy

  6. Phase 1: Assess • The Assess phase is when you • look at your current patch management policies and procedures • collect information about the computers on your network • determine the effectiveness of your current patch management infrastructure

  7. Phase 1: Assess • Current patch management policies and procedures • Do you have one? • Is it communicated? • To the Team • To the Users

  8. Phase 1: Assess • Collect information • Detailed Inventory: • Hardware • O/S Versions • O/S Service Packs • Installed Software • Versions, Service Packs and customization. • Simple example - http://www.belarc.com

  9. Phase 1: Assess • Current patch management infrastructure • What are you doing? • How are you validating? • Who is responsible?

  10. Phase 2: Identify • This Phase has 3 parts • Update notification • Determining proper use of update • Prioritizing

  11. Phase 2: Identify • Update notification • Staying on top of when updates are released and then determining whether an update affects computers on your network can be a daunting task • Microsoft Offers: • Email notifications • RSS Feed Subscriptions • Windows Live Alerts

  12. Phase 2: Identify • Update notification • www.microsoft.com/technet/security/bulletin/notify.mspx

  13. Phase 2: Identify • Update notification • Third Party Sites that offer ongoing updates of vulnerabilities (not a comprehensive list) • The United States Computer Emergency Readiness Team (US-CERT) • SANS Internet Storm diary • Full Disclosure mailing list • University of Michigan Virus Busters • Symantec Security Response

  14. Phase 2: Identify • Determining proper use of update • Determine whether the update is applicable to computers on your network • Microsoft security updates are all accompanied by a security bulletin that includes a section titled “Affected and Non-Affected Software.” • If you find that your computers are affected, you must determine how quickly the update should be deployed on your computers

  15. Phase 2: Identify • Prioritizing • Once you’ve determined that an update applies to computers on your network, you should decide how quickly you need to deploy the update • The security bulletin can be a good place to start to decide the priority at which the update should be deployed

  16. Phase 3: Evaluate and Plan • Once you have determined that an update is applicable to computers on your network, you need: • To submit a change request (optional - policy dependent) to deploy the update • Prep the computers for the update • Determine how the update will be deployed

  17. Phase 3: Evaluate and Plan • Prepping the computers for the update includes looking for anything that may block the installation of the update: • Insufficient disk space • Computers not being powered on • Software restriction policies • Group Policy objects that may block the installation

  18. Phase 3: Evaluate and Plan • Determining how the update will be deployed: • writing scripts • Building tools – i.e. QCHAIN (command line ) • Using patch management software • Windows Server Update Services (WSUS)

  19. Phase 4: Deploy • Key Steps of this phase: • Update is tested on a subset of computers • The specific details of the deployment are communicated to end users • Then the update is deployed to all affected computers on your network

  20. Phase 4: Deploy • Testing the update on a subset of computers: • important to identify any unknown compatibility issues or other last-minute changes that need to be addressed. • When choosing the subset, you should pick computers that will not significantly impact your organization’s business. • Consider imaging machines for lab setting.

  21. Phase 4: Deploy • Communicating with Users • Time at which the update will be installed • Expected downtime required to perform the update • Support channel in the event something goes wrong. (Who to call / email)

  22. Phase 4: Deploy • Deploy and verify updates.

  23. Windows Server Update Services • WSUS is an update-management product designed to deploy updates to Windows client computers on your network

  24. Windows Server Update Services • Features of WSUS 3.0 • The ability to automatically download updates by product, update classification, or language • Email notification when new updates are ready • The ability to scan WSUS clients for needed updates before deploying them • Create reports on client update status • The ability to target updates to a group of computers • The ability to install the WSUS Administration Console on a computer other than the WSUS server

  25. Windows Server Update Services

  26. Software Requirements for WSUS Servers • Windows Server 2003 with Service Pack 1, Windows Server 2008, or Windows Server 2008 R2. • Internet Information Services (IIS). • Windows Installer 3.1 or newer. • .NET Framework 2.0 or newer. • SQL (optional) for high volume DB solution

  27. WSUS Client Requirements • WSUS clients must be running one of the following operating systems: • Windows 7 • Windows Server 2008 R2 • Windows Server 2008 • Windows Server 2003 • Windows Vista • Windows XP • Windows 2000 with Service Pack 4

  28. WSUS Deployment Scenarios • WSUS 3.0 can be broken down into three main deployments: small businesses, medium businesses, and business with limited connectivity

  29. WSUS Deployment Scenarios • Small business: • normally comprises one WSUS server that synchronizes directly with Microsoft Update. • All WSUS clients are geographically close • All are behind the same firewall

  30. WSUS Deployment Scenarios • Medium-size business: • Comprised of more than one WSUS server serving clients that are geographically close. • One WSUS server may synchronize with the other or they may get their updates separately from Microsoft Update Option 1 Single Server Updating

  31. WSUS Deployment Scenarios • Medium-size business: • Comprised of more than one WSUS server serving clients that are geographically close. • One WSUS server may synchronize with the other or they may get their updates separately from Microsoft Update Option 2 Both Servers Updating

  32. Installing WSUS • PreReq – IIS • See p.1135 of text for instructions • Step #7 is important – read it • Install the Report Viewer 2008 SP1 Redistributable • See p.1138 • Install WSUS 3.0 • See p.1138

  33. Pointing Your Clients to the WSUS Server • Client computers use the Windows automatic updating client to receive WSUS updates and can be configured by using a Group Policy object. • This drastically reduces the administrative overhead because one GPO can be deployed to all computers in an Active Directory installation at once. • See p.1144 of text for detailed steps for GPO config

  34. Review • The Four Phases of Patch Management • Windows Server Update Services • WSUS Deployment Scenarios • Installing WSUS • Pointing Your Clients to the WSUS Server

  35. Questions?

  36. Lab Environment

  37. Hands On • Next class’s lab will involve configuring a WSUS server and client.

More Related