
PatchDeploy Behind the Scenes

PatchDeploy Behind the Scenes. Dardan Shkreli, +41 41 748 22 04, shd@brainware.ch. Agenda. What is „Patch Day“? Benefits of Columbus Patch Deploy Supported Products The Workflow Next Steps Questions & Discussion. What is „Patch Day“?.


Presentation Transcript


  1. PatchDeploy Behind the Scenes. Dardan Shkreli, +41 41 748 22 04, shd@brainware.ch

  2. Agenda • What is „Patch Day“? • Benefits of Columbus Patch Deploy • Supported Products • The Workflow • Next Steps • Questions & Discussion (c) 2004 Brainware Solutions AG

  3. What is „Patch Day“? • Microsoft products always “under construction“ • Security issues, vulnerabilities, bug fixes • Updates published 2nd Tuesday of each Month

  4. Benefits of Columbus Patch Deploy • Tested in advance • Correctness, Revisions, Adjustment • Management • One place to manage • Delivered like software packages through Columbus • Control and reduce risk • You decide which patches to deploy, when, and to which clients • Grouping • Make custom deployment groups: OS, SP, Severity, Clients, Sites • Efficient • Target only candidate clients, schedule deployment

  5. Supported Products • OS (Workstation/Server) • MS Office (XP, 2003, 2007) • Over 230 products • Five languages

  6. The Workflow • Analysis • OS, SP, Products, Severity • Development • ENU, DEU, JPN, etc. • Severity • Testing • Detection, Installation, Verification • Publishing • Catalogs, Encryption, Backup

  7. Analysis • First steps - Security Bulletin • Analysis (OS, SP, Products, Severity) • Filtering (SLA) • Infrastructure

  8. Development • Security Bulletins – KB Articles • Each Patch analysed • Prerequisites, Sources, File Info, Command lines

  9. Development • Security Bulletins – KB Articles • Each Patch analysed • Prerequisites, Sources, File Info, Command lines

      [Package]
      Description=KB 950760 / MS08-032 - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760): SP2-SP3
      Identifier=950760 - MS08-032.BWP000183.BWS000312
      Language=ENU
      Version=01
      Patch=0
      Platform=XP
      AllowConditionalUsage=0
      Usercondition=File '*.*'
      Clientcondition= (reserved for future use only)
      Servercondition= (reserved for future use only)
      ; When should the package be released ?
      ; e.g. ServerReleaseDate=19970930193000
      ServerReleaseDate=00000000000000
      ClientReleaseDate=00000000000000
      UserReleaseDate=00000000000000
      FriendlyInstallText=
      OrderType=
      Friendly=YES
      Category=#Microsoft Patch#
      Active=3
      ; Repetitive Jobs
      ; Repeat=EachTime
      ; This section allows you to define, in which CCC groups the package
      ; automatically should be inserted
      [Groups]
      OS Patches ENU_XP__SP2
      OS Patches ENU_XP__SP3
      [PatchManagement]
      Severity=2
      BrainwareID={78F07EDF-2919-432E-AAEE-984298B6FC6D}
      IsPatch=1
      Vendor=Microsoft
      KBID=950760
      [UserAdd]
      [ClientAdd]
      ;#STARTCRYPT#
      if '%_NoPatchInstallationChecks%'='1' then goto INSTALL
      if not '%_OSMajorVersion%.%_OSMinorVersion%' = '6.0' then exit 'Invalid operating system. Required: 6.0 - Current: %_OSMajorVersion%.%_OSMinorVersion%' 'PDW001'
      if not '%_OSType%' = 'NT_WORKSTATION' then Exit 'Invalid operating system. Required: NT_WORKSTATION - Current: %_OSType%' 'PDW002'
      if '%_64BitOS%' = '1' then Exit 'Wrong type of OS - only for 32Bit OS' 'PDW011'
      RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Immediate
      if '%_SPLevel%'='0' then goto SP0_OK
      if '%_SPLevel%'='256' then goto SP1_OK
      Exit 'The current Service pack is not supported.' 'PDW005'
      :SP0_OK
      if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'
      if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6000.16681' then goto File_OK
      :SP1_OK
      if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'
      if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6001.18063' then goto File_OK
      if '%_PkgReinstall%'='1' then goto File_OK
      Exit 'No requirements met.' 'PDW090'
      :File_OK
      :INSTALL
      ;#ENDCRYPT#
      ;SetSystemRestorePoint /Daily /NoErrors
      if '%_AllowPatchesUnistall%'='1' then goto AllowUninstall
      goto NoUninstall

      [Summary]
      This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.

      [Checks]
      if not '%_OSMajorVersion%.%_OSMinorVersion%' = '5.1' then Exit 'Not applicable. Required: 5.1 - Current: %_OSMajorVersion%.%_OSMinorVersion%' '1'
      if Not FileLanguage '%_WindowsSystem%\browselc.dll' = 'ENU' then Exit 'Not applicable - wrong language.' '3'
      RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Machine
      if '%_SPLevel%'='' then Set _SPLevel='0' /Machine
      if '%_SPLevel%'='512' then goto SP_OK
      if '%_SPLevel%'='768' then goto SP_OK
      Exit 'The current Service pack is not supported.' '5'
      :SP_OK
      RegRead 'HKEY_LOCAL_MACHINE' 'SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB950760' 'InstalledDate' '_KB950760_InstalledDate' /Script
      if '%_KB950760_InstalledDate%'='' then Exit 'Registry indicates missing (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB950760\InstalledDate)' '102'
      Exit 'Installed' '120'

     • Patch creation • Methods • Snapshots (Package Maker), MSI, Copy, Combination • Architecture

  10. Testing/Infrastructure • Combined testing - automated/human • Analysis & Infrastructure for testing • Static test • Source check • Command lines • Severity • Description Passed! • 1 Patch = Different OS/Products

  11. Testing/Infrastructure • Combined testing - automated/human • Analysis & Infrastructure for testing • Static test • Source check • Command lines • Severity • Description • Live tests • Download • Recognition • Installation • Verification Passed! Passed! • Test against MBSA, Windows Update, SMS, … Patch OK!

  12. Publishing • Last checks (syntax, coverage) • Expand Product, Service Packs & Patch Catalogs • Encrypt files • Place created patches into web server • Test download of catalogs from web server • Backup • Inform Helpdesk about published Patches • How do the clients get their patches ? • Columbus – Patch Deploy Module • Patch Deploy Agent

  13. Next steps… • Microsoft (…x64) • Adobe • McAfee • Others

  14. Questions & Discussion ?

  15. Thank You. Dardan Shkreli, +41 41 748 22 04, shd@brainware.ch
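
The [Checks] section on slide 9 is the detection half of the package: OS version, language, service-pack level read from CSDVersion, then the per-KB registry marker. The following Python sketch is an added example, not Brainware code; it applies the same decision to constructed inventory records so a fleet can be triaged offline. The record field names and host names are assumptions, and the exit codes and CSDVersion values are the ones shown on the slide.

```python
# Added example (not Brainware code): the slide-9 [Checks] decision for
# KB950760, evaluated over constructed inventory records.

# CSDVersion (HKLM\SYSTEM\CurrentControlSet\Control\Windows) keeps the service
# pack number in its high byte: 256 = SP1, 512 = SP2, 768 = SP3.
SUPPORTED_CSD = {512, 768}


def sp_number(csd_version):
    """Decode a CSDVersion value into a service-pack number (0 if absent)."""
    return (csd_version or 0) >> 8


def check_kb950760(client):
    """Return (exit_code, message) using the codes from the [Checks] script."""
    if client["os_version"] != "5.1":
        return "1", "Not applicable. Required: 5.1 - Current: " + client["os_version"]
    if client["language"] != "ENU":
        return "3", "Not applicable - wrong language."
    csd = client.get("csd_version") or 0   # the script sets _SPLevel='0' when empty
    if csd not in SUPPORTED_CSD:
        return "5", "Service pack SP%d is not supported." % sp_number(csd)
    if not client.get("kb950760_installed_date"):
        return "102", "Registry indicates missing"
    return "120", "Installed"


def triage(fleet):
    """Group host names by exit code so unpatched candidates stand out."""
    groups = {}
    for client in fleet:
        groups.setdefault(check_kb950760(client)[0], []).append(client["host"])
    return groups


def rec(host, os_version, language, csd_version, installed_date):
    """Build one inventory record (field names are assumptions of this example)."""
    return {"host": host, "os_version": os_version, "language": language,
            "csd_version": csd_version, "kb950760_installed_date": installed_date}


# Constructed sample inventory; none of these hosts are real.
FLEET = [
    rec("xp-sp3-patched", "5.1", "ENU", 768, "6/11/2008"),
    rec("xp-sp2-missing", "5.1", "ENU", 512, ""),
    rec("xp-sp1-old", "5.1", "ENU", 256, ""),
    rec("xp-deu", "5.1", "DEU", 768, ""),
    rec("vista", "6.0", "ENU", 256, ""),
]

if __name__ == "__main__":
    for code, hosts in sorted(triage(FLEET).items(), key=lambda kv: int(kv[0])):
        print(code, hosts)
```

Hosts returning 102 are the deployment candidates; codes 1, 3 and 5 mean the package does not apply to that client at all.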
