Leveraging Active Directory Group Policy to Patch Common Windows Applications

Joseph Fisher, Systems Administrator, Enterprise IT Services, University of Georgia. http://www.josephpfisher.com. 2012 Rock Eagle Computing Conference.


Presentation Transcript


  1. Leveraging Active Directory Group Policy to Patch Common Windows Applications
    Joseph Fisher, Systems Administrator, Enterprise IT Services, University of Georgia
    http://www.josephpfisher.com
    2012 Rock Eagle Computing Conference

  2. About The Presenter
    • Working in IT since 1996
    • Started out assembling computers for free RAM
    • VMware, Linux, and Windows sysadmin at UGA

  3. About This Presentation
    • Patch Management
    • Windows Active Directory environment
    • Brief Overview of Group Policy Objects (GPOs)
    • Non-Microsoft Software
      • Java
      • Flash
      • Reader
      • Etc.

  4. Are You Current on Your Patches?

  5. Best Malware Prevention Strategy
    • Limit over-privileged users
      • UAC, standard user accounts
    • User education
      • No more free screensavers
    • Anti-virus software
      • Only as good as the latest definitions
    • Update all software as soon as patches are available

  6. The Results
    • Average of 18.2 malware incidents per month in a 250-PC environment prior to centralized patch management
    • Down to 1 incident in 6 months

  7. Options
    • Microsoft System Center
      • Powerful, but complicated, and expensive
    • Ninite Pro
      • Simple, effective, but still requires a license outside of personal use
    • LANDesk
      • Like System Center, powerful but complicated and expensive
    • Active Directory Group Policy
      • Uses existing infrastructure, intermediate difficulty

  8. Overview of Group Policy Objects

  9. Pre-requisites
    • Active Directory
      • Rights to create GPOs and link to OUs
    • Repository
      • Sysvol
      • File server
        • Need a share readable by all “Authenticated Users”

  10. Remote Server Administration Tools
    • From a domain computer, install Remote Server Administration Tools
      • http://www.microsoft.com/en-us/download/details.aspx?id=7887
    • Active Directory Users and Computers
    • Group Policy Management Console

  11. How to Apply GPOs
    • Link to an Organizational Unit (OU)
    • By default, GPOs apply to all child OUs
      • Able to block inheritance on specific child OUs
      • GPOs can override “block inheritance” by being set to “enforced”
    • Can view effective GPOs on an OU
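The link, inheritance-blocking, enforcement and "effective GPOs" steps on this slide can also be driven from PowerShell with the GroupPolicy module that ships with the Remote Server Administration Tools. The script below is an added example and is not part of the presentation; the domain name, the OU distinguished names, the GPO name and the computer name are assumed placeholders, and the OU layout (a pilot OU, a parent OU and a child OU that blocks inheritance) follows the testing strategy the presentation recommends.

```powershell
# Added example (not from the presentation). Needs the GroupPolicy module from RSAT
# and rights to create GPOs and link them to OUs.
Import-Module GroupPolicy

# Assumed placeholders: adjust to your own forest.
$Domain   = 'corp.example.com'
$PilotOU  = 'OU=Pilot,OU=Workstations,DC=corp,DC=example,DC=com'
$ParentOU = 'OU=Workstations,DC=corp,DC=example,DC=com'
$KioskOU  = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example,DC=com'
$GpoName  = 'Deploy - Adobe Reader'   # one GPO per function, as the presentation recommends

# Create the GPO once; later runs reuse it.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain }

# Returns $true when the GPO is already linked directly to the given OU.
function Test-GPLinked ([string]$Target) {
    $links = (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks
    return [bool]($links | Where-Object { $_.DisplayName -eq $GpoName })
}

# Phase 1 of the testing strategy: link only to the pilot OU.
if (-not (Test-GPLinked $PilotOU)) {
    New-GPLink -Name $GpoName -Target $PilotOU -Domain $Domain -LinkEnabled Yes | Out-Null
}

# Phase 2 (after the pilot succeeds): link to the parent OU; child OUs inherit it.
if (-not (Test-GPLinked $ParentOU)) {
    New-GPLink -Name $GpoName -Target $ParentOU -Domain $Domain -LinkEnabled Yes | Out-Null
}

# Block inheritance on one child OU ...
Set-GPInheritance -Target $KioskOU -Domain $Domain -IsBlocked Yes | Out-Null
# ... and mark the parent link "enforced" so the deployment still reaches that OU.
Set-GPLink -Name $GpoName -Target $ParentOU -Domain $Domain -Enforced Yes | Out-Null

# Effective GPOs on the blocked OU (inherited plus directly linked), in precedence order.
(Get-GPInheritance -Target $KioskOU -Domain $Domain).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Resultant Set of Policy for a single machine, saved as an HTML report.
# The computer name is an assumed placeholder; the target must be reachable over WMI.
Get-GPResultantSetOfPolicy -Computer 'PILOT-PC01' -ReportType Html -Path "$env:TEMP\rsop-PILOT-PC01.html"
```

The RSoP report is the scripted equivalent of running gpresult on the client, which is the quickest way to confirm that an enforced link really won over a blocked OU before you widen the deployment.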

  12. Group Policy Management Console

  13. Group Policy Management Console

  14. Group Policy Objects
    • Policies broken down into 2 groups: Users and Computers
    • Software installation should usually be performed at the Computer level

  15. Software Deployment
    • GPOs natively support MSI files
    • You can deploy other executables, but you’ll need to script these
      • Batch files are usually effective
    • Scripts deployed at the computer level are run with “system” privileges (i.e. administrators)

  16. Test, test, test!
    • Testing strategy: start with a single machine, then test a group, then a larger group, and finally bulk deploy
    • One GPO for each function
      • E.g. one GPO for Adobe Reader, another for Java, etc.
      • Easier to identify problematic GPOs
    • Virtual machines are handy!
      • Create a local VM using VirtualBox and snapshot it in a “clean” state
      • GPOs tattoo a system, so it is always best to start clean

  17. Software Deployment

  18. Software Sources
    • Adobe Flash: http://www.adobe.com/products/flashplayer/distribution3.html
    • Adobe Reader: ftp://ftp.adobe.com/pub/adobe/reader/win/
    • Customization Wizard: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
    • Firefox: http://www.frontmotion.com/Firefox/
    • Chrome: http://www.google.com/intl/en/chrome/business/browser/
    • Java: Offline installer at http://java.com

  19. Adobe Flash
    • Need to apply for a free Flash distribution license
    • Create a GPO for Flash and assign the MSI file under “Software Installation”

  20. Adobe Flash
    • Suppress update notification: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
    • Need to create a file on each workstation
    • Can accomplish this via Group Policy:
      • Create the file and put it in your repository (Sysvol, file share, etc.)
      • Deploy via Group Policy Preference: Computer Configuration -> Preferences -> Windows Settings -> Files

  21. Adobe Reader
    • Obtain installer from Adobe FTP
    • Customize the installation via Adobe Customization Utility
      • Suppress EULA
      • Disable Update Checks
      • Generates MST file

  22. Adobe Reader

  23. Firefox
    • Mozilla doesn’t provide MSI installers
    • FrontMotion Firefox Community Edition
      • Different logo
      • Same browser
    • Administrative Templates to manage
      • Default browser checks
      • Update checks
      • Default home page
      • Proxy settings
      • etc.

  24. Firefox

  25. Google Chrome
    • MSI available directly from Google
    • Google also provides administrative templates

  26. Java
    • No MSI available directly from Oracle
    • Problematic under normal conditions
      • Newer versions require successful uninstallation of the most recently installed version
      • Uninstallation failures prevent installation of new versions
      • The only recommended tool to remove failed installations is no longer available (MS Office Cleanup Utility)
        • And not scriptable

  27. Java
    • We need a script:
      • Check if Java is the latest version
      • Uninstall the previous version if a new version is available
      • Install the new version
      • Check to see that the new version works
    • http://josephpfisher.com/2011/11/java-wont-uninstall-tips-for-end-users-and-enterprise-systems-administrators/
    • Assign the batch file as a startup script (computer level)

  28. Java
    • Still need to obtain MSI
    • Still need to generate a transform (MST)
    • Need Orca MSI editor
      • http://www.technipages.com/download-orca-msi-editor.html
    • Run offline installer and monitor App Data folder
      • Start -> Run -> %APPDATA%
      • MSI installer should appear while offline installer is open

  29. Java
    • Open MSI in Orca
    • Create new transform (Transform menu -> New Transform)
      • Better than modifying the MSI directly
    • Go to “Property” table and modify:
      • AUTOUPDATECHECK = 0
      • EULA = 0
      • Iexplorer = 1
      • JAVAUPDATE = 0
      • JU = 0
      • Mozilla = 1
      • Systray = 0
    • Go to “Transform” menu and click “Generate Transform” and save the MST file
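The four-step Java script from slide 27 (check, uninstall, install, verify), installing with the transform generated in Orca on slide 29, might look like the following. This is an added example, not the author's batch file: it is written in PowerShell, which Group Policy can run as a computer startup script from the "PowerShell Scripts" tab on Windows 7 / Server 2008 R2 and later (or be called from a batch file via powershell.exe -ExecutionPolicy Bypass -File). The repository paths, the version string, the log location and the java.exe install path are assumed placeholders.

```powershell
# Added example (not from the presentation). Computer-level startup script that
# upgrades the JRE: 1) check installed version, 2) uninstall older versions,
# 3) install the new MSI with the Orca transform, 4) verify the result.
$NewVersion = [version]'7.0.90'                           # assumed: DisplayVersion registered by Java 7 Update 9
$MsiPath    = '\\fileserver\software\java\jre7u9.msi'     # assumed: MSI captured from %APPDATA% (slide 28)
$MstPath    = '\\fileserver\software\java\jre7u9.mst'     # assumed: MST with the Property changes from slide 29
$JavaExe    = "$env:ProgramFiles\Java\jre7\bin\java.exe"  # assumed install location
$Log        = "$env:SystemRoot\Temp\java-gpo-update.log"

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# Startup scripts assigned at the computer level run as SYSTEM; refuse to run otherwise.
if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Log 'Not running as SYSTEM (is this assigned as a computer startup script?); aborting.'
    exit 1
}

# Step 1: enumerate installed JREs from the Uninstall keys (32-bit and 64-bit views).
function Get-InstalledJre {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Display names look like "Java(TM) 6 Update 31" or "Java 7 Update 9 (64-bit)";
        # the key name is the MSI product code, which is what msiexec /x needs.
        if ($p.DisplayName -match '^Java(\(TM\))? \d+ Update \d+' -and $p.DisplayVersion -match '^\d+(\.\d+)+$') {
            New-Object PSObject -Property @{
                Name        = $p.DisplayName
                Version     = [version]$p.DisplayVersion
                ProductCode = $_.PSChildName
            }
        }
    }
}

# Runs msiexec synchronously and returns its exit code.
function Invoke-Msiexec ([string[]]$Arguments) {
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

$installed = @(Get-InstalledJre)
if (@($installed | Where-Object { $_.Version -ge $NewVersion }).Count -gt 0) {
    Write-Log "Java $NewVersion or newer already installed; nothing to do."
    exit 0
}

# Step 2: remove every older JRE. A failed uninstall is exactly what later blocks the
# new version, so stop here instead of installing on top of the leftovers.
foreach ($jre in $installed) {
    Write-Log "Uninstalling $($jre.Name) ($($jre.ProductCode))"
    $rc = Invoke-Msiexec @('/x', $jre.ProductCode, '/qn', '/norestart', '/l*v', "`"$Log.uninstall`"")
    # 0 = success, 3010 = success with reboot pending, 1605 = product already gone.
    if ((0, 3010, 1605) -notcontains $rc) {
        Write-Log "Uninstall of $($jre.Name) failed with exit code $rc; aborting."
        exit $rc
    }
}

# Step 3: silent install of the new version, applying the transform.
$rc = Invoke-Msiexec @('/i', "`"$MsiPath`"", "TRANSFORMS=`"$MstPath`"", '/qn', '/norestart', '/l*v', "`"$Log.install`"")
if ((0, 3010) -notcontains $rc) {
    Write-Log "Install of $MsiPath failed with exit code $rc"
    exit $rc
}

# Step 4: verify that the registry now shows the new version and that java.exe actually runs.
$present = @(Get-InstalledJre | Where-Object { $_.Version -eq $NewVersion })
if ($present.Count -eq 0 -or -not (Test-Path $JavaExe)) {
    Write-Log 'Verification failed: new version not registered or java.exe missing.'
    exit 1
}
$banner = (& $JavaExe -version 2>&1 | Out-String).Trim()   # java prints its version banner on stderr
Write-Log "Verified: $banner"
exit 0
```

Because the script exits non-zero on any uninstall failure and writes verbose msiexec logs next to its own log, a machine with a wedged earlier installation shows up in the log rather than silently staying on the old version, which is the failure mode slide 26 warns about.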

  30. Java

  31. Common Problems

  32. Common Problems
    • Windows XP & Vista require a hotfix
      • http://support.microsoft.com/kb/974266
    • Latest NIC drivers for gigabit adapters
      • From the NIC manufacturer (i.e. not Dell)
    • Flush Group Policy history
      • Remove HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy
      • Remove from domain and re-join

  33. Resources
    • Microsoft TechNet Forums
      • http://social.technet.microsoft.com/Forums/en-US/categories
    • EduGeek
      • http://edugeek.net
    • IT Ninja
      • http://www.itninja.com

  34. Questions?
