network patch management. microsoft baseline security analyzer windows software update services...

Network Patch Management IT:Network:Microsoft Applications

Upload: erick-dickerson

Post on 24-Dec-2015


Page 1: Network Patch Management. Microsoft Baseline Security Analyzer Windows Software Update Services Third Party Products Agenda

Network Patch Management

IT:Network:Microsoft Applications

Agenda

• Network Patch Management

• Microsoft Baseline Security Analyzer

• Windows Software Update Services

• Third Party Products

Network Patch Management

What is it?

• The process of controlling the deployment and maintenance of interim software releases into production environments.

• Patch management is a critical part of maintaining the security of your systems and network.

• The patch management system that you build and maintain is, among other things, the channel through which you deploy security updates from Microsoft and other vendors.

• The timely application of security updates is one of the most important and effective things you can do to protect your systems and network; therefore, your patch management system must be as efficient as possible.

Network Patch Management

Poor update management can result in:

• Downtime

• Remediation time

• Questionable data integrity

• Lost credibility

• Negative public relations

• Legal defenses

• Stolen intellectual property

Network Patch Management

Ten Principles of Microsoft Patch Management

1. Service packs should form the foundation of your patch management strategy

2. Make Product Support Lifecycle a key element in your strategy

3. Perform risk assessment using the Severity Rating System as a starting point

4. Use mitigating factors to determine applicability and priority

5. Only use workarounds in conjunction with deployment

6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article

7. Test updates before deployment

8. Contact Microsoft Product Support Services if you encounter problems in testing or deployment

9. Use only methods and information recommended for detection and deployment

10. The Security Bulletin is always authoritative

Network Patch Management

Microsoft process for updating software after release

• Microsoft makes available periodic updates.

• Every Microsoft product group includes a sustaining engineering team which develops updates to resolve problems.

The process is as follows:

• Microsoft is made aware of a security vulnerability.

• The issue is evaluated and verified by the Microsoft Security Response Center.

• The product group's sustaining team creates and tests the update.

• Microsoft distributes the software update through the Microsoft Download Center and other services:

  • Automatic Updates and User Initiated Updates

Page 7: Network Patch Management. Microsoft Baseline Security Analyzer Windows Software Update Services Third Party Products Agenda

Network Patch Management

Microsoft Update Definitions

• Security patch: A broadly released fix for a specific product, addressing a security vulnerability.

• Critical update: A broadly released fix for a specific problem, addressing a critical, non-security–related bug.

• Update: A broadly released fix for a specific problem, addressing a non-critical, non-security–related bug.

• Hotfix: A single package composed of one or more files used to address a problem in a product.

• Service pack: A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features.

Network Patch Management

Windows updates are additions to software that can help prevent or fix problems, improve how your computer works, or enhance your computing experience.

Windows updates can be managed through Control Panel > System and Security > Windows Update.

Microsoft Baseline Security Analyzer (MBSA)

A tool designed for the IT professional that helps determine their security state in accordance with Microsoft security recommendations and offers remediation guidance. You can use MBSA to detect common security misconfigurations and missing security updates on your computer systems.

The MBSA can check computers running:

• Windows Server 2012, R2

• Windows 8

• Windows Server 2008 R2, Windows Server 2008

• Windows 7

• Windows Server 2003

• Windows Vista
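
As an added example (not part of the original slides, and not MBSA itself), the following PowerShell uses the Windows Update Agent COM API to list the updates a machine is missing, ordered by Microsoft severity rating so the Critical and Important items are triaged first. The 'Unrated' label and the output column names are choices made for this example.

```powershell
# Added example: list updates the Windows Update Agent reports as missing
# on the local machine, ordered by MSRC severity rating.

# Order of the Microsoft Severity Rating System, highest first.
$rank = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3 }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# The agent queries whichever update source the client is configured for
# (a WSUS server when policy points it there, otherwise Microsoft's service).
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = foreach ($update in $result.Updates) {
    # Non-security updates carry no MSRC severity; 'Unrated' is this example's label.
    $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
    $order    = if ($rank.ContainsKey($severity)) { $rank[$severity] } else { 4 }
    $kbs      = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
    $bulletin = ($update.SecurityBulletinIDs | ForEach-Object { "$_" }) -join ', '

    New-Object PSObject -Property @{
        Severity  = $severity
        Rank      = $order
        KB        = $kbs
        Bulletins = $bulletin
        Title     = $update.Title
    }
}

if (-not $missing) {
    Write-Output 'No missing updates reported by the configured update source.'
} else {
    $missing | Sort-Object Rank, Title |
        Format-Table Severity, KB, Bulletins, Title -AutoSize
}
```

The result reflects only what the configured update source offers, so an update that has not been approved or synchronized on that source will not appear as missing.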


Windows Software Update Services

• Enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system.

• By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.

• Must be added as a Role for Windows Server 2008 R2

• Requires Internet Information Services to be added as a Role Service


Windows Software Update Services

What client platforms support WSUS?

• Windows XP

• Windows Vista

• Windows 7

• Windows Server 2003

• Windows Server 2008

• Windows Server 2008 R2


References and other solutions

Ten Principles of Microsoft Patch Management

• http://technet.microsoft.com/en-us/library/cc512589.aspx

Windows Software Update Services

• http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

Lumension

• http://www.lumension.com/

Spiceworks

• http://www.spiceworks.com/

Microsoft System Center Essentials 2010

• http://www.microsoft.com/systemcenter/en/us/essentials.aspx