Secure Your Business

1
Secure Your Business

• PATCH MANAGEMENT STRATEGY

2
A risk based approach is key
Implement Patch Management
3
Some sources of risk

• Sources of risk were patch management could be an
  important building block to reduce them
• OS vulnerabilities
• Complex viruses/worms
• Exploits
• Spam
• Spyware

• Blended threats such as Nimda, Goner, SQL Slammer
  and Code Red have become increasingly more common
• Perimeter Defences such as firewalls are not
  enough to ward off these increasingly
  sophisticated threats

4
Patch management 4 steps

• Based on Microsoft Operations Framework (MOF)
• 4 phases defined
• ASSES
• IDENTIFY
• EVALUATE and PLAN
• DEPLOY

5
Step 1 Assess

• Know your computing environment
• OS, Service Pack, HotFix, and Patch levels
• Installed hardware (servers, desktops, laptops)
• End-user experience and knowledge
• IT staff abilities and knowledge
• Determine
• What you have in your production environment
• What security threats and vulnerabilities you
  might face
• Whether your organization is prepared to respond
  to new software updates
• Other MOF-Service Management Functions can
  interact

6
Step 1 Assess an Ongoing Process

• Inventory/discover existing computing assets
• Assess security threats and vulnerabilities
• Determine the best source for information about
  new software updates
• Assess the existing software distribution
  infrastructure
• Assess operational effectiveness

7
Step 1 Assess (contd)

• Assess security threats and vulnerabilities
• Apply bulletin information to inventory
• Determine the best source for information about
  new software updates
• Use notification services to prepare for patch
  release
• Preparation begins long before Patch Day
• Assess the existing software distribution
  infrastructure
• Keep a record of past experiences/success rates
• Assess operational effectiveness
• Are there steps that need to be improved?
• Were there factors that led to failure/that led
  to success?

8
Step 2 Identify

• Goals
• Discover new software updates in a reliable way
• Determine whether they are relevant to your
  production environment
• Determine whether an update represents a normal
  or emergency change
• Determine the applicability of a software update
  to your IT infrastructure
• Reading security bulletins and KB articles
• Reviewing the individual software updates
• Determine the applicability of a software update
  to your IT infrastructure

9
Step 2 Identify

• Decide When to Apply the Software Update
• Low, Medium, Important, Critical?
• Exploited in the wild?
• Applies to the production environment?
• Testing
• Confirm source files
• Deployability
• Installation options

10
Step 3 Evaluate and Plan

• Goals
• Make a go/no-go decision to deploy the software
  update
• Determine what is needed to deploy it
• Test the software update in a production-like
  environment to confirm that it does not
  compromise business critical systems and
  applications
• Goals
• Get approval for deployment
• Pass to deployment team

11
Step 3 Evaluate and Plan

• Determine the appropriate response
• Categorize software deployment

12
Step 3 Evaluate and Plan

• Plan the release of the software update
• Determine what needs to be patched
• Identify the key issues and constraints
• Build the release plan
• Emergency change request
• Build the release
• SMS 2003 package creation
• The Distribute Software Updates Wizard eliminates
  much of the work that would traditionally be
  required to deploy a software update using SMS
  2003
• Conduct acceptance testing of the release

13
Step 3 Evaluate and Plan

• Conduct acceptance testing of the release
• Once installation is complete, the computer
  should reboot as it is designed to.
• Software update works across slow/unreliable
  connections.
• Software update is supplied with an uninstall
  routine -- and it works!
• Business-critical systems and services continue
  to run once the software update has been
  installed.

14
Step 4 Deploy

• Goals
• Successfully roll out the approved software
  update into your production environment
• Meet all of the requirements of any deployment
  service level agreements (SLAs) you have in place

15
Step 4 deploy overview

• Deployment preparation
• Communicating rollout schedule to the
  organization
• Importing programs and advertisements from test
  environment
• Assigning distribution points
• Staging updates on distribution points
• Selecting deployment groups

16
Step 4 Deploy post implementation

• Post-Implementation Review
• Ensure that the vulnerabilities are added to your
  vulnerability scanning reports and security
  policy standards so the attack does not have an
  opportunity to recur
• Ensure that your build images have been updated
  to include the latest software updates following
  the deployment
• Discuss planned versus actual results and discuss
  the risks associated with the release
• Review your organizations performance throughout
  the incident. Improve your response plan and
  include lessons learned.
• Discuss changes to your service windows.
• Assess the total incident damage and costboth
  downtime costs and recovery costs.

17
More information?

• http//www.telindus.be/ProductsandServices/Secur
  ity/
• http//www.microsoft.com/MOF
• http//www.microsoft.com/windowsserver2003/techinf
  o/overview/quarantine.mspx

18
Extra MSM GUIDES

• MSM Guides
• Microsoft Solutions for Management
• High level instruction
• Detailed instruction
• Implementation
• Building blocks Microsoft Operations Framework
  (MOF)
• Guides of Interest
• Microsoft Solution Accelerator for Patch
  Management Using Systems Management Server 2003
• Microsoft Solution Accelerator for Patch
  Management Using Systems Management Server 2.0
• Microsoft Solution Accelerator for Patch
  Management Using Software Update Services 1.0
• http//www.microsoft.com/technet/itsolutions/msm/d
  efault.asp

19
Questions?
KOEN.BLANQUART_at_TELINDUS.BE HTTP//WWW.TELINDUS.BE
20
Thank you for your attention
KOEN.BLANQUART_at_TELINDUS.BE HTTP//WWW.TELINDUS.BE