70-299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Network (PowerPoint presentation transcript)

1
70-299 MCSE Guide to Implementing and
Administering Security in a Microsoft Windows
Server 2003 Network
  • Chapter Five
  • Planning and Deploying Patch Management

2
Objectives
  • Plan the deployment of service packs and hotfixes
  • Evaluate the applicability of service packs and
    hotfixes
  • Implement Microsoft Software Update Services
    (SUS) architecture
  • Plan the batch deployment of multiple hotfixes

3
Objectives (continued)
  • Understand deployment considerations for various
    machines
  • Post deployment review
  • Plan a rollback strategy

4
Planning the Deployment of Service Packs and
Hotfixes
  • Patch management: a method for keeping computers up
    to date with new software releases
  • Keeps the technology environment secure and
    reliable
  • Requires identifying security vulnerabilities and
    responding quickly
  • Security patch management: patch management with
    a concentration on reducing security
    vulnerabilities; essential for secure IT
    management and operations

5
Types of Attacks and Vulnerabilities
  • Most common types of attacks
  • Denial of service and distributed denial of
    service (DoS/DDoS), backdoors
  • Brute force, buffer overflows, man-in-the-middle,
    and session hijacking
  • Spoofing, scripting files, social engineering
  • Viruses, worms, and Trojan horses

6
Denial of Service and Distributed Denial of
Service Attacks (DoS/DDoS)
  • DoS/DDoS: executed by manipulating protocols so
    that the target runs out of a resource (for
    example, half-open TCP connections) or bandwidth
  • In DDoS, the attacker distributes software that
    gives partial or full control of each infected
    system; the effect is multiplied by the total
    number of zombie machines under the attacker's
    control
  • Prevention
  • Set up filters on external routers (for example,
    drop packets with spoofed source addresses)
  • Reduce the time before an unfinished (half-open)
    TCP connection is reset, so a SYN flood ties up
    fewer resources

7
Denial of Service and Distributed Denial of
Service Attacks (DoS/DDoS) (continued)
  • Back door: a program that allows access to a
    system without passing the normal security checks
  • Examples include Back Orifice, NetBus, and Sub7
  • Has two essential parts
  • Server: runs on the infected machine
  • Client: used by the attacker to remotely control
    the server
  • Can also take the form of a hidden privileged user
    account
  • Prevention: grant users only the access they need,
    and review privileged accounts regularly

8
Brute Force Attacks and Buffer Overflow Attacks
  • Brute force
  • Tries every possible key or password until one
    works; the L0phtCrack program, for example, cracks
    Windows password hashes this way
  • Prevention: enforce a strong password length and
    complexity policy (and an account lockout
    threshold against online guessing)
  • Buffer overflow
  • More data is written to a fixed-size memory buffer
    than it can hold, so adjacent memory is
    overwritten; if the attacker controls the data,
    this can lead to code execution
  • Prevention: write applications that check input
    length against buffer size, and apply vendor
    patches for known overflows promptly

9
Man-in-the-Middle Attacks
  • Man-in-the-Middle Attacks
  • Attacker intercepts traffic between two parties and
    relays it, so both ends believe they are
    communicating directly with each other
  • Common against Telnet and wireless technologies
    (cleartext protocols and shared media)
  • Prevention
  • Restrict physical access to wiring closets and
    switches
  • Restrict DNS so that zone data can be read but not
    modified by untrusted parties; otherwise clients
    can be redirected to the attacker's host
  • Use encryption and secure protocols

10
Session Hijacking and Spoofing
  • Session Hijacking
  • Attacker takes control of an established session
    between a server and a client
  • Prevention: force the user to reauthenticate
    before sensitive transactions, and use
    unpredictable TCP initial sequence numbers (ISNs)
    and unique, unguessable Web session cookies
  • Spoofing
  • Making data appear to come from somewhere other
    than where it really originated
  • Prevention: be careful about what information is
    given out when responding to e-mail and Web
    requests

11
Scripting Files, Software Exploitation, and
Social Engineering
  • Scripting files: unintended execution of
    attacker-written scripts embedded in a Web page or
    HTML e-mail message
  • Prevention: disable scripting languages in the
    browser (and in the e-mail client's HTML renderer)
  • Software exploitation: searching for specific
    problems, or security holes, in software and using
    them to gain access
  • Prevention: keep the latest patches and service
    packs applied
  • Social engineering: an attack that works by
    exploiting human nature and behaviour
  • Prevention: solid company policies and user
    education

12
Virus, Worms and Trojan Horses
  • Virus: a program or piece of code that is loaded
    onto your computer without your knowledge and is
    designed to attach itself to other code and
    replicate
  • Trojan horses: programs disguised as useful
    applications; they do not replicate themselves
  • Worms: self-replicating programs that spread on
    their own across a network, without attaching to
    a host program or relying on the user to run them
  • Prevention: install antivirus software and keep
    it updated

13
Applying a Four-Step Process for Updates to Your
Environment
  • The Microsoft-recommended patch management process
    includes four phases
  • Assess
  • Identify
  • Evaluate and plan
  • Deploy

14
Phase 1 Assess
  • Conduct an audit to inventory existing computing
    assets
  • Assess security threats and vulnerabilities
  • Determine the best source for information about
    software updates
  • Assess the existing software distribution
    infrastructure
  • Assess operational effectiveness

15
Phase 2 Identify
  • Discover new software updates in a reliable way
  • Determine the relevancy of updates to your
    production environment
  • Obtain software update source files and confirm
    that they are safe
  • Determine whether the software update should be
    considered an emergency

16
Phase 3 Evaluate and Plan
  • Determine the appropriate response: prioritize and
    categorize the request, then obtain authorization
    to deploy
  • Plan the release of the software update: determine
    what needs to be patched, then identify the key
    issues and constraints
  • Build the release: develop scripts, tools, and
    procedures
  • Conduct acceptance testing of the release

17
Phase 4 Deploy
  • Prepare for deployment: communicate the rollout
    schedule to the organization
  • Deploy the software update to targeted computers
  • Advertise the software update to client computers
  • Monitor and report on the progress of the
    deployment, and handle failed deployments
  • Conduct a postdeployment review
  • Evaluate your organization's performance
    throughout the incident
  • Update the existing baseline for your environment

18
Evaluating the Applicability of Service Packs and
Hotfixes
  • Information about new software updates can be
    obtained from the following sources
  • E-mail notifications
  • Web sites
  • Microsoft technical representatives

19
E-mail Notifications
  • Microsoft releases its patches and hotfixes on a
    monthly schedule and announces them through
  • Microsoft Security Notification Service: a free
    e-mail notification service that informs customers
    about the security of Microsoft products
  • Product Security Notification: technical alerts
  • Microsoft Security Update: a free e-mail alert
    service for non-technical alerts

20
E-mail Notifications (continued)
  • Guidelines to validate each e-mail notification
  • Delete any e-mail notification that has software
    files attached (Microsoft does not distribute
    patches as e-mail attachments)
  • Do not click any links directly from inside an
    e-mail notification
  • Go to the Microsoft Security Web site yourself to
    read the authoritative details of a security
    bulletin
  • Each Microsoft security patch comes with two
    documents
  • Security Bulletin
  • Knowledge Base Article

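The guidelines above can be turned into a small check that a help desk or an update script runs before anything from a notification is acted on. This is an added example, not code from the book or from Microsoft: it triages a notification (attachment means delete; links are only trusted if they really sit under a Microsoft domain, compared on hostname labels so `www.microsoft.com.attacker.test` is rejected), and it compares the SHA-1 of a downloaded package with the hash printed in the bulletin or KB article. The trusted-domain list, the https requirement and the sample package bytes are assumptions of this example.

```python
"""Triage a security notification and verify a downloaded package
against the hash published in the bulletin (added example)."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Assumption: the organisation's own allow-list of bulletin/update hosts.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com")

# Constructed stand-in for a hotfix package; not a real Microsoft file.
SAMPLE_PACKAGE = b"MZ\x90\x00" + b"constructed stand-in for a hotfix package"


def is_trusted_bulletin_url(url):
    """True only for an https URL whose host is a trusted domain or a
    subdomain of one. Matching on labels (not substrings) is what
    stops look-alike hosts such as evilmicrosoft.com."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_notification(links, has_attachment):
    """Apply the slide's rules to one message: attachments mean delete;
    otherwise separate links that point at trusted sites from those
    that do not, and remind the reader to type the URL, not click it."""
    if has_attachment:
        return {"action": "delete",
                "reason": "software attached; patches are never sent by e-mail"}
    trusted = [l for l in links if is_trusted_bulletin_url(l)]
    untrusted = [l for l in links if l not in trusted]
    return {"action": "read the bulletin on the Microsoft site directly",
            "trusted": trusted, "untrusted": untrusted}


def sha1_of_file(path):
    """Stream the file so large service packs do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_matches_bulletin(path, published_sha1):
    """Compare the digest of the downloaded file with the hex hash from
    the bulletin; compare_digest keeps the comparison constant-time."""
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, published_sha1.strip().lower())


def write_sample_package():
    """Write the constructed sample bytes to a temp file and return
    (path, expected_sha1) so the check can be exercised offline."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PACKAGE)
    return path, hashlib.sha1(SAMPLE_PACKAGE).hexdigest()


if __name__ == "__main__":
    print(triage_notification(
        ["https://www.microsoft.com/technet/security/bulletin/MS04-011.mspx",
         "http://update-now.example/ms04-011.exe"], has_attachment=False))
    path, expected = write_sample_package()
    print("hash ok:", package_matches_bulletin(path, expected))
    os.unlink(path)
```

A published hash is only as trustworthy as the page it was read from, which is why the first function insists on reaching the bulletin through a known host. The stronger check on the package itself is its Authenticode signature (for example `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`), which does not depend on the bulletin page at all.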
21
Web Sites
Figure 5-2 Microsoft Security Bulletin search
window

22
Testing the Compatibility of Service Packs and
Hotfixes for Existing Applications
  • Software Update Services (SUS) lets you configure a
    server inside your own environment that mirrors
    content from the live Windows Update site and
    offers it to internal servers and clients
  • Ways to test update content before applying it
  • Use two SUS servers, one for testing and one for
    production computers
  • Use a manually configured distribution point

23
Creating a Content Distribution Point
  • Distribution point: the server that hosts the
    content your servers running SUS will offer,
    including the list of approved items
  • Can be created either manually or automatically
  • Uses only port 80 (HTTP)
  • When automatically configured, it is located in
    the currently running IIS Web site under a virtual
    root (Vroot) named /Content

24
Content Synchronization
  • During synchronization, the Approve updates page
    can handle new versions of previously approved
    updates in one of two ways
  • Automatically approve new versions of previously
    approved updates
  • Do not automatically approve new versions of
    approved updates
  • In a testing environment the second option is
    better: a new version reaches clients only after
    it has been tested and approved by hand

25
Content Synchronization (continued)
Figure 5-3 Software Update Services option window

Implementing Microsoft Software Update Services
Architecture
  • Ways to deploy service packs and hotfixes
  • SMS
  • SUS
  • Group Policy
  • Slipstreaming
  • Custom scripts
  • Implementation during a Remote Installation
    Services (RIS) installation

27
Getting Started with Software Update Services
  • Advantages of SUS
  • Updates can be approved individually on each SUS
    server
  • Clients can be configured to get updates through
    a SUS server instead of downloading them from
    Microsoft's site
  • SUS is a means to provide updates to computers
    that don't have Internet access
  • SUS server architecture is made up of
    parent-child relationships
  • Each SUS server can support up to 15,000 clients

28
Getting Started with Software Update Services
(continued)
  • SUS server requires the following
  • A server with Windows 2000 Server or Server 2003
    installed
  • An NTFS file system partition with at least 100
    MB of available free space to install
  • SUS SP1 and a minimum of 6 GB of storage on an
    NTFS partition to host the updates locally
  • IIS
  • Port 80 to communicate with SUS clients

29
Getting Started with Software Update Services
(continued)
  • Features of the SUS Feature Pack (the SMS add-on)
  • Capability to update status for all clients based
    on new security update information
  • Ability to review and authorize missing updates
  • Allows tailor-built packages and advertisements
    for each update or set of updates
  • Can update advertisements distributed to
    computers
  • Allows Windows Update-style notifications
  • Ability to use timers

30
Performing Software Update Services Common
Administration Tasks
  • Tasks to complete before SUS can synchronize and
    approve content
  • Properly configure proxy server settings, if
    required
  • Configure a DNS name for the server running SUS,
    if required
  • Synchronize the server content
  • The actual content of each package is downloaded
    or updated during synchronization
  • SUS keeps information about available updates in
    a metadata cache

31
Performing Software Update Services Common
Administration Tasks (continued)
  • SUS has two logs for tracking events
  • Synchronization log keeps the following information
  • Time of the last and next scheduled
    synchronization
  • Success and failure notifications
  • Update packages that have been downloaded and/or
    updated since the last synchronization, or that
    failed synchronization
  • Whether the synchronization was manual or automatic
  • Approval log keeps track of the content that has
    been approved or unapproved

32
Planning a Software Update Services Deployment
Table 5-1 SUS deployment models

Pilot Phase
  • Verify the following
  • After the software update is installed, the
    computer should restart properly
  • Software update has an uninstall program that can
    successfully remove the update
  • Business-critical systems and services continue
    to function normally after the software update
    has been installed

34
Pilot Phase (continued)
  • Steps for performing a pilot rollout when the
    update is targeted at computers connected across
    slow or unreliable links
  • Approve the update on the SUS pilot server only
  • Create a new site-level GPO that is configured
  • Grant the Read and Apply Group Policy permissions
    on this GPO to the SUS pilot clients only, so no
    other computer processes it
  • Place the SUS pilot GPO at the top of the list of
    GPOs linked to the site, so it takes precedence
  • Delete the SUS pilot GPO after successful
    deployment in production

35
Production Phase
  • Methods to roll out software updates: SMS, Group
    Policy, SUS, and scripts
  • Production phase includes
  • Preparing for and executing the deployment
  • The rollout schedule should be announced to the
    users
  • The announcement to users can be made through
    Group Policy, which offers several options
  • The update should be staged on the SUS server
  • Perform a postdeployment review
  • Use the Wuau.adm template to control Automatic
    Updates settings

36
Production Phase (continued)
Figure 5-4 Group Policy Configure Automatic
Updates window

37
Production Phase (continued)
Figure 5-5 Group Policy Windows Components window

Production Phase (continued)
  • Use the Reschedule Automatic Updates scheduled
    installations GPO setting for computers that have
    missed a scheduled installation
  • A service pack can also be distributed as a
    software installation package (.msi file) linked
    to a GPO
  • Steps to deploy a software update in production
    include
  • Advertising the update to the clients
  • Checking the deployment progress
  • Dealing with any failed deployments
  • Conducting a postdeployment review

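The Wuau.adm settings shown in Figures 5-4 to 5-7 end up as values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` on each client, so a production rollout can be audited by exporting that key and checking it. The following is an added example, not code from the book or from Microsoft: it parses the subset of the `.reg` format that `reg export` writes and audits the result against the server the clients are supposed to use. The two exports, the SUS server name `http://sus01` and the "expected" settings (scheduled install at 03:00 every day, reschedule after 10 minutes) are constructed assumptions for this example; the value names are the ones the Automatic Updates policy template writes.

```python
"""Audit the Automatic Updates policy written by Wuau.adm from a
'reg export' of the policy key (added example)."""
import re

# Policy key and value names used by the Automatic Updates template.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Constructed export of a client that is still pointed at the pilot
# server and only notifies an administrator instead of installing.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-pilot"
"WUStatusServer"="http://sus-pilot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000002
"""

# Constructed export of the intended production configuration.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"RescheduleWaitTime"=dword:0000000a
"""


def parse_reg_export(text):
    """Parse [key] headers, "name"="string" and "name"=dword:hex lines
    into {key: {name: value}}; DWORDs become ints. Other value types
    (hex:, expandable strings) are ignored, which is enough here."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            data.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$', line)
        if m and key is not None:
            name, dword, string = m.groups()
            data[key][name] = int(dword, 16) if dword is not None else string
    return data


def audit_au_policy(policy, expected_sus):
    """Return a list of findings; empty means the client is configured
    the way the production rollout intends."""
    wu = policy.get(WU_KEY, {})
    au = policy.get(AU_KEY, {})
    findings = []
    if au.get("NoAutoUpdate", 0) == 1:
        findings.append("Automatic Updates disabled (NoAutoUpdate=1)")
    if au.get("UseWUServer") != 1:
        findings.append("clients go to Windows Update directly (UseWUServer != 1)")
    want = expected_sus.lower().rstrip("/")
    for name in ("WUServer", "WUStatusServer"):
        if wu.get(name, "").lower().rstrip("/") != want:
            findings.append(f"{name} is {wu.get(name)!r}, expected {expected_sus!r}")
    if au.get("AUOptions") != 4:
        findings.append("AUOptions should be 4 (auto download and schedule install)")
    else:
        day, hour = au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")
        if day is None or not 0 <= day <= 7 or hour is None or not 0 <= hour <= 23:
            findings.append("scheduled install day/time missing or out of range")
    if not 1 <= au.get("RescheduleWaitTime", 0) <= 60:
        findings.append("RescheduleWaitTime unset: missed installs wait for the next schedule")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("good", GOOD_EXPORT)):
        print(label, audit_au_policy(parse_reg_export(export), "http://sus01"))
```

The `WUServer` check is the security-relevant one: Automatic Updates only installs content signed by Microsoft, but whichever server `WUServer` names decides which updates the client is offered and receives its status reports, so a client left pointing at the pilot server (or at a host nobody controls) silently falls out of the production process.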
39
Production Phase (continued)
Figure 5-6 Group Policy Automatic Updates
download location

40
Production Phase (continued)
Figure 5-7 Group Policy package installation

Server Backup and Disaster Recovery
  • The recovery plan requires backing up the Web site
    directory, the SUS directory, and the IIS metabase
  • In case of failure, the steps taken before
    restoring the data to the server (IIS 6 servers)
    include
  • Physically disconnect the server from the network
  • Install the same OS that the server was previously
    running
  • Install the same IIS components the server
    previously had
  • Install the latest service pack and security
    fixes
  • Run the IIS Security Wizard before connecting the
    server to the network, so the rebuilt server is
    never exposed while unpatched or unhardened

42
Server Backup and Disaster Recovery (continued)
Figure 5-8 Backing up the IIS metabase

Planning the Batch Deployment of Multiple Hotfixes
  • Slipstreaming installs a service pack together
    with the operating system in a single setup
  • Steps include
  • List the updates that you want to install along
    with the OS as entries in the Svcpack.inf file
  • Copy the installation files for the operating
    system and the updates to a shared distribution
    folder
  • Create the package
  • Run setup to deploy the installation either from
    the shared distribution folder or from a CD-ROM

44
Planning The Batch Deployment Of Multiple
Hotfixes (continued)
  • Using custom scripts: the following can be used
    for installation
  • Windows Script Host: ideal for both interactive
    and noninteractive scripting, such as logon
    scripting and administrative scripting
  • KiXtart
  • Using isolated installations: the update package
    automatically installs the updated system files
    and makes the necessary registry changes

45
Planning The Batch Deployment Of Multiple
Hotfixes (continued)
  • Using QChain.exe: updates can be chained together
    so that they install without restarting the
    computer between each installation; QChain sorts
    out cases where several hotfixes replace the same
    file, so the newest version is the one kept

Table 5-2 Update.exe Switches

46
Deployment Considerations for Various Machines
  • New servers and clients: options to install
    service packs and hotfixes with the OS include
    slipstreaming, custom scripts, and implementation
    during a RIS installation
  • RIS is used to automatically install a client OS:
    the machine boots from the network, obtains a DHCP
    address, then obtains the proper image for that
    machine
  • Existing servers and existing clients: SUS, Group
    Policy, and SMS; SUS servers are the core of the
    update process

47
Postdeployment Review
  • Use MBSA to identify installed updates as well as
    approved updates that have yet to be installed
  • Post implementation review includes these steps
  • Ensure that the vulnerabilities are added to your
    vulnerability-scanning reports
  • Ensure that your build images have been updated
  • Discuss planned versus actual results
  • Discuss the risks associated with the release

48
Postdeployment Review (continued)
  • Post implementation review includes these steps
  • Review the organization's performance during the
    incident
  • Discuss changes to your service windows
  • Assess the total incident damage and cost
  • Update the existing baseline for your environment

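Two passages in this chapter come down to the same computation: "Evaluate the applicability of service packs and hotfixes" (Phase 2, Identify) asks which computers a hotfix is relevant to, and the postdeployment review above asks which of those are still missing an update that has been approved on the SUS server (what MBSA reports in Figure 5-9). The following is an added example, not code from the book, from MBSA or from Microsoft: it decides applicability from the product and service pack level (a service pack that already contains the fix makes the hotfix irrelevant), decides installation from the recorded KB number or from the version of the affected file (the way MBSA does when a later hotfix has superseded the one being checked), and produces the missing-per-bulletin report. The bulletin identifiers `KBSAMPLE1`/`KBSAMPLE2`, the file versions and the host inventory are all constructed for the example.

```python
"""Applicability and installed-or-missing report for approved hotfixes
across a small inventory (added example; all data constructed)."""
from dataclasses import dataclass, field


def version_tuple(s):
    """'5.2.3790.1830' -> (5, 2, 3790, 1830) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


@dataclass
class Bulletin:
    kb: str
    affected: dict                                   # product -> {"file", "fixed"}
    included_in_sp: dict = field(default_factory=dict)  # product -> SP that carries the fix


@dataclass
class Host:
    name: str
    product: str
    sp: int
    files: dict          # file name -> installed version
    installed_kbs: set   # KB numbers recorded by the hotfix installer


def applies_to(host, bulletin):
    """Relevant only if the product is affected and the host's service
    pack level is below the one that already includes the fix."""
    if host.product not in bulletin.affected:
        return False
    sp_with_fix = bulletin.included_in_sp.get(host.product)
    return sp_with_fix is None or host.sp < sp_with_fix


def is_installed(host, bulletin):
    """Installed if the KB is recorded, or the affected file is already
    at or above the fixed version (e.g. delivered by a later hotfix)."""
    if bulletin.kb in host.installed_kbs:
        return True
    info = bulletin.affected.get(host.product)
    if info is None:
        return False
    current = host.files.get(info["file"])
    return current is not None and version_tuple(current) >= version_tuple(info["fixed"])


def compliance_report(hosts, bulletins, approved_kbs):
    """For each bulletin approved on the SUS server: how many hosts it
    applies to and which of them still lack it."""
    report = {}
    for b in bulletins:
        if b.kb not in approved_kbs:
            continue
        targets = [h for h in hosts if applies_to(h, b)]
        missing = sorted(h.name for h in targets if not is_installed(h, b))
        report[b.kb] = {"applicable": len(targets), "missing": missing}
    return report


# Constructed sample bulletins and inventory (not real KB numbers or hosts).
SAMPLE_BULLETINS = [
    Bulletin("KBSAMPLE1",
             affected={"Windows Server 2003": {"file": "ntoskrnl.exe", "fixed": "5.2.3790.200"},
                       "Windows XP": {"file": "ntoskrnl.exe", "fixed": "5.1.2600.1500"}},
             included_in_sp={"Windows Server 2003": 1}),
    Bulletin("KBSAMPLE2",
             affected={"Windows XP": {"file": "shell32.dll", "fixed": "6.0.2800.1600"}}),
]
SAMPLE_HOSTS = [
    Host("srv01", "Windows Server 2003", 0, {"ntoskrnl.exe": "5.2.3790.0"}, set()),
    Host("srv02", "Windows Server 2003", 1, {"ntoskrnl.exe": "5.2.3790.1830"}, set()),
    Host("ws01", "Windows XP", 1, {"ntoskrnl.exe": "5.1.2600.1500",
                                   "shell32.dll": "6.0.2800.1200"}, {"KBSAMPLE1"}),
    Host("ws02", "Windows XP", 1, {"ntoskrnl.exe": "5.1.2600.1700",
                                   "shell32.dll": "6.0.2800.1700"}, set()),
    Host("srv03", "Windows 2000 Server", 4, {}, set()),
]

if __name__ == "__main__":
    for kb, row in compliance_report(SAMPLE_HOSTS, SAMPLE_BULLETINS,
                                     {"KBSAMPLE1", "KBSAMPLE2"}).items():
        print(kb, row)
```

In the sample, srv02 is at SP1, which already carries the first fix, so it is not counted as applicable rather than being reported as missing; ws02 never recorded either KB but its file versions are above the fixed ones, so it is reported as installed. Both distinctions are what keep a postdeployment review from chasing machines that need nothing.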
49
Postdeployment Review (continued)
Figure 5-9 Scanning multiple computers for
missing updates

Summary
  • Proactive security patch management is necessary
    to keep the technology environment secure and
    reliable
  • Organizations should have a process for
    identifying security vulnerabilities and
    responding quickly
  • Have a comprehensive plan for applying software
    updates, configuration changes, and
    countermeasures to remove vulnerabilities
  • Myriad attacks can be initiated against a network
  • Microsoft's patch management process is a
    four-phase approach to controlling the deployment
    of service packs and hotfixes

51
Summary (continued)
  • E-mail notifications, Web sites, and Microsoft
    technical representatives provide information
    about new software updates
  • SUS can be used to deploy Windows-related
    security patches and updates to any computers
    running Windows 2000, Windows XP Professional, or
    Windows Server 2003
  • SMS, SUS, Group Policy, slipstreaming, custom
    scripts and implementation during an RIS
    installation can be used to deploy service packs
    and hotfixes

52
Summary (continued)
  • With QChain.exe, updates can be installed without
    restarting the computer between each installation
  • MBSA can be used to identify installed updates as
    well as updates that have been approved on the
    SUS server but have yet to be installed
  • A release should not be piloted in production
    unless rollback and recovery procedures are in
    place