Title: 70-299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Network
70-299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Network
- Chapter Five
- Planning and Deploying Patch Management

Objectives
- Plan the deployment of service packs and hotfixes
- Evaluate the applicability of service packs and hotfixes
- Implement Microsoft Software Update Services (SUS) architecture
- Plan the batch deployment of multiple hotfixes

Objectives (continued)
- Understand deployment considerations for various machines
- Postdeployment review
- Plan a rollback strategy

Planning the Deployment of Service Packs and Hotfixes
- Patch management: a method for keeping computers up to date with new software releases
  - Keeps the technology environment secure and reliable
  - Requires identifying security vulnerabilities and responding quickly
- Security patch management: patch management with a concentration on reducing security vulnerabilities; essential for secure IT management and operations

Types of Attacks and Vulnerabilities
- Most common types of attacks
  - Denial of service and distributed denial of service (DoS/DDoS), back doors
  - Brute force, buffer overflows, man-in-the-middle, and session hijacking
  - Spoofing, scripting files, social engineering
  - Viruses, worms, and Trojan horses

Denial of Service and Distributed Denial of Service Attacks (DoS/DDoS)
- DoS/DDoS: executed by manipulating protocols
- In a DDoS, the attacker distributes software that gives the attacker partial or full control of each infected system; the effect is multiplied by the total number of zombie machines under the attacker's control
- Prevention
  - Set up filters on external routers
  - Reduce the time before the reset of an unfinished TCP connection

Denial of Service and Distributed Denial of Service Attacks (DoS/DDoS) (continued)
- Back door: a program that allows access to a system without going through its security checks
  - Examples include Back Orifice, NetBus, and Sub7
  - Has two essential parts
    - Server: the infected machine
    - Client: used for remotely controlling the server
  - Can also take the form of a privileged user account
  - Prevention: set proper access rights for users

Brute Force Attacks and Buffer Overflow Attacks
- Brute force
  - A way of cracking a cryptographic key or password, e.g., with the L0phtcrack program
  - Prevention: enforce a strong password length and complexity policy
- Buffer overflow
  - More data is sent to a computer's memory buffer than it is able to handle, causing it to overflow
  - Prevention: improve the way applications are programmed

Man-in-the-Middle Attacks
- Man-in-the-middle attacks
  - The attacker intercepts traffic and tricks the parties at both ends into believing that they are communicating directly with each other
  - Common in Telnet and wireless technologies
- Prevention
  - Restrict access to wiring closets and switches
  - DNS access should be restricted to read-only
  - Use encryption and secure protocols

Session Hijacking and Spoofing
- Session hijacking
  - Takes control of a session between the server and a client
  - Prevention: force the user to reauthenticate before allowing transactions to occur, and use unique ISNs and Web session cookies
- Spoofing
  - Making data appear to come from somewhere other than where it really originated
  - Prevention: be careful about what information is given out when responding to e-mail and Web requests

Scripting Files, Software Exploitation, and Social Engineering
- Scripting files: unintentional execution of scripts, written by an attacker, embedded in a Web-based message
  - Prevention: disable scripting languages in the browser
- Software exploitation: a method of searching for specific problems, or security holes, in software
  - Prevention: keep the latest patches and service packs applied
- Social engineering: an attack that works by exploiting human nature and human behaviour
  - Prevention: solid company policies and user education

Viruses, Worms and Trojan Horses
- Virus: a program or piece of code that is loaded onto your computer without your knowledge and is designed to attach itself to other code and replicate
- Trojan horses: programs disguised as useful applications, though they do not replicate themselves
- Worms: self-replicating programs similar in function to viruses and Trojan horses
- Prevention: install and update antivirus software

Applying a Four-Step Process for Updates to Your Environment
- The Microsoft-recommended patch management process includes four phases
  - Assess
  - Identify
  - Evaluate and plan
  - Deploy

Phase 1: Assess
- Conduct an audit to inventory existing computing assets
- Assess security threats and vulnerabilities
- Determine the best source for information about software updates
- Assess the existing software distribution infrastructure
- Assess operational effectiveness

Phase 2: Identify
- Discover new software updates in a reliable way
- Determine the relevancy of updates to your production environment
- Obtain software update source files and confirm that they are safe
- Determine whether the software update should be considered an emergency

Phase 3: Evaluate and Plan
- Determine the appropriate response: prioritize and categorize the request, then get authorization to deploy
- Plan the release of the software update: determine what needs to be patched, then identify the key issues and constraints
- Build the release: develop scripts, tools, and procedures
- Conduct acceptance testing of the release

Phase 4: Deploy
- Prepare for deployment: communicate the rollout schedule to the organization
- Deploy the software update to the targeted computers
  - Advertising the software update to client computers
  - Monitoring and reporting on the progress of the deployment, and handling failed deployments
- Conduct a postdeployment review
  - Evaluating your organization's performance throughout the incident
  - Updating the existing baseline for your environment

Evaluating the Applicability of Service Packs and Hotfixes
- Information about new software updates can be obtained from the following sources
  - E-mail notifications
  - Web sites
  - Microsoft technical representatives

E-mail Notifications
- Microsoft releases its patches or hotfixes on a monthly schedule and informs customers via
  - Microsoft Security Notification Service: a free e-mail notification service to inform customers about the security of its products
  - Microsoft Security Update: a free e-mail alert service
  - Product Security Notification for technical alerts
  - Microsoft Security Update for non-technical alerts

E-mail Notifications (continued)
- Guidelines to validate each e-mail notification
  - Delete any e-mail notifications with attached software files
  - Do not click any links directly from inside an e-mail notification
  - Visit the Microsoft Security Web site to read the authoritative details of a security bulletin
- Each Microsoft security patch comes with two documents
  - Security Bulletin
  - Knowledge Base Article

Web Sites
Figure 5-2 Microsoft Security Bulletin search window

Testing the Compatibility of Service Packs and Hotfixes for Existing Applications
- Software Update Services (SUS) allows you to configure a server in your own environment that holds content from the live Windows Update site, and to use it to update internal servers and clients
- Ways to test update content before applying it
  - Use two SUS servers, one for testing and one for production computers
  - Use a manually configured distribution point

Creating a Content Distribution Point
- Distribution point: the server that hosts the content you want your servers running SUS to offer, including the list of approved items
  - Can be created either manually or automatically
  - Uses only port 80
  - When automatically configured, it is located in the currently running IIS Web site under a Vroot named /Content

Content Synchronization
- During synchronization, updated content can be marked on the Approve updates page in two ways
  - Automatically approve new versions of previously approved updates
  - Do not automatically approve new versions of approved updates
- In a testing environment, the second option is better

Content Synchronization (continued)
Figure 5-3 Software Update Services option window

Implementing Microsoft Software Update Services Architecture
- Ways to deploy service packs and hotfixes
  - SMS
  - SUS
  - Group Policy
  - Slipstreaming
  - Custom scripts
  - Implementation during a Remote Installation Services (RIS) installation

Getting Started with Software Update Services
- Advantages of SUS
  - Updates can be approved individually on each SUS server
  - Clients can be configured to get updates through a SUS server instead of downloading them from Microsoft's site
  - SUS is a means to provide updates to computers that don't have Internet access
  - SUS server architecture is made up of parent-child relationships
  - Each SUS server can support up to 15,000 clients

Getting Started with Software Update Services (continued)
- A SUS server requires the following
  - A server with Windows 2000 Server or Windows Server 2003 installed
  - An NTFS file system partition with at least 100 MB of available free space to install SUS SP1, and a minimum of 6 GB of storage on an NTFS partition to host the updates locally
  - IIS
  - Port 80 to communicate with SUS clients

Getting Started with Software Update Services (continued)
- Features of the SUS Feature Pack
  - Capability to update status for all clients based on new security update information
  - Ability to review and authorize missing updates
  - Allows tailor-built packages and advertisements for each update or set of updates
  - Can update advertisements distributed to computers
  - Allows Windows Update-style notifications
  - Ability to use timers

Performing Software Update Services Common Administration Tasks
- Tasks to be completed before SUS can perform its two main tasks, synchronizing content and approving content
  - Properly configure proxy server settings if required
  - Configure a DNS name for the server running SUS if required
- Synchronize the server content
  - The actual content of each package is updated during synchronization
  - SUS keeps information about available updates in a metadata cache

Performing Software Update Services Common Administration Tasks (continued)
- SUS has two logs for tracking events
  - Synchronization log keeps the following information
    - Time of the last and next scheduled synchronization
    - Success and failure notification
    - Update packages that have been downloaded and/or updated since the last synchronization, or that failed synchronization
    - Whether the synchronization was manual or automatic
  - Approval log keeps track of the content that has been approved or not approved

Planning a Software Update Services Deployment
Table 5-1 SUS deployment models

Pilot Phase
- Make sure of the following
  - After the software update is installed, the computer restarts properly
  - The software update has an uninstall program that can successfully remove the update
  - Business-critical systems and services continue to function normally after the software update has been installed

Pilot Phase (continued)
- Steps for performing a pilot rollout if the update is targeted at computers connected across slow or unreliable links
  - Approve the update on the SUS pilot server only
  - Create a new site-level GPO that is configured
  - Grant the Read and Apply Group Policy permissions on this GPO to the SUS pilot clients only
  - Place the SUS pilot GPO at the top of the list of GPOs assigned to the site
  - Delete the SUS pilot GPO upon successful deployment in production

Production Phase
- Methods to roll out software updates: SMS, Group Policy, SUS, and scripts
- The production phase includes
  - Preparing for and executing the deployment
    - The rollout schedule should be announced to the users
    - The announcement to the users can be done through Group Policy, with several options
    - The update should be staged on the SUS server
  - Performing a postdeployment review
- Use the Wuau.adm template to control updates

Production Phase (continued)
Figure 5-4 Group Policy Configure Automatic Updates window

Production Phase (continued)
Figure 5-5 Group Policy Windows Components window

Production Phase (continued)
- Use the Reschedule Automatic Updates scheduled installations GPO setting for computers that have missed a scheduled installation
- A service pack's own package can also be distributed through Group Policy by creating a new software installation package (.msi file) from it and linking that package to a GPO
- Steps to deploy a software update in production include
  - Advertising the update to the clients
  - Checking the deployment progress
  - Dealing with any failed deployments
  - Conducting a postdeployment review

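The Wuau.adm settings discussed above (Configure Automatic Updates, Specify intranet Microsoft update service location, Reschedule Automatic Updates scheduled installations) are stored as registry values under the WindowsUpdate policy key. The following batch script, added here as an example and not taken from the textbook or from Microsoft's documentation, writes those same values on a single pilot client so that the behaviour can be verified before the GPO is rolled out. The server name, schedule and wait time are assumptions; the availability of wuauclt.exe /detectnow on the installed Automatic Updates client is also an assumption.

```batch
@echo off
REM Added example (not from the textbook): point the Automatic Updates client
REM at an internal SUS server and schedule installations, using the registry
REM values that the Wuau.adm policy template writes. Server name and schedule
REM are assumptions. Run on a pilot client only; production gets these from a GPO.
setlocal

set SUSSERVER=http://sus-pilot.corp.example
set WUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set AUKEY=%WUKEY%\AU

REM "Specify intranet Microsoft update service location": download from and
REM report status to the SUS server instead of the public Windows Update site.
reg add "%WUKEY%" /v WUServer       /t REG_SZ    /d %SUSSERVER% /f
reg add "%WUKEY%" /v WUStatusServer /t REG_SZ    /d %SUSSERVER% /f
reg add "%AUKEY%" /v UseWUServer    /t REG_DWORD /d 1 /f

REM "Configure Automatic Updates": enabled (NoAutoUpdate=0); AUOptions 4 =
REM auto download and schedule the install (2 = notify before download,
REM 3 = auto download and notify before install).
reg add "%AUKEY%" /v NoAutoUpdate         /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v AUOptions            /t REG_DWORD /d 4 /f
REM Install every day (0) at 03:00; days 1-7 mean Sunday-Saturday.
reg add "%AUKEY%" /v ScheduledInstallDay  /t REG_DWORD /d 0 /f
reg add "%AUKEY%" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

REM "Reschedule Automatic Updates scheduled installations": a computer that
REM was off at 03:00 installs 15 minutes after the AU service next starts,
REM instead of waiting for the next scheduled day.
reg add "%AUKEY%" /v RescheduleWaitTime   /t REG_DWORD /d 15 /f

REM Show the resulting policy so the pilot can be verified before rollout.
reg query "%WUKEY%" /s

REM Ask the client to detect against the SUS server now rather than waiting
REM for the next detection cycle (assumption: supported by the installed client).
wuauclt.exe /detectnow
endlocal
```

Once the pilot client reports to the SUS server and installs on schedule, remove these local values and let the site-level GPO apply the same settings, so that the pilot machine is not left with a policy that differs from production.
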
Production Phase (continued)
Figure 5-6 Group Policy Automatic Updates download location

Production Phase (continued)
Figure 5-7 Group Policy package installation

Server Backup and Disaster Recovery
- The recovery plan requires backing up the Web site directory, the SUS directory, and the IIS metabase
- In case of failure, the steps taken before restoring the data back to the server (IIS 6 servers) include
  - Physically disconnect the server from the network
  - Install the same OS that the server was previously running
  - Install the same IIS components the server previously had
  - Install the latest service pack and security fixes
  - Run the IIS Security Wizard before connecting the server to the network

Server Backup and Disaster Recovery (continued)
Figure 5-8 Backing up the IIS metabase

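The recovery plan above names three things to back up: the Web site directory, the SUS directory and the IIS metabase. The following batch script is an added example, not the textbook's or Microsoft's code, that takes all three before a new set of updates is approved, so that a bad approval can be rolled back to a known state. The directory paths, the backup share and the default backup name are assumptions; iisback.vbs and its /backup, /b and /overwrite switches are the ones shipped with IIS 6 on Windows Server 2003.

```batch
@echo off
REM Added example (not from the textbook): take the three backups the recovery
REM plan calls for before approving a new batch of updates on the SUS server:
REM the IIS metabase, the SUS directory and the Web site directory.
REM Paths, the backup share and the default backup name are assumptions.
REM Usage: susbackup.cmd [backup-name]
setlocal
if "%~1"=="" (set BACKUPNAME=SUS-pre-approval) else (set BACKUPNAME=%~1)
set SUSDIR=C:\SUS
set WEBDIR=C:\Inetpub\wwwroot
set DEST=\\backupsrv\susbackup\%BACKUPNAME%

REM 1. IIS 6 metabase backup. iisback.vbs ships in %SystemRoot%\system32 on
REM    Windows Server 2003; the copy lands in system32\inetsrv\MetaBack.
cscript //nologo %SystemRoot%\system32\iisback.vbs /backup /b %BACKUPNAME% /overwrite
if errorlevel 1 goto failed

REM 2. Copy the metabase backup off the box together with the SUS and Web
REM    site directories. /E copies all subdirectories, /C keeps going after a
REM    single-file error, /H includes hidden and system files.
mkdir "%DEST%" 2>nul
xcopy "%SystemRoot%\system32\inetsrv\MetaBack\%BACKUPNAME%.*" "%DEST%\metabase\" /C /H /I /Y
if errorlevel 1 goto failed
xcopy "%SUSDIR%" "%DEST%\SUS\" /E /C /H /I /Y
if errorlevel 1 goto failed
xcopy "%WEBDIR%" "%DEST%\wwwroot\" /E /C /H /I /Y
if errorlevel 1 goto failed

echo Backup %BACKUPNAME% completed to %DEST%
endlocal
exit /b 0

:failed
echo Backup %BACKUPNAME% FAILED (errorlevel %ERRORLEVEL%) - do not approve updates until this is fixed
endlocal
exit /b 1
```

Run it as a scheduled task or by hand immediately before each approval session; the non-zero exit code is the signal that approval should wait, since a rollback without a current backup means rebuilding the server from the steps listed above.
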
Planning the Batch Deployment of Multiple Hotfixes
- Slipstreaming installs service packs and hotfixes simultaneously with the operating system
- Steps include
  - List the components that you want to install with the updates as entries in the Svcpack.inf file
  - Copy the installation files for the operating system and the updates to a shared distribution folder
  - Create the package
  - Run Setup to deploy the installation either from the shared distribution folder or from a CD-ROM

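The four steps above can be carried out with a short batch script. The one below is an added example, not the textbook's procedure or Microsoft's own tooling: it copies the operating system files to a distribution share, places the hotfix packages under i386\svcpack, writes a Svcpack.inf whose [SetupHotfixesToRun] entries name each package with its Update.exe switches, and prints the Setup command to run from the share. The drive letter, share path, answer file and the KB000001/KB000002 package names are placeholders; the section layout of Svcpack.inf follows the i386\svcpack convention and should be confirmed against each package's own integration notes, since some packages also require catalog entries under [ProductCatalogsToInstall].

```batch
@echo off
REM Added example (not from the textbook): build a shared distribution folder
REM for Windows Server 2003 that installs hotfixes during Setup.
REM Drive letter, share path and package names are assumptions;
REM KB000001/KB000002 are placeholders for real package file names.
setlocal
set CDROM=D:
set DIST=\\fileserver\dist\w2k3
set FIXES=C:\hotfixes

REM 1. Copy the operating system installation files to the share.
xcopy %CDROM%\i386 "%DIST%\i386\" /E /C /H /I /Y
if errorlevel 1 goto failed

REM 2. Copy the update packages into i386\svcpack. Setup reads Svcpack.inf
REM    from i386, so the compressed original (svcpack.in_) must be removed.
mkdir "%DIST%\i386\svcpack" 2>nul
copy /Y "%FIXES%\KB000001.exe" "%DIST%\i386\svcpack\"
copy /Y "%FIXES%\KB000002.exe" "%DIST%\i386\svcpack\"
if exist "%DIST%\i386\svcpack.in_" del "%DIST%\i386\svcpack.in_"

REM 3. Write Svcpack.inf. Each [SetupHotfixesToRun] line is a package and the
REM    Update.exe switches Setup runs it with: /q quiet, /n no uninstall
REM    backup, /z no restart. BuildNumber 3790 = Windows Server 2003.
(
  echo [Version]
  echo Signature="$Windows NT$"
  echo MajorVersion=5
  echo MinorVersion=2
  echo BuildNumber=3790
  echo.
  echo [SetupData]
  echo CatalogSubDir="\i386\svcpack"
  echo.
  echo [ProductCatalogsToInstall]
  echo.
  echo [SetupHotfixesToRun]
  echo KB000001.exe /q /n /z
  echo KB000002.exe /q /n /z
) > "%DIST%\i386\svcpack.inf"

REM 4. Deploy from the share (unattend.txt is an assumed answer file).
echo Distribution folder ready. Deploy with:
echo   %DIST%\i386\winnt32.exe /unattend:%DIST%\unattend.txt
endlocal
exit /b 0

:failed
echo Copy of installation files failed (errorlevel %ERRORLEVEL%)
endlocal
exit /b 1
```

Because the hotfixes are applied by Setup itself, a machine built from this share is already at the approved patch level the first time it joins the network, which is the point of slipstreaming over patching a freshly installed box afterwards.
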
Planning the Batch Deployment of Multiple Hotfixes (continued)
- Using custom scripts: the following scripting environments can be used for installation
  - Windows Script Host: ideal for both interactive and noninteractive scripting, such as logon scripting and administrative scripting
  - KiXtart
- Using isolated installations: the update package automatically installs the updated system files, making the necessary registry changes

Planning the Batch Deployment of Multiple Hotfixes (continued)
- Using QChain.exe: updates can be chained together so that they install without restarting the computer between each installation
Table 5-2 Update.exe Switches

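A chained installation of the kind described above is normally a batch file that runs each package with the Update.exe switches from Table 5-2 and calls QChain.exe once at the end. The script below is an added example, not the textbook's or Microsoft's code: it installs several packages quietly with /q and without a restart with /z, records each result to a per-computer log, runs QChain.exe, and restarts only once and only if every package succeeded. The hotfix share, log path and the KB000001..KB000003 package names are placeholders; treating return code 3010 as "installed, restart pending" is an assumption based on the standard ERROR_SUCCESS_REBOOT_REQUIRED code.

```batch
@echo off
REM Added example (not from the textbook): install several hotfixes in one
REM pass and restart only once, using the Update.exe switches and QChain.exe.
REM Hotfix share, log path and package names are assumptions;
REM KB000001..KB000003 are placeholders for real package file names.
setlocal
set PATHTOFIXES=\\fileserver\hotfixes
set LOG=C:\patchlog\%COMPUTERNAME%.log
set FAILED=0
mkdir C:\patchlog 2>nul

REM Each package runs with /q (quiet, no user interaction) and /z (do not
REM restart when the installer finishes). Windows 2000 packages also need /m
REM for unattended mode.
for %%F in (KB000001 KB000002 KB000003) do call :install %%F

REM QChain.exe fixes up the pending file-replacement list so that when several
REM packages replaced the same file, the newest version is the one that
REM survives the single restart.
%PATHTOFIXES%\qchain.exe
if errorlevel 1 (
  echo %DATE% %TIME% qchain.exe failed, errorlevel %ERRORLEVEL% >> "%LOG%"
  set FAILED=1
)

if "%FAILED%"=="1" (
  echo One or more hotfixes failed on %COMPUTERNAME%; see %LOG% before restarting
  endlocal
  exit /b 1
)
echo %DATE% %TIME% all hotfixes installed, restarting >> "%LOG%"
shutdown /r /t 60 /c "Restarting to complete hotfix installation"
endlocal
exit /b 0

:install
%PATHTOFIXES%\%1.exe /q /z
REM 0 = installed; 3010 = installed, restart pending (expected because of /z,
REM assumption: ERROR_SUCCESS_REBOOT_REQUIRED). Anything else is a failure.
if %ERRORLEVEL%==0 goto ok
if %ERRORLEVEL%==3010 goto ok
echo %DATE% %TIME% %1 failed, errorlevel %ERRORLEVEL% >> "%LOG%"
set FAILED=1
goto :eof
:ok
echo %DATE% %TIME% %1 installed >> "%LOG%"
goto :eof
```

The per-package log is what makes the later postdeployment review possible: a failed package on one server is visible before the restart rather than being discovered when MBSA reports it missing.
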
Deployment Considerations for Various Machines
- New servers and clients: options to install service packs and hotfixes together with the OS include
  - Slipstreaming, custom scripts, and implementation during a RIS installation
  - RIS is used to automatically install a client OS: the client connects to the network by booting, obtains a DHCP address, then obtains the proper image for the machine
- Existing servers and existing clients
  - SUS, Group Policy, and SMS; SUS servers are the core of the update process

Postdeployment Review
- Use MBSA to identify installed updates as well as approved updates that have yet to be installed
- The post-implementation review includes these steps
  - Ensure that the vulnerabilities are added to your vulnerability-scanning reports
  - Ensure that your build images have been updated
  - Discuss planned versus actual results
  - Discuss the risks associated with the release

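The MBSA check above can be scripted so that the review starts from a report rather than from a screen. The batch file below is an added example, not the textbook's or Microsoft's code: it runs the MBSA command-line scanner in HFNetChk mode against a list of computers, scores them against the updates approved on the SUS server rather than the full Windows Update catalogue, and pulls out the "Patch NOT Found" lines that form the approved-but-not-installed list. The host names, SUS server URL and file paths are assumptions, and the mbsacli.exe switch names are as I recall them from MBSA 1.x; confirm them with the installed version's /hf help before relying on the script.

```batch
@echo off
REM Added example (not from the textbook): postdeployment check with the MBSA
REM command-line scanner in HFNetChk mode (/hf), comparing each computer
REM against the updates approved on the SUS server. Host list, server URL
REM and paths are assumptions; confirm switch names with "mbsacli.exe /hf -?".
setlocal
set MBSA="%ProgramFiles%\Microsoft Baseline Security Analyzer\mbsacli.exe"
set SUSSERVER=http://sus-prod.corp.example
set HOSTS=C:\patchlog\hosts.txt
set REPORT=C:\patchlog\missing-updates.txt
mkdir C:\patchlog 2>nul

REM hosts.txt: one computer name per line (constructed sample list).
(
  echo FS01
  echo WEB01
  echo WKS-ACCT-12
) > "%HOSTS%"

REM -fh reads the host list, -sus scores against the SUS approvals, -o tab
REM writes tab-delimited output that can be loaded into a spreadsheet for the
REM review, and -f names the output file.
%MBSA% /hf -fh "%HOSTS%" -sus %SUSSERVER% -o tab -f "%REPORT%"

REM Keep only the lines that report an approved patch as not installed.
findstr /I /C:"Patch NOT Found" "%REPORT%"
if errorlevel 1 (
  echo No approved updates missing on the listed computers
) else (
  echo Missing updates listed above - reschedule installation before closing the review
)
endlocal
```

Scoring against the SUS server matters for the review: a scan against the public catalogue lists every update Microsoft has released, whereas the review question is whether the updates the organization actually approved have reached every computer.
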
Postdeployment Review (continued)
- The post-implementation review includes these steps
  - Review the organization's performance during the incident
  - Discuss changes to your service windows
  - Assess the total incident damage and cost
  - Update the existing baseline for your environment

Postdeployment Review (continued)
Figure 5-9 Scanning multiple computers for missing updates

Summary
- Proactive security patch management is necessary to keep the technology environment secure and reliable
- Organizations should have a process for identifying security vulnerabilities and responding quickly
- Have a comprehensive plan for applying software updates, configuration changes, and countermeasures to remove vulnerabilities
- Myriad attacks can be initiated against a network
- Microsoft's patch management process is a four-phase approach to controlling the deployment of service packs and hotfixes

Summary (continued)
- E-mail notifications, Web sites, and Microsoft technical representatives provide information about new software updates
- SUS can be used to deploy Windows-related security patches and updates to any computers running Windows 2000, Windows XP Professional, or Windows Server 2003
- SMS, SUS, Group Policy, slipstreaming, custom scripts and implementation during a RIS installation can be used to deploy service packs and hotfixes

Summary (continued)
- With QChain.exe, updates can be installed without restarting the computer between each installation
- MBSA can be used to identify installed updates as well as updates that have been approved on the SUS server but have yet to be installed
- A release should not be piloted in production unless rollback and recovery procedures are in place