How To Keep Up With Security Patches
Eric Schultze
Security Strategies
Microsoft
Questions
• How do I know if I'm up to date on patches?
• How do I know when a new patch is released?
• How do I know that the patch is valid on my system?
• How can I deploy patches to all my machines?
• What is Microsoft doing to make it easier to assess and deploy patches?
Patch Process
• New Patch Notification
• Host and Network Assessment
• Deployment
• Validation
Notification
How do I know when new security patches are available?
• Security Bulletin Notification Service: www.microsoft.com/technet/security
• Windows Update
• Client Update Notification Applet
• HFNetChk
How can I tell which machines need patches?
• HFNetChk
  • Can be run against Windows NT 4, Windows 2000, Windows XP
  • Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and 2000
  • See KB article Q303215 for more info and download location
HFNetChk Demo
How Does HFNetChk Work?
1. Downloads signed CAB file (containing XML data) from microsoft.com
   • May also use a local copy of the XML file from a file or http share
2. Tool Version Check
3. Language \ OS \ SP \ Application check
4. Identifies all relevant security patches for OS \ SP \ App
MSSecure.XML
How Does HFNetChk Work?
For each applicable hotfix:
5. Compare registry key from XML file to registry key on the system
   • If reg key does NOT exist, fix is determined to be NOT installed
   • Reg key check can be bypassed with the -z switch
How Does HFNetChk Work?
6. If registry key DOES exist*, compare file version information from XML file to files on system
7. If registry key DOES exist*, compare file checksum information from XML file to files on system
* Or if registry checks were bypassed
MSSecure.XML
How Does HFNetChk Work?
If either the file version or the checksum does NOT match for any file, the patch is considered NOT installed (a Warning is given if the file version is greater than expected).
In every instance file versions and checksums are evaluated!
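The per-hotfix evaluation of steps 5 through 7 above, as an added example that is not HFNetChk's or Microsoft's code: the hotfix entry, registry key, file path, versions and checksums are constructed placeholders, and the `bypass_registry` flag stands in for the -z switch.

```python
from dataclasses import dataclass

@dataclass
class FileCheck:
    path: str          # file location as listed in MSSecure.XML (constructed)
    version: tuple     # expected file version, e.g. (5, 0, 2195, 4000)
    checksum: str      # expected checksum (constructed value)

@dataclass
class Hotfix:
    qnumber: str
    reg_key: str       # registry key the hotfix installer writes (constructed)
    files: list        # FileCheck entries

def evaluate_hotfix(hotfix, system, bypass_registry=False):
    """Return 'installed', 'not installed' or 'warning'; system maps registry
    keys (set) and files {path: (version, checksum)}; bypass_registry is -z."""
    if not bypass_registry and hotfix.reg_key not in system["registry"]:
        return "not installed"      # step 5: missing key alone => NOT installed
    result = "installed"
    for f in hotfix.files:
        found = system["files"].get(f.path)
        if found is None:
            return "not installed"  # file absent: nothing can match
        version, checksum = found
        if version < f.version:
            return "not installed"  # step 6: file older than the patch's
        if version > f.version:
            result = "warning"      # newer than expected: warn, keep checking
            continue                # a newer file's checksum differs anyway
        if checksum != f.checksum:
            return "not installed"  # step 7: same version, checksum mismatch
    return result

# Constructed MSSecure-style entry plus constructed system snapshots.
HOTFIX = Hotfix("Q000000", r"HKLM\SOFTWARE\Example\Hotfix\Q000000",
                [FileCheck(r"%systemroot%\system32\example.dll",
                           (5, 0, 2195, 4000), "aa11")])
PATH, KEY = HOTFIX.files[0].path, HOTFIX.reg_key

def demo():
    systems = {
        "patched":   {"registry": {KEY}, "files": {PATH: ((5, 0, 2195, 4000), "aa11")}},
        "unpatched": {"registry": set(), "files": {PATH: ((5, 0, 2195, 3000), "0000")}},
        "nokey":     {"registry": set(), "files": {PATH: ((5, 0, 2195, 4000), "aa11")}},
        "newer":     {"registry": {KEY}, "files": {PATH: ((5, 0, 2195, 5000), "bb22")}},
    }
    results = {name: evaluate_hotfix(HOTFIX, sysinfo) for name, sysinfo in systems.items()}
    results["nokey_z"] = evaluate_hotfix(HOTFIX, systems["nokey"], bypass_registry=True)
    return results
```

The "nokey" snapshot shows why the -z switch exists: with the key check in force the hotfix reports NOT installed even though every file matches, and with the check bypassed it reports installed.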
New MSSecure Schema
• Patch details for all languages
• Download URL for each patch for each language
• Hotfix installer engine and related switches
• MD5 and SHA1 file hashes
• Specific file location (relative and/or system variable)
• 56 bit vs 128 bit crypto, multi-proc vs. single-proc, 32 bit vs 64 bit architecture
• Severity data
• CVE data
• Reboot actions
Deployment
How do I push patches to the machines that need them?
• SMS
• Third party tools
• Active Directory / Group Policy
SMS
HFNetChkPro
Group Policy and MSI
• Create MSI package for hotfix
  • Future MS hotfixes may include MSI packages
  • Use third party MSI creator (InstallShield, SMS, etc.)
• Create Group Policy with Computer Settings for Software Installation
Corporate Windows Update
• Allows corporations to host their own Windows Update Server
• CorpWU Server downloads catalogs and patches from Microsoft
• Administrator chooses which ones to make available on corpnet
• New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server
• Clients can also be configured via Group Policy to autodownload and apply the patches within a given period of time, should the system owner not do it on their own
What else is Microsoft doing?
• Focus on Trustworthy Computing email from BillG
• Rollup Packages
  • Cumulative
  • Every two months for latest Service Pack
  • May be released as MSI
• Increase in No-Reboot patches
• Additional Tools like HFNetChk
Contact Info
[email protected] (microsoft.com address)