
The purpose of this document is to provide a brief overview of our desktop security patching process.

Section 1
General Patch Information:
“Patch Tuesday” refers to the second Tuesday of each month, when security patches are released. Although the patches are released on Tuesday, they don’t usually appear in Patch Manager until the following day. Once an update is received by WSUS / Patch Manager, it must be approved before deployment. We will be working in two servers, primarily in PUS302, which is the Patch Manager server, and PUS301, the WSUS server.

WSUS Groups:
Groups determine which day of the week the computer will apply new updates as well as which day the computer will reboot. To move computers into different groups (or days), the change must be made in Active Directory.
WSUS Groups > Group Policy > Days of the week OUs

This does not have to be done all the time. This is just maintenance for after updates have been completed. Skip to email section.

PUS301 – WSUS:
We will RDP into PUS301 to clean up / remove obsolete updates and check available disk space.

1. RDP into PUS301

2. Start Menu > Apps > Windows Server Update Services

CONFIDENTIAL DOCUMENT – FOR INTERNAL DISTRIBUTION ONLY TO IT DEPARTMENTS


3. Under Update Services > Options > Server Cleanup Wizard

4. When finished, you’ll see a screen similar to the image below. Don’t be concerned about deleted computers; they will be added back when they communicate with the server.


Email Updates:
You will receive emails when new updates are available. Microsoft updates come from PUS301 and WSUS, while Third Party updates come from PUS302 and Patch Manager:

PUS301: PUS302:

Section 2
Windows Security Update Process:

1. CEM Team to review patch matrix to understand each update (see email referenced above)
2. Present updates in Tuesday’s Security Desktop meeting for approval (Patch Tuesday)
3. Approve Critical Updates to Test Group (Wednesday +1 Day)
4. Test for seven days (Wednesday – Tuesday)
5. Meeting (SDT) to discuss deployment to larger group
6. Deploy to Wednesday group (Thursday [+8 Days] – Tuesday)
7. Meeting (SDT) to discuss deployment to remaining workstations.
8. Deploy to remaining groups (Tuesday + 13 Days)
9. CEM / Device Team closely monitor any Windows issues

The test group consists of mostly IT employees, with a few computers in the field and some home office administrative assistants.

The primary test machine is located next to Silvia’s cubicle. This is the computer we will start with to test each update. The computer name is LT7TKKCS1.

Before an update can be deployed, it must first be approved.


Update Approval Process:
We will be working in PUS302 (Patch Manager) during the patching process.

1. Enterprise > Update Services > PUS301 > Updates > All Updates

2. Clear out any filters active from the previous session.

3. To view newest updates, filter arrival date by current month. (This will show both Microsoft updates as well as 3rd party updates.)

4. Start with All Microsoft Updates. Select them > Right Click > Approve > Test


5. Log into the test computer (LT7TKKCS1) > Check for new updates > Install each one individually by selecting them one at a time.

6. After installing each one, go through the testing process.
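Steps 1 to 4 can also be done from PowerShell on the WSUS server, with a check that nothing from this month has been approved beyond the test group before testing is finished. This is an added example, not part of the original document; it assumes the UpdateServices module on PUS301 and a WSUS computer group named Test.

```powershell
# Added example: approve this month's Microsoft updates to the Test group only,
# then list anything from this month that is approved outside Test.
Import-Module UpdateServices

$TestGroupName = 'Test'                    # assumption: WSUS group name from step 4
$monthStart    = (Get-Date -Day 1).Date    # first day of the current month, 00:00

$wsus      = Get-WsusServer                # local WSUS instance
$testGroup = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $TestGroupName
if (-not $testGroup) { throw "WSUS group '$TestGroupName' not found" }

# Step 3 and 4: unapproved Microsoft updates that arrived this month.
$new = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any |
    Where-Object {
        $_.Update.ArrivalDate  -ge $monthStart -and
        $_.Update.UpdateSource -eq 'MicrosoftUpdate'
    }

$new | Select-Object @{n='Arrived';e={$_.Update.ArrivalDate}},
                     Classification,
                     @{n='Title';e={$_.Update.Title}} |
    Format-Table -AutoSize

# Approve for Test only. -WhatIf shows what would happen; remove it after review.
$new | Approve-WsusUpdate -Action Install -TargetGroupName $TestGroupName -WhatIf

# Check: this month's Microsoft updates with an install approval for any other group.
$outsideTest = Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any |
    Where-Object {
        $_.Update.ArrivalDate  -ge $monthStart -and
        $_.Update.UpdateSource -eq 'MicrosoftUpdate'
    } |
    ForEach-Object {
        $title = $_.Update.Title
        $_.Update.GetUpdateApprovals() |
            Where-Object { $_.Action -eq 'Install' -and
                           $_.ComputerTargetGroupId -ne $testGroup.Id } |
            ForEach-Object {
                [pscustomobject]@{
                    Title = $title
                    Group = $wsus.GetComputerTargetGroup($_.ComputerTargetGroupId).Name
                }
            }
    }

$outsideTest | Sort-Object Group, Title | Format-Table -AutoSize
```

An empty second table during the seven-day test window means the new updates are still confined to the test group.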

Patch Test Verification:
1. Launch the following Microsoft programs:
   a. Outlook
   b. Excel
   c. Word
   d. PowerPoint
   e. Project
   f. Lync
   g. SharePoint

2. Launch the following applications:
   a. Oracle Forms
   b. S&D
   c. WorkBrain
   d. ESS
   e. MyHR – Launch Learning and test a training video
   f. Footprints (open a test ticket)
   g. Imagenow
   h. Webnow
   i. Works (Bank of America)
   j. eBusiness Desktop (Citrix)


   k. SalesPro (Citrix)

3. SharePoint
   a. Open a .pdf, Excel and Word documents
   b. Save each file back to a list
   c. Export a list to Excel
   d. Add a new item to a list

4. Lync
   a. Open an IM
   b. Start a Meeting

Section 3
Third Party Software Patches

1. Go to Administration and Reporting > Software Publishing > All Packages
2. Check the PM Email for packages that are available, but not downloaded or approved.
3. Select the package you want to download and publish to the WSUS server. Right click on the update and left click Publish Packages. If the package has not been downloaded it will start the download process before it is published to the WSUS server.

Third Party Software we are patching:
Firefox, Chrome, FileZilla, iTunes, Notepad++, Flash Player (not Reader), Foxit

After Publishing:
1. Navigate back to PUS301 > Updates > Third Party Updates
2. Right click > Approve > for all computers


Use (upgrade) only to keep from installing software on computers that didn’t have it previously

When a new update comes out, we want to retire old updates. Right click > Decline

To retire them, search for third party updates that are dated 30+ days ago and are declined. Right click the items that are declined and delete them.
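The same retirement search can be run as a report on the WSUS server before anything is deleted. This is an added example, not part of the original document; it assumes the UpdateServices module on PUS301, treats "dated" as the update's arrival date, and identifies third party packages as updates whose source is not Microsoft Update.

```powershell
# Added example: list declined third party updates older than 30 days,
# and delete them only when $Delete is set after the list has been reviewed.
Import-Module UpdateServices

$Delete = $false                          # assumption: review first, then set to $true
$cutoff = (Get-Date).AddDays(-30)         # "30+ days", measured on ArrivalDate (assumption)
$wsus   = Get-WsusServer                  # local WSUS instance

$stale = Get-WsusUpdate -UpdateServer $wsus -Approval Declined -Status Any |
    Where-Object {
        $_.Update.UpdateSource -ne 'MicrosoftUpdate' -and   # locally published packages
        $_.Update.ArrivalDate  -lt $cutoff
    }

foreach ($item in $stale) {
    $u = $item.Update
    '{0:yyyy-MM-dd}  {1}' -f $u.ArrivalDate, $u.Title

    # Safety check: never delete something that is not actually declined.
    if ($Delete -and $u.IsDeclined) {
        $wsus.DeleteUpdate($u.Id.UpdateId)
    }
}

"{0} declined third party update(s) older than 30 days" -f @($stale).Count
```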


Section 4
Computer Explorer:
Can be used to specifically troubleshoot a single computer

A reason to do this would be Top 10 Vulnerable Computers: look at the computer in Computer Explorer and check on its update status.

Check on update status for a single computer


Reboot only if required by windows update

To check the progress of the task you created, check Active Tasks.


To see whether the install was successful, check under Task History: if you have a 100% green circle, the install was successful. If the circle is partially red or any other color, there was an error or the update was not applicable. You can drill down for details.


Repair Windows Update Agent:
