Rob Davidson, Partner Technology Specialist
Microsoft Management Servers: Using management to stay secure
Agenda
Using Management Tools to Help with Security
SMS Patch Management (Client, Server): what partners can do to help customers
MOM: monitoring your network's security; what partners can do to help
Summary / Q&A
Microsoft IT SMS 2003 Core Usage Scenarios
Asset management
Patch management
Software distribution
Software metering
Security patches
File collection
Targeted deployments
Patch Management Framework
1. Assess the environment to be patched
Periodic tasks:
  A. Create/maintain a baseline of systems
  B. Assess the patch management architecture (is it fit for purpose?)
  C. Review infrastructure/configuration
Ongoing tasks:
  A. Discover assets
  B. Inventory clients

2. Identify new patches
Tasks:
  A. Identify new patches
  B. Determine patch relevance (includes threat assessment)
  C. Verify patch authenticity and integrity (no virus: install on an isolated system)

3. Evaluate and plan patch deployment
Tasks:
  A. Complete patch acceptance testing
  B. Obtain approval to deploy the patch
  C. Perform risk assessment
  D. Plan the patch release process

4. Deploy the patch
Tasks:
  A. Distribute and install the patch
  B. Report on progress
  C. Handle exceptions
  D. Review the deployment

The four phases form a cycle: 1. Assess -> 2. Identify -> 3. Evaluate & Plan -> 4. Deploy -> back to 1. Assess
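Step 2C above says to verify a patch's authenticity and integrity on an isolated system before it enters acceptance testing. The PowerShell function below is an added example, not code from the original deck or from SMS: it checks the Authenticode signature status, checks that the signer is the vendor you expect (the subject fragment 'CN=Microsoft Corporation' is an assumption about the expected signer), and compares a SHA-256 of the file against the hash published with the download. The path and hash in the usage line are placeholders.

```powershell
# Added example, not part of the original presentation.
# Framework step 2C: verify patch authenticity (signature) and integrity (hash)
# on the isolated staging system before acceptance testing starts.
# Assumptions: the update file is Authenticode-signed, and the SHA-256 published
# with the download is available to compare against.
function Test-PatchAuthenticity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Assumed subject fragment of the expected signing certificate.
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $result = [ordered]@{
        Path           = $Path
        SignatureValid = $false
        SignerOk       = $false
        HashOk         = $false
    }

    # Authenticode: only a status of Valid is acceptable. NotSigned, HashMismatch,
    # NotTrusted and UnknownError all mean the file must not proceed.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    $result.StatusMessage  = $sig.StatusMessage

    # A valid signature from the wrong signer is still a failure, so check the
    # certificate subject against the vendor you expect.
    if ($sig.SignerCertificate) {
        $result.SignerOk = ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    }

    # Integrity: the file hash must match the value published with the download.
    # (-eq on strings is case-insensitive, so hex case does not matter.)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.ActualSha256 = $actual
    $result.HashOk = ($actual -eq $ExpectedSha256)

    # All three checks must pass before the patch enters step 3 (acceptance testing).
    $result.Accept = $result.SignatureValid -and $result.SignerOk -and $result.HashOk
    [pscustomobject]$result
}

# Usage (placeholders): run on the isolated staging box and gate step 3 on .Accept
$check = Test-PatchAuthenticity -Path 'C:\Staging\update.exe' -ExpectedSha256 '<published SHA-256>'
$check | Format-List
if (-not $check.Accept) { Write-Warning "Patch rejected: $($check.StatusMessage)" }
```

The signer check matters as much as the status check: Get-AuthenticodeSignature reports Valid for any certificate that chains to a trusted root, so a file signed by someone else would otherwise pass.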
Desktop Patch Management
Desktop Patch Management
Overview
Benefits of SMS 2003 patch management
Best practices
Benefits of Using SMS Patch Management
Proactive monthly patching and compliance process
  Catch security issues before they affect productivity
  Minimize the cost of alternate compliance processes
Packaging is automated
  No custom scripting and testing
  Faster time to market
Centralized patch and compliance method
  Used across the company
Leverage existing resources
  Uses SMS server infrastructure
  Uses SMS administrators
[Chart: Microsoft IT emergency client patch timeline, running from Wed 10:00 AM through Thurs 5:00 AM and Fri 2:00 PM to 5:00 PM, plotting the percentage of vulnerable clients at each point; values shown on the chart: 30%, 12%, 6%, 5%, 3%]
Microsoft IT Multiple-Prong Approach: Managed and Unmanaged Environment
Emergency client patch timeline: methods, ordered from low client impact to high client impact
Windows Update (optional)
Email & ITWeb notification (optional)
SMS Patch Management (voluntary > forced)
Logon script (forced)
Internal scanning tool (forced)
Port shutdowns
Best Practices to Enhance Patch Management
Great technology, great processes, great people
SMS Client Health Management Plan
  Manage using a scorecard
  Investigate by collecting client logs
  Repair through logon script logic
SMS Client Coverage Management Plan
  Boundary management
  Client count trending
SMS Infrastructure Management Plan
  MOM Management Pack for SMS
Server Patch Management
Servers…
Target key servers: not all servers need all patches
A server that will not run IIS may not need to have IIS patches applied…
Know when a reboot is required (plan it)
Backup / recovery plan (ready)
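The targeting point above (a server that does not run IIS does not need IIS patches) and framework steps 2B and 4B (determine relevance, report on progress) are illustrated by the following added PowerShell example. It is not code from the original deck or from SMS: the inventory and patch list are constructed inline (in practice they would come from SMS hardware and software inventory), and the component and patch names are placeholders, not real identifiers.

```powershell
# Added example, not part of the original presentation.
# Decide which hosts a patch is relevant to from inventory data, then report
# compliance per patch and flag which outstanding installs need a reboot slot.
# Inventory and patch list are constructed here; placeholders, not real KBs.
$inventory = @(
    [pscustomobject]@{ Name = 'WEB01';  Components = @('IIS'); InstalledPatches = @('P-1') }
    [pscustomobject]@{ Name = 'WEB02';  Components = @('IIS'); InstalledPatches = @('P-1', 'P-2') }
    [pscustomobject]@{ Name = 'SQL01';  Components = @('SQL'); InstalledPatches = @('P-1') }
    [pscustomobject]@{ Name = 'FILE01'; Components = @();      InstalledPatches = @() }
)

# Component = $null means the patch applies to every Windows host.
$patches = @(
    [pscustomobject]@{ Id = 'P-1'; Description = 'OS-wide fix'; Component = $null;  RebootRequired = $true }
    [pscustomobject]@{ Id = 'P-2'; Description = 'IIS fix';     Component = 'IIS';  RebootRequired = $false }
    [pscustomobject]@{ Id = 'P-3'; Description = 'SQL fix';     Component = 'SQL';  RebootRequired = $true }
)

function Get-PatchRelevance {
    param($Inventory, $Patches)
    foreach ($p in $Patches) {
        foreach ($h in $Inventory) {
            # Relevant only if the patch is OS-wide or the host runs the affected component.
            $relevant = (-not $p.Component) -or ($h.Components -contains $p.Component)
            if (-not $relevant) { continue }
            [pscustomobject]@{
                Computer       = $h.Name
                Patch          = $p.Id
                Installed      = ($h.InstalledPatches -contains $p.Id)
                RebootRequired = $p.RebootRequired
            }
        }
    }
}

function Get-ComplianceReport {
    param($Relevance)
    $Relevance | Group-Object Patch | ForEach-Object {
        $targeted    = $_.Count
        $installed   = ($_.Group | Where-Object Installed).Count
        $outstanding = $_.Group | Where-Object { -not $_.Installed }
        [pscustomobject]@{
            Patch            = $_.Name
            Targeted         = $targeted
            Installed        = $installed
            PercentCompliant = [math]::Round(100 * $installed / $targeted, 1)
            Outstanding      = ($outstanding | ForEach-Object Computer) -join ','
            # Hosts still to patch that will need a planned reboot window.
            RebootPending    = ($outstanding | Where-Object RebootRequired | ForEach-Object Computer) -join ','
        }
    }
}

$relevance = Get-PatchRelevance -Inventory $inventory -Patches $patches
$relevance | Format-Table -AutoSize
Get-ComplianceReport -Relevance $relevance | Format-Table -AutoSize
```

With this input FILE01 is targeted only by the OS-wide patch and never by the IIS or SQL fixes, which is the point of the slide: compliance is measured against the hosts a patch actually applies to, so a report of 75% for P-1 (FILE01 outstanding, reboot pending), 50% for P-2 (WEB01 outstanding, no reboot) and 0% for P-3 (SQL01 outstanding, reboot pending) reflects real exposure rather than counting irrelevant hosts as failures.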
Partner Opportunities
Security is the #1 priority
Executive support is critical
The process is just as critical as the implementation of the technology
Security assessments
"What if?" planning and recovery
HW and SW inventory frequency increased for patch compliance reporting
Scalable solution (start small and grow)
Assistance with choosing between MSUS and SMS
MOM and Security Management
Security layers: policies, procedures & awareness; physical security; internal network; perimeter; host; application; data
MOM 2005 is a platform: monitoring vs. administration
  MOM
  Management Packs
  Operational Data
MOM 2005 Security Features
Secure by default
Role-based security
Channel security
Support for more firewall scenarios
More…
More Security Features
MBSA Management Pack
  Scans for common security misconfigurations
  Needs admin-level privileges
Task execution "auditing"
  What task was run
  When it was run
  By which user
  Against which computers
  Whether or not it was successful
Partner Opportunities
MOM install and configuration
Security auditing: who, what, when
Analysis
Well managed is secure
Resources
http://www.microsoft.com/security
http://www.microsoft.com/sms
http://www.microsoft.com/mom
© 2004 Microsoft Corporation. All rights reserved.
This whitepaper presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.