Patch Warfare & Security Incident Response Microsoft Corporation Presented by Ro


Patch Warfare & Security Incident Response
Microsoft Corporation
Presented by Robert Hensing – PSS Security Specialist

Agenda
- Situation
- Solution Components
- Roadmap
- Security Incident Response

Customer Feedback
- Reduce frequency and quantity of patches
- Inadequate communications, guidance, and training
- Inconsistent patching experience
- Multiple, incomplete patch management tools
- Inconsistent patch quality


Addressing the Situation
- Security and patch management is priority 1 – bar none – at Microsoft
- A Microsoft problem and an industry problem
- Ongoing battle with malicious hackers
- Microsoft is taking a comprehensive, tactical and strategic approach to addressing the situation

Patch Management Initiative: Progress to Date (July 2004)
- Update.exe now uses standardized switches; Windows Installer will use these in MSI 3.0
- 75% for Windows Update installs, more than 25% for other patches
- More on the deliverables of the Patch Management Initiative in the Roadmap section of this presentation
- Informed & prepared customers
- Superior patch quality
- Consistent & superior update experience
- Best patch & update management solutions

Terminology

Naming Standards
824685 – Description of the File Names That Are Used for Microsoft Product Updates, Tools, and Add-ins
http://support.microsoft.com/kbid=824685
The standardized file naming schema that Microsoft is adopting for packages that contain product updates, tools, and add-ins uses the following format:
  ProductName-KBArticleNumber-Option-Language.exe
- WindowsXP-KB123456-IA64-ENU.exe – An update for the English (US)-language version of Microsoft Windows XP for computers with 64-bit Intel processors. The update is associated with Microsoft Knowledge Base article 123456.
- OfficeXP-KB123456-Client-ENU.exe – An update for the English (US)-language version of Microsoft Office XP. The update is associated with Knowledge Base article 123456.
- SQL2000-KB123456-8.00.0000-JPN.exe – An update for the Japanese-language version of Microsoft SQL Server 2000 Build 8.00.000. The update is associated with Knowledge Base article 123456.

Bulletin Severity Rating System
Revised November 2002
More information at http://www.microsoft.com/technet/security/policy/rating.asp

Prioritizing and Scheduling the Release
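The naming schema above is easy to check mechanically, which matters when an administrator stages packages by hand: a file that does not follow the ProductName-KBArticleNumber-Option-Language.exe pattern (a missing option field, or an extra extension tacked on after ".exe") should be reviewed rather than deployed. The parser below is an added example written for this page, not code from the presentation or from Microsoft. It assumes the product token is letters and digits, the KB number is digits only, the option token is anything without a hyphen (so a build number such as 8.00.0000 is accepted) and the language token is three letters; the language-name lookup covers only the two codes on the slide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Pattern for ProductName-KBArticleNumber-Option-Language.exe (KB 824685 schema).
# Assumptions made here, not stated in the KB text on the slide: the product
# token is letters/digits, the KB number is digits only, the option token is
# anything without a hyphen (so 8.00.0000 is accepted), the language token is
# three letters, and letter case is ignored.
_NAME_RE = re.compile(
    r"^(?P<product>[A-Za-z0-9]+)-KB(?P<kb>\d+)-(?P<option>[^-]+)-(?P<lang>[A-Za-z]{3})\.exe$",
    re.IGNORECASE,
)

# Expansions for the two language codes that appear on the slide (constructed
# lookup for display only, not the full Microsoft language table).
_LANGUAGES: Dict[str, str] = {"ENU": "English (US)", "JPN": "Japanese"}


@dataclass(frozen=True)
class UpdatePackageName:
    product: str
    kb_article: int
    option: str
    language: str

    def describe(self) -> str:
        """Human-readable summary of the kind an inventory report would show."""
        lang = _LANGUAGES.get(self.language, self.language)
        return (f"{self.product} update ({self.option}), {lang}, "
                f"Knowledge Base article {self.kb_article}")


def parse_update_name(filename: str) -> Optional[UpdatePackageName]:
    """Split a package file name into its four fields.

    Returns None for anything that does not follow the schema exactly, which
    includes names with a missing option field and names that contain the
    pattern but carry an extra extension (e.g. '...-ENU.exe.scr').
    """
    match = _NAME_RE.match(filename)
    if match is None:
        return None
    return UpdatePackageName(
        product=match["product"],
        kb_article=int(match["kb"]),
        option=match["option"],
        language=match["lang"].upper(),
    )


def group_by_kb(filenames: List[str]) -> Tuple[Dict[int, List[str]], List[str]]:
    """Group a directory listing of packages by KB article number.

    Names that do not follow the schema are returned separately so an
    administrator can review them instead of silently deploying them.
    """
    grouped: Dict[int, List[str]] = {}
    rejected: List[str] = []
    for name in filenames:
        parsed = parse_update_name(name)
        if parsed is None:
            rejected.append(name)
        else:
            grouped.setdefault(parsed.kb_article, []).append(name)
    return grouped, rejected


if __name__ == "__main__":
    # Constructed sample listing: the three slide examples plus two malformed names.
    listing = [
        "WindowsXP-KB123456-IA64-ENU.exe",
        "OfficeXP-KB123456-Client-ENU.exe",
        "SQL2000-KB123456-8.00.0000-JPN.exe",
        "WindowsXP-KB123456-ENU.exe",           # option field missing
        "WindowsXP-KB123456-IA64-ENU.exe.scr",  # extra extension after .exe
    ]
    grouped, rejected = group_by_kb(listing)
    for kb, names in grouped.items():
        print(f"KB{kb}:")
        for name in names:
            print("  ", parse_update_name(name).describe())
    print("Rejected:", rejected)
```

A well-formed name says nothing about the package's authenticity; the name check only sorts a listing, and the digital signature on the package is still what establishes that it came from Microsoft.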

A Serious Problem
Decreasing time in which to deploy a patch

Decreasing Time To Patch (Blaster)
Stages: vulnerability reported to us / patch in progress -> bulletin & patch available, no exploit -> exploit code in public -> worm in the wild
- July 1, 2003 – Report: vulnerability in RPC/DCOM reported; MS activated highest level emergency response process
- July 16, 2003 – Bulletin: MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
- July 25, 2003 – Exploit: X-focus (Chinese group) published exploit tool; MS heightened efforts to get information to customers
- Aug 11, 2003 – Worm: Blaster worm discovered; variants and other viruses hit simultaneously (i.e. "SoBig")
Blaster shows the complex interplay between security researchers, software companies, and hackers.

Decreasing Time To Patch (Sasser)
Stages: bulletin & patch available, no exploit -> exploit code in public -> worm in the wild
- April 13 – Bulletin: MS03-026 delivered to customers (7/16/03); continued outreach to analysts, press, community, partners, government agencies
- April 24-29 – Exploit: reverse shell code posted to various web sites
- April 30 – Worm: Sasser worm discovered; multiple variants hit simultaneously
Sasser shows the continually shrinking window between the time a patch is released, exploit code is generally available and a worm is written to exploit it.

Solution Components
- Office Inventory Tool is no longer needed – MBSA 1.2 (released in January 2004) includes Office scanning functionality

Update Management Guidance
- Implementing a consistent, high quality update management process is the key to successful update management
- Microsoft delivers best practices prescriptive guidance for effective update management
- Uses Microsoft Operations Framework (MOF), based on ITIL (Information Technology Infrastructure Library, the de facto standard for IT best practices)
- Details requirements for effective update management:
  - Technical & operational pre-requisites
  - Operational processes & how technology supports them
  - Daily, weekly, monthly & as-needed tasks to be performed
  - Testing options
- Three update management guidance offerings:
  - Microsoft Guide to Security Patch Management – emphasizes security patching & overall security management
  - Patch Management using Software Update Services – comprehensive coverage of patch management using the specified technology
  - Patch Management using Systems Management Server – comprehensive coverage of patch management using the specified technology
- Process: Assess -> Identify -> Evaluate & Plan -> Deploy

MBSA
- Helps identify vulnerable Windows systems
- Scans for missing security patches and common security mis-configurations
- Scans various versions of Windows and other Microsoft applications
- Scans local or multiple remote systems via GUI or command line invocation
- Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Integrates with SUS & SMS

MBSA: How It Works
Components: Microsoft Download Center, MSSecure.xml, MBSA computer, SUS server
MSSecure.xml contains: security bulletin names; product specific updates; version and checksum info; registry keys changed; KB article numbers; etc.
1. Downloads CAB file with MSSecure.xml & verifies digital signature
2. Run MBSA on admin system, specify targets
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates are available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates
Note: only covers security patch scanning capabilities, not security configuration detection issues

Windows Update (WU)
Microsoft online update service (windowsupdate.microsoft.com):
- Identifies missing Windows OS patches / updates on the accessing computer
- Generates targeted list of missing updates
- Installs user selected missing updates
- Provides update installation history
- WU content can be automatically downloaded via Automatic Updates
Supplemented by the Windows Update Catalog site, which provides:
- Comprehensive repository for all Windows and 'Designed for Windows' logo device driver updates
- Search – to find desired update
- Manual download of desired updates
- Download history for the accessing computer
Supports Windows 98 and later versions. Note: also updates 64-bit editions of Windows Server
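The MBSA flow above comes down to a comparison: a signed catalog that lists, per bulletin, the file versions an update ships and the registry key it writes, against what a scan found on each target. The block below is an added example for this page, not MBSA code and not the real MSSecure.xml schema; the catalog XML is a simplified format of my own, the hosts and file versions are constructed sample data, MS03-026 is taken from the slides while its KB number here is the slide's 123456 placeholder and the MSYY-* bulletins are invented. The signature check on the downloaded CAB, which MBSA performs before parsing, is outside this offline example. The "missing" list is sorted by the four bulletin severity ratings (Critical, Important, Moderate, Low) so the report doubles as a prioritization aid.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed catalog in the spirit of MSSecure.xml. This is a simplified schema
# of my own, NOT the real MSSecure.xml format. MS03-026 is named on the slides;
# its KB number below is the slide's 123456 placeholder, and the file versions,
# registry paths and MSYY-* bulletins are invented sample data.
CATALOG_XML = r"""<Catalog>
  <Bulletin id="MS03-026" kb="123456" product="Windows XP" severity="Critical">
    <File name="rpcss.dll" minVersion="5.1.2600.1243"/>
    <RegKey path="HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB123456"/>
  </Bulletin>
  <Bulletin id="MSYY-001" kb="900001" product="Windows XP" severity="Important">
    <File name="sample.dll" minVersion="5.1.2600.2000"/>
    <RegKey path="HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB900001"/>
  </Bulletin>
  <Bulletin id="MSYY-002" kb="900002" product="Windows 2000" severity="Moderate">
    <File name="other.dll" minVersion="5.0.2195.1000"/>
    <RegKey path="HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB900002"/>
  </Bulletin>
</Catalog>"""

# The four bulletin severity ratings, highest first, used to order the report.
SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Constructed scan input: what a scanner would have collected from two targets.
HOSTS = [
    {"name": "ws01", "product": "Windows XP",
     "files": {"rpcss.dll": "5.1.2600.1106", "sample.dll": "5.1.2600.2180"},
     "registry_keys": {r"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB900001"}},
    {"name": "ws02", "product": "Windows XP",
     "files": {"rpcss.dll": "5.1.2600.1243"},
     "registry_keys": {r"HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB123456"}},
]


@dataclass(frozen=True)
class MissingUpdate:
    bulletin: str
    kb: str
    severity: str
    reasons: Tuple[str, ...]


@dataclass
class ScanResult:
    host: str
    scanned_at: str
    missing: List[MissingUpdate] = field(default_factory=list)
    installed: List[str] = field(default_factory=list)
    not_applicable: List[str] = field(default_factory=list)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.1.2600.1243' -> (5, 1, 2600, 1243) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def scan_host(host: Dict, catalog_xml: str) -> ScanResult:
    """Compare one host's inventory against every bulletin for its product."""
    root = ET.fromstring(catalog_xml)
    result = ScanResult(host=host["name"],
                        scanned_at=datetime.now(timezone.utc).isoformat())
    for bulletin in root.findall("Bulletin"):
        if bulletin.get("product") != host["product"]:
            continue
        files = bulletin.findall("File")
        present = [f for f in files if f.get("name") in host["files"]]
        if files and not present:
            # None of the patched binaries exist: that component is not installed.
            result.not_applicable.append(bulletin.get("id"))
            continue
        reasons = []
        for f in present:
            have = host["files"][f.get("name")]
            if version_tuple(have) < version_tuple(f.get("minVersion")):
                reasons.append(f"{f.get('name')} is {have}, needs {f.get('minVersion')}")
        for key in bulletin.findall("RegKey"):
            if key.get("path") not in host["registry_keys"]:
                reasons.append(f"registry key {key.get('path')} not found")
        # Conservative: an old file version OR a missing key counts as missing.
        if reasons:
            result.missing.append(MissingUpdate(bulletin.get("id"), bulletin.get("kb"),
                                                bulletin.get("severity"), tuple(reasons)))
        else:
            result.installed.append(bulletin.get("id"))
    result.missing.sort(key=lambda m: SEVERITY_ORDER.get(m.severity, len(SEVERITY_ORDER)))
    return result


if __name__ == "__main__":
    for host in HOSTS:
        report = scan_host(host, CATALOG_XML)
        print(f"{report.host} scanned at {report.scanned_at}")
        for m in report.missing:
            print(f"  MISSING {m.bulletin} (KB{m.kb}, {m.severity}): {'; '.join(m.reasons)}")
        print(f"  installed: {report.installed}  not applicable: {report.not_applicable}")
```

The "not applicable" bucket is what keeps a report honest: a bulletin for a component that is not on the machine should not inflate the missing-update count, which is why the check looks at whether the patched binaries exist before comparing versions.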

Windows Update: How It Works
Scenario 1: User initiated access
Scenario 2: Access via Automatic Updates (AU)
1. Windows Update client side code (CC) in browser (or AU) validates the WU server & gets download catalog metadata
2. User points browser to WU site & selects 'Scan for updates', or AU automatically checks for new updates (every 17-22 hours)
3. CC (or AU) uses metadata to identify missing updates
4. WU (or AU – if so configured) lists missing updates and user selects updates to download
5. CC (or AU) downloads, validates, & installs updates. AU downloads using BITS, and can be configured to allow user to select updates to install
6. CC (or AU) updates history & statistics information
Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp privacypolicy

SUS 1.0
- Deploys Windows security patches, security rollups, critical updates, and service packs only
- Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
- Provides patch download, deployment, and installation configuration options
- Bandwidth optimized content deployment
- Provides central administrative control over which patches can be installed from Windows Update
- Provides basic patch installation status logging

SUS 1.0: How It Works
Topology: Windows Update Service -> firewall -> parent SUS server -> child SUS servers, with bandwidth throttling on each link
- Administrator reviews, evaluates, and approves updates
- SUS server checks for updates every 24 hours
- Approvals & updates synced with child SUS servers
- AU (the SUS client) gets approved updates list from SUS server
- AU either notifies user or auto-installs updates
- AU records install history
- AU downloads approved updates from SUS server or Windows Update
- SUS maintains approval logs & download, sync, & install statistics
- Configurable 1/day or 1/week

SUS Client Component: Automatic Updates
- Centrally configurable to get updates either from corporate SUS server or Windows Update service
- Can auto-download and install patches under admin control
- Consolidates multiple reboots to a single reboot when installing multiple patches
- Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
- Localized in 24 languages

SUS Server Component: SUS Server
- Downloads updates from Windows Update
- Web based administration GUI: specify server & update process configuration options; view downloaded updates; approve updates & view approved updates
- Security by design and default: requires NTFS; installs IIS Lockdown and URL scanner (if not already installed); supports secure administration over SSL; digital signatures on downloaded content validate authenticity
- Uses HTTP for content synchronization – only port 80 needs to be open
- Server side XML based logging on Web server: patch deployment & installation statistics
- Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
- Localized in English & Japanese. Note: delivers updates for all 24 supported client languages

SMS 2003
- Identifies & deploys missing Windows and Office security patches on target systems
- Can deploy any patch, update, or application in Windows environments
- Inventory management & inventory based targeting of software installs
- Install verification and detailed reporting
- Flexible scheduling of content sync & installs
- Central, full administrative control over installs
- Bandwidth optimized content distribution
- Software metering and remote control capabilities


SMS 2003 Patch Management: How It Works
Components: firewall, SMS site server, SMS distribution points, SMS clients, Microsoft Download Center
- Scan components replicate to SMS clients
- Setup: download Security Update Inventory and Office Inventory Tools; run inventory tool installer
- Clients scanned; scan results merged into SMS hardware inventory data
- Administrator uses Distribute Software Updates Wizard to authorize updates
- Software Update Installation Agent on clients deploys updates
- Periodically: sync component checks for new updates, scans clients, and deploys necessary updates
- Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients

SMS 2003 Patch Management: Functionality
System scanning & patch content download
- Content from Microsoft Download Center
- MBSA & Office Inventory plug-ins scan for missing patches
- Supports updating of remote & mobile devices
- Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting
Administrator control
- Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
- Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
- Specific start and end times (change windows); multiple change windows
- Easily move patches from testing into production
- Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic the reference system configuration

SMS 2003 Patch Management: Functionality (2)
Patch download & installation
- Delta replication (site-site, server-server) of patches
- Uses BITS for mobile / remote client-server
- Uses SMB for LAN / priority situations
- Reminders and rescheduling of install / reboot & enforcement dates
- Optimized graceful reboots, but forced when enforcement date arrives
- Per-patch reboot-needed detection to reduce reboots
Status & compliance reporting
- Deployment status as patches are attempted
- Standard and customized reports through read-only SQL queries
- Determine actual baselines in the environment before changing the environment
- SLA measurement and rate-of-spread
Requires SMS Advanced Client

Choosing a Patch Management Solution: Core Patch Management Capabilities
Adopt the solution that best meets the needs of your organization.

Choosing a Patch Management Solution: Needs-Based Selection
- MBSA does not support scanning Win98 – Win98 can be updated using SMS 2003 inventory management and software distribution capabilities
- Windows 2000, Windows XP, Windows Server 2003
- Customer uses Windows Update or manual process for other OS versions & applications software

Choosing a Patch Management Solution: Typical Customer Decisions

What could be better than patching? Not having to patch. Introducing Slipstreaming!

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
