Patching Windows MIT

1
Patching Windows _at_ MIT

• SUS Services
• IST Network Infrastructure Services Team

2
Security Risk Management

• Having a Strategic Security Program
• Threat A threat is any potential danger to
  information or systems.
• Threat agent A threat agent is the person or
  process attacking the network through a
  vulnerable port on the firewall, or a process
  used to access data in a way that violates your
  security policy.
• Vulnerability A vulnerability is a software,
  hardware, or procedural weakness that may provide
  an attacker or threat agent with an opportunity
  to enter a computer or network and gain
  unauthorized access to resources within the
  environment
• Risk A risk is the likelihood of a threat agent
  taking advantage of a vulnerability. It is the
  potential for loss or the probability that a
  threat will exploit a vulnerability.
• Exposure An exposure occurs when a threat agent
  exposes a company asset to potential loss. A
  vulnerability can cause an organization to be
  exposed to possible damages.
• Countermeasure A countermeasure, or safeguard,
  mitigates a risk. Countermeasures include
  software configurations, hardware, or procedures
  that eliminate a vulnerability or reduce the risk
  of a threat agent from being able to exploit a
  vulnerability. PROACTIVE!

3
Microsoft Software Update Services (SUS)

• The accelerating lifecycle of a security patch
• Introduction to Software Update Services
• Features/Components
• SUS Server
• Client

4
The accelerating lifecycle of a security patch

• Frequency between new vulnerabilities
• Time the vendor has to release a patch
• Time between publication and exploit code
• Time for the Administrator or End User to patch
• Number of products to patch

5
Introduction to Software Update Services

• Automate Keep Windows up-to-date with the latest
  critical and security patches
• Simplify The patch management process - MBSA
• Schedule Update times
• Deploy Reach clients that are not part of a
  Windows Domain

6
Overview

• Microsoft AutoUpdates vs. SUS

updates
WindowsUpdate
Sync Updates
Configured by Admin
Automatic Updates Client
7
Features/Components

• SERVER SUS
• Automatic Updates on computers (desktops or
  servers)
• An internally-hosted Windows Update server
• An internally -controlled content synchronization
  service
• Administrator control over updates
• Multi-language support - Localized in 24
  languages
• Digital signatures on downloaded content
• Server-side logging
• Log of client status

8
Load balancing SUS at MIT

• Microsofts

Windows Update
F5 (Big IP)
9
Features/Components (2)

• CLIENT Automatic Updates
• Installed on computers on the network
• Checks SUS server or public WU for updates
  regularly
• Auto-download and install updates under admin
  control
• Automatically download and install critical
  updates
• Consolidate multiple reboots into a single
  oneNotify local administrator on the machine
  about pending updates
• Notify logged-on users about pending reboots
• Configured using Registry keys
• Supports Group Policy
• Downloads are done in the background using BITS
  technology

10
MBSA

• Free tool that scans for common security
  misconfigurations and missing security updates
• GUI and command-line interface (CLI)
• Perform security update portion of scan against
  local SUS server
• Scans for approved updates on SUS server instead
  of all available updates
• User interface MBSA reads registry for SUS
  server information, or user manually enters it
• CMD LINE
• mbsacli.exe /sus http//mysusserver

11
Client Configuration

• With Active Directory (using Group Policy)
• ADM file WUAU.adm
• Client behavior and SUS server selection can be
  configured
• Without Active Directory (but central tool)
• Script to deploy the registry policy keys
• Website Demo
• http//web.mit.edu/ist/topics/windows/updates