Patch Management Tools


Page 1: Patch Management Tools. Solution Components Analysis Tools Microsoft Baseline Security Analyzer (MBSA) Office Inventory Tool Online Update Services Windows

Patch Management Tools

Page 2

Solution Components

Analysis Tools
• Microsoft Baseline Security Analyzer (MBSA)
• Office Inventory Tool

Online Update Services
• Windows Update
• Office Update

Content Repositories
• Windows Update Catalog
• Office Download Catalog
• Microsoft Download Center

Management Tools
• Automatic Updates (AU) feature in Windows
• Software Update Services (SUS)
• Systems Management Server (SMS)

Prescriptive Guidance
• Microsoft Guide to Security Patch Management
• Patch Management Using SUS
• Patch Management Using SMS

Page 3

Client Patch Management Options

Consumer and Small Business: Windows Update
• User Initiated Deployment or Automated Updates
• Access to all available updates
• Deployment from Microsoft.com

Medium Business: Software Update Services
• User Initiated Deployment or Automated Updates
• Administrator approved updates only
• Deployment from servers behind firewalls

Enterprises: SMS and SMS Software Update Services Feature Pack
• User or Administrator Initiated Deployments
• Administrator approved updates
• Deployment from servers behind firewalls
• Reporting
• Scheduling

Page 4

MBSA: What It Does

• Helps identify vulnerable Windows systems
• Scans for missing security patches and common security mis-configurations
• Scans various versions of Windows and other Microsoft applications
• Scans local or multiple remote systems via GUI or command line invocation
• Generates XML scan reports on each scanned system
• Runs on Windows Server 2003, Windows 2000 and Windows XP
• Integrates with SUS & SMS

(Diagram: patch management process cycle: Assess, Identify, Evaluate & Plan, Deploy; 'New Update' input)

Page 5

MBSA: How It Works*

(Diagram: Microsoft Download Center supplies MSSecure.xml to the MBSA computer, which scans the target systems; a SUS Server is also shown)

MSSecure.xml contains:
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.

1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates

*Only covers security patch scanning capabilities, not security configuration detection issues

Page 6

MBSA 1.1.1

Page 7

Windows Update: How It Works
Scenario 1: User Initiated Access

(Diagram: Windows Update Service and the client browser)

1. User goes to Windows Update (WU) & selects ‘Scan for updates’
2. Client side code (CC) in browser validates WU server & gets download catalog metadata
3. CC uses metadata to identify missing updates
4. User selects updates to install
5. CC downloads, validates, & installs updates
6. CC updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy

Page 8

Windows Update: How It Works
Scenario 2: Automatic Updates Initiated Access

(Diagram: Windows Update Service and the Automatic Updates client)

1. AU checks WU service for new updates (every 17-22 hours)
2. AU validates WU server & gets download catalog metadata
3. AU uses metadata to identify missing updates
4. AU either notifies user or auto-downloads using BITS & validates new updates
5. AU either notifies user or auto-installs updates
6. AU updates history & statistics information*

*Note: No personally identifiable information is collected. See http://v4.windowsupdate.microsoft.com/en/about.asp#privacypolicy

Page 9

SUS 1.0: What it Does

• Deploys Windows security patches, security rollups, critical updates*, and service packs only
• Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
• Provides patch download, deployment, and installation configuration options
• Bandwidth optimized content deployment
• Provides central administrative control over which patches can be installed from Windows Update
• Provides basic patch installation status logging

*Including critical driver updates

(Diagram: patch management process cycle: Assess, Identify, Evaluate & Plan, Deploy; 'New Update' input)

Page 10

SUS Benefits

• Gives administrators control over patch & update management
• Works with Group Policy* to prevent installs of non-approved updates from Windows Update
• Allows staging & testing of updates before installation
• Simplifies & automates key aspects of the patch management process
• Ease of use alleviates difficulty of keeping supported systems up-to-date, reducing security risks

*Note: Use of SUS does not require implementation of Active Directory or Group Policy

Page 11

SUS 1.0: How It Works

(Diagram: Windows Update Service feeds a Parent SUS Server behind a Firewall, which feeds Child SUS Servers; bandwidth throttling applies on each link)

1. SUS Server checks for updates every 17-22 hours
2. Administrator reviews, evaluates, and approves updates
3. Approvals & updates synced with child SUS servers*
4. AU gets approved updates list from SUS server
5. AU downloads approved updates from SUS server or Windows Update
6. AU either notifies user or auto-installs updates
7. AU records install history

*SUS maintains approval logs & download, sync, & install statistics
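The flow above, as an added example that is not part of the original deck and not Microsoft's SUS code: a small Python model in which a parent SUS server syncs a catalog (a constructed stand-in for the Windows Update feed), an administrator approves a subset, a child server replicates the approvals, and an Automatic Updates client installs only what is approved while the servers keep approval, sync, download and install statistics. Update ids, hostnames and titles are constructed; step 5's alternative of downloading from Windows Update is collapsed into the SUS server.

```python
# Added example modelling the SUS 1.0 flow; not SUS code.  All ids are constructed.
from collections import Counter

WINDOWS_UPDATE_CATALOG = [  # constructed stand-in for the Windows Update feed
    {"id": "KB000101", "title": "Security update 1"},
    {"id": "KB000102", "title": "Security rollup 2"},
    {"id": "KB000103", "title": "Critical update 3"},
]


class SusServer:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent          # None for the parent server, else a SusServer
        self.catalog = {}             # update id -> metadata
        self.approved = set()         # ids the administrator has approved
        self.approval_log = []        # (update id, approved_by)
        self.stats = Counter()        # sync / download / install counters

    def sync(self, source_catalog=None):
        """Step 1 (parent) / step 3 (child): pull catalog, and approvals for a child."""
        if self.parent is not None:
            self.catalog = dict(self.parent.catalog)
            self.approved = set(self.parent.approved)   # approvals replicate downward
        else:
            self.catalog = {u["id"]: u for u in source_catalog}
        self.stats["syncs"] += 1
        return len(self.catalog)

    def approve(self, update_id, admin):
        """Step 2: an administrator approves an update after review and testing."""
        if update_id not in self.catalog:
            raise KeyError(f"{update_id} is not in the synced catalog")
        self.approved.add(update_id)
        self.approval_log.append((update_id, admin))

    def approved_list(self):
        """Step 4: the only updates an AU client may install from this server."""
        return sorted(self.approved)

    def download(self, update_id):
        """Step 5: serve an approved update and count the download."""
        if update_id not in self.approved:
            raise PermissionError(f"{update_id} is not approved on {self.name}")
        self.stats["downloads"] += 1
        return self.catalog[update_id]

    def record_install(self, ok):
        self.stats["installs_ok" if ok else "installs_failed"] += 1


class AutomaticUpdates:
    def __init__(self, hostname, server, installed=()):
        self.hostname = hostname
        self.server = server
        self.installed = set(installed)
        self.history = []             # step 7: local install history

    def run_cycle(self):
        """Steps 4-7: fetch approved list, download what is missing, install, record."""
        needed = [uid for uid in self.server.approved_list() if uid not in self.installed]
        for uid in needed:
            self.server.download(uid)
            self.installed.add(uid)
            self.history.append((uid, "installed"))
            self.server.record_install(ok=True)
        return needed


def demo():
    """Parent syncs and approves two of three updates; child replicates; client installs."""
    parent = SusServer("parent-sus")
    parent.sync(WINDOWS_UPDATE_CATALOG)
    parent.approve("KB000101", admin="admin")
    parent.approve("KB000103", admin="admin")
    child = SusServer("child-sus", parent=parent)
    child.sync()
    client = AutomaticUpdates("ws-01", child, installed={"KB000101"})
    installed_now = client.run_cycle()
    return parent, child, client, installed_now


if __name__ == "__main__":
    parent, child, client, installed_now = demo()
    print("installed this cycle:", installed_now, "| child stats:", dict(child.stats))
```

The control point the slide is making is the approval set: a client only ever asks for `approved_list()`, and the server refuses to serve anything outside it, so an update that exists on Windows Update but has not been approved (KB000102 in the demo) never reaches a client.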

Page 12

Client Component: Automatic Updates

• Centrally configurable to get updates either from corporate SUS server or Windows Update service
• Can auto-download and install patches under admin control
• Consolidates multiple reboots to a single reboot when installing multiple patches
• Included in Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
• Localized in 24 languages

Page 13

Server Component: SUS Server

• Downloads updates from Windows Update
• Web based administration GUI
  • Specify server & update process configuration options
  • View downloaded updates
  • Approve updates & view approved updates
• Security by design and default
  • Requires NTFS; Installs IIS Lockdown and URL scanner*
  • Supports secure administration over SSL
  • Digital signatures on downloaded content validate authenticity
  • Uses HTTP for content synchronization – only port 80 needs to be open
• Server side XML based logging on Web server
  • Patch deployment & installation statistics
• Supports geographically distributed or scale-out deployments with centralized management for content synchronization & approvals
• Localized** in English & Japanese

*If not already installed
**Note: Delivers updates for all 24 supported client languages

Page 14

SUS 1.0

Page 15

SMS 2003: What it Does

• Identifies & deploys missing Windows and Office security patches on target systems
• Can deploy any patch, update, or application in Windows environments
• Inventory management & inventory based targeting of software installs
• Install verification and detailed reporting
• Flexible scheduling of content sync & installs
• Central, full administrative control over installs
• Bandwidth optimized content distribution
• Software metering and remote control capabilities

(Diagram: patch management process cycle: Assess, Identify, Evaluate & Plan, Deploy; 'New Update' input)

Page 16

SMS 2003 Patch Management: Benefits

• Gives administrators control over patch management
• Allows staging & testing of updates before installation
• Fine-grained control of patch management options
• Automates key aspects of the patch management process
• Can update a broad range of Microsoft products (not limited to Windows and Office)
• Can also be used to update third party software and deploy & install any software update or application
• High level of flexibility via use of scripting

Page 17

SMS 2003 Patch Management: How It Works

(Diagram: Microsoft Download Center, Firewall, SMS Site Server, SMS Distribution Points, SMS Clients)

1. Setup: Download Security Update Inventory and Office Inventory Tools; run inventory tool installer
2. Scan components replicate to SMS clients
3. Clients scanned; scan results merged into SMS hardware inventory data
4. Administrator uses Distribute Software Updates Wizard to authorize updates
5. Update files downloaded; packages, programs & advertisements created/updated; packages replicated & programs advertised to SMS clients
6. Software Update Installation Agent on clients deploys updates
7. Periodically: Sync component checks for new updates; scans clients; and deploys necessary updates

Page 18

SMS 2003 Patch Management: Functionality

System scanning & patch content download
• Content from Microsoft Download Center
• MBSA & Office Inventory plug-ins scan for missing patches
• Supports updating of remote & mobile devices
• Updates various versions of Windows, Office, SQL, Exchange, and Windows Media Player without need for update packaging / scripting

Administrator control
• Update targeting based on AD, non-AD groups, WMI properties; additional options via scripting
• Patch content is downloaded from a central SMS repository only when the deployment process is initiated by the SMS administrator
• Specific start and end times (change windows); multiple change windows
• Easily move patches from testing into production
• Reference system patch configurations can be used as a template to verify or enforce compliance of systems that must mimic reference system configuration

Page 19

SMS 2003 Patch Management: Functionality (2)

Patch download & installation
• Delta replication (site-site, server-server) of patches
• Uses BITS* for mobile / remote client-server
• Uses SMB* for LAN / priority situations
• Reminders and rescheduling of install / reboot & enforcement dates
• Optimized graceful reboots, but forced when enforcement date arrives
• Per-patch reboot-needed detection to reduce reboots

Status & Compliance Reporting
• Deployment status as patches are attempted
• Standard and customized reports through read-only SQL queries
• Determine actual baselines in the environment before changing the environment
• SLA measurement and rate-of-spread

*Requires SMS Advanced Client
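The targeting, compliance and scheduling rules from the two functionality slides above, as an added example that is not part of the original deck and not SMS code: a small Python planner that selects clients from a constructed inventory by attribute (the slides' AD-group / WMI-property targeting), computes each client's gap against a reference system baseline, and decides the install action from the change windows, the enforcement date and per-patch reboot detection with one consolidated reboot. Hostnames, groups, dates and KB ids are all constructed.

```python
# Added example, not SMS 2003 code: inventory-based targeting, reference-system
# compliance and change-window / enforcement-date scheduling.  All data constructed.
import datetime as dt

UTC = dt.timezone.utc


def at(year, month, day, hour):
    """Build a UTC timestamp tersely."""
    return dt.datetime(year, month, day, hour, tzinfo=UTC)


# Constructed reference system: the patches a compliant client must carry.
REFERENCE_BASELINE = {"KB000201", "KB000202", "KB000203"}
# Constructed per-patch reboot requirement (per-patch reboot-needed detection).
NEEDS_REBOOT = {"KB000201": True, "KB000202": False, "KB000203": True}

# Constructed SMS hardware-inventory records with merged scan results.
CLIENTS = [
    {"name": "ws-01", "os": "WinXP", "ad_group": "Finance", "installed": {"KB000201"}},
    {"name": "ws-02", "os": "WinXP", "ad_group": "Engineering",
     "installed": {"KB000201", "KB000202", "KB000203"}},
    {"name": "srv-01", "os": "WS2003", "ad_group": "Finance", "installed": set()},
]

# Constructed change windows (start, end) and the enforcement date.
CHANGE_WINDOWS = [(at(2004, 3, 6, 22), at(2004, 3, 7, 2)),
                  (at(2004, 3, 13, 22), at(2004, 3, 14, 2))]
ENFORCEMENT_DATE = at(2004, 3, 14, 2)


def target(clients, **criteria):
    """Inventory-based targeting: keep clients whose record matches every attribute given."""
    return [c for c in clients if all(c.get(k) == v for k, v in criteria.items())]


def compliance_gap(client, baseline):
    """Patches present on the reference system that this client lacks."""
    return sorted(baseline - client["installed"])


def in_change_window(now, windows):
    return any(start <= now < end for start, end in windows)


def decide(now, gap, windows, enforcement, needs_reboot):
    """Return (action, reboot_needed) for one client.

    'compliant'      nothing to install
    'install-forced' enforcement date reached: install now, reboot forced if needed
    'install-offer'  inside a change window: install, user may still reschedule
    'wait'           outside every window and before the enforcement date
    One consolidated reboot is scheduled if ANY pending patch needs one; a patch
    with no reboot entry is assumed to need one (conservative default).
    """
    if not gap:
        return ("compliant", False)
    if now >= enforcement:
        action = "install-forced"
    elif in_change_window(now, windows):
        action = "install-offer"
    else:
        return ("wait", False)
    return (action, any(needs_reboot.get(kb, True) for kb in gap))


def plan(clients, baseline, now, windows=CHANGE_WINDOWS,
         enforcement=ENFORCEMENT_DATE, needs_reboot=NEEDS_REBOOT):
    """Per-client deployment plan: missing patches, action, consolidated reboot flag."""
    result = {}
    for client in clients:
        gap = compliance_gap(client, baseline)
        action, reboot = decide(now, gap, windows, enforcement, needs_reboot)
        result[client["name"]] = {"missing": gap, "action": action, "reboot": reboot}
    return result


if __name__ == "__main__":
    finance = target(CLIENTS, ad_group="Finance")
    for name, entry in plan(finance, REFERENCE_BASELINE, at(2004, 3, 6, 23)).items():
        print(name, entry)
```

Running the script plans only the Finance targets inside the first change window: ws-01 is offered two patches and one reboot, srv-01 all three, and ws-02 is never touched because it was not targeted. Re-running with a timestamp after the enforcement date flips the action to a forced install.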

Page 20

SMS 2003

Page 21

Choosing a Patch Management Solution

Functionality versus IT Resources Based Selection

Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs

(Chart: Breadth of Functionality (Low to High) plotted against IT Resources & Administration Skill Level (Low to High), with Windows Update, SUS and SMS placed on it)

Page 22

Patch Management Tools Futures

Page 23

MBSA Update Scanning Functionality

Overall direction
• MBSA update scanning functionality integrated into Windows patch management functionality
• MBSA becomes Windows vulnerability assessment & mitigation engine

Near- and Intermediate-term plans
• MBSA 1.2 (Q4 2003)
  • Improves report consistency, product coverage, and locale support
  • Integrates Office Update Inventory Tool
• MBSA 2.0 (Q2 2004)
  • Update scanning functionality migrates to SUS 2.0 / Microsoft Update
  • MBSA leverages SUS 2.0 for update scanning

Page 24

MBSA 1.2

• Better international support
  • Japanese, French, German locale support
• Expanded product support
  • MDAC, MSXML, JVM, Content Mgt Server, Commerce Server, BizTalk, Host Integration Server and Office
• Improved consistency of reports
  • Support for alternate file versions in mssecure.xml (“OR” logic to consider multiple sets of file details)
  • Handle case of non-security updates overwriting previous security updates
  • Handle multiple patches for a product targeted at different OS versions
  • Handle uniproc/multiproc patches, QFE/GDR branch patches, etc.
• Office Update Inventory Tool integration (local scans only)
• Enhanced IE security zone checks
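The scanning steps from the "MBSA: How It Works" slide (parse the catalog, compare it with what is installed, report missing updates with a timestamp) and the report-consistency rules on this slide (alternate file-version sets combined with "OR" logic, and a newer file version left behind by a later non-security update still counting as patched), as one added example that is not part of the original deck and not MBSA's code. The XML schema, bulletin ids, KB numbers, file paths and versions are constructed for the example and do not reproduce the real MSSecure.xml schema; the CAB signature verification of step 2 is outside its scope.

```python
# Added example, not MBSA code: a miniature update scanner over a constructed,
# MSSecure.xml-like catalog.  Schema, ids, paths and versions are all invented.
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed catalog.  Each <Update> lists one or more <FileSet>; an update
# counts as installed if ANY FileSet is satisfied ("OR" logic), and a FileSet
# is satisfied when EVERY listed file is present at or above its version.
CATALOG_XML = """<Catalog>
  <Update bulletin="MSxx-001" kb="KB000001" product="Windows">
    <FileSet>
      <File path="system32/ntdll.dll" version="5.1.2600.1106"/>
    </FileSet>
  </Update>
  <Update bulletin="MSxx-002" kb="KB000002" product="Windows">
    <!-- two alternate file sets (e.g. different patch branches): either proves the fix -->
    <FileSet>
      <File path="system32/rpcrt4.dll" version="5.1.2600.1200"/>
    </FileSet>
    <FileSet>
      <File path="system32/rpcrt4.dll" version="5.1.2600.1254"/>
      <File path="system32/rpcss.dll" version="5.1.2600.1254"/>
    </FileSet>
  </Update>
  <Update bulletin="MSxx-003" kb="KB000003" product="Windows">
    <FileSet>
      <File path="system32/mshtml.dll" version="6.0.2800.1200"/>
    </FileSet>
  </Update>
</Catalog>"""

# Constructed inventory of one scanned host: file path -> installed version.
# MSxx-001 is present; rpcrt4.dll was overwritten by a later non-security
# update (1254 >= 1200, so MSxx-002 still counts as installed); mshtml.dll is
# older than MSxx-003 requires, so that one is missing.
HOST_A = {
    "system32/ntdll.dll": "5.1.2600.1106",
    "system32/rpcrt4.dll": "5.1.2600.1254",
    "system32/mshtml.dll": "6.0.2800.1106",
}


def parse_version(text):
    """'5.1.2600.1254' -> (5, 1, 2600, 1254); tuples compare field by field."""
    return tuple(int(part) for part in text.split("."))


def parse_catalog(xml_text):
    """Step 4: return the catalog as a list of updates with their alternate file sets."""
    updates = []
    for upd in ET.fromstring(xml_text).iter("Update"):
        filesets = [
            {f.get("path"): parse_version(f.get("version")) for f in fs.iter("File")}
            for fs in upd.iter("FileSet")
        ]
        updates.append({"bulletin": upd.get("bulletin"), "kb": upd.get("kb"),
                        "product": upd.get("product"), "filesets": filesets})
    return updates


def fileset_satisfied(fileset, inventory):
    """AND within a file set: every file present at or above the required version."""
    return all(path in inventory and parse_version(inventory[path]) >= required
               for path, required in fileset.items())


def update_installed(update, inventory):
    """OR across alternate file sets: any satisfied set proves the update."""
    return any(fileset_satisfied(fs, inventory) for fs in update["filesets"])


def missing_updates(catalog, inventory):
    """Step 5: catalog entries the host does not satisfy, in catalog order."""
    return [u for u in catalog if not update_installed(u, inventory)]


def scan_report(hostname, catalog, inventory, now=None):
    """Step 6: time-stamped report of missing updates for one host."""
    now = now or dt.datetime.now(dt.timezone.utc)
    missing = missing_updates(catalog, inventory)
    lines = [f"Scan of {hostname} at {now.isoformat()}: {len(missing)} missing update(s)"]
    lines += [f"  MISSING {u['bulletin']} ({u['kb']}, {u['product']})" for u in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    print(scan_report("host-a", parse_catalog(CATALOG_XML), HOST_A))
```

The design point is that the "is it installed" decision is a disjunction of conjunctions over file versions rather than a single version check: that is what lets one catalog entry describe several valid patch branches (the QFE/GDR and uniproc/multiproc cases on this slide) without reporting a correctly patched system as missing the update.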

Page 25

MBSA 2.0

• Integration with SUS 2.0 / Microsoft Update
• Centralized report storage (SQL, net share)
• Configurable/pluggable engine checks (engine framework, SDK)
• Integrates tools like IISLockdown & SQLScan
• Infrastructure to support future mitigation (via MOM, SMS, etc.)

Page 26

(Diagram: Today: Windows Update, Office Update, SUS, SMS; H2 2004: Windows Update and Office Update become Microsoft Update)

Microsoft Update
• Online service and update repository for updating all Microsoft software
• Built on SUS infrastructure
• Includes automated scanning, update install, and reporting capabilities available in Windows Update

Page 27

SUS 2.0

• Support for additional Microsoft products
  • Office 2003, SQL Server 2000, Exchange 2000, + additional products over time*
• Enhanced infrastructure for patch management
  • Data Model - supersedence, update dependency & bundle relationships
  • Server APIs (.NET) and remoteable Client APIs (COM) for flexibility
• Administrative control
  • Pre-deployment checks; Initiate install & uninstall
  • Set polling frequencies & install deadlines
  • Target updates to groups of machines; Policy (AD) or list based group definitions
  • Rules for auto-handling of updates
• Deployment & targeting
  • Download subset of WU content (e.g., WinXP but not Win2K)
  • Automatically deploys / updates SUS clients

*Support for product versions listed here will be available when SUS 2.0 is released; support for additional versions and products will be delivered over time without the need to upgrade or redeploy SUS 2.0
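The three data-model relationships named on this slide (supersedence, update dependency, bundles), as an added example that is not part of the original deck and not SUS 2.0 code: a Python resolver that turns a set of approved update ids into an install order. Bundles expand to their members, required updates are pulled in, an update is dropped when the set also contains an update that supersedes it, and the remainder is ordered so that every prerequisite installs first, with a cycle check. All update ids and relationships are constructed.

```python
# Added example, not SUS 2.0 code: resolving approved updates through
# supersedence, dependency and bundle relationships.  Ids are constructed.
from collections import deque

UPDATES = {
    "KB000301": {"supersedes": [], "requires": [], "bundle": []},
    "KB000302": {"supersedes": ["KB000301"], "requires": ["KB000310"], "bundle": []},
    "KB000310": {"supersedes": [], "requires": [], "bundle": []},           # prerequisite
    "KB000320": {"supersedes": [], "requires": [], "bundle": ["KB000321", "KB000322"]},
    "KB000321": {"supersedes": [], "requires": [], "bundle": []},
    "KB000322": {"supersedes": [], "requires": ["KB000321"], "bundle": []},
}


def expand_bundles(updates, ids):
    """Replace every bundle id by its members (recursively); leaf updates pass through."""
    out = set()
    stack = list(ids)
    while stack:
        uid = stack.pop()
        members = updates[uid]["bundle"]
        if members:
            stack.extend(members)
        else:
            out.add(uid)
    return out


def add_dependencies(updates, ids):
    """Close the set under 'requires' so prerequisites are deployed too."""
    out = set(ids)
    stack = list(ids)
    while stack:
        for dep in updates[stack.pop()]["requires"]:
            if dep not in out:
                out.add(dep)
                stack.append(dep)
    return out


def drop_superseded(updates, ids):
    """Remove an update only when its superseding update is itself in the set."""
    superseded = {old for uid in ids for old in updates[uid]["supersedes"]}
    return {uid for uid in ids if uid not in superseded}


def install_order(updates, ids):
    """Kahn's algorithm over 'requires' edges restricted to ids; raises on a cycle."""
    indeg = {uid: 0 for uid in ids}
    dependents = {uid: [] for uid in ids}
    for uid in ids:
        for dep in updates[uid]["requires"]:
            if dep in ids:
                indeg[uid] += 1
                dependents[dep].append(uid)
    queue = deque(sorted(u for u in ids if indeg[u] == 0))   # sorted for determinism
    order = []
    while queue:
        u = queue.popleft()
        order.append(u)
        for v in sorted(dependents[u]):
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    if len(order) != len(ids):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(ids) - set(order))))
    return order


def resolve(updates, approved):
    """Approved ids -> ordered list of leaf updates to install."""
    ids = expand_bundles(updates, approved)
    ids = add_dependencies(updates, ids)
    ids = drop_superseded(updates, ids)
    return install_order(updates, ids)


if __name__ == "__main__":
    print(resolve(UPDATES, ["KB000301", "KB000302", "KB000320"]))
```

Approving KB000301, KB000302 and the bundle KB000320 resolves to KB000310, KB000321, KB000302, KB000322: the bundle is expanded, the prerequisite KB000310 is pulled in ahead of KB000302, and KB000301 is dropped because KB000302 supersedes it. Approving KB000301 on its own still installs it, since nothing in that set supersedes it.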

Page 28

SUS 2.0 (2)

• Bandwidth efficiency
  • Uses BITS for client-server and server-server communication (download throttling & checkpoint restart, limit max bandwidth usage, etc.)
  • Support for ‘delta compression’ technologies
  • Configurable update subscriptions
  • Configurable to only download updates at deployment time
• Scale out
  • Hierarchical & replica topology
  • Summary event roll-up
• Status reporting
  • Deployment status aggregation per machine/per update/per group
  • Download / install success, failure, and error info
  • Custom reports using read-only SQL queries

Page 29

Patch Management Functionality: Future Direction

Longer-term (Longhorn time frame)
• SUS functionality integrated into Windows
• SUS supports updating of all Microsoft software
• SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
• SMS patch management built on SUS infrastructure and delivers advanced patch management functionality

Near-term
• SUS 2.0 (Spring 2004)
  • Single infrastructure for patch management
  • Support for additional Microsoft products
  • Significant improvements in patch management functionality
• SMS 2003 Update Management Feature Pack (H2 2004)
  • Leverages SUS for update scanning & download
  • Leverages SUS client (Automatic Updates) for installs

Page 30: Patch Management Tools. Solution Components Analysis Tools Microsoft Baseline Security Analyzer (MBSA) Office Inventory Tool Online Update Services Windows

Choosing A Patch Management Solution: Needs-Based Selection

| Capability | Windows Update | SUS 1.0 | SMS 2003 |
|---|---|---|---|
| Core Patch Management Capabilities | | | |
| Supported Platforms for Content | NT 4.0, Win2K, WS2003, WinXP, WinME, Win98 | Win2K, WS2003, WinXP | NT 4.0, Win2K, WS2003, WinXP, Win98 |
| Supported Content Types | All patches, updates & service packs (SPs) for the above | Only security & security rollup patches, critical updates, & SPs for the above | All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps |
| Granularity of Control | | | |
| Targeting Content to Systems | No | No | Yes |
| Network Bandwidth Optimization | No | Yes (for patch deployment) | Yes (for patch deployment & server sync) |
| Patch Distribution Control | No | Basic | Advanced |
| Patch Installation & Scheduling Flexibility | Manual, end user controlled | Admin (auto) or user (manual) controlled | Administrator control with granular scheduling capabilities |
| Patch Installation Status Reporting | No | Limited (client install history & server based install logs) | Comprehensive (install status, result, and compliance details) |
| Additional Software Distribution Capabilities | | | |
| Deployment Planning | N/A | N/A | Yes |
| Inventory Management | N/A | N/A | Yes |
| Compliance Checking | N/A | N/A | Yes |

Adopt the solution that best meets the needs of your organization


Security Roadmap

Tracks: Tools & Patching, Guidance, Shields, Next-Generation Security

Today

• Monthly patch releases

• Guidance & training

• How Microsoft runs Microsoft

• Support for W2K SP2 & NT4 SP6a

0 – 9 months

• Patching enhancements: 2 patch installers; rollback

• SUS 2.0

• SMS 2003

• More guidance and training

9 – 12 months

• Shield technologies for client and server

• “MS Update”

• More guidance and training

Future

• Integrated host security technologies

• NGSCB

• Windows hardening

• More guidance and training


Adopt a Patch Management Solution

At Microsoft, our #1 concern is the security and availability of your IT environment

If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor

Partial list of available products:*

| Company Name | Product Name | Company URL |
|---|---|---|
| Altiris, Inc. | Altiris Patch Management | http://www.altiris.com |
| BigFix, Inc. | BigFix Patch Manager | http://www.bigfix.com |
| Configuresoft, Inc. | Security Update Manager | http://www.configuresoft.com |
| Ecora, Inc. | Ecora Patch Manager | http://www.ecora.com |
| GFI Software, Ltd. | GFI LANguard Network Security Scanner | http://www.gfi.com |
| Gravity Storm Software, LLC | Service Pack Manager 2000 | http://www.securitybastion.com |
| LANDesk Software, Ltd | LANDesk Patch Manager | http://www.landesk.com |
| Novadigm, Inc. | Radia Patch Manager | http://www.novadigm.com |
| PatchLink Corp. | PatchLink Update | http://www.patchlink.com |
| Shavlik Technologies | HFNetChk Pro | http://www.shavlik.com |
| St. Bernard Software | UpdateExpert | http://www.stbernard.com |

*Microsoft does not endorse or recommend a specific patch management product or company

Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality


Summary

• Addressing the patch management issue is a top priority

• Taking a comprehensive, tactical & strategic approach

• Made progress, but much more work to be done

Microsoft focused on:

• Reducing the number of vulnerabilities & associated patches

• Improving customer preparedness, training & communication

• Simplifying & standardizing the patching experience

• Improving patch quality

• Unifying and strengthening patch management offerings

Key Recommendations:

• Implement a good patch management process – it’s the key to success

• Adopt a patch management solution that best fits your needs

• Make use of the resources detailed in these slides


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.