Microsoft Patch & Update Management Solutions and Strategy
Identity Management and Security
Summit - Partner Technical Session
Jamie Sharp CISSP
Microsoft Consulting
Agenda - MS QuickStart for Operating Secure Servers
Service Overview
Deliverables and Resources
Goals of the engagement
Key concepts to communicate to the customer
Fixed-price Service
Sold as 2 weeks. Partner sets price.
96 hours delivery consultant(s): 2 weeks (80 hrs) plus 2 days for auxiliary expert, research, etc.
32 hours QA delivered by Microsoft expert (fee for QA & IP license)
Engagement is simply “fixed price” to the customer; do not discuss specific hours.
Target Customers
In its “pure” form, the target is the midsize corporation (500-10,000 seats). Larger customers can be accommodated.
Invested in Windows 2000: some value to NT 4 customers, but the prescriptive guidance assumes Windows 2000.
Looking to understand their current exposure and what is possible to achieve.
Consultant Requirements
MCSE (Active Directory Architect)
CISSP or equivalent cert/experience
ITIL Foundations or MOF Essentials
Comfortable in a Project Lead Role
MS QuickStart trained
Comfortable in presenting and leading design sessions
Project Schedule
Week #1
Brief Security Intro
Assessment
Week #2
Brief Operations Overview
Operations Workshop
Prescriptive Configuration Guidance and Design
Consultant Resources
Presentations
Security Intro
Operations Overview
Delivery Guide
Security Operations Guide Worksheet
Consultant Guide for SOG Worksheet
Consultant Deliverables
Resource Planning Guide
Assessment
Known vulnerability spreadsheet
Baseline Security analyzer
Assessment report template
Configuration Guidance
Security Operations Guide Windows 2000 Server
Microsoft Operations Framework Core Documents
Security Operations Guide Worksheet
Tools Used
Microsoft Baseline Security Analyzer
HFNetChk
Group policies and security templates
IIS Lockdown and URLScan
EventCombMT
DCDiag, NetDiag, NSLookUp, RepAdmin, GPResult, GPOTool, etc.
Techniques Used
Threat modeling: S.T.R.I.D.E.
Risk management
Change, Configuration and Release management
Maintaining hotfixes & service packs
Ongoing monitoring and assessment
Incident response
Engagement Goals
Get secure:
Security assessment
Application of current OS updates
Host configuration best practices
Stay secure:
Operational best practices
Leverage Active Directory to implement management of servers by role using organizational units, group policies, and delegation of administration
Identify update procedures to keep patches up to date
Use auxiliary tools like URLScan to help protect IIS servers from yet-to-be discovered vulnerabilities
Engagement Goals
Just an assessment, even a full assessment, would NOT be enough.
A “Plan to Operate Securely” turns the findings in the assessment into manageable configuration and operations tasks and gets them moving in a positive direction.
Without the Assessment, the “Plan to Operate Securely” may not have the weight/backing it needs. Both are needed!
Why is the Engagement so Short?
We’re going for quick results, results that can be demonstrated for the client.
Follow-on work will be necessary; this engagement is only the start.
The Assessment gives justification for the effort of the follow-on work, and the best practices show that it is a doable effort.
Summary
Microsoft QuickStart Service is a complete packaged service
Use the resources provided to you
Manage to the time allowed
Avoid scope creep
The Assessment and the Planning do not create an endpoint; it is a quick start
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Agenda
Understanding Security
Current Situation
Solution Components
Roadmap
Wireless
VPN
Perimeter
Understanding Security
Understanding Security
Risk Management
Resources
Threats
Vulnerabilities
Exploits
Countermeasures
Defence in Depth
Assume prior layers fail
Perimeter Defenses
Network Defenses
Host Defenses
Application Defenses
Data Defenses
Physical Security
Policies and Procedures
Principle of Least Privilege
Any administrator, user, service etc. that needs to perform a task should only be granted the minimum rights and permissions necessary to perform that task.
Threat Modeling
You cannot build secure infrastructure or applications unless you understand the associated threats.
Security Challenges
Products lack security features
Products have bugs
Many issues are not addressed by technical standards
Too hard to stay up-to-date
Design for security
Roles & responsibilities
Audit, track, follow-up
Response plans
Stay up-to-date with security development
People
Lack of knowledge
Lack of commitment
Human error
Current Situation
Current Situation
Patches proliferating
Time to exploit decreasing
Exploits are more sophisticated
Current approach is not sufficient
Chart: Days between patch and exploit (values shown: 331, 180, 151, 25)
Security is our #1 Priority
There is no silver bullet
Change requires innovation
Customer Feedback
You’ve Told Us
Our Action Items
“The quality of the patching process is low and inconsistent”
Improve the Patching Experience
“I need to know the right way to run a Microsoft enterprise”
Provide Guidance and Training
“I can’t keep up…new patches are released every week”
“There are still too many vulnerabilities in your products”
Mitigate Vulnerabilities Without Patches
Continue Improving Quality
Addressing The Situation
Security and Patch Management: Priority #1 at Microsoft
Comprehensive tactical and strategic approach to addressing the situation
Trustworthy Computing Initiative
SD3+C Security framework
Patch Management Initiative
Patch Management Initiative
Progress to Date
Informed & Prepared Customers
Rationalized patch severity rating levels
Better security bulletins and KB articles
Security Readiness Kit; Patch Management guidance, etc.
Consistent & Superior Update Experience
Standardized patch and update terminology
Standardized patch naming and installer switch options*
Installer consolidation plan in place – will go from ~8 to 2
Reduced patch release frequency from 1/week to 1/month
Superior Patch Quality
Improved patch testing process and coverage
Expanded test process to include customers
Reduced reboots by 10%; reduced patch size by up to 75%**
Best Patch & Update Management Solutions
Developed Patch & Update Management tools roadmap
SUS 2.0 in development: significantly enhanced capabilities
SMS 2003 delivers expanded patch and update management capabilities
More on the Patch Management Initiative in the Roadmap Section of this presentation…
*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
Solution Components
Successful Patch Management
Trained People
Tools & Technologies
Repeatable Processes
Patch Management Process
1. Assess Environment to be Patched
Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review infrastructure/configuration
Ongoing Tasks
A. Discover assets
B. Inventory clients
2. Identify New Patches
Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus: installs on isolated system)
3. Evaluate & Plan Patch Deployment
Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing
4. Deploy the Patch
Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment
Patch Management Guidance
Prescriptive guidance from Microsoft for effective patch management
Uses Microsoft Operations Framework (MOF)
Based on ITIL* (de facto standard for IT best practices)
Details requirements for effective patch management:
Technical & operational pre-requisites
Operational processes & how technology supports them
Daily, weekly, monthly & as-needed tasks to be performed
Testing options
Three patch management guidance offerings
Microsoft Guide to Security Patch Management**
Patch Management using Software Update Services***
Patch Management using Systems Management Server***
*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
MBSA
Helps identify vulnerable Windows systems
Scans for missing security patches and common security mis-configurations
Scans various versions of Windows and other Microsoft applications
Scans local or multiple remote systems via GUI or command line invocation
Generates XML scan reports on each scanned system
Runs on Windows Server 2003, Windows 2000 and Windows XP
Integrates with SUS & SMS
Software Update Services
Deploys Windows security patches, security rollups, critical updates*, and service packs only
Deploys above content for Windows 2000, Windows Server 2003 and Windows XP only
Provides patch download, deployment, and installation configuration options
Bandwidth optimized content deployment
Provides central administrative control over which patches can be installed from Windows Update
Provides basic patch installation status logging
*Including critical driver updates
SMS 2003
Identifies & deploys missing Windows and Office security patches on target systems
Can deploy any patch, update, or application in Windows environments
Inventory management & inventory based targeting of software installs
Install verification and detailed reporting
Flexible scheduling of content sync & installs
Central, full administrative control over installs
Bandwidth optimized content distribution
Software metering and remote control capabilities
Choosing A Patch Management Solution
Typical Customer Decisions
Customer Type | Scenario | Customer Chooses
Large or Medium Enterprise | Want single flexible patch management solution with extended level of control to patch & update (+ distribute) all software | SMS
Large or Medium Enterprise | Want patch management solution with basic level of control that updates Windows 2000 and newer versions* of Windows** | SUS
Small Business | Have at least 1 Windows server and 1 IT administrator** | SUS
Small Business | All other scenarios | Windows Update
Consumer | All scenarios | Windows Update
Adopt the solution that best meets the needs of your organisation
*Windows 2000, Windows XP, Windows Server 2003
**Customer uses Windows Update or manual process for other OS versions & applications software
Roadmap
Informed & Prepared Customers
New Security & Patch Management workshops
Regular web casts on security patch management*
Updated roadmap, whitepapers, and guidance
Timeline chart (Q4 ‘02 to Q3 ‘04) milestones:
Patch Management Guides
Improved KB Articles
Security Bulletin Teleconferences
GTM Partnership Deliverables
Bulletin Search Page
Clearer Severity Rating Levels
Security Readiness Kit (Guides, Tools, Best Practices)
Patch Management Roadmap
Sustaining Engineering Practices White Paper
Patch Management White Paper
Revised Patch Management Guides
*See http://www.microsoft.com/usa/webcasts/upcoming/default.asp for upcoming web casts
Consistent & Superior Update Experience
Timeline chart (Q1 ‘03 to Q4 ‘04) milestones:
Standard installer switches defined
Standard naming and signing
Add/Remove Program improvements
Standard terminology for documentation
Standard detection manifest
2 installers: MSI, Update.exe
MSI 3.0
Patches & Security Bulletins released once a month
Standard titles*
Standard property sheet
Standard registry entries
MSI 3.0 supports uninstall, binary delta patching, etc. – Q2 2004
Converge to two installers – Q4 2004
Monthly patch delivery for non-emergency patches – Today
*For Add/Remove Programs, Windows Update, and Download Center
Superior Patch Quality
Up to 75% reduction in patch size*
10% reduction in patch reboots
Patch test process extended to include customers
Timeline chart (Q4 ‘02 to Q3 ‘04) milestones:
75% reduction in patch size*
90% reduction in patch size
25% reduction in patch size
10% reduction in patch reboots
Patch test process includes participating customers
30% reduction in patch reboots**
*For Windows Update installs, more than 25% reduction for other patches
**For Windows Server 2003 patches
MBSA
Overall direction
MBSA update scanning functionality integrated into Windows patch management functionality
MBSA becomes Windows assessment & mitigation engine
Near- and Intermediate-term plans
MBSA 1.2 (Q4 2003)
Improves report consistency, product coverage, and locale support
Integrates Office Update Inventory Tool
MBSA 2.0 (Q2 2004)
Update scanning functionality migrates to SUS 2.0 / Microsoft Update
MBSA leverages SUS 2.0 for update scanning
SUS 2.0
Support for additional Microsoft products
Administrative control
Deployment & targeting
Bandwidth efficiency
Scale out
Status reporting
Patch Management Functionality
Future Direction
Longer-term (Longhorn time frame)
SUS functionality integrated into Windows
SUS supports updating of all Microsoft software
SUS infrastructure can be used to build patch management solutions for 3rd party and in-house built software
SMS patch management built on SUS infrastructure and delivers advanced patch management functionality
Near-term
SUS 2.0 (Spring 2004)
Single infrastructure for patch management
Support for additional Microsoft products
Significant improvements in patch management functionality
SMS 2003 Update Management Feature Pack (H2 2004)
Leverages SUS for update scanning & download
Leverages SUS client (Automatic Updates) for installs
Wireless
Current Situation
Huge fear of wireless
Rooted in misunderstandings of security
Wireless can be made secure
Takes work
Need to understand problem
Need to plan for secure solution
WEP Issues
Key and initialisation vector reuse
Known plaintext attack
Partial known plaintext attack
Weaknesses in RC4 key scheduling algorithm
Authentication forging
Realtime decryption
More Information
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
WEP - Wired Equivalent Privacy
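The first two WEP issues listed above (key/IV reuse and the resulting known-plaintext exposure), shown as an added example that is not part of the original presentation: a textbook RC4 implementation, a WEP-style per-packet key built as IV || shared key, and the birthday-bound estimate of how quickly a 24-bit IV repeats. The shared key, IV and frame contents are constructed sample values; the real WEP frame also carries the IV in clear and a CRC-32 ICV, which are omitted here.

```python
from math import exp


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is the 24-bit IV
    concatenated with the static shared key, so the keystream depends
    entirely on which IV the sender picked."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames sent under the same IV share a keystream, so XOR of the
    two ciphertexts equals XOR of the two plaintexts: the key cancels out.
    This is why 802.1X per-session keys and key regeneration matter."""
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among
    `packets` uniformly random IVs, 1 - exp(-n^2 / (2 * 2^iv_bits))."""
    space = 2 ** iv_bits
    return 1.0 - exp(-(packets ** 2) / (2.0 * space))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP shared key
    iv = b"\x00\x00\x01"  # constructed IV, reused for two frames
    p1 = b"GET /index.html HTTP/1.0"  # constructed frame bodies
    p2 = b"GET /admin.html HTTP/1.0"
    leak = keystream_reuse_leak(key, iv, p1, p2)
    print("ciphertext XOR equals plaintext XOR:", leak == xor_bytes(p1, p2))
    print("P(IV repeat) after 5,000 frames: %.2f" % iv_collision_probability(5000))
```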
Solution Today - 802.1X
Port-based access control mechanism defined by IEEE
Works on anything, wired and wireless
Access point must support 802.1X
No special WIC requirements
Allows choice of authentication methods using EAP
Chosen by peers at authentication time
Access point doesn’t care about EAP methods
Manages keys automagically
No need to preprogram WICs
Solution Today - EAP
Link-layer security framework
Simple encapsulation protocol for authentication mechanisms
Runs over any link layer, lossy or lossless
No built-in security
Doesn’t assume physically secure link
Authentication methods must incorporate their own security
AuthN Supported in Windows
EAP-MD5 disallowed for wireless
Can’t create encrypted session between supplicant and authenticator
Would transfer password hashes in the clear
Cannot perform mutual authentication
Vulnerable to man-in-the-middle attacks
EAP-TLS in Windows XP release
Requires client certificates
Best to have machine and user
Service Pack 1 adds Protected EAP (PEAP)
Protected EAP (PEAP)
Extension to EAP
Allows use of any secure authentication mechanism for EAP
No need to write individual EAP-enabled methods
Windows PEAP allows:
MS-CHAPv2—passwords
TLS (SSL channel)—certificates
PEAP-EAP-TLS a little slower than EAP-TLS
SecurID—but not tested/supported for wireless
For many deployments, machine and user passwords still are necessary
PEAP enables secure wireless now
Allows easy migration to certificates and smartcards later
802.1X & EAP Provides
Mutual device authentication
Workstation and authentication server
No rogue access points
Prevents man-in-the-middle attacks
Ensures key is transferred to correct entity
User authentication
No unauthorized access or interception
WEP key uniqueness and regeneration
Packet/disassociation spoofing prevention
WPA - An Interim Until 802.11i
Goals
Require secure networking
Solve WEP issues with software and firmware
upgrades
Provide secure wireless for SOHO
No RADIUS needed
Be forward compatible with 802.11i
Be available today
WPA Wireless Security Update in Windows XP
http://support.microsoft.com/?kbid=815485
The Future - 802.11i
IEEE is working on 802.11i
Replacement for WEP
Includes TKIP (Temporal Key Integrity Protocol), 802.1X, and keyed integrity check
Mandatory AES (Advanced Encryption Standard)
Addresses all currently known vulnerabilities and poor implementation decisions
Need to be IEEE member to read work in progress
Expected ratification in Q4 2003
VPN
Remote Access Trends
Explosive growth of mobile users
63.4M handheld computers to be sold by 2003*
Increasing methods of access
Application specific access
Combined functionality
VPN and Firewall combined platforms
* Source - (IDC)
VPN Solution Components
Diagram: corporate network (File/Print Server, Domain Controller, Database Server, Web Server, Email Server, IAS Server, Administrator) behind a VPN Server Gateway, reached across the Internet/ISP by a Mobile Worker and a Telecommuter; component categories shown: Clients, Gateway, Protocols, Authentication, Policy, Deployment Tools
Windows VPN Components
Client: Integrated VPN client (Windows XP)
Gateway: Routing and Remote Access Services (Windows Server 2003)
Protocols: Platform support for industry standard protocols
Authentication / Policy: Internet Authentication Services & Active Directory
Deployment Tools: Connection Manager Administration Kit
Windows XP Professional Client
Integrated VPN Client: initiates connection to remote networks.
Simplicity
New Connections Wizard
Automatic protocol detection
Security
Client state check with “Quarantine”
Supports advanced security and encryption
Supports certificates, smart cards, token cards and more
Windows Server Gateway
Routing and Remote Access Services: link clients to private networks
• Security
• Secure remote access connection technology
• Per session VPN packet filters
• Performance
• Offload hardware encryption supported
• Load Balance support for VPN
• Manageability
• Integrated Active Directory™ authentication
• Supports standards based Authentication Servers (RADIUS)
Windows XP & Server 2003 Protocols
Industry Standard Protocols: specify link capabilities and encrypt data traffic.
• Security
• Advanced security with L2TP/IPSec tunneling protocols
• PKI authentication support
• Legacy user authentication support with PPTP
• Support for Smart Cards with EAP
• Interoperability
• IETF standards based solutions
• Network Transparency
• Multi-protocol and Multi-cast support
Windows Server Authentication
Internet Authentication Services: validates user access to the network
Directory Integration
• Integrates with Active Directory
Interoperability
• Authenticates other 3rd party VPN products that support RADIUS
Security
• Support for “Quarantine”
New authentication support
• Smart Cards, Token Cards, Fingerprint scanners and more
Windows Server Policies
AD Group Policy: network policies for users to gain access
Security
• Enforcement of policies to check the state of the client via quarantine service
• Restricted access based on group membership
Manageability
• Centralized user management with integration of AD and authentication service
Windows Server Deployment Tools
Connection Manager Administration Kit: create and manage client connection configurations
Central Configuration
• Create pre-configured dial-up connection software for simplified client experience
Extensibility
• Customizable help files, help-desk numbers, and more
• Configurable connect actions to launch custom code before or after connection
Phonebook Management
• Automatic phonebook updates for local ISP access numbers
Components of Network Access Quarantine Control
White Paper: Network Access Quarantine Control in Windows Server 2003
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
Perimeter
What is ISA Server?
High Performance Web cache
Multi-layered firewall
Packet Level (static and dynamic filters)
Circuit Level (stateful inspection)
Application Level (payload inspection)
Network Address Translation (NAT)
Centralised or Distributed Management
ICSA Certified
Common Criteria EAL2 Certified
Current Situation
Traditional firewalls focus on packet filtering and stateful inspection
Today’s attacks freely bypass this
Ports are overloaded & can be exploited
Port 80 Yesterday—Web browsing only
Port 80 Today—Web browsing, OWA, XML Web Services, …
Packet filtering and stateful inspection are not enough
Application-layer Firewalls are Necessary
Application-layer firewalls are required to stop these attacks
Enable deep content inspection
Requirement for network security today
Diagram: Internet → packet filtering firewall/router → application-layer firewall → internal network
“To provide edge security in this application centric world…application-layer firewalls will be required”
—John Pescatore, Gartner
ISA Deployment Benefits
Cost-effective to build, monitor and operate
Integrated with Windows security and compatible with non-Windows hosts
Saves bandwidth by caching frequently accessed content
Provides a firewall engine with application layer inspection
Enables QOS, detailed reporting, strong user authentication and high availability
Partner Opportunities
Implementing good patch management process
Eliminate fear of wireless networks
Revisiting corporate remote access strategies
Evaluate the security of customer’s DMZ environments
Regularly check www.microsoft.com/security