
How To Keep Up With Security Patches
Eric Schultze
Security Strategies
Microsoft

Questions
- How do I know if I'm up to date on patches?
- How do I know when a new patch is released?
- How do I know that the patch is valid on my system?
- How can I deploy patches to all my machines?
- What is Microsoft doing to make it easier to assess and deploy patches?

Patch Process
- New Patch Notification
- Host and Network Assessment
- Deployment
- Validation

Notification
How do I know when new security patches are available?
- Security Bulletin Notification Service: www.microsoft.com/technet/security
- Windows Update Client Update Notification Applet
- HFNetChk

How can I tell which machines need patches?
- HFNetChk
  - Can be run against Windows NT 4, Windows 2000, Windows XP
  - Evaluates patch status for OS, IIS, IE, and a limited amount of SQL 7 and 2000
  - See KB article Q303215 for more info and download location

HFNetChk Demo

How Does HFNetChk Work?
1. Downloads signed CAB file (containing XML data) from microsoft.com
   - May also use a local copy of the XML file from a file or http share
2. Tool Version Check
3. Language \ OS \ SP \ Application check
4. Identifies all relevant security patches for OS \ SP \ App

MSSecure.XML

How Does HFNetChk Work?
For each applicable hotfix:
5. Compare registry key from XML file to registry key on the system
   - If reg key does NOT exist, file is determined to be NOT installed
   - Reg key check can be bypassed with the -z switch

How Does HFNetChk Work?
6. If registry key DOES exist*, compare file version information from XML file to files on system
7. If registry key DOES exist*, compare file checksum information from XML file to files on system
* Or if registry checks were bypassed

MSSecure.XML

How Does HFNetChk Work?
- If the file version or the checksum does NOT match for any file, the patch is considered NOT installed (a Warning is given if the file version is greater than expected)
- In every instance, file versions and checksums are evaluated!
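
The checks in steps 5 through 7 above, written out as an added example (not HFNetChk's code and not part of the original slides). The dictionary layout, registry path, file name, versions and file contents are constructed, and reporting a greater-than-expected version as a warning note alongside a NOT installed result is one reading of the slide.

```python
import hashlib

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def check_hotfix(hotfix, system, skip_registry=False):
    """Return (installed, notes) following steps 5-7 on the slides."""
    # Step 5: registry key comparison; skip_registry models the -z switch.
    if not skip_registry and hotfix["reg_key"] not in system["registry"]:
        return False, ["registry key missing"]
    installed, notes = True, []
    for path, want in hotfix["files"].items():
        have = system["files"].get(path)
        if have is None:  # assumption: a missing file counts as a mismatch
            installed = False
            notes.append(f"{path}: file missing")
            continue
        # Step 6: file version comparison.
        if ver(have["version"]) != ver(want["version"]):
            installed = False
            newer = ver(have["version"]) > ver(want["version"])
            notes.append(f"{path}: " + ("WARNING version greater than expected"
                                        if newer else "version older than expected"))
        # Step 7: checksum comparison, evaluated even if the version matched.
        if sha1(have["data"]) != want["sha1"]:
            installed = False
            notes.append(f"{path}: checksum mismatch")
    return installed, notes

# Constructed sample data (hypothetical, not taken from MSSecure.XML).
DLL = r"%windir%\system32\example.dll"
PATCHED = b"patched-binary"
HOTFIX = {"reg_key": r"HKLM\SOFTWARE\Example\Hotfix\Q000000",
          "files": {DLL: {"version": "1.0.0.2", "sha1": sha1(PATCHED)}}}

def make_system(reg=True, version="1.0.0.2", data=PATCHED):
    return {"registry": {HOTFIX["reg_key"]} if reg else set(),
            "files": {DLL: {"version": version, "data": data}}}

if __name__ == "__main__":
    # Registry key present, but the binary was replaced by an older build.
    print(check_hotfix(HOTFIX, make_system(version="1.0.0.1", data=b"old")))
    # Key missing, files correct: reported installed only with the -z behaviour.
    print(check_hotfix(HOTFIX, make_system(reg=False), skip_registry=True))
```

The first case is the one the file checks exist for: a hotfix registry key left behind does not make a system patched if the binary on disk is not the patched one.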

New MSSecure Schema
- Patch details for all languages
- Download URL for each patch for each language
- Hotfix installer engine and related switches
- MD5 and SHA1 file hashes
- Specific file location (relative and/or system variable)
- 56 bit vs 128 bit crypto, multi-proc vs. single-proc, 32 bit vs 64 bit architecture
- Severity data
- CVE data
- Reboot actions

Deployment
How do I push patches to the machines that need them?
- SMS
- Third party tools
- Active Directory / Group Policy

SMS

HFNetChkPro


Group Policy and MSI
- Create MSI package for hotfix
  - Future MS hotfixes may include MSI packages
  - Use third party MSI creator: InstallShield, SMS, etc.
- Create Group Policy with Computer Settings for Software Installation

Group Policy and MSI

Corporate Windows Update
- Allows corporations to host their own Windows Update Server
- CorpWU Server downloads catalogs and patches from Microsoft
- Administrator chooses which ones to make available on corpnet
- New WU clients are configured (via Group Policy or Reg key) to perform WU operations against CorpWU Server

Corporate Windows Update
- Clients can also be configured via Group Policy to auto-download and apply the patches within a given period of time, should the system owner not do it on their own.

What else is Microsoft doing?
- Focus on Trustworthy Computing
  - Email from BillG
- Rollup Packages
  - Cumulative
  - Every two months for latest Service Pack
  - May be released as MSI
- Increase in No-Reboot patches
- Additional Tools like HFNetChk

Contact Info [email protected]
