

          70-299 MCSE Guide to Implementing and Administering
          Security in a Microsoft Windows Server 2003 Network

             Chapter Five
Planning and Deploying Patch Management

                Objectives

• Plan the deployment of service packs and hotfixes
• Evaluate the applicability of service packs and hotfixes
• Implement Microsoft Software Update Services
  (SUS) architecture
• Plan the batch deployment of multiple hotfixes

Guide to MCSE 70-299                              2
            Objectives (continued)

• Understand deployment considerations for various machines
• Post deployment review
• Plan a rollback strategy

  Planning the Deployment of Service Packs and Hotfixes

• Patch management: Method for keeping computers
  up to date with new software releases
   – Keeps technology environment secure and reliable
   – Requires identifying security vulnerabilities and
     responding quickly
• Security patch management: patch management
  with a concentration on reducing security
  vulnerabilities; essential for secure IT management
  and operations

  Types of Attacks and Vulnerabilities

• Most common types of attacks:
   – Denial of service and distributed denial of service
     (DoS/DDoS), backdoors
   – Brute force, buffer overflows, man-in-the-middle,
     and session hijacking
   – Spoofing, scripting files, social engineering
   – Viruses, worms, and Trojan horses

  Denial of Service and Distributed Denial of Service Attacks (DoS/DDoS)

• DoS/DDoS: Executed by manipulating protocols
• In DDoS, attacker distributes software that allows
  the attacker partial or full control of infected
  system; effects are multiplied by total number of
  zombie machines under the control of the attacker
• Prevention:
   – Set up filters on external routers
   – Reduce the time before the reset of an unfinished
     TCP connection

  Denial of Service and Distributed Denial of Service Attacks (DoS/DDoS)
• Back door: A program that allows access to a
  system without using security checks
   – Examples include Back Orifice, NetBus, and Sub7
   – Have two essential parts:
      • Server: Infected machine
      • Client: used for remotely controlling the server
   – Can also take the form of a privileged user account
• Prevention: need to set proper access to the users

      Brute Force Attacks and Buffer Overflow Attacks

• Brute force:
   – Way of cracking a cryptographic key or password,
     e.g., L0phtcrack program
   – Prevention: Enforce a strong password length and
     complexity policy
• Buffer overflow:
   – More data is sent to a computer’s memory buffer
     than it is able to handle, causing it to overflow
   – Prevention: improve the way applications are
         Man-in-the-Middle Attacks

• Man-in-the-Middle Attacks:
   – Attacker intercepts traffic and tricks the parties at
     both ends into believing that they are communicating
   – Common in Telnet and wireless technologies
   – Prevention:
      • Restrict access to wiring closets and switches
      • DNS access should be restricted to read-only
      • Use encryption and secure protocols

     Session Hijacking and Spoofing

• Session Hijacking:
   – Takes control of a session between the server and a
   – Prevention: force user to reauthenticate before
     allowing transactions to occur, and use of unique
     ISNs and Web session cookies
• Spoofing:
   – Making data appear to come from somewhere other
     than where it really originated
   – Prevention: careful about what information is given
     when responding to e-mail and Web requests

  Scripting Files, Software Exploitation, and Social Engineering
• Scripting files: unintentional execution of scripts in
  a Web-based message, written by an attacker
   – Prevention: disable scripting languages in the browser
• Software exploitation: method of searching for
  specific problems, or security holes, in software
   – Prevention: keep the latest patches and service packs
• Social engineering: attack that works by exploiting
  human nature and human behaviour
   – Prevention: solid company policies and user

     Viruses, Worms, and Trojan Horses

• Virus: program or piece of code that is loaded onto
  your computer without your knowledge and is
  designed to attach itself to other code and replicate
• Trojan horses: programs disguised as useful
  applications, though they do not replicate themselves
• Worms: self-replicating programs similar in function
  to viruses and Trojan horses
• Prevention: install/update antivirus software

    Applying a Four-Step Process for Updates to Your Environment

•   The Microsoft-recommended patch management
    process includes four phases:
    –   Assess
    –   Identify
    –   Evaluate and plan
    –   Deploy

                 Phase 1: Assess

•   Conduct an audit to inventory existing computing
•   Assess security threats and vulnerabilities
•   Determine the best source for information about
    software updates
•   Assess the existing software distribution
•   Assess operational effectiveness

                 Phase 2: Identify

•   Discover new software updates in a reliable way
•   Determine the relevancy of updates to your
    production environment
•   Obtain software update source files and confirm
    that they are safe
•   Determine whether the software update should be
    considered an emergency

        Phase 3: Evaluate and Plan

•   Determine the appropriate response: prioritize and
    categorize the request, then get authorization
    to deploy
•   Plan the release of the software update:
    determine what needs to be patched, then
    identify the key issues and constraints
•   Build the release: develop scripts, tools, and
•   Conduct acceptance testing of the release

                 Phase 4: Deploy
•   Prepare for deployment: communicate the rollout
    schedule to the organization
•   Deploy the software update to targeted computers:
    – Advertising the software update to client computers
    – Monitoring and reporting on the progress of
      deployment, and handling failed deployments
•   Conduct a postdeployment review:
    – Evaluating your organization’s performance
      throughout the incident
    – Updating the existing baseline for your environment

    Evaluating the Applicability of Service Packs and Hotfixes

•    Information about new software updates can be
     obtained from the following sources:
     – E-mail notifications
     – Web sites
     – Microsoft technical representatives

                E-mail Notifications

•   Microsoft releases its patches and hotfixes on a
    monthly schedule and announces them through:
    – Microsoft Security Notification Service: A free e-
      mail notification service to inform customers about
      the security of its products
    – Microsoft Security Update: free e-mail alert service
       •   Product Security Notification: for technical alerts
       •   Microsoft Security Update: for non-technical alerts

      E-mail Notifications (continued)

•   Guidelines to validate each e-mail notification:
    – Delete any e-mail notifications with attached
      software files
    – Do not click any links directly from inside an e-mail
•   Visit the Microsoft Security Web site to read the
    authoritative details of a security bulletin
    – Each Microsoft security patch comes with two
       •   Security Bulletin
       •   Knowledge Base Article

                       Web Sites

     Figure 5-2: Microsoft Security Bulletin search window

    Testing the Compatibility of Service Packs and Hotfixes for Existing
•   Software Update Services (SUS): lets you configure a
    server in your own environment that holds content
    from the live Microsoft update site and uses it to
    update internal servers and clients
•   Ways to test update content before applying:
    – Use two SUS servers, one for testing and one for
      production computers
    – Use a manually configured distribution point

    Creating a Content Distribution Point

•    Distribution point: a server that hosts the content
     you want your servers running SUS to offer,
     including the list of approved items
•    Can be created either manually or automatically
•    Uses only port 80
•    Located in the currently running IIS Web site
     under a Vroot named /Content when automatically

           Content Synchronization

•   During synchronization, updated content can be
    handled on the Approve updates page in two ways:
    – Automatically approve new versions of previously
      approved updates
    – Do not automatically approve new versions of
      approved updates
•   In a testing environment, the second option is better

 Content Synchronization (continued)

     Figure 5-3: Software Update Services option window
    Implementing Microsoft Software Update Services Architecture

•   Ways to deploy service packs and hotfixes:
    –   SMS
    –   SUS
    –   Group Policy
    –   Slipstreaming
    –   Custom scripts
    –   Implementation during a Remote Installation
        Services (RIS) installation

    Getting Started with Software Update Services
•    Advantages of SUS:
     – Updates can be approved individually on each SUS
     – Clients can be configured to get updates through a
       SUS server instead of downloading them from
       Microsoft’s site
     – SUS is a means to provide updates to computers
       that don’t have Internet access
     – SUS server architecture is made up of parent-child
     – Each SUS server can support up to 15,000 clients

    Getting Started with Software Update Services (continued)

•    SUS server requires the following:
     – A server with Windows 2000 Server or Server 2003
     – An NTFS file system partition with at least 100 MB
       of available free space to install
     – SUS SP1 and a minimum of 6 GB of storage on an
       NTFS partition to host the updates locally
     – IIS
     – Port 80 to communicate with SUS clients

    Getting Started with Software Update Services (continued)

•    Features of SUS Feature Pack:
     – Capability to update status for all clients based on
       new security update information
     – Ability to review and authorize missing updates
     – Allows tailor-built packages and advertisements for
       each update or set of updates
     – Can update advertisements distributed to computers
     – Allows Windows Update–style notifications
     – Ability to use timers

Performing Software Update Services Common Administration Tasks

• Tasks to complete before using SUS to synchronize
  and approve content:
   – Properly configure proxy server settings if required
   – Configure a DNS name for the server running SUS if
   – Synchronize the server content
   – Have the actual content of the package updated
     during synchronization
• SUS keeps information about available updates in a
  metadata cache
Performing Software Update Services Common Administration Tasks
• SUS has two logs for tracking events:
   – Synchronization log: records the following information
      • Time of the last and next scheduled synchronization
      • Success and failure notifications
      • Update packages that have been downloaded and/or
        updated since the last synchronization, or that failed
      • Whether the synchronization was manual or automatic
   – Approval log: keeps track of the content that has
     been approved or not approved

 Planning a Software Update Services

             Table 5-1: SUS deployment models

                       Pilot Phase

•   Make sure of the following:
    – After the software update is installed, the computer
      should restart properly
    – Software update has an uninstall program that can
      successfully remove the update
    – Business-critical systems and services continue to
      function normally after the software update has
      been installed

            Pilot Phase (continued)

•   Steps for performing a pilot rollout if update is
    targeted at computers connected across slow or
    unreliable links:
    – Approve the update on the SUS pilot server only
    – Create a new site-level GPO that is configured
    – Grant the Read and Apply Group Policy permissions on this
      GPO to the SUS pilot clients only
    – Place SUS pilot GPO at the top of the list of GPOs
      assigned to the site
    – Delete the SUS pilot GPO upon successful
      deployment in production
                Production Phase

• Methods to roll out software updates: SMS, Group
  Policy, SUS, and scripts
• The production phase includes:
   – Preparing for and executing the deployment:
      • Rollout schedule should be announced to the users
      • Announcement to the users can be done through
        Group Policy with several options
      • Update should be staged on the SUS server
   – Perform a postdeployment review
• Use the Wuau.adm template to control Automatic Updates settings
       Production Phase (continued)

Figure 5-4: Group Policy Configure Automatic Updates window
       Production Phase (continued)

   Figure 5-5: Group Policy Windows Components window
       Production Phase (continued)
•   Use the Reschedule Automatic Updates scheduled
    installations GPO setting for computers that have
    missed a scheduled installation
•   Group Policy software installation can also distribute
    service packs: make a new software installation
    package (.msi file) and link it to a GPO
•   Steps to deploy a software update in production:
      •   Advertise the update to the clients
      •   Check the deployment progress
      •   Deal with any failed deployments
      •   Conduct a postdeployment review
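The Wuau.adm template and the Reschedule Automatic Updates setting described above work by writing policy values under the WindowsUpdate key on each client. The batch file below is an added example, not part of the book or of SUS itself: it writes those same values on one test client with reg.exe so you can see exactly what the pilot GPO will change before the GPO is linked. The server name http://sus-pilot, the install hour, and the reschedule delay are assumptions chosen for the example; reg.exe and wuauclt /detectnow are assumed to be present (Windows XP SP1 or Windows Server 2003).

```batch
@echo off
setlocal
rem Added example, not from the book: mirrors on one test client the
rem Automatic Updates policy values that the Wuau.adm template sets.
rem Assumption: the pilot SUS server answers at http://sus-pilot (hypothetical).
set SUSSERVER=http://sus-pilot
set WUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Point the client at the SUS server instead of Microsoft's site,
rem for both update downloads and status reporting
reg add "%WUKEY%" /v WUServer /t REG_SZ /d %SUSSERVER% /f
reg add "%WUKEY%" /v WUStatusServer /t REG_SZ /d %SUSSERVER% /f
reg add "%WUKEY%\AU" /v UseWUServer /t REG_DWORD /d 1 /f

rem Configure Automatic Updates: AUOptions 4 = download automatically
rem and install on the schedule below (2 = notify, 3 = download and notify)
reg add "%WUKEY%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WUKEY%\AU" /v AUOptions /t REG_DWORD /d 4 /f
rem ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
reg add "%WUKEY%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
rem ScheduledInstallTime: hour of the day on a 24-hour clock (3 = 03:00)
reg add "%WUKEY%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f
rem Reschedule Automatic Updates scheduled installations: minutes to wait
rem after startup before running an installation the computer missed
reg add "%WUKEY%\AU" /v RescheduleWaitTime /t REG_DWORD /d 10 /f

rem Restart the Automatic Updates service and force a detection pass so
rem the client reports to the pilot server without waiting for the next cycle
net stop wuauserv
net start wuauserv
wuauclt /detectnow
endlocal
```

Because a linked GPO reapplies these values on every policy refresh, edits made this way on a production client are overwritten at the next refresh; that is why the book's pilot procedure uses a separate site-level GPO filtered to the pilot clients rather than per-machine edits.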
       Production Phase (continued)

 Figure 5-6: Group Policy Automatic Updates download location
       Production Phase (continued)

        Figure 5-7: Group Policy package installation
Server Backup and Disaster Recovery
•   A recovery plan requires backing up the Web site
    directory, the SUS directory, and the IIS metabase
•   In case of failure, steps taken before restoring the
    data back to the server (IIS 6 servers) include:
    –   Physically disconnect the server from the network
    –   Install the same OS the server was previously running
    –   Install the same IIS components the server previously had
    –   Install the latest service pack and security fixes
    –   Run the IIS Security Wizard before connecting the server
        to the network
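The three items the recovery plan names can be captured by one scheduled job. The batch file below is an added example, not from the book: it backs up the IIS 6 metabase with the iisback.vbs script that ships in %SystemRoot%\system32 on Windows Server 2003, then copies the metabase backup files, the SUS directory, and the Web site directory to a backup share. The folder paths, the share name, the backup password, and the US-style %DATE% format used for the timestamp are all assumptions for the example.

```batch
@echo off
setlocal
rem Added example, not from the book: backs up the IIS metabase, the SUS
rem directory and the Web site directory named in the recovery plan.
rem Assumptions: IIS 6 on Windows Server 2003; the three paths below are
rem placeholders; %DATE% is in the form "Tue 05/13/2003" (US locale).
set SUSDIR=C:\SUS
set WEBDIR=C:\Inetpub\wwwroot
set BACKUPROOT=\\backupserver\sus-backup
set STAMP=%DATE:~-4%%DATE:~-10,2%%DATE:~-7,2%
set DEST=%BACKUPROOT%\%STAMP%

rem 1. Metabase: iisback.vbs stores a copy of MetaBase.xml and MBSchema.xml
rem    as SUS-<stamp>.MDn / .SCn under %SystemRoot%\system32\inetsrv\MetaBack.
rem    /e sets the password that protects encrypted properties; "ChangeMe"
rem    is a placeholder and a real job should not keep the password in a script.
cscript //nologo %SystemRoot%\system32\iisback.vbs /backup /b SUS-%STAMP% /v NEXT_VERSION /e ChangeMe
if errorlevel 1 goto :fail

rem 2. Copy the metabase backup files, then the SUS directory (including the
rem    approved-update content) and the Web site directory, with subfolders,
rem    hidden files and without prompting
xcopy "%SystemRoot%\system32\inetsrv\MetaBack\SUS-%STAMP%.*" "%DEST%\metabase\" /Y /I
if errorlevel 1 goto :fail
xcopy "%SUSDIR%" "%DEST%\sus\" /E /C /H /Y /I
if errorlevel 1 goto :fail
xcopy "%WEBDIR%" "%DEST%\wwwroot\" /E /C /H /Y /I
if errorlevel 1 goto :fail

echo Backup completed to %DEST%
endlocal
exit /b 0

:fail
echo Backup FAILED, check the output above before relying on this copy
endlocal
exit /b 1
```

Run it from a scheduled task under an account that can write to the share, and keep the resulting folders off the SUS server itself: the rebuild steps above assume the server's disk is gone, so a backup stored locally is no backup.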

Server Backup and Disaster Recovery

           Figure 5-8: Backing up the IIS metabase
   Planning the Batch Deployment of Multiple Hotfixes

• Using slipstreaming: installs service packs together
  with the operating system.
• Steps include:
   – List the components and updates you want installed
     as entries in the Svcpack.inf file
   – Copy the installation files for the operating system
     and the updates to a shared distribution folder
   – Create the package
   – Run setup to deploy the installation either from the
     shared distribution folder or a CD-ROM
  Planning the Batch Deployment of Multiple Hotfixes (continued)

• Using custom scripts: the following scripting tools can be
  used for installation:
   – Windows Script Host: ideal for both interactive and
     noninteractive scripting, such as logon scripting and
     administrative scripting
   – KiXtart
• Using isolated installations: update package
  automatically installs the updated system files,
  making the necessary registry changes

  Planning the Batch Deployment of Multiple Hotfixes (continued)

• Using QChain.exe: updates can be chained
  together so that they install without restarting the
  computer between each installation

              Table 5-2: Update.exe Switches
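The batch file below is an added example, not from the book, of the chaining the QChain.exe bullet describes: each hotfix package is run with the /z switch so it does not restart the computer and /m so it runs unattended, and QChain.exe is run once at the end so that a file replaced by more than one hotfix ends up at the newest version before the single restart. The share path and the KBxxxxxx package names are placeholders; the script assumes the packages and QChain.exe have already been copied to that share.

```batch
@echo off
setlocal
rem Added example, not from the book: install several hotfixes in one pass
rem and run QChain.exe once so the computer restarts only once.
rem Assumptions: the packages and qchain.exe sit in the share below; the
rem KB numbers are placeholders, not real package names.
set FIXES=\\fileserver\patches\2003

rem Update.exe switches used here (see Table 5-2):
rem   /z  do not restart after this hotfix installs
rem   /m  unattended mode
rem Leaving out /n keeps the uninstall backup, which the rollback plan needs.
for %%F in (KBxxxxxx-x86.exe KByyyyyy-x86.exe KBzzzzzz-x86.exe) do (
    echo Installing %%F
    "%FIXES%\%%F" /z /m
    rem Exit code 3010 means "installed, restart required", which is
    rem expected with /z; anything else above 0 is a real failure
    if errorlevel 1 if not errorlevel 3010 echo WARNING: %%F did not install cleanly
)

rem Run QChain once so that the pending file replacements queued by each
rem hotfix are reconciled and only the newest version of each file survives
"%FIXES%\qchain.exe"

echo All hotfixes installed. Restart the computer when the maintenance
echo window allows, for example with: shutdown /r /t 0
endlocal
```

Check the WARNING lines (or the hotfix log files in %SystemRoot%) before restarting; a package that failed should be fixed or removed from the batch rather than left half-applied behind the others, since the pilot-phase criteria above require that each update restart and uninstall cleanly.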

      Deployment Considerations for Various Machines

• New servers and clients; options to install service
  packs and hotfixes with the OS include:
   – Slipstreaming, custom scripts, and implementation
     during a RIS installation; RIS is used to
     automatically install a client OS by booting from the
     network, obtaining a DHCP address, and
     then obtaining the proper image for the machine
• Existing servers and existing clients:
   – SUS, Group Policy, and SMS: SUS servers are the
     core of the update process

           Postdeployment Review

• Use MBSA to identify installed updates as well as
  approved updates that have yet to be installed
   – Post implementation review includes these steps:
      • Ensure that the vulnerabilities are added to your
        vulnerability-scanning reports
      • Ensure that your build images have been updated
      • Discuss planned versus actual results
      • Discuss the risks associated with the release

  Postdeployment Review (continued)

• Post implementation review includes these steps:
   – Review organization’s performance during the
   – Discuss changes to your service windows
   – Assess the total incident damage and cost
   – Update the existing baseline for your environment

  Postdeployment Review (continued)

 Figure 5-9: Scanning multiple computers for missing updates
                  Summary

• Proactive security patch management is necessary
  to keep the technology environment secure and reliable
• Organizations should have a process for identifying
  security vulnerabilities and responding quickly
• Have a comprehensive plan for applying software
  updates, configuration changes, and
  countermeasures to remove vulnerabilities
• Myriad attacks can be initiated against a network
• Microsoft’s patch management process is a four-
  phase approach that controls the deployment of
  service packs and hotfixes
             Summary (continued)

• E-mail notifications, Web sites, and Microsoft
  technical representatives provide information about
  new software updates
• SUS can be used to deploy Windows-related
  security patches and updates to any computers
  running Windows 2000, Windows XP Professional,
  or Windows Server 2003
• SMS, SUS, Group Policy, slipstreaming, custom
  scripts and implementation during an RIS
  installation can be used to deploy service packs
  and hotfixes

             Summary (continued)

• With QChain.exe, updates can be installed without
  restarting the computer between each installation
• MBSA can be used to identify installed updates as
  well as updates that have been approved on the
  SUS server but have yet to be installed
• A release should not be piloted in production
  unless rollback and recovery procedures are in place
