Microsoft Security & Patch Management Solutions And Strategy Microsoft Corporation

Post on 06-Mar-2015


TRANSCRIPT

Page 1: Russell SBB CA Patch Management

Microsoft Security & Patch Management Solutions And Strategy

Microsoft Corporation

Page 2: Russell SBB CA Patch Management

Most attacks occur here (between patch release and patch deployment)

Situation: Process, Guidance, Tools Critical

Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site

Why does this gap exist?

Page 3: Russell SBB CA Patch Management

Exploit Timeline

Days From Patch to Exploit
The average is now days for a patch to be reverse-engineered
As this cycle keeps getting shorter, patching is a less effective defense in large organizations; automation for testing and deployment needed

Why does this gap exist?

[Chart: Days between patch and exploit (patch → exploit code)]
Nimda: 331
SQL Slammer: 180
Welchia/Nachi: 151
Blaster: 25

Page 4: Russell SBB CA Patch Management

Microsoft Security Response Process (swimlanes: Product Team, Security Team)

Vulnerability Report Received
• [email protected]
• Microsoft Technical Support
• Mailing lists (NTBugTraq, BugTraq, etc.)
• Web form

Triaged for Criticality
• Critical
• Important
• Moderate
• Low
• None

Issue Reproduced

Patch Developed

Patch Tested
• Verify issue is fixed
• Developer testing
• Sustained engg. testing
• Testing by customers

Documentation Developed

Field Guidance Developed

Patch Released & Notification Sent
• Security Bulletin
• Knowledge Base Article
• Premier Customer Alert
• Notification via:
  • www.microsoft.com/security
  • Notification service
  • Mailing lists
• Patches released*

Development Practices Updated

*On second Tuesday of each month

• Associated with patch release:
  • Security bulletin
  • Updated MSSecure.xml file for MBSA
  • Patch (including localized versions) on Windows Update and Download Center
  • Update catalog for SUS

Page 5: Russell SBB CA Patch Management

Improved Patching Experience

Microsoft Patch Policies
Non-emergency security patches on a monthly release schedule, the second Tuesday of every month (if there are some to release; sometimes there are none, as was the case for March 2005)
Security Notification Service sends an alert 3 business days ahead of time
New alert mechanisms such as RSS Feed, IM, or MSRC Blog
Security Bulletins now very comprehensive, detailed
Language clear and concise

Patches for emergency issues will still release immediately

Page 6: Russell SBB CA Patch Management

Enhancements to the Advanced Notification Program

Program introduced in November 2004 to assist with preparation and resource planning

Expanded to include the following information each month:
Strains of malicious software that will be cleaned with the Malicious Software Removal tool
Information about the detection tool applicable to the upcoming security updates
Any non-security, high priority updates on Windows Update that will be released on the same day as security updates

More information: www.microsoft.com/technet/security/bulletin/advance.mspx

Page 7: Russell SBB CA Patch Management

New Resources This Month (April)

MSN Security Alerts:
A new “security” category added to the MSN Alerts Service:
Security bulletin release notifications
Security incident updates
MSN Messenger users can receive a popup whenever new information is available
For more information: www.microsoft.com/security/bulletins/alerts.mspx

RSS feed for consumer level security bulletins:
By using an RSS reader, customers can now be proactively notified when new bulletins are available
More information: www.microsoft.com/updates

MSRC Blog on TechNet:
First introduced during the RSA Conference in February 2005
Received positive customer response
Moved to a more permanent home on TechNet
http://blogs.technet.com/msrc

Page 8: Russell SBB CA Patch Management

Microsoft “Security360”, April 2005

Register to review the April 19 session: www.microsoft.com/security360

Topic: E-mail Security, It’s More Than Filtering
E-mail security is not just about preventing unsolicited messages; it is also about protecting the digital information assets you send through e-mail
Discussion covering the whole spectrum of e-mail security, including filtering technologies, e-mail policies and enforcement, and partner solutions
A checklist of recommendations and resources

Page 9: Russell SBB CA Patch Management

Resources

Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/ms05-Apr.mspx
Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
May Security Bulletins Webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032273403&Culture=en-US
Windows XP Service Pack 2: www.microsoft.com/technet/winxpsp2
Windows Server 2003 Service Pack 1: www.microsoft.com/windowsserver2003/default.mspx
Security Newsletter: www.microsoft.com/technet/security/secnews/default.mspx
On-demand Supplement Webcast on Detection & Deployment: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032268810&Culture=en-US

Page 10: Russell SBB CA Patch Management

Solutions for Management: Patch Management Guidance

Provides best practices guidance for patch management
Scales from small organizations up to an enterprise organization
People, Process & Tools Guidance consists of:
End to End Process for Patching (built on MOF)
Description of how the tools (SMS 2003 & SUS) automate the process
Guidance on roles and responsibilities
Built upon a Management Architecture

The MSM offering may be downloaded from http://www.microsoft.com/technet/itsolutions/msm
The Patch Management Guidance can be found at http://www.microsoft.com/technet/security/topics/patchmanagement.mspx

Page 11: Russell SBB CA Patch Management

Patch Management Process

Cycle: 1. Assess → 2. Identify → 3. Evaluate & Plan → 4. Deploy → back to 1. Assess

1. Assess Environment to be Patched
Periodic Tasks
A. Create/maintain baseline of systems
B. Assess patch management architecture (is it fit for purpose)
C. Review infrastructure/configuration
Ongoing Tasks
A. Discover assets
B. Inventory clients

2. Identify New Patches
Tasks
A. Identify new patches
B. Determine patch relevance (includes threat assessment)
C. Verify patch authenticity & integrity (no virus; installs on isolated system)

3. Evaluate & Plan Patch Deployment
Tasks
A. Obtain approval to deploy patch
B. Perform risk assessment
C. Plan patch release process
D. Complete patch acceptance testing

4. Deploy the Patch
Tasks
A. Distribute and install patch
B. Report on progress
C. Handle exceptions
D. Review deployment

Page 12: Russell SBB CA Patch Management

Microsoft Severity Ratings

Rating: Definition
Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or in the integrity or availability of processing resources
Moderate: Serious vulnerability, but exploitability mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
Low: Exploitation is extremely difficult, or impact is minimal

Page 13: Russell SBB CA Patch Management

Patching Timeframes

Severity Rating: Recommended Patching Timeframe
Critical: Within 24 hours
Important: Within 1 month
Moderate: Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
Low: Depending on expected availability, wait for next service pack or patch rollup that includes the patch, or deploy the patch within 1 year

Factors Impacting Release Timeframes

Factor: Potential Impact
High value or high exposure assets impacted: Decrease timeframe
Assets historically attacked are impacted: Decrease timeframe
Mitigating factors in place or will be quickly put in place: Increase timeframe
Low risk of exposure for impacted assets: Increase timeframe
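The two tables above turned into a per-asset deadline and compliance calculator. This is an added example, not code from the slide deck or from Microsoft: the baseline windows are the slide's, while the slide does not say by how much a factor decreases or increases the timeframe, so halving and doubling per factor, the risk-factor names and the asset inventory are assumptions constructed for the example.

```python
"""Risk-adjusted patch deadlines from the severity/timeframe tables above."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Baseline windows from the "Patching Timeframes" table. For Moderate and Low
# the table offers two branches (wait for the next service pack or rollup, or
# deploy within the stated period); this models the "deploy within" branch.
BASELINE_DAYS = {
    "Critical": 1,     # within 24 hours
    "Important": 30,   # within 1 month
    "Moderate": 120,   # within 4 months
    "Low": 365,        # within 1 year
}

# The table only says these factors "decrease" or "increase" the timeframe.
# Assumption for this example: each decreasing factor halves the window and
# each increasing factor doubles it, never going below one day.
DECREASE_FACTORS = frozenset({"high_value_or_exposure", "historically_attacked"})
INCREASE_FACTORS = frozenset({"mitigations_in_place", "low_exposure"})


@dataclass(frozen=True)
class Asset:
    name: str
    factors: FrozenSet[str] = frozenset()
    installed_on: Optional[date] = None   # None = patch not yet deployed


def patch_window_days(severity: str, factors: Iterable[str]) -> int:
    """Baseline window for the severity, adjusted by the asset's risk factors."""
    base = BASELINE_DAYS[severity]          # KeyError on an unknown rating
    net = 0                                 # +1 per increase, -1 per decrease
    for factor in factors:
        if factor in INCREASE_FACTORS:
            net += 1
        elif factor in DECREASE_FACTORS:
            net -= 1
        else:
            raise ValueError(f"unknown risk factor: {factor}")
    days = base * 2 ** net if net >= 0 else base // 2 ** (-net)
    return max(1, days)


def deadline(released: date, severity: str, factors: Iterable[str]) -> date:
    """Date by which the patch must be installed on an asset with these factors."""
    return released + timedelta(days=patch_window_days(severity, factors))


def compliance_report(released: date, severity: str, assets: Iterable[Asset],
                      today: date) -> Dict[str, Tuple[str, str]]:
    """Per-asset deadline (ISO date) and status: on_time, late, pending, overdue."""
    report = {}
    for asset in assets:
        due = deadline(released, severity, asset.factors)
        if asset.installed_on is None:
            status = "overdue" if today > due else "pending"
        else:
            status = "on_time" if asset.installed_on <= due else "late"
        report[asset.name] = (due.isoformat(), status)
    return report


def demo_report() -> Dict[str, Tuple[str, str]]:
    """Constructed sample: an Important bulletin from the April 2005 release
    (second Tuesday, 12 April 2005), checked on 1 May 2005."""
    released = date(2005, 4, 12)
    assets = [
        Asset("web-dmz-01", frozenset({"high_value_or_exposure"})),   # 15-day window
        Asset("hr-db-01", frozenset({"high_value_or_exposure",
                                     "historically_attacked"}),
              installed_on=date(2005, 4, 25)),                        # 7-day window
        Asset("file-srv-02", installed_on=date(2005, 4, 20)),         # 30-day window
        Asset("lab-vm-07", frozenset({"low_exposure"})),              # 60-day window
    ]
    return compliance_report(released, "Important", assets, today=date(2005, 5, 1))


if __name__ == "__main__":
    for name, (due, status) in demo_report().items():
        print(f"{name:12} due {due}  {status}")
```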

Page 14: Russell SBB CA Patch Management

Patch Management Process: Step 1: Assess

Are there any threats or vulnerabilities in the environment?
Has anything changed in production?
New operating systems and applications
Changes to network or management infrastructure
Accurate and up-to-date inventory information is essential to the process
Is the management infrastructure able to support patch management?

Page 15: Russell SBB CA Patch Management

Patch Management Process: Step 2: Identify

How can you be notified about new patches?
Is the patch relevant to the organization?
Which systems need to be patched?
Do all systems need to be patched with the same level of priority?
Which systems are most vulnerable?
Has the patch been downloaded and checked to be virus free?
Does the patch install successfully on a trial system?
Has a change request (RFC) been submitted for this patch?

Page 16: Russell SBB CA Patch Management

Patch Management Process: Step 3: Evaluate and Plan

Need to test the patch before deployment
Important to ensure that business critical functions still work
Amount of testing will depend on risk
Use change management process to ensure all parties agree with need to deploy
If critical, use an expedited process!

Page 17: Russell SBB CA Patch Management

Patch Management Process: Step 3: Evaluate and Plan (Cont.)

Consider how & when to install the patch
Installation process may differ for server and desktop devices
Need to consider outage windows and business continuity
Need to consider how to patch mobile clients and clients connecting across slow or unreliable networks
Can the patch be combined with other changes to minimize down time…

Page 18: Russell SBB CA Patch Management

Patch Management Process: Step 4: Deploy

Production environment needs to be prepared for new patches
Administrators/users will need to be informed of possible downtime
Possible training to assist support desk
Distribution points checked to confirm presence of patch and associated binaries

Page 19: Russell SBB CA Patch Management

Patch Management Process: Step 4: Deploy (Cont.)

Monitor patch distribution
Check progress and deal with exceptions
Releasing patches to mobile clients and slow connections
Size of patch may be a significant issue
Options include forcing mobile clients into the office or distributing across the network

Page 20: Russell SBB CA Patch Management

Patch Management Process: Roles and Responsibilities

People need to have defined roles and responsibilities
Perform daily, weekly, monthly, and as-needed tasks
Audit server production environment (daily)
Check for new information sources (monthly)
Review new patch notifications (as needed)

Page 21: Russell SBB CA Patch Management

Points about Patching

For successful patch management in a distributed IT environment consider:
How to stay aware of new patches and fixes.
Whether it is necessary to apply a particular patch.
The system-wide impact of installing a patch.
What specifically a patch will change.
If a patch can be removed, once installed.
Dependencies between components in the production environment and the impact of applying a patch to one of those components.
How to evaluate the success of a patch installation.
The possible scenarios for restoring a patched environment.

Page 22: Russell SBB CA Patch Management

Solution Components

Analysis Tools

• Microsoft Baseline Security Analyzer (MBSA)

• Office Inventory Tool

Online Update Services

• Windows Update

• Office Update

Content Repositories

• Windows Update Catalog

• Office Download Catalog

• Microsoft Download Center

Management Tools

• Automatic Updates (AU) feature in Windows

• Software Update Services (SUS)

• Systems Management Server (SMS)

Prescriptive Guidance

• Microsoft Guide to Security Patch Management

• Patch Management Using SUS

• Patch Management Using SMS

Page 23: Russell SBB CA Patch Management

Content Repository Comparison

Windows Update*
Supported Software: Windows operating systems and its components only
Supported Content Types: Security patches, security rollups, critical updates, SP’s and driver updates
Scans for Updates: Yes
Usage Options:
• User initiated -- automatically detects, downloads, & installs updates via online service
• Automatic Updates initiated – automatically detects & downloads updates
• Manual content search & download (from Windows Update Catalog)

Office Update
Supported Software: Microsoft Office and its components only
Supported Content Types: Security patches, critical updates, and SP’s
Scans for Updates: Yes
Usage Options:
• User initiated -- automatically detects, downloads, & installs updates via online service
• Manual content search & download (from Office Download Catalog)

MS Download Center
Supported Software: All Microsoft products
Supported Content Types: All types of content
Scans for Updates: No
Usage Options:
• Manual content search & download only

Page 24: Russell SBB CA Patch Management

Choosing A Patch Management Solution

Capability comparison: Windows Update / SUS 1.0 / SMS 2003

Core Patch Management Capabilities

Supported Platforms for Content
Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
SUS 1.0: Win2K, WS2003, WinXP
SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98

Supported Content Types
Windows Update: All patches, updates (including drivers), & service packs (SP’s) for the above
SUS 1.0: Only security & security rollup patches, critical updates, & SP’s for the above
SMS 2003: All patches, SP’s & updates for the above; supports patch, update, & app installs for MS & other apps

Granularity of Control: Targeting Content to Systems
Windows Update: No
SUS 1.0: No
SMS 2003: Yes

Network Bandwidth Optimization
Windows Update: No
SUS 1.0: Yes (for patch deployment)
SMS 2003: Yes (for patch deployment & server sync)

Patch Distribution Control
Windows Update: No
SUS 1.0: Basic
SMS 2003: Advanced

Patch Installation & Scheduling Flexibility
Windows Update: Manual, end user controlled
SUS 1.0: Admin (auto) or user (manual) controlled
SMS 2003: Administrator control with granular scheduling capabilities

Patch Installation Status Reporting
Windows Update: Assessing computer history only
SUS 1.0: Limited (client install history & server based install logs)
SMS 2003: Comprehensive (install status, result, and compliance details)

Additional Software Distribution Capabilities

Deployment Planning: N/A / N/A / Yes
Inventory Management: N/A / N/A / Yes
Compliance Checking: N/A / N/A / Yes

Page 25: Russell SBB CA Patch Management

MBSA Update Scanning Functionality

Overall direction
MBSA update scanning functionality integrated into Windows patch management functionality
MBSA becomes Windows vulnerability assessment & mitigation engine

Near- and Intermediate-term plans
MBSA 1.2.1 (Q1 2004)
Windows XP SP2 support
Improves report consistency, product coverage, and locale support
Integrates Office Update Inventory Tool

MBSA 2.0 (Q2 2005)
Update scanning functionality migrates to Microsoft Update Services / Microsoft Update
MBSA leverages MSUS 2.0 for update scanning
Beta program now open for participation

Page 26: Russell SBB CA Patch Management

Adopt a Patch Management Solution

*Microsoft does not endorse or recommend a specific patch management product or company

Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality

At Microsoft, our #1 concern is the security and availability of your IT environment

If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor. Below is a partial list of available products:

Company Name / Product Name / Company URL
Altiris, Inc. / Altiris Patch Management / http://www.altiris.com
BigFix, Inc. / BigFix Patch Manager / http://www.bigfix.com
Configuresoft, Inc. / Security Update Manager / http://www.configuresoft.com
Ecora, Inc. / Ecora Patch Manager / http://www.ecora.com
GFI Software, Ltd. / GFI LANguard Network Security Scanner / http://www.gfi.com
Gravity Storm Software, LLC / Service Pack Manager 2000 / http://www.securitybastion.com
LANDesk Software, Ltd / LANDesk Patch Manager / http://www.landesk.com
Novadigm, Inc. / Radia Patch Manager / http://www.novadigm.com
PatchLink Corp. / PatchLink Update / http://www.patchlink.com
Shavlik Technologies / HFNetChk Pro / http://www.shavlik.com
St. Bernard Software / UpdateExpert / http://www.stbernard.com

Page 27: Russell SBB CA Patch Management

Summary

Addressing the patch management issue is a top priority
Taking a comprehensive, tactical & strategic approach
Made progress, but much more work to be done

Microsoft focused on:
Reducing the number of vulnerabilities & associated patches
Improving customer preparedness, training & communication
Simplifying & standardizing the patching experience
Improving patch quality
Unifying and strengthening patch management offerings

Key Recommendations:
Implement a good patch management process – it’s the key to success
Adopt a patch management solution that best fits your needs

Page 28: Russell SBB CA Patch Management

Resources

Microsoft Security Response Center
To report a suspected vulnerability, send e-mail to [email protected]

Microsoft Virus Safety Line
Outside U.S. contact the local Microsoft PSS support center
In the U.S. 1-866-PC-SAFETY
Premier Support 1-800-936-3100

Warning: Microsoft never distributes software via e-mail; please see:
http://www.microsoft.com/technet/security/policy/swdist.asp

Page 29: Russell SBB CA Patch Management
Page 30: Russell SBB CA Patch Management

The Ten Immutable Laws of Security Patch Management

Law #1: Security Patches are a Fact of Life.
Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
Law #3: There is No Patch for Bad Judgment.
Law #4: You Can’t Patch What You Don’t Know You Have.
Law #5: The Most Effective Patch is The One You Don’t Have to Apply.
Law #6: A Service Pack Covers a Multitude of Patches.
Law #7: All Patches Are Not Created Equal.
Law #8: Never Base Your Patching Decision on Whether You’ve Seen Exploit Code… Unless You’ve Seen Exploit Code.
Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
Law #10: Patch Management is Really Risk Management.