PatchDeploy Behind the Scenes Dardan Shkreli +41 41 748 22 04 [email protected].
PatchDeploy Behind the Scenes
Dardan Shkreli +41 41 748 22 04 [email protected]
(c) 2004 Brainware Solutions AG
Agenda
What is „Patch Day“?
Benefits of Columbus Patch Deploy
Supported Products
The Workflow
Next Steps
Questions & Discussion
What is „Patch Day“?
Microsoft products always “under construction”
Security issues, vulnerabilities, bug fixes
Updates published 2nd Tuesday of each month
Benefits of Columbus Patch Deploy
Tested in advance: Correctness, Revisions, Adjustment
Management: One place to manage; delivered like software packages through Columbus
Control and reduce risk: You decide which patches to deploy, when, and to which clients
Grouping: Make custom deployment groups: OS, SP, Severity, Clients, Sites
Efficient: Target only candidate clients, schedule deployment
Supported Products
OS (Workstation/Server)
MS Office (XP, 2003, 2007)
Over 230 products
Five languages
OS Vers. SP 32bit 64bit Language
EN GE FR JP IT
Win 2000 Professional WS SP4 √ √ √ √ √
Win 2000 Standard Server SP4 √ √ √
Win 2000 Advanced Server SP4 √ √ √
Win 2003 Server Standard SP1 √ √ √ √
Win 2003 Server Standard SP2 √ √ √ √
Win 2003 Server Enterprise SP1 √ √ √
Win 2003 Server Enterprise SP2 √ √ √
Win XP Professional SP2 √ √ √ √ √ √
Win XP Professional SP3 √ √ √ √ √ √
Vista SP0 √ √ √ √ √ √ √
Vista SP1 √ √ √ √ √ √ √
Win 2008 Server SP1 √ √ √ √ √ √ √
The Workflow
1. Analysis OS, SP, Products, Severity
2. Development ENU, DEU, JPN, etc. Severity
3. Testing Detection, Installation, Verification
4. Publishing Catalogs, Encryption, Backup
Analysis
First steps - Security Bulletin
Analysis (OS, SP, Products, Severity)
Filtering (SLA)
Infrastructure
Security Bulletins – KB Articles
Each Patch analysed: Prerequisites, Sources, File Info, Command lines
Development
Patch creation Methods
Snapshots (Package Maker), MSI, Copy, Combination
Architecture
Development
[Package]
Description=KB 950760 / MS08-032 - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760): SP2-SP3
Identifier=950760 - MS08-032.BWP000183.BWS000312
Language=ENU
Version=01
Patch=0
Platform=XP

AllowConditionalUsage=0
Usercondition=File '*.*'
Clientcondition= (reserved for future use only)
Servercondition= (reserved for future use only)

; When should the package be released ?
; e.g. ServerReleaseDate=19970930193000
ServerReleaseDate=00000000000000
ClientReleaseDate=00000000000000
UserReleaseDate=00000000000000
FriendlyInstallText=
OrderType=
Friendly=YES
Category=#Microsoft Patch#
Active=3

; Repetitive Jobs
; Repeat=EachTime

; This section allows you to define, in which CCC groups the package
; automatically should be inserted
[Groups]
OS Patches ENU_XP__SP2
OS Patches ENU_XP__SP3

[PatchManagement]
Severity=2
BrainwareID={78F07EDF-2919-432E-AAEE-984298B6FC6D}
IsPatch=1
Vendor=Microsoft
KBID=950760

[Summary]
This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.

[Checks]
if not '%_OSMajorVersion%.%_OSMinorVersion%' = '5.1' then Exit 'Not applicable. Required: 5.1 - Current: %_OSMajorVersion%.%_OSMinorVersion%' '1'
if Not FileLanguage '%_WindowsSystem%\browselc.dll' = 'ENU' then Exit 'Not applicable - wrong language.' '3'
RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Machine
if '%_SPLevel%'='' then Set _SPLevel='0' /Machine
if '%_SPLevel%'='512' then goto SP_OK
if '%_SPLevel%'='768' then goto SP_OK
Exit 'The current Service pack is not supported.' '5'
:SP_OK
RegRead 'HKEY_LOCAL_MACHINE' 'SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB950760' 'InstalledDate' '_KB950760_InstalledDate' /Script
if '%_KB950760_InstalledDate%'='' then Exit 'Registry indicates missing (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB950760\InstalledDate)' '102'
Exit 'Installed' '120'

[UserAdd]

[ClientAdd]
;#STARTCRYPT#
if '%_NoPatchInstallationChecks%'='1' then goto INSTALL
if not '%_OSMajorVersion%.%_OSMinorVersion%' = '6.0' then exit 'Invalid operating system. Required: 6.0 - Current: %_OSMajorVersion%.%_OSMinorVersion%' 'PDW001'
if not '%_OSType%' = 'NT_WORKSTATION' then Exit 'Invalid operating system. Required: NT_WORKSTATION - Current: %_OSType%' 'PDW002'
if '%_64BitOS%' = '1' then Exit 'Wrong type of OS - only for 32Bit OS' 'PDW011'
RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Immediate
if '%_SPLevel%'='0' then goto SP0_OK
if '%_SPLevel%'='256' then goto SP1_OK
Exit 'The current Service pack is not supported.' 'PDW005'
:SP0_OK
if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'
if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6000.16681' then goto File_OK
:SP1_OK
if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'
if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6001.18063' then goto File_OK
if '%_PkgReinstall%'='1' then goto File_OK
Exit 'No requirements met.' 'PDW090'
:File_OK
:INSTALL
;#ENDCRYPT#
;SetSystemRestorePoint /Daily /NoErrors
if '%_AllowPatchesUnistall%'='1' then goto AllowUninstall
goto NoUninstall
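The detection logic of the [Checks] section above, modelled as an added example (not Brainware's code) and run over a small inventory to pick out the candidate clients. The fact field names and the sample fleet are constructed assumptions; the exit codes and the CSDVersion values 512 and 768 come from the script.

```python
# Added illustration: a model of the [Checks] section of the KB950760 package.
# Field names in the client facts and the FLEET data are constructed samples.

def sp_level(csd_version):
    """CSDVersion keeps the service pack number in the high byte (512 = 0x0200 = SP2)."""
    return (csd_version or 0) >> 8

def evaluate_checks(facts):
    """Return (exit_code, message), testing in the same order as the script."""
    os_ver = f"{facts['os_major']}.{facts['os_minor']}"
    if os_ver != "5.1":
        return "1", f"Not applicable. Required: 5.1 - Current: {os_ver}"
    if facts["ui_language"] != "ENU":
        return "3", "Not applicable - wrong language."
    csd = facts.get("csd_version") or 0   # the script sets an empty value to '0'
    if csd not in (512, 768):             # only XP SP2 and SP3 are accepted
        return "5", "The current Service pack is not supported."
    if not facts.get("kb950760_installed_date"):
        return "102", "Registry indicates missing"
    return "120", "Installed"

def candidates(fleet):
    """Exit code 102 means applicable but not installed: the deployment targets."""
    return sorted(n for n, f in fleet.items() if evaluate_checks(f)[0] == "102")

def xp(lang, csd, installed=None, major=5, minor=1):
    """Build one constructed client record."""
    return {"os_major": major, "os_minor": minor, "ui_language": lang,
            "csd_version": csd, "kb950760_installed_date": installed}

# Constructed inventory covering every exit path of the script.
FLEET = {
    "xp-sp2-unpatched": xp("ENU", 512),
    "xp-sp3-unpatched": xp("ENU", 768),
    "xp-sp3-patched":   xp("ENU", 768, installed="6/12/2008"),
    "xp-sp1":           xp("ENU", 256),
    "xp-german":        xp("DEU", 768),
    "vista-sp1":        xp("ENU", 256, major=6, minor=0),
}

if __name__ == "__main__":
    for name, facts in FLEET.items():
        code, msg = evaluate_checks(facts)
        print(f"{name:18} SP{sp_level(facts['csd_version'])}  {code:>3}  {msg}")
    print("Deploy to:", candidates(FLEET))
```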
Testing/Infrastructure
Combined testing - automated/human
Analysis & Infrastructure for testing
Static test: Source check, Command lines, Severity, Description
Passed!
1 Patch = Different OS/Products
Testing/Infrastructure
Combined testing - automated/human
Analysis & Infrastructure for testing
Live tests: Download, Recognition, Installation, Verification
Static test: Source check, Command lines, Severity, Description
Test against MBSA, Windows Update, SMS, …
Passed! Passed!
Patch OK!
Publishing
Last checks (syntax, coverage)
Expand Product, Service Pack & Patch Catalogs
Encrypt files
Place created patches on the web server
Test download of catalogs from the web server
Backup
Inform Helpdesk about published patches
How do the clients get their patches?
Columbus – Patch Deploy Module
Patch Deploy Agent
Next steps…
Microsoft (…x64)
Adobe
McAfee
Others
Questions & Discussion
??