What exactly is: Windows Update and WSUS - Cevi-Users
Transcript of What exactly is: Windows Update and WSUS - Cevi-Users
Centrum voor Informatica NV
What exactly is: "Windows Update" and "WSUS"
Van Hecke Vincent
Microsoft Patch Management
Van Hecke Vincent
Topics
• Terminology
• How Microsoft "fixes" its software.
• Overview of technologies and products
• "Automatic Updates" or "WSUS"?
• WSUS
• Extras: MBSA, …
TERMINOLOGY
http://technet.microsoft.com/en-us/library/cc700845.aspx
http://support.microsoft.com/kb/824684
Important Security Terms
Vulnerability: Software, hardware, a procedural weakness, a feature, or a configuration that could be a weak point exploited during an attack. Also called an exposure.
Threat: A source of danger.
Attack: A threat agent attempting to take advantage of vulnerabilities for unwelcome purposes.
Countermeasure: Software configurations, hardware, or procedures that reduce risk in a computer environment. Also called a safeguard or mitigation.
Software Vulnerabilities
Buffer overrun (overflow): An unchecked buffer in a program that can overwrite the program code with new data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker.
Privilege elevation (escalation): Allows users or attackers to attain higher privileges in certain circumstances.
Validation error (source code): Allows malformed data to have unintended consequences.
Vulnerability Severity Ratings
Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
STRIDE Model of Threat Categories (1/2)
Spoofing identity: Illegally obtaining access and use of another person's authentication information, such as a user name or password.
Tampering with data: The malicious modification of data.
Repudiation: Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.)
STRIDE Model of Threat Categories (2/2)
Information disclosure: The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.
Denial of service: An explicit attempt to prevent legitimate users from using a service or system.
Elevation (escalation) of privilege: Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.
Threat Agents (1/3)
Virus: An intrusive program that infects computer files by inserting copies of self-replicating code, and deletes critical files, makes system modifications, or performs some other action to cause harm to data on the computer or to the computer itself. A virus attaches itself to a host program.
Worm: A self-replicating program, often malicious like a virus, that can spread from computer to computer without infecting files first.
Trojan horse: Software or e-mail that professes to be useful and benign, but which actually performs some destructive purpose or provides access to an attacker.
Threat Agents (2/3)
Mail bomb: A malicious e-mail sent to an unsuspecting recipient. When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious action on their computer.
Adware: Any software application or program in which advertising banners are displayed or pop-up windows appear while the program is running. Adware is considered "Spyware" and is installed without the user's knowledge.
Threat Agents (3/3)
Spyware: Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. … Once installed, the Spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of Spyware is to download certain peer-to-peer file swapping products that are available today.
HOW MICROSOFT "FIXES" ITS SOFTWARE
"Microsoft is committed to protecting customers from security vulnerabilities. As part of this effort, Microsoft makes available periodic releases of software".
More info: Google "Trustworthy Computing"
MSRC Security Bulletin
OVERVIEW OF TECHNOLOGIES AND PRODUCTS
• WU: Windows Update
• MU: Microsoft Update
• MOU: Microsoft Office Update
• WSUS: Windows Server Update Services
• SCCM: System Center Configuration Manager
• MUC: Microsoft Update Catalog
Windows Update
Microsoft Update
Via an Office application
Via Windows Update
Comparison
Microsoft Update versus Windows Update
The way back to Windows Update
Because once the agent has been switched to MU, it stays active until the WU agent is reinstalled.
Microsoft Office Update
Via Windows Update
The update process
The update process: types of updates
• High priority: Critical updates, security updates, service packs, and update rollups.
• Software (optional): Non-critical fixes for Windows programs
• Hardware (optional): Non-critical fixes for drivers and other hardware devices
Express vs Custom
• Express (recommended) displays all high priority updates for your computer so that you can install them with one click. This is the quickest and easiest way to keep your computer up to date.
• Custom displays high priority and optional updates for your computer. You review and select the updates that you want to install, one by one.
The (unknown?) options
WSUS
Context
Multiple WSUS servers
Advantages of WSUS
• Better management of Microsoft Updates, especially in larger environments.
• Reporting
• Possibly less traffic over the internet line, when using a central repository
SCCM
SCCM
SCCM is really the big brother of WSUS. The extra features in SCCM are:
• Inventory management
• Advanced reporting
• Remote management of systems
SCCM
Microsoft Update Catalog
Windows Update Catalog
AUTOMATIC UPDATES OR WSUS?
The Microsoft way…
Customer type: Large or Medium Enterprise
Scenario: The organization wants a single, flexible update management solution with an extended level of control that enables them to update (and distribute) all Windows operating systems and applications and also includes an integrated asset management solution.
Customer choice: SCCM

Customer type: Large or Medium Enterprise
Scenario: The organization wants a solution for update management only that provides simple updating for Microsoft software—initially supporting Windows 2000 and later supporting Office 2003, Office XP, Exchange Server 2000 and later, SQL Server 2000 and later.
Customer choice: WSUS
The Microsoft way…
Customer type: Small Business
Scenario: The business has at least one Windows server and one IT administrator.
Customer choice: WSUS

Customer type: Small Business
Scenario: All other scenarios
Customer choice: Microsoft Update or Windows Update

Customer type: Consumer
Scenario: All other scenarios
Customer choice: Microsoft Update or Windows Update
Automatic Updates
Best practice if "Automatic Updates":
Install the Microsoft Update agent everywhere (so that all software gets updated)
WSUS
• More possibilities
• Also requires maintenance
• Server needed
WSUS
About WSUS
• BITS = Background Intelligent Transfer Service
• WSUS includes reporting capabilities
• WSUS can work in 2 ways: clients fetch updates from WSUS, or clients fetch updates from the internet
• Command line capabilities (wsusutil.exe)
Installation documentation
• Step-by-step guide
• http://www.microsoft.com/downloads/details.aspx?FamilyID=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en
Installation
• The port is 80 by default, but can be 8530
Configuration
Firewall!
• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• http://download.microsoft.com
• http://*.download.windowsupdate.com
• http://wustat.windows.com
• http://ntservicepack.microsoft.com
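As an added example (not part of the original slides), the firewall allow-list above turned into an anchored matcher in Python, the kind of check you would run over a proxy log before opening the rules. It assumes that a "*" entry covers one or more whole sub-domain labels of that host and nothing else, so look-alike hosts and a longer suffix are rejected; that wildcard rule is this example's assumption, the slides do not define it.

```python
"""Check URLs against the Windows Update / WSUS firewall allow-list above.
Added example; the wildcard rule ('*' = one or more whole DNS labels)
is an assumption, not something the slides define."""
import re
from urllib.parse import urlsplit

# The allow-list exactly as given on the slide.
ALLOW_LIST = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]


def entry_to_regex(entry):
    """Compile one entry into a regex anchored on scheme and full host.
    '*.' becomes one-or-more label groups; everything else is escaped,
    so a '.' in the entry can only match a literal dot."""
    scheme, host = entry.split("://", 1)
    if host.startswith("*."):
        host_re = r"(?:[a-z0-9-]+\.)+" + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    return re.compile(rf"^{re.escape(scheme)}://{host_re}$", re.IGNORECASE)


_RULES = [entry_to_regex(e) for e in ALLOW_LIST]


def is_allowed(url):
    """True when the URL's scheme and hostname match an allow-list entry.
    Path, port and query are ignored, as a host-based proxy rule would."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return False
    return any(r.match(f"{parts.scheme}://{parts.hostname}") for r in _RULES)


def check_urls(urls):
    """Map each URL (e.g. from a proxy log) to its allow/deny decision."""
    return {u: is_allowed(u) for u in urls}
```

Note that the list has no bare "windowsupdate.com" and no https entry for download.microsoft.com, so the matcher rejects both; if clients need them, the list, not the matcher, has to change.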
Configuration
Groups…
The choice is yours:
Configuration TIP
• SSL?
• Do not store update files locally?
  • Remote workers
More documentation
• Operations Guide: http://www.microsoft.com/downloads/details.aspx?familyid=66D250FA-670F-4A49-95EC-2FFDA7691F55&displaylang=en
WSUS Tips
WSUS Tips: Cloning machines
• If a machine configured for WSUS is cloned (via Ghost, …), the following registry keys must be deleted:
• HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
• HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
WSUS Tips: Forefront
• Forefront uses WSUS for its updates, so the GPO setting determines how often it checks for new virus definitions. The default is 22 hours; best set it to 1 hour.
• Enable the option "Allow automatic update immediate installation", so that the virus definitions are installed without having to set a schedule.
• Still set a (daily?) schedule for the product updates.
WSUS Tips: Performance issues
• svchost/msi performance issue: both KB927891 and the new 3.0 client are needed
• http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx
WSUS Tips: Client logging
• Click Start, then click Run, type WINDOWSUPDATE.LOG and then click OK. Read the log from the bottom up.
• WindowsUpdate.log is the v6 version
• windows update.log is the v4 version
http://support.microsoft.com/kb/902093
WSUS Tips
• 0x80072EE2 – 0x80072F78 – 0x80072F76 – 0x80072EFD
  • 836941 - You receive an "Error 0x80072EE2" or "Error 0x80072EFD" error message when you try to use Windows Update
  • Add Windows Update Web sites to the Trusted Sites list
WSUS Tips
• 0x80070424
  • How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2 (870700)
  • This Windows Update error code is caused by unregistered DLL files for Windows Update or Internet Explorer. On Windows XP SP2 and later this may be resolved using the "iexplore /rereg" command.
WSUS Tips
• 0x80244001/0x800A01AD
  • These Windows Update error codes can be caused by a damaged Windows XP XML subsystem. The first step to take is to reregister this component using the command "regsvr32 msxml3.dll". If this does not resolve the issue, check for more recently updated MSXML Parser and MSXML components from the following link:
  http://www.microsoft.com/downloads/results.aspx?productID=&freetext=msxml&DisplayLang=en
WSUS Tips
• When accessing the Update site, you receive the 0x800A01AE error.
  • This issue may happen if the current session of Internet Explorer has cached an older version of Wuapi.dll
  • Re-register the Windows Update DLLs with the commands below
  • Click Start, click Run, type cmd, and then click OK.
  • Type the following commands. Press ENTER after each command.
    regsvr32 wuapi.dll
    regsvr32 wuaueng.dll
    regsvr32 wuaueng1.dll
    regsvr32 wucltui.dll
    regsvr32 wups.dll
    regsvr32 wups2.dll
    regsvr32 wuweb.dll
WSUS Tips
• 0x80248011
  • This Windows Update error code is normally related to inconsistent or damaged information in the c:\windows\softwaredistribution folder. Stopping the Automatic Updates service, then renaming the c:\windows\softwaredistribution folder to SDOLD, then restarting the Automatic Updates service normally is the fix for this issue.
  Note: Renaming this folder will clear the display of previous successful and failed updates.
WSUS Tips
• 0x800B0001
  • This Windows Update error code is related to 3 particular DLL files that are not registered in Windows correctly. Registering the following files with REGSVR32 normally fixes this issue:
    • Softpub.dll
    • Mssip32.dll
    • Initpki.dll
WSUS Tips
• 0x8024402C
  • This Windows Update error can be caused by a damaged installation of BITS and corrupted information in the SoftwareDistribution folder. The solution is normally to re-download the BITS updates (KB883357 and KB842773) from the Microsoft.com website, then stop the Automatic Updates service and rename the SoftwareDistribution folder to SDOLD. Reboot the computer and return to Windows Update.
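The client logging tip and the error-code slides above, as one added example (not from the original presentation): a small Python triage that pulls the hexadecimal codes out of WindowsUpdate.log lines, counts them and pairs each with the fix the slides give, so the most frequent failure in a client's log is looked at first. The line layout (date, time, PID, TID, component, message) is assumed to be the v6 format and the sample log is constructed.

```python
"""Triage WindowsUpdate.log (v6 client) against the error codes on the
slides above. Added example; the line layout (date, time, PID, TID,
component, message) is assumed and the sample log is constructed."""
import re
from collections import Counter

NET = ("KB 836941: add the Windows Update sites to Trusted Sites; "
       "check that the client firewall lets SVCHOST out.")
# One hint per code, taken from the troubleshooting slides.
HINTS = {
    "0x80072EE2": NET, "0x80072EFD": NET, "0x80072F78": NET, "0x80072F76": NET,
    "0x80070424": "Unregistered WU/IE DLLs; on XP SP2+ run 'iexplore /rereg'.",
    "0x80244001": "Damaged MSXML: 'regsvr32 msxml3.dll', then check newer MSXML.",
    "0x800A01AD": "Damaged MSXML: 'regsvr32 msxml3.dll', then check newer MSXML.",
    "0x800A01AE": "IE cached an old Wuapi.dll: re-register the wu*.dll files.",
    "0x80248011": "Damaged SoftwareDistribution: stop Automatic Updates, "
                  "rename the folder to SDOLD, restart the service.",
    "0x800B0001": "Register Softpub.dll, Mssip32.dll, Initpki.dll with REGSVR32.",
    "0x8024402C": "Damaged BITS: reinstall KB883357/KB842773, rename "
                  "SoftwareDistribution to SDOLD, reboot.",
}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+"
                     r"(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$")
# WU logs write codes as 0x8007xxxx or as 'hr = 8007xxxx'.
CODE_RE = re.compile(r"(?:0x|hr = )([0-9A-Fa-f]{8})\b")

# Constructed sample, not a real capture.
SAMPLE_LOG = """\
2009-10-05 14:03:12:345 1024 5d4 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <>
2009-10-05 14:03:12:360 1024 5d4 Agent * WARNING: Exit code = 0x80072EE2
2009-10-05 14:03:15:001 1024 5d4 Agent WARNING: Failed to initialize datastore, error = 0x80248011
2009-10-05 14:03:20:777 1024 5d4 Setup FATAL: WU client failed Searching for update with error 0x8024402c
2009-10-05 14:04:01:002 1024 5d4 Report REPORT EVENT: {0f1a2b3c-0000-0000-0000-000000000000} Success Software Synchronization
"""


def parse_line(line):
    """Split one line into fields; None for lines outside the layout
    (blank or continuation lines). Codes are normalised to 0xUPPERCASE."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    date, time, _pid, _tid, component, message = m.groups()
    return {"when": f"{date} {time}", "component": component, "message": message,
            "codes": ["0x" + c.upper() for c in CODE_RE.findall(message)]}


def triage(log_text):
    """Count each error code and pair it with the slide's fix. Returns
    (code, count, first_seen, hint) tuples, most frequent first, so the
    reader starts with the failure that dominates the log."""
    counts, first_seen = Counter(), {}
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        for code in entry["codes"]:
            counts[code] += 1
            first_seen.setdefault(code, entry["when"])
    return [(code, n, first_seen[code], HINTS.get(code, "not covered on the slides"))
            for code, n in counts.most_common()]
```

Run `triage(open(r"C:\Windows\WindowsUpdate.log").read())` on a real client to get the same summary; codes the slides do not cover are still counted, just without a hint.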
WSUS Tips: Client Firewalls
• Most third party firewalls such as Norton Personal Firewall block SVCHOST (Generic Host Process Win32) communication by default. This can cause issues with Windows Update as SVCHOST communication is required by the Windows Update client to connect to the Windows Update Servers on the internet.
WSUS Tips: Diag tools
• Client diag tool
• Server diag tool
http://technet.microsoft.com/en-us/wsus/bb466192.aspx
WSUS Tips
• To enable site tracing for a single visit to the Windows Update site, add “&dev=true” to the end of the URL, as in the example below:
http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en&dev=true
WSUS Tips
• Backup?
WSUS Links
• http://technet.microsoft.com/en-us/wsus/default.aspx
• http://www.wsus.info/
• http://blogs.technet.com/wsus/default.aspx
• http://www.wsuswiki.com/
WSUS 3.0 SP2 Beta Overview
New Windows Server and Client Version Support
• Integration with Windows Server® 2008 R2
• Support for Windows 7® client
• Support for the BranchCache feature on Windows Server® 2008 R2
WSUS 3.0 SP2 Beta Overview
WSUS Beta Feature Improvements and Fixes
Auto-Approval Rules
• New functionality lets you specify the approval deadline date and time.
• You can now apply a rule to all computers or to specific computer groups.
Cross-Version Compatibility
• The user interface is compatible between Service Pack 1 and Service Pack 2 for WSUS 3.0 on both the client and the server.
WSUS 3.0 SP2 Beta Overview
Software Updates
• Stability and reliability fixes for the WSUS server, such as support for IPV6 addresses greater than 40 characters.
• The approval dialog now sorts computer groups alphabetically by group name.
• Computer status report sorting icons are now functional in x64 environments.
• Fixed setup issues with database servers running Microsoft® SQL Server® 2008.
EXTRAS
• MBSA: Scan for vulnerabilities and look for patches
• Malicious Software Removal Tool
• Microsoft Security Assessment Tool
Microsoft Technical Security Notifications
• http://technet.microsoft.com/nl-be/security/dd252948(en-us).aspx
END