wat is nu eigenlijk: windows update en wsus - cevi-users

Centrum voor Informatica NV

Wat is nu eigenlijk:"Windows Update" en "WSUS"

Van Hecke Vincent


Microsoft Patch Management

Van Hecke Vincent


Topics

� Terminologie

� Hoe Microsoft zijn software “fixed”.

� Overzicht technologiën en producten:� Overzicht technologiën en producten:

� “Automatic Updates” of “WSUS”?

� WSUS

� Extra’s: MBSA,…


TERMINOLOGIE

http://technet.microsoft.com/en-us/library/cc700845.aspx

http://support.microsoft.com/kb/824684


Important Security Terms

Term Definition

Vulnerability Software, hardware, a procedural weakness, a

feature, or a configuration that could be a weak point exploited during an attack. Also called an exposure.exploited during an attack. Also called an exposure.

Threat A source of danger.

Attack A threat agent attempting to take advantage of

vulnerabilities for unwelcome purposes.

Countermeasure Software configurations, hardware, or procedures

that reduce risk in a computer environment. Also

called a safeguard or mitigation.


Software Vulnerabilities

Term Definition

Buffer overrun

(overflow)

An unchecked buffer in a program that can

overwrite the program code with new data. If the program code is overwritten with new executable program code is overwritten with new executable

code, the effect is to change the program's operation as dictated by the attacker.

Privilege elevation

(escalation)

Allows users or attackers to attain higher privileges

in certain circumstances.

Validation error

(source code)

Allows malformed data to have unintended

consequences.


Vulnerability Severity Ratings

Rating Definition

CriticalA vulnerability whose exploitation could allow the

propagation of an Internet worm without user action.

A vulnerability whose exploitation could result in

Important

A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability

of users' data, or of the integrity or availability of

processing resources.

ModerateExploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of

exploitation.

LowA vulnerability whose exploitation is extremely difficult, or whose impact is minimal.


STRIDE Model of Threat Categories (1/2)

Term Definition

Spoofing

identity

Illegally obtaining access and use of another person's

authentication information, such as a user name or password.password.

Tampering

with dataThe malicious modification of data.

Repudiation

Associated with users who deny performing an action,

yet there is no way to prove otherwise.(Non-repudiation refers to the ability of a system to counter repudiation

threats, and includes techniques such as signing for a

received parcel so that the signed receipt can be used as evidence.)


STRIDE Model of Threat Categories(2/2)

Term Definition

Information

disclosure

The exposure of information to individuals who are not

supposed to have access to it, such as accessing files without having the appropriate rights.without having the appropriate rights.

Denial of

service

An explicit attempt to prevent legitimate users from

using a service or system.

Elevation (Escalation) of

privilege

Where an unprivileged user gains privileged access. An

example of privilege elevation would be an unprivileged user who contrives a way to be added to the

Administrators group.


Threat Agents (1/3)

Term Definition

Virus

An intrusive program that infects computer files by

inserting copies of self-replicating code, and deletes critical files, makes system modifications, or performs

Viruscritical files, makes system modifications, or performs

some other action to cause harm to data on the computer or to the computer itself. A virus attaches

itself to a host program.

WormA self-replicating program, often malicious like a virus, that can spread from computer to computer without

infecting files first.

Trojan horseSoftware or e-mail that professes to be useful and benign, but which actually performs some destructive

purpose or provides access to an attacker.


Threat Agents (2/3)

Term Definition

Mail bomb

A malicious e-mail sent to an unsuspecting recipient.

When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious program, the mail bomb performs some malicious

action on their computer.

Adware

Any software application or program in which

advertising banners are displayed or Pop-up windows

appear while the program is running. Adware is considered "Spyware" and is installed without the

user's knowledge.


Threat Agents (3/3)

Term Definition

Any software that covertly gathers user information

through the user's Internet connection without his or her knowledge, usually for advertising purposes. … Once

Spyware

knowledge, usually for advertising purposes. … Once

installed, the Spyware monitors user activity on the Internet and transmits that information in the

background to someone else. Spyware can also gather

information about e-mail addresses and even passwords and credit card numbers. Spyware is similar

to a Trojan horse in that users unwittingly install the

product when they install something else. A common

way to become a victim of Spyware is to download certain peer-to-peer file swapping products that are available today.


“Microsoft is committed to protecting customers from security

HOE MICROSOFT ZIJN SOFTWARE “FIXED”

“Microsoft is committed to protecting customers from security vulnerabilities. As part of this effort, Microsoft makes available periodic releases of software”.

Meer info: Google "Trustworthy Computing"


MSRC Security Bulletin


OVERZICHT TECHNOLOGIEËN EN PRODUCTEN


• WU: Windows Update

• MU: Microsoft Update

• MOU: Microsoft Office Update• MOU: Microsoft Office Update

• WSUS: Windows Server Update Services

• SCCM: System Center Configuration Manager

• MUC: Microsoft Update Catalog


Windows Update


Microsoft Update


Via Office toepassing


Via Windows Update

Centrum voor Informatica NV Vergelijking

Microsoft Update Windows Update


De weg terug naar Windows Update

Want eens de agent gekozen voor MU, blijft deze actief tot de WU agent terug wordt geïnstalleerd.


Microsoft Office Update


Via Windows Update


Het update proces


Het update proces: type updates

• High priorityCritical updates, security updates, service packs, and update rollups.

• Software (optional)Non-critical fixes for Windows programs

• Hardware (optional)Non-critical fixes for drivers and other hardware devices


Express vs Custom

• Express (recommended) displays all high priority updates for your computer so that you can install them with one click. This is the quickest and

easiest way to keep your computer up to date.

• Custom displays high priority and optional updates for your computer. You review and select the updates that you want to install, one by one.


De (ongekende?) opties


WSUS


Situering


Meerdere WSUS servers


Voordelen WSUS

• Beter beheer van Microsoft Updates, vooral in grotere omgevingen.

• Rapportering• Rapportering

• Mogelijks minder trafiek over de internetlijn, indien gebruik makend van centraal repository


SCCM


SCCM

SCCM is eigenlijk grote broer van WSUS. De extra features in SCCM zijn:

• Inventaris management• Inventaris management

• Geavanceerde rapportering

• Mogelijkheden om systemen te beheren vanopafstand


SCCM


Microsoft Update Catalog


Windows Update Catalog


AUTOMATIC UPDATES OF WSUS?


The Microsoft way…

CustomerType

ScenarioCustomerChoice

Large or

The organization wants a single, flexible

update management solution with an Large or Medium

Enterprise

update management solution with an

extended level of control that enables them to update (and distribute) all Windows operating

systems and applications and also includes

an integrated asset management solution.

SCCM

Large or Medium

Enterprise

The organization wants a solution for update

management only that provides simple

updating for Microsoft software—initially supporting Windows 2000 and later

supporting Office 2003, Office XP, Exchange Server 2000 and later, SQL Server 2000 and later.

WSUS


The Microsoft way…

Customer Type Scenario Customer Choice

Small Business

The business has at least

one Windows server and

one IT administrator.

WSUS

one IT administrator.

Small Business All other scenariosMicrosoft Update or

Windows Update

Consumer All other scenariosMicrosoft Update or

Windows Update


Automatic Updates


Best practise indien: “Automatic Updates”

Installeer overal de

Microsoft Update

agent (zodat alle agent (zodat alle

software wordt ge-

update)


WSUS

• Meer mogelijkheden

• Vergt ook onderhoud

• Server nodig• Server nodig


WSUS


Over WSUS


Over WSUS

• BITS = Background Intelligent Transfer Service

• WSUS bevat rapportagemogelijkheden

• WSUS kan op 2 manieren werken: • WSUS kan op 2 manieren werken: updates van WSUS halenupdates van internet halen

• Command Line mogelijkheden (wsusutil.exe)


Installatie documentatie

� Step-by-step guide

� http://www.microsoft.com/downloads/details.aspx?FamilyID=C8FA2FD1-72F6-4F19-A1B0-FamilyID=C8FA2FD1-72F6-4F19-A1B0-

F689DAE14BE6&displaylang=en


Installatie


Installatie

• Keuze poort is by default 80 maar kan 8530 zijn


Configuratie

Firewall!

• http://windowsupdate.microsoft.com

• http://*.windowsupdate.microsoft.com

• https://*.windowsupdate.microsoft.com • https://*.windowsupdate.microsoft.com

• http://*.update.microsoft.com

• https://*.update.microsoft.com

• http://*.windowsupdate.com

• http://download.windowsupdate.com

• http://download.microsoft.com

• http://*.download.windowsupdate.com

• http://wustat.windows.com

• http://ntservicepack.microsoft.com


Configuratie


Configuratie

Groepen…


Configuratie

De keuze is aan u:


Configuratie TIP


Configuratie TIP

• SSL?

• Do not store update file locally?• Do not store update file locally?

� Remote workers


Meer documentatie

• Operations Guide:http://www.microsoft.com/downloads/details.aspx?familyid=66D250FA-670F-4A49-95EC-

2FFDA7691F55&displaylang=en


WSUS Tips


WSUS Tips: Cloning machines

• Als een voor WSUS geconfigureerde machine wordt gecloned (via Ghost,…) dan moet er een registry keys worden verwijderd:

• HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

• HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate


WSUS Tips: Forefront

• Forefront gebruikt WSUS voor zijn updates. Dus GPO setting bepaald frequentie voor het zoeken naar nieuwe virusdefinities. Standaard 22u, best

op 1u zetten.

• Optie “Allow automatic update immediateinstallation” enabled. Zodat de virusdefinities worden geïnstalleerd zonder schedule in te stellen

• Zet wel nog een (dagelijkse?) schedule in voor de product updates.


WSUS Tips: Performantie issues

• svchost/msi performance issue both KB927891 and the new 3.0 client needed

• http://blogs.technet.com/wsus/archive/2007/04/28/

update-on.aspx


WSUS Tips: Client logging

• Start, then click Run, type WINDOWSUPDATE.LOG and then click OK.Logging from bottom up.

• WindowsUpdate.log • Is the v6 version

• windows update.log

• Is the v4 version

http://support.microsoft.com/kb/902093


WSUS Tips

• 0x80072EE2 – 0x80072F78 – 0x80072F76 –0x80072EFD� 836941 - You receive an "Error 0x80072EE2" or � 836941 - You receive an "Error 0x80072EE2" or

"Error 0x80072EFD" error message when you try to

use Windows Update

� Add Windows Update Web sites to the Trusted

Sites list


WSUS Tips

• 0x80070424� How to troubleshoot problems accessing secure

Web pages with Internet Explorer 6 Service Pack 2 Web pages with Internet Explorer 6 Service Pack 2

(870700)

� This Windows Update error code is caused by

unregistered DLL files for Windows Update or

Internet Explorer. On Windows XP SP2 and later

this may be resolved using the “iexplore /rereg”

command.


WSUS Tips

• 0x80244001/0x800A01AD� These Windows Update error codes can be caused

by a damaged Windows XP XML subsystem. The by a damaged Windows XP XML subsystem. The

first step to take is to reregister this component

using the command “regsvr32 msxml3.dll”. If this

does not resolve the issue, check for more recently

updated MSXML Parser and MSXML components

from the following link:

http://www.microsoft.com/downloads/results.aspx?productID=&freetext=msxml&DisplayLang=en


WSUS Tips

• When accessing the Update site, you receive the 0x800A01AE error.� This issue may happen if the current session of Internet

Explorer has cached an older version of Wuapi.dll� Re-register the Windows Update DLL with the commands � Re-register the Windows Update DLL with the commands

below � Click Start, click Run, type cmd, and then click OK.

� Type the following commands. Press ENTER after each command.regsvr32 wuapi.dllregsvr32 wuaueng.dllregsvr32 wuaueng1.dllregsvr32 wucltui.dllregsvr32 wups.dllregsvr32 wups2.dllregsvr32 wuweb.dll


WSUS Tips

• 0x80248011� This Windows Update error code is normally related

to inconsistent or damaged information in the to inconsistent or damaged information in the

c:\windows\softwaredistribution folder. Stopping the

Automatic Updates service then renaming the

c:\windows\softwaredistribution folder to SDOLD

then restarting the Automatic Updates service

normally is the fix for this issue.

Note: Renaming this folder will clear the display of

previous successful and failed updates.


WSUS Tips

• 0x800B0001� This Windows Update error code is related to 3

particular DLL files that are not registered in particular DLL files that are not registered in

windows correctly. Registering the following files

with REGSVR32 normally fixes this issue:

� Softpub.dll

� Mssip32.dll

� Initpki.dll


WSUS Tips

• 0x8024402C� This Windows Update error can be caused by a

damaged installation of BITS and corrupted damaged installation of BITS and corrupted

information in the SoftwareDistribution folder. The

solution is normally to re-download the BITS

updates (KB883357 and KB842773) from the

Microsoft.com website, then stop the Automatic

Updates service and rename the

SoftwareDistribution folder to SDOLD. Reboot the

computer and return to Windows Update.


WSUS Tips: Client Firewalls

• Most third party firewalls such as Norton Personal Firewall block SVCHOST (Generic Host Process Win32) communication by default. This can cause

issues with Windows Update as SVCHOST communication is required by the Windows Update client to connect to the Windows Update Servers on the internet.


WSUS Tips: Diag tools

• Client diag tool

• Server diag tool

http://technet.microsoft.com/en-us/wsus/bb466192.aspx


WSUS Tips

• To enable site tracing for a single visit to the Windows Update site, add “&dev=true” to the end of the URL, as in the example below:

http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en&dev=true


WSUS Tips

• Backup?


WSUS Links

• http://technet.microsoft.com/en-us/wsus/default.aspx

• http://www.wsus.info/• http://www.wsus.info/

• http://blogs.technet.com/wsus/default.aspx

• http://www.wsuswiki.com/


WSUS 3.0 SP2 Beta Overview

New Windows Server and Client Version Support

• Integration with Windows Server® 2008 R2

• Support for Windows 7® client• Support for Windows 7® client

• Support for the BranchCache feature on Windows Server® 2008 R2



WSUS Beta Feature Improvements and Fixes

Auto-Approval Rules

• New functionality lets you specify the approval • New functionality lets you specify the approval deadline date and time.

• You can now apply a rule to all computers or to specific computer groups.

Cross-Version Compatibility

• The user interface is compatible between Service Pack 1 and Service Pack 2 for WSUS 3.0 on both the client and the server.



Software Updates

• Stability and reliability fixes for the WSUS server, such as support for IPV6 addresses greater than such as support for IPV6 addresses greater than

40 characters.

• The approval dialog now sorts computer groups alphabetically by group name.

• Computer status report sorting icons are now functional in x64 environments.

• Fixed setup issues with database servers running Microsoft® SQL Server® 2008.


EXTRA’S


• MBSA: Scan for vulnerabilites and look for patches

• Malicious Software Removal Tool

• Microsoft Security Assessment Tool• Microsoft Security Assessment Tool


Microsoft Technical SecurityNotifications

• http://technet.microsoft.com/nl-be/security/dd252948(en-us).aspx


EINDE

wat is nu eigenlijk: windows update en wsus - cevi-users

Documents