Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Roberta Bragg

نسخه متنی -صفحه : 194/ 136
نمايش فراداده

Maintenance Strategies for Patch Management

Patch management should be a part of your organization's formal change control process but should have its own set of rules and processes. Patch management should be defined separately because it is much more time-dependent than most change requirements. A new software upgrade often has some flexibility in its implementation plan. However, an announced vulnerability is often followed by an attack that uses it. The timeframe allowed for the application of security patches is the time between the patch availability and the attack. However, no one knows when an attack will occur, and the timeframe is getting increasingly shorter. Patch management should include processes to update all servers, devices, and applications on your network; however, the tools described here are native Windows tools that can be used to update Windows Server 2003.

Patch Management Process

Many products and software processes can be used to update Windows Server 2003 with security patches. However, the process of patch management is not just patch application. The process of patch management can be split into three steps:

1.

Monitor

2.

Evaluate

3.

Act

Monitor

The first step is gaining knowledge by monitoring security sites and lists. Sign up for Microsoft security bulletins at Chapter 18.

Best Practices for Managing Security Vulnerability Announcements

1.

Verify the source. For example, Microsoft bulletins never include attachments. Microsoft bulletins are signed using Pretty Good Privacy (PGP). You can download the Microsoft Security Bulletin key from www.microsoft.com/technet/security/bulletin/notify.asp. You need PGP software to verify the authenticity of the PGP bulletin signature, but PGP software can be obtained for free.

2.

Paste links within publications in a browser instead of clicking them directly. This helps ensure that the links direct you to a Microsoft or other site that you trust.

3.

If you have any questions, visit the Microsoft web site and read the bulletin there.

4.

Always locate and read any supporting documentation that will help you understand the nature of the potential vulnerability.

5.

Monitor security lists for any discussions of the vulnerabilities, including problems with patches, workarounds, etc.

6.

Seek understanding of the vulnerability and the possibility of workarounds, external protection, or other circumstances that may extend the time available to consider the need for the change.

7.

Consider the impact of the vulnerability. Not all vulnerabilities are rated the same.

8.

Consider the recommendation. If vulnerabilities are severe or if there is a greater likelihood for exploitation, advice on immediate installation will be included.

Evaluate

Whether or not you should make a change or apply a patch is based on a number of factors, including your organization's policy on security maintenance. In general, the decision of whether and when is based on evaluating the following issues:

Does the security issue apply to your systems? For example, a change that should be made to Windows 2000 systems is of no concern if Windows 2000 computers are not part of your network. Nor is change for Microsoft Office of interest to you if your only responsibilities are Windows Server 2003 servers, unless these servers in some way are responsible for the security of desktops that run Microsoft Office, such as if Group Policybased Microsoft Office administrative templates are used to assist in the lockdown of Office applications, and the modification is related to those administrative templates. Any reported Windows Server 2003 operating system vulnerabilities and applicable patches or configuration changes, however, must be evaluated.

Will the recommended change or patch cause other problems? The change, for example, may recommend disabling a specific service. However, you may rely on that service for critical operations. There is also no guarantee that a patch will not cause a new problem or issue. Although patches are thoroughly tested, it would be impossible to guarantee that no conflict or possible problem will result from the application of the patch. To determine if a patch is safe for use across all servers, test them on servers configured in the same manner.

How immediate is the need for the patch? In most cases, the announcement of vulnerability is based on research into the possibility of an exploit, not the existence of attacks in the wild. This means that although there is a need to respond, there is time to evaluate, test, and make the change as part of a regularly scheduled change process, instead of a knee-jerk reaction. In addition, many recommended changes or patches will be rated and a distinction made between a critical patch that needs to be made quickly and a patch or change that has less immediacy.

Zero-Day Attacks

A zero-day attack is one in which the attack code is used to attack systems either before or on the same day that the vulnerability is announced. A patch may or may not be ready. Therefore, there is no time to test a patch. The risk of possible patch issues must be weighed against the risk of a successful attack. The risk may be mitigated by other security practices.

What additional protective measures or workarounds can be put into place? In many cases, firewalls can protect systems from an external attack. This does not mean that the recommended change or patch should not be applied; instead, it means that the other protection can buy time while the change is appropriately researched.

In addition to these considerations, if it is decided that the patch should be applied, before you apply it in a production environment, test its application and function on test computers configured similarly to your production systems.

Act

Patches and changes always will need to be made before any action is required, although you should determine how the changes will be made and put into place in any necessary infrastructure. Several possible methods exist for each type of change in:

Direct application to a single machine by running the executable provided

Using Windows Update site

Using Automatic Updates

Using Software Update Services

Using Systems Management Server (SMS) to apply the patch

Should You Update Computers That Are Not Exposed to the Internet?

Some will ask why updates are important on a network that is not exposed to the Internet. Updates correct software errors that might be exploited, thereby compromising the computer. They may also simply prevent annoying problems with software, problems that might cause a reboot or cause some software to fail. For these reasons alone, it may be desirable to apply applicable updates after testing. However, there is another reason for applying updates: the source of an exploit might not be the Internet.

Patching Processes

Part of your security maintenance plan should be the establishment of policy and procedures for applying patches.

Directly Applying Patches

You can directly apply a single patch to a single machine or create your own scripts for applying multiple patches. In most cases, applying a single patch is accomplished by double-clicking the patch executable. Patches can be obtained by visiting the Windows Update site or by visiting the Microsoft Download Center. To obtain a patch from the download center, follow these steps:

1.

Enter the URL for the download center or select Download from the menu on the Microsoft home page.

2.

In the Keywords box, enter the Knowledge Base (KB) number from the article that describes the patch. Alternatively, you can select the product from the Product/Technology drop-down list and click Go to see a list of the available downloads.

3.

Click the software update desired.

4.

Click the download link or follow the instructions on the download page.

Using the Windows Update Site

The Windows Update Site is a reasonable solution for small businesses with a couple of Windows Server 2003 computers. However, these businesses will have to schedule a time when they manually request the updates. The site allows an individual to automatically have a single system evaluated for the need to update and then, with a click of a button, have the updates downloaded and applied. The major advantages of Windows Update are that additional updates and drivers are also identified and that you can select which updates to apply. The disadvantage is that you must manually request the scan, which is a time-consuming operation if more than a couple of servers must be updated. Other drawbacks include the fact that the user must have administrative privileges on the computer, the user must be knowledgeable about his systems to consider which changes should be made, and no local testing is done.

To use Windows Update, follow these steps:

1.

If necessary, adjust the security settings in IE. You may need to add the Windows Update site *.windowsupdate.com to the TRusted Zone. You may need to adjust the Custom settings for the trusted Zone to accommodate this. Specifically, to use the Windows Update site, the use of an ActiveX control is necessary (by default, the TRusted Zone allows this).

2.

Use the Internet Explorer Tools menu and click Windows Update.

3.

Click Scan For Updates. After the scan is complete, a list of critical updates (security patches), Windows Server 2003 updates (updates to operating system utilities such as DirectX), and drivers is shown. To review the list, click the Review and install updates arrow, and they will be displayed, as shown in Figure 16-2.

Figure 16-2. The results of a Windows Update scan can be reviewed before installation.

[View full size image]

4.

Click Review and install updates.

5.

Review the proposed updates and click Remove to prevent the installation of any updates that you do not want to apply at this time.

6.

Click Install Now to install the updates.

7.

Review any supplemental EULAs presented and click Accept. (If you do not agree with the EULA, do not click Accept, but the update will not be installed.)

8.

Review any additional drivers or software updates and install if desired.

9.

When the update process is complete, close IE.

Using Automatic Updates

Automatic Updates can be configured to automatically download and install new updates to Windows Server 2003 from the Microsoft web site or from a local SUS server. Automatic Updates for Windows Server 2003 can be configured directly or managed via Group Policy. In fact, Group Policy can be used to manage Automatic Updates for many Windows systems if they are joined to the domain, including, the following:

Windows Server 2003

Windows XP Professional

Windows 2000 Service Pack 3 and above

Windows 2000 Service Pack 2 and Windows Automatic Update client

Manual Configuration

Manual configuration is via the Automatic Update Property page of the Control Panel System applet, as shown in Figure 16-3. The choices are as follows:

Turn on or turn off automatic updating.

Notify the logged on user when updates are available and notify before installing.

Automatically download updates and notify when they are ready for installation.

Automatically download and install updates according to a selected schedule.

Figure 16-3. Manually configure a single server for Automatic Updates using the Control Panel.

If the last option is selected, updating is totally automatic. You should, however, audit the application of updates. Periodic use of a tool such as Microsoft Security Baseline Analyzer should be used.

Automatic updating of servers, however, may not be a perfect solution. Although most patches do not cause problems, there will be occasional problems that may result in system downtime. This is not a good idea, especially if the servers involved are running mission-critical services or applications. It is always wise to test the addition of any patch on test systems before applying it in a production environment. However, in smaller organizations where test staff and systems do not exist, the risk of downtime due to malware or attacks that may take advantage of unprotected systems is far greater than the risk of downtime due to a problem with a patch.

Group Policy Configuration

The Group Policy Windows Update configuration is located in the Computer Configuration, Administrative Templates, Windows Components, Windows Updates section, as displayed in Figure 16-4.

Figure 16-4. Group Policy offers four categories of update configuration

[View full size image]

NOTE: SUS and Windows 2000

If Windows 2000 is used as the host for SUS, the wuau.adm administrative template must be added to the Group Policy to use these settings.

Each section is described in Table 16-1, which is followed by screenshots of each option.

Table 16-1. Windows Update Group Policy Configuration

Selection

Explanation

Configure automatic updates

If enabled, select one of three options:

1 Notify before download and before install

2 Download and notify before install (the default)

3 Automatically download and install according to entered schedule

Specify intranet Microsoft update service location

This option is used to point computers to an intranet location of a SUS server. If configured, the computer will use the SUS server to automatically download updates. If not configured, the computer will use Microsoft's update site for automatic updating.

Reschedule Automatic Updates scheduled installations

If enabled, and a scheduled update is not completed, the computer will attempt another update the number of minutes after reboot specified in this setting. If not configured or disabled, missed updates will be attempted at the next scheduled update. (If updates are not scheduled, this setting has no effect.)

No auto-restart for scheduled Automatic Updates installations

Some updates require reboots. This setting can be used to prevent an automatic restart. The computer will need to be manually restarted to complete the installation of the update. (If updates are not scheduled, this setting has no effect.)

Configuring Automatic Updates is displayed in Figure 16-5, SUS server location in Figure 16-6, updating missed updates in Figure 16-7, and preventing auto-restarts in Figure 16-8.

Figure 16-5. Configure Automatic Updates.

Figure 16-6. Change to a SUS server as the location for updates.

Figure 16-7. Update missed scheduled updates.

Figure 16-8. Prevent auto-restarts after scheduled updates.

Using SUS

Software Update Services (SUS) is a free security patch updating system that offers the best features of automatic updating and yet provides the opportunity to select which updates will be applied. Using SUS can also reduce bandwidth requirements for Internet access because only one computer needs to download patches over the Internet. In its simplest form, a single SUS server exists as a locally approved source of official Microsoft operating system security patches that can be used by configured clients for automatic updates. Windows XP, Windows 2000, and Windows Server 2003 computers can be updated. Organizations with complex, large, or geographically dispersed networks can use multiple SUS servers to meet their needs. It is possible to link SUS servers in SUS hierarchies and manually transfer approved updates to a SUS server that exists within an isolated network (a network with no Internet connectivity).

TIP: SUS Only Applies MS Updates

SUS cannot be used to apply configuration changes or to apply software updates that are not provided by Microsoft. All updates are signed. If you attempt to manually add an update to the SUS server, the update will not be applied to clients.

The basic scenario works like this:

1.

SUS server software is installed on a Windows Server 2003 (or Windows 2000 server) computer and configured to download Microsoft security patches and service packs.

2.

After the initial download in which all current patches and service packs are downloaded via the Internet (a choice of languages is provided), the SUS server can be scheduled to automatically download all security updates from Microsoft as they become available or set for manually update only. An administrator can sign up for email notification of new downloads.

3.

An administrator selects which security patches and service packs the SUS server will allow clients to obtain. (Updates should be tested via the organization's normal test process before they are approved for the production network.)

4.

An administrator configures clients for automatic updating and points them to the SUS server using either the local Control Panel configuration or Group Policy.

5.

Clients connect to the SUS server and download and apply updates.

6.

An administrator must develop a way to audit whether patches are being applied.

Using SUS Hierarchies

SUS hierarchies are collections of SUS servers that are linked together to better serve an organization's update requirements. The root or parent SUS server downloads the security patches from Microsoft. Other SUS servers use this server as their source for updates. Each server can be configured to provide a different set of security patches or can simply provide alternative local locations for obtaining patches. Group Policy can be used to point the computers with accounts in different OUs to different SUS servers, thus distributing the download load. A simple SUS hierarchy is displayed in Figure 16-9.

Figure 16-9. A SUS hierarchy can be used to provide multiple locations for local patch downloads.

[View full size image]

Figure 16-10 illustrates another use for a SUS hierarchy. In this figure, a parent SUS server downloads patches from Microsoft while two child SUS servers offer updates to either a test network or the production network. The test network SUS server is used to make available patches for the clients on the test network. After the patches are tested, they are approved for download on the production network SUS server. This arrangement allows automatic updating of multiple test clients that match production configuration. Patches can be tested on many different configurations automatically, thus making the testing process more efficient.

Figure 16-10. Use a SUS hierarchy when a large test network is used.

Securing the SUS Server

The SUS server should be secured to prevent possible compromise or simple accidental misuse. In addition to keeping the SUS server behind a firewall and hardening it in the normal fashion, three specific operations should be considered.

Limit the number of administrators Only those administrators who are members of the local SUS server Administrators group can administer SUS. Because the Domain Admins group is a de facto member of the local Administrators group, consider removing it, and in its place, add a custom local group to which you add approved SUS administrators. Don't forget to add the new group to the local Administrators group.

Don't host other web sites on the SUS server The SUS server is the source of your approved patches, and access to this server should be restricted. When additional web sites are authorized on this server, users will have the right to log on locally, anonymous access may be provided, and the risk of compromise increases.

Use SSL to protect the update process Using SSL ensures that the server is authenticated. Because clients are configured to use a specific SUS server, if SSL is required, the SUS site cannot be spoofed, and clients will not download updates from a SUS server that cannot provide the proper credentials. Obtain an SSL certificate for and add to the local IIS. Do not require SSL for the web site; instead, require SSL for access to the following directories:

\autoupdate\administration

\autoupdate\dictionaries

\Shared

\Content\EULA

\Content\RTF

Installing and Configuring SUS

SUS is not difficult to install and configure. The software can be downloaded for free from the Windows download site for use on a licensed server. Before installing SUS, check to ensure that the server meets SUS requirements. The requirements are as follows:

A minimum of a Pentium 700 MHz or equivalent.

512 MB RAM.

Network adapter.

NTFS partition of at least 100 MB free space for SUS installation.

Minimum of 6 GB storage for updates.

Microsoft Windows 2000 Server service pack 2 or later or Windows Server 2003. The server can be a member server, a domain controller, or a Windows Small Business Server.

Microsoft Internet Information Services.

Microsoft Internet Explorer 5.5 or later.

TIP: SUS Demo

You can watch a demo of the SUS installation at http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20030925TNT1_95d1/manifest.xml.

To install SUS, follow these steps:

1.

Turn off anti-virus software during the installation of SUS software.

2.

If the SUS server will be a domain controller, promote the computer to domain controller before installing SUS. (Otherwise, you will not be able to uninstall SUS should this become necessary.)

3.

If you do not want the default web site to host the SUS server, disable or remove the default web site and create a site to host SUS. The SUS server should not host another web site.

4.

Double-click the SUS software executable. After a couple of minutes, the Welcome screen of the installation wizard appears. Click Next.

5.

Read the license agreement if you agree, check I accept the terms in the License Agreement, and then click Next.

6.

Chose Typical or Custom installation and click Next. The custom installation process allows you to select the location for installation SUS and SUS updates or direct SUS clients to a Microsoft Windows Update Server, as shown in Figure 16-11. (You can still indicate which security patches clients should download and install.)

Figure 16-11. Select a custom installation in order to change SUS installation location or redirect clients.

7.

Choose the languages of the patches that you want to download, as shown in Figure 16-12. If you do not specify, all updates in all languages will be downloaded by default. Choices are English, all languages, or specifying the languages to download.

Figure 16-12. Choose the language of software updates to download.

8.

Click Next.

9.

Select Update approval settings, either automatically approve new versions of previously approved updates or require manual approval of new versions of approved updates.

10.

Review the download URL. Client computers should use the URL to download updates; typically, the name is http://name of the SUS server.

11.

Click Install to install SUS. Installation may take several minutes.

12.

At the completion screen, click Finish, and Internet Explorer opens to the SUS site on the SUS server at http://localhost/SUSAdmin/, as shown in Figure 16-13.

Figure 16-13. The SUS Administration site.

[View full size image]

To configure SUS, follow these steps:

1.

Open IE and use the URL http://localhost/SUSAdmin.

2.

Click Set Options to review and configure settings.

3.

If required, configure proxy settings, as shown in Figure 16-14. By default, SUS is set to automatically detect proxy server settings. You may also click Do not use a proxy server to access the Internet if you do not use a proxy server.

Figure 16-14. Review settings and modify as necessary.

[View full size image]

4.

In the Select which server to synchronize content from: area, check the computer name that clients will use in their automatic update configuration.

5.

Scroll down if necessary and, if required, point the SUS server to another SUS server.

6.

Check language settings.

7.

Click the Apply button if settings have been changed. A popup confirms that settings have been saved. Click OK.

8.

Click Synchronize server, and then click the Synchronization Schedule button.

9.

Create a schedule for downloading patches or set SUS to Do not synchronize on a schedule as shown in Figure 16-15, and then click OK.

Figure 16-15. Set a schedule, or no schedule, for downloading updates.

10.

Click the Synchronize Now button to download the current security patches. Because this is the first download, this process can take a long time.

11.

Test updates.

12.

After testing specific updates, use the Approve Updates section and click to select the updates that clients should download and install.

WARNING: Choose the Language for SUS Downloads

Microsoft produces updates in many languages. The default setting for SUS is to download all updates in all languages. To reduce the time it takes to download changes, and to reduce the disk space necessary for updates, download only the languages that you need.

Configure Clients for SUS Automatic Updates

Windows XP Professional and Windows Server 2003 have Automatic Update clients installed as part of the OS, but earlier versions do not. A version of the client for Windows 2000, however, is available for download. SUS service pack 1 requires updates to some original Automatic Update clients. Table 16-2 lists Windows clients that can receive automatic updates via SUS and those that may need an additional update when SUS SP1 is used. If Windows systems have been kept updated with service packs, no download is required.

Table 16-2. Client Requirements for SUS and SUS SP1

Client

Automatic Update for SUS

Automatic Update for SUS SP1

Windows 2000

Download available when SUS released

Windows 2000 clients with out service pack 2 need the new client download.

Windows XP Professional

Built into OS

Windows XP without SP1 need the new client download.

Windows Server 2003

Built into OS

Built into OS.

If Automatic Update clients are up-to-date, configure them to point to SUS. You need the wuau.adm administrative template file. This file is installed in the %systemdrive%\inf folder when Automatic Updates is installed.

In a managed environment, update clients are configured using Group Policy. However, the Local Group Policy object can be used in test or non-Active Directory environments. To use the Local Group Policy object, open it in the Group Policy console. In an Active Directory environment, create and link a GPO to the OU where computer accounts to be updated live:

1.

From Start, Run enter gpedit.msc to load the Group Policy console. (Alternatively, use the Group Policy Property page of the OU in Active Directory or the Group Policy Management console to work in an Active Directory domain.)

2.

Expand the Computer Configuration node and right-click Administrative Templates.

3.

Click Add/Remove Templates and click Add.

4.

Enter the path for the wuau.adm file (%systemdrive%\ %windir%\inf\wuau.adm).

5.

Click Open and click Close to load the file.

6.

Navigate to the Windows Components container under Administrative Templates and select the Windows Update node.

7.

The settings for each policy are defined in Table 16-1. Set the download options as defined in Table 16-2. If this policy is configured, Automatic Update settings on the client are disabled. If this policy is disabled, automatic updates cannot occur, and updates must be added in another manner.

8.

Open the Specify intranet Microsoft update service location policy and enter the URL for the SUS server in the Set the intranet update service for detecting updates: and Set the intranet statistics server: text boxes. (Statistics are logged in the IIS logs of the designated statistic server. This can be a different server than the SUS server, but it must be running IIS. If multiple SUS servers are used, you may want to point them all to a single IIS server for centralized logging.)

If Active Directory will not or cannot be used to set update configuration, registry entries can be used. You need to manually create the RegDWORD keys, shown in Table 16-3, at the location HKEY_LOCAL_ MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU.

Table 16-3. Registry Keys for Updates

Key

Description

Range

RescheduleWaitTime

Enter the time in minutes to wait before beginning an installation after the scheduled time for the installation has passed.

160

NoAutoRebootWith LoggedOnUsers

Offers logged on users a choice.

Set to 1 to allow them a choice in rebooting or not.

NoAutoUpdate

Enable or disable AutoUpdates.

1 = disabled; 0 = enabled

AUOptions

Downloading options.

2 = Notify of download and installation; 3 = Automatically download and notify of installation; 4 = Automatic download and schedule installation

ScheduledInstallDay

Set a day for installation.

0 = Every day; 1 to 7 = Day of week from Sunday = 1 to Saturday = 7.

ScheduledInstallTime

Set a time for installation.

Time of day in 24 hour format.

UseWUServer

Enable use of SUS server entered in the Windows Update section.

1 = enabled.

To set the location of the SUS server, two keys at HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Windows\WindowsUpdate must be set:

The URL of the SUS server should be entered in the key WUServer.

The URL of the SUS statistic server should be entered in the key WUStatusServer.

Preparing and Using an Offline SUS

An offline SUS server is a SUS server with no connection to the Internet. This SUS server does not require IIS and is configured to use updates provided by a content management server. This server can be used to provide update access to clients on a network that is not connected to the Internet. To configure such a server, follow these steps:

1.

Prepare a content management server by installing IIS 5.0 or later. The content management server acts as a SUS distribution point. It is a server that will run IIS 5.0 or later, but not necessarily SUS.

2.

Create an IIS virtual directory named Content. (Create a \Content folder on a drive and use this for the virtual directory. The drive should have sufficient space for the updates.)

3.

Copy the following content from a running SUS server to the content management server's \Content folder.

From the root of the SUS web site, copy the autocatalog.cab, approveditems.txt, and aurtf.cab files.

From the SUS web site, copy files and folders from the \Content\cabs folder.

4.

Install a SUS server on the isolated network.

5.

On the SUSAdmin page, click Set options, and scroll to the Select which server to synchronize content from area. Enter the name of the content management server, as shown in Figure 16-16.

Figure 16-16. Point the isolated SUS server to the content management server.

[View full size image]

6.

Configure computers on the isolated network to obtain their updates from the SUS server located on the isolated network.

WUSAn Improved SUS

A new version of SUS called Windows Update Services (WUS) will soon be available. It offers more functionality and the ability to provide patches for more Microsoft applications.

Changes to Client Patch Management Strategies with Windows XP SP2

Although this book is about Windows Server 2003, many of its features work best with Windows XP, and changes announced and released for Windows XP in SP2 will probably be available in SP1 for Windows Server 2003. Patch management via SUS is enhanced with Windows XP SP2, although many features cannot be used until the release of WUS. The following new features are part of Windows XP SP2:

Windows updates for drivers and other applications are supported.

A new option, Install updates and shutdown option to the Shut Down Windows and Turn off Computer dialog box, makes it easier to deploy updates with less inconvenience for users.

Improvements to Background Intelligent Transfer Service (BITS), which is used during patch download, means improved bandwidth efficiency. BITS can be configured to download updates during a specific time, which means they can be scheduled for periods of lower network use. BITS can be configured to use only a portion of the available bandwidth and only the part of a file that has changed. BITS can recover from network failures.

Additional scheduling options are available, such as administrator notification and the receipt of previously declined and hidden updates.

Updates to the Automatic Updates components can be done automatically.

Updating rules provide better filtering of updates, such as preventing the download of an update meant for a different version of the OS.

These new update configurations are represented by new registry key changes and updates to Group Policy. For a complete list of registry keys and values for these settings, see the document "Changes to Functionality in Microsoft Windows XP Service Pack 2" at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2maint.mspx. There are four changes configurable by using Group Policy: three new policies under the Windows Components\Windows Update folder, and one in the Network\Background Intelligent Transfer Service node. The new Windows Updates policies are listed in Figure 16-17. Registry keys and Group Policy settings are only applicable for Windows XP SP2 computers.

Figure 16-17. Three new Windows XP SP 2 Group Policy options for Windows Update.

[View full size image]

Do not display "Install Updates and Shut Down" option in Shut Down Windows dialog box determines if this new options appears when the Shut Down box is displayed. When this option is enabled, the new shut down option is not displayed; if disabled or not configured, the option is displayed.

Do not adjust default option to "Install Updates and Shut Down" in Shut Down Windows dialog box controls what shut down option is the default. If this option is enabled, the user's last shut down choice is the default; if disabled, the Install Updates and Shut Down option is the default.

Enable client-side targeting determines the update group assigned to the client. If enabled, the update group can be included, as shown in Figure 16-18. The client update group is only used if the WUS is installed and configured to use update groups. Update groups enable targeting of clients for specific updates.

Figure 16-18. The client update group is only used if WUS is installed.

The Maximum network bandwidth that BITS uses policy enables configuration of bandwidth management, as shown in Figure 16-19.

Figure 16-19. Manage update bandwidth utilization using BITS.

[View full size image]

Using SMS

SMS 2003 adds and improves upon the patch management features made available for SMS 2.0 in the Software Update Services Features Pack. The feature pack added security patch management capability to the Microsoft Systems Management Server 2.0 server. Security patch management is integrated with SMS inventory and software distribution and provides automated deployment of Microsoft Office and operating system software updates and is integrated with SUS. Administrators must still test and approve patches. The Microsoft Baseline Security Analyzer (MBSA) can also be distributed via SMS, as can the client for patch downloads. The command-line version of MSBA is used by the client to do a patch inventory (using the list approved by SMS administrators) and provide that information to SMS. The SMS client can be used to download and install the appropriate patches. Only authorized updates will be applied. The status of updates, including successful and failed updates, is also reported. The advantage of using SMS for patch management is that SMS provides patch inventory information. This information allows the administrator to see which computers need which patches, but it also allows him or her to discover problems. If patches are not being installed, the inventory will still show unpatched systems, even though the patches have been approved.

Best Practices for Service Pack and Security Patch Application

Consider risk. The risk of applying the service pack or security patch should be less than the risk of not applying it. In most cases, the risk is greater if they are not installed; however, you should test patches and service packs in your organization before deploying them.

Devise and follow a change control practice.

Read all documentation.

Apply updates as needed. Evaluate whether all products need the updates.

Test.

Have a plan for recovering in case there are problems. Understand how to uninstall the patch or service pack and, in worse cases, how to recover the system from a backup.

Ensure consistency across domain controllers; in other words, if there is some reason for not applying a service pack or update on one domain controller, do not apply it on others. You should follow this practice to eliminate possible replication and synchronization problems.

Where possible, provide consistency across member servers and domain controllers.

Schedule backups of systems before patch application.

Warn help desks and user groups of potential server downtime.

Make patch and pack management proactive. Schedule service pack and patch maintenance as a regular part of network administration, not as a reactive process.

Target non-critical servers first after testing. However, keep in mind that when a large number of servers must be updated, and the risk of compromise is high, servers at higher risk may need to be updated before those at less risk, even though at-risk servers may be critical servers. Again, weigh the risk of applying the patch against the risk of not applying it.

Ensure that security patches are applied to servers that already have the correct service pack deployed. Security patches are eventually included as part of a service packif the service pack has been installed, there is no need to install the patches. The reverse is true as wellsecurity patches may assume that a specific service pack has been installed. They should not be installed if the service pack has not been. In most cases, if you attempt to install patches when they are not necessary or when the requisite service pack is not installed, you will be warned, and the installation will fail. However, you should do your part.

When possible, install service packs instead of multiple security patches, but do not wait for service packs when security patches are announced. Evaluate the need for their application.