
Progress to Date (July 2004)

Informed & Prepared Customers
• Rationalized patch severity rating levels
• Better security bulletins and KB articles
• Security Guidance Kit; Patch Management guidance, etc.
• Security Mobilization Initiative – 500K IT Pros trained

Consistent & Superior Update Experience
• Standardized patch and update terminology
• Standardized patch naming and installer switch options*
• Installer consolidation plan in place – will go from ~8 to 2
• Reduced patch release frequency from 1/week to 1/month

Superior Patch Quality
• Improved patch testing process and coverage
• Expanded test process to include customers
• Reduced reboots by 10%; reduced patch size by up to 75%**

Best Patch & Update Management Solutions
• Released SMS 2003, which delivers expanded patch and update management capabilities
• Released MBSA 1.2, which integrates Office inventory scanning
• Windows Update Services in development

More on the deliverables of the Patch Management Initiative in the Roadmap section of this presentation…

*Update.exe now using standardized switches; Windows Installer will use these in MSI 3.0
**75% for Windows Update installs, more than 25% for other patches
Terminology

Private Fix
  Description: An unofficial fix which may not be fully tested or packaged. It is released to the customer to verify that it solves the problem before final testing & packaging.
  Distribution: Limited to the customer who reported the problem.

Hotfix
  Description: A single cumulative package composed of one or more files used to address a defect in a platform.
  Distribution: Limited to customers who contact Microsoft Product Support Services and are experiencing the specific problem.

Update
  Description: A broadly released fix for a specific problem addressing a non-critical, non-security related bug.
  Distribution: Publicly available for download.

Critical Update
  Description: A broadly released fix for a specific problem addressing a critical, non-security related bug.
  Distribution: Publicly available for download.

Security Patch
  Description: A broadly released fix for a specific platform addressing a security vulnerability.
  Distribution: Publicly available for download.

Update Rollup
  Description: A cumulative set of hotfixes, security patches, critical updates and updates packaged together for easy deployment. A rollup targets a specific area such as "security" or a component of the platform such as "IIS".
  Distribution: Publicly available for download.

Service Pack
  Description: A cumulative set of all hotfixes, security patches, critical updates, and updates created, plus fixes for issues found internally, since the release of the platform. Service packs may also contain a limited number of customer requested design changes or features. Service packs are broadly distributed and therefore tested heavily.
  Distribution: Publicly available for download.
Bulletin Severity Rating System

Critical
  Definition: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action.
  Customer Action: Apply the patch or workaround immediately.

Important
  Definition: Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
  Customer Action: Apply the patch or workaround as soon as is feasible.

Moderate
  Definition: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation.
  Customer Action: Evaluate the bulletin, determine applicability, proceed as appropriate.

Low
  Definition: Exploitation is extremely difficult, or impact is minimal.
  Customer Action: Consider applying the patch at the next scheduled update interval.

Revised November 2002

More information at
http://www.microsoft.com/technet/security/policy/rating.asp
Decreasing Time To Patch (Blaster)

July 1, 2003: Report (vulnerability reported to us; patch in progress)
• Vulnerability in RPC/DCOM reported
• MS activated highest level emergency response process

July 16, 2003: Bulletin (bulletin & patch available; no exploit public)
• MS03-026 delivered to customers (7/16/03)
• Continued outreach to analysts, press, community, partners, government agencies

July 25, 2003: Exploit (exploit code in the wild)
• X-focus (Chinese group) published exploit tool
• MS heightened efforts to get information to customers

Aug 11, 2003: Worm (worm in the wild)
• Blaster worm discovered
• Variants and other viruses hit simultaneously (e.g. "SoBig")

Blaster shows the complex interplay between security researchers, software companies, and hackers.
Decreasing Time To Patch (Sasser)

April 13, 2004: Bulletin (bulletin & patch available; no exploit public)
• MS04-011 delivered to customers (4/13/04)
• Continued outreach to analysts, press, community, partners, government agencies

April 24-29, 2004: Exploit (exploit code in the wild)
• Reverse shell code posted to various web sites

April 30, 2004: Worm (worm in the wild)
• Sasser worm discovered
• Multiple variants hit simultaneously

Sasser shows the continually shrinking window between the time a patch is released, exploit code is generally available, and a worm is written to exploit it.
Solution Components

Prescriptive Guidance
• Microsoft Guide to Security Patch Management
• Patch Management Using SUS
• Patch Management Using SMS

Analysis Tools
• Microsoft Baseline Security Analyzer (MBSA)
• Office Inventory Tool*

Online Update Services
• Windows Update
• Office Update

Content Repositories
• Windows Update Catalog
• Office Download Catalog
• Microsoft Download Center

Management Tools
• Automatic Updates (AU) feature in Windows
• Software Update Services (SUS)
• Systems Management Server (SMS)

*Office Inventory Tool is no longer needed – MBSA 1.2 (released in January 2004) includes Office scanning functionality
Update Management Guidance

Implementing a consistent, high quality update management process is the key to successful update management.

Microsoft delivers best practices prescriptive guidance for effective update management:
• Uses Microsoft Operations Framework (MOF), based on ITIL* (de facto standard for IT best practices)
• Describes the update management process as a four-phase cycle: Assess, Identify, Evaluate & Plan, Deploy (then back to Assess)
• Details requirements for effective update management:
  • Technical & operational pre-requisites
  • Operational processes & how technology supports them
  • Daily, weekly, monthly & as-needed tasks to be performed
  • Testing options

Three update management guidance offerings:
• Microsoft Guide to Security Patch Management**
• Patch Management using Software Update Services***
• Patch Management using Systems Management Server***

*Information Technology Infrastructure Library
**Emphasizes security patching & overall security management
***Comprehensive coverage of patch management using the specified technology
MBSA: How It Works*

1. Run MBSA on the admin system and specify the target systems.
2. MBSA downloads the CAB file containing MSSecure.xml from the Microsoft Download Center and verifies its digital signature.
3. MBSA scans the target systems for OS, OS components, & applications.
4. MBSA parses MSSecure.xml to see which updates are available.
5. MBSA checks whether required updates are missing.
6. MBSA generates a time-stamped report of missing updates.

MSSecure.xml contains:
• Security Bulletin names
• Product specific updates
• Version and checksum info
• Registry keys changed
• KB article numbers
• Etc.

(Diagram: MBSA on the admin computer, the Microsoft Download Center supplying MSSecure.xml, the scanned computers, and a SUS server.)

*Only covers security patch scanning capabilities, not security configuration detection issues
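The scan logic of steps 2 to 6, as an added example that is not MBSA's code and is not from the original deck. A constructed catalog stands in for MSSecure.xml (the bulletin IDs, KB numbers, file versions and registry keys are placeholders, not the data of any real patch), a pinned SHA-256 digest stands in for the Authenticode check on the downloaded CAB, and one constructed host inventory is scanned. It makes explicit the case a registry-only checker misses: an update whose registry marker is present but whose patched file has been rolled back is still reported, which is why MSSecure.xml carries version and checksum information alongside registry keys.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for MSSecure.xml, serialised as JSON so the example
# is self-contained. Bulletin IDs, KB numbers, versions and registry keys
# are placeholders and do not describe any real Microsoft patch.
CATALOG_JSON = json.dumps({
    "updates": [
        {"bulletin": "MSYY-001", "kb": "Q000001", "severity": "Critical",
         "product": "WinXP", "files": {"rpcss.dll": "5.1.2600.100"},
         "registry_key": r"HKLM\SOFTWARE\Microsoft\Updates\WinXP\SP1\Q000001"},
        {"bulletin": "MSYY-002", "kb": "Q000002", "severity": "Important",
         "product": "WinXP", "files": {"lsasrv.dll": "5.1.2600.150"},
         "registry_key": r"HKLM\SOFTWARE\Microsoft\Updates\WinXP\SP1\Q000002"},
        {"bulletin": "MSYY-003", "kb": "Q000003", "severity": "Moderate",
         "product": "Win2K", "files": {"ntoskrnl.exe": "5.0.2195.6000"},
         "registry_key": r"HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q000003"},
    ]
})
# MBSA verifies the Authenticode signature on the downloaded CAB. A pinned
# SHA-256 digest stands in for that here; in practice the expected value
# comes from out of band. It is computed at import time only so that the
# example runs offline.
CATALOG_SHA256 = hashlib.sha256(CATALOG_JSON.encode()).hexdigest()


def load_catalog(blob, expected_sha256):
    """Step 2: refuse to scan with a catalog that fails the integrity check."""
    actual = hashlib.sha256(blob.encode()).hexdigest()
    if actual != expected_sha256:
        raise ValueError("catalog integrity check failed; refusing to scan")
    return json.loads(blob)["updates"]


def parse_version(text):
    """'5.1.2600.1106' -> (5, 1, 2600, 1106): compare numerically, not as
    strings, otherwise '5.1.2600.999' would sort above '5.1.2600.1106'."""
    return tuple(int(part) for part in text.split("."))


def check_update(update, host):
    """Steps 4-5: classify one catalog entry against one host's inventory.

    Installed means the registry marker is present AND every patched file is
    at or above the catalog version. A marker with an older file is flagged
    separately: that is the rollback case a registry-only check would miss.
    Returns None when the update does not apply to the host's platform.
    """
    if update["product"] != host["product"]:
        return None
    key_present = update["registry_key"] in host["registry_keys"]
    stale = [name for name, want in update["files"].items()
             if parse_version(host["files"].get(name, "0.0.0.0")) < parse_version(want)]
    if key_present and not stale:
        return "installed"
    if key_present and stale:
        return "file older than expected: " + ", ".join(stale)
    return "missing"


def scan(host, catalog, now=None):
    """Steps 3-6: time-stamped report of missing or suspect updates."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for update in catalog:
        status = check_update(update, host)
        if status is None or status == "installed":
            continue
        findings.append({"host": host["name"], "bulletin": update["bulletin"],
                         "kb": update["kb"], "severity": update["severity"],
                         "status": status})
    return {"scanned_at": now.isoformat(), "findings": findings}


# Constructed inventory for one target: the MSYY-001 marker is present but
# rpcss.dll was rolled back; MSYY-002 was never installed; MSYY-003 does not
# apply because the host is not Win2K.
HOST = {
    "name": "ws-042", "product": "WinXP",
    "files": {"rpcss.dll": "5.1.2600.90", "lsasrv.dll": "5.1.2600.120"},
    "registry_keys": {r"HKLM\SOFTWARE\Microsoft\Updates\WinXP\SP1\Q000001"},
}

if __name__ == "__main__":
    report = scan(HOST, load_catalog(CATALOG_JSON, CATALOG_SHA256))
    print("scanned at", report["scanned_at"])
    for f in report["findings"]:
        print(f"{f['host']}: {f['bulletin']} ({f['kb']}, {f['severity']}): {f['status']}")
```

The two findings for the sample host are MSYY-001 with a stale file and MSYY-002 missing; an altered catalog blob is rejected before any scan runs.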
SUS 1.0: How It Works

1. The SUS server checks the Windows Update service for updates every 24 hours*.
2. The administrator reviews, evaluates, and approves updates.
3. Approvals & updates are synced with child SUS servers**.
4. AU (the SUS client) gets the approved updates list from the SUS server.
5. AU downloads approved updates from the SUS server or Windows Update.
6. AU either notifies the user or auto-installs updates.
7. AU records install history.

(Diagram: a parent SUS server synchronizing from the Windows Update service and feeding child SUS servers, which in turn serve AU clients.)

*Configurable 1/day or 1/week
**SUS maintains approval logs & download, sync, & install statistics
SMS 2003 Patch Management: How It Works

1. Setup: download the Security Update Inventory and Office Inventory Tools from the Microsoft Download Center; run the inventory tool installer.
2. Scan components replicate to SMS clients.
3. Clients are scanned; scan results are merged into SMS hardware inventory data.
4. The administrator uses the Distribute Software Updates Wizard to authorize updates.
5. Update files are downloaded; packages, programs & advertisements are created/updated; packages replicate to SMS distribution points & programs are advertised to SMS clients.
6. The Software Update Installation Agent on the clients deploys the updates.
7. Periodically: the sync component checks for new updates, scans clients, and deploys necessary updates.

(Diagram: the Microsoft Download Center, the SMS site server, SMS distribution points, and SMS clients.)
Choosing A Patch Management Solution
Needs-Based Selection

Adopt the solution that best meets the needs of your organization.

Supported Platforms for Content
  Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
  SUS 1.0: Win2K, WS2003, WinXP
  SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98*

Core Patch Management Capabilities

Supported Content Types
  Windows Update: All patches, updates (including drivers), & service packs (SPs) for the above
  SUS 1.0: Only security & security rollup patches, critical updates, & SPs for the above
  SMS 2003: All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps

Granularity of Control

Targeting Content to Systems
  Windows Update: No
  SUS 1.0: No
  SMS 2003: Yes

Network Bandwidth Optimization
  Windows Update: No
  SUS 1.0: Yes (for patch deployment)
  SMS 2003: Yes (for patch deployment & server sync)

Patch Distribution Control
  Windows Update: No
  SUS 1.0: Basic
  SMS 2003: Advanced

Patch Installation & Scheduling Flexibility
  Windows Update: Manual, end user controlled
  SUS 1.0: Admin (auto) or user (manual) controlled
  SMS 2003: Administrator control with granular scheduling capabilities

Patch Installation Status Reporting
  Windows Update: Accessing computer history only
  SUS 1.0: Limited (client install history & server based install logs)
  SMS 2003: Comprehensive (install status, result, and compliance details)

Additional Software Distribution Capabilities

Deployment Planning
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes

Inventory Management
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes

Compliance Checking
  Windows Update: N/A
  SUS 1.0: N/A
  SMS 2003: Yes

*MBSA does not support scanning Win98 – Win98 can be updated using SMS 2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution
Typical Customer Decisions

Large or Medium Enterprise
• Scenario: Want a single flexible patch management solution with an extended level of control to patch & update (+ distribute) all software. Customer chooses: SMS
• Scenario: Want a patch management solution with a basic level of control that updates Windows 2000 and newer versions* of Windows**. Customer chooses: SUS

Small Business
• Scenario: Have at least 1 Windows server and 1 IT administrator**. Customer chooses: SUS
• Scenario: All other scenarios. Customer chooses: Windows Update

Consumer
• Scenario: All scenarios. Customer chooses: Windows Update

*Windows 2000, Windows XP, Windows Server 2003
**Customer uses Windows Update or a manual process for other OS versions & application software
Windows Update Services*

The update management component of Windows Server that enables IT administrators to more easily assess, control and automate the deployment of Microsoft software updates.

Update management solution for all Microsoft products
• Initially supports Windows XP Pro, Windows 2000 Pro, Windows 2000 Server, Windows Server 2003, Office XP, Office 2003, SQL Server 2000, MSDE 2000, Exchange 2003, + additional products over time**
• Support for additional update types – security, critical and non-critical updates, update rollups, service packs, feature packs, and critical driver updates

Core update management infrastructure in Windows
• Data model – supersedence, update dependency & bundle relationships
• Built-in update scanning engine to detect missing updates
• Server APIs (.NET) and remoteable client APIs (COM)

Enhanced bandwidth optimization
• Uses BITS for client-server and server-server communication
• 'Binary delta compression' technologies dramatically reduce data transfer needs
• Configurable update subscriptions – specify the subset of content to be downloaded

*WUS is currently in beta. Microsoft does not guarantee that all capabilities listed will be in the released version.
Datasheet and sign up for the Open Evaluation Program at: www.microsoft.com/wus
**Without the need to upgrade or redeploy WUS
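The data model bullet above (supersedence, update dependency and bundle relationships) is the part of an update server that decides what a client actually receives, so here is an added example of that planning step. It is not WUS code and is not from the original deck; the catalog fragment and its update IDs are constructed placeholders. Given the administrator's approved set and what the client reports as installed, the planner expands bundles to their member updates, drops any update that another wanted update supersedes (following chains of supersedence), pulls in prerequisites transitively, removes what is already installed, and orders the rest so prerequisites install first, refusing to produce a plan if the catalog contains a dependency cycle.

```python
from collections import deque

# Constructed catalog fragment; IDs are placeholders, not real updates.
#   supersedes: older updates this one replaces
#   requires:   updates that must already be installed (e.g. a service pack)
#   bundle:     member updates delivered together under this parent
UPDATES = {
    "SP1":      {"supersedes": [], "requires": [], "bundle": []},
    "SEC-100":  {"supersedes": [], "requires": ["SP1"], "bundle": []},
    "SEC-110":  {"supersedes": ["SEC-100"], "requires": ["SP1"], "bundle": []},
    "DRV-200":  {"supersedes": [], "requires": [], "bundle": []},
    "ROLLUP-1": {"supersedes": [], "requires": ["SP1"], "bundle": ["SEC-110", "DRV-200"]},
}


def supersedes_closure(uid, updates, seen=None):
    """All updates that uid replaces, directly or through a chain."""
    seen = set() if seen is None else seen
    for old in updates[uid]["supersedes"]:
        if old not in seen:
            seen.add(old)
            supersedes_closure(old, updates, seen)
    return seen


def expand(uid, updates, seen=None):
    """uid plus every member of its bundle, recursively (bundles may nest)."""
    seen = set() if seen is None else seen
    if uid not in seen:
        seen.add(uid)
        for member in updates[uid]["bundle"]:
            expand(member, updates, seen)
    return seen


def plan(approved, installed, updates):
    """Ordered list of update IDs to install on one client."""
    wanted = set()
    for uid in approved:
        wanted |= expand(uid, updates)
    # Newest fix wins: anything superseded by a wanted update is dropped,
    # even if the administrator also approved the older one.
    stale = set()
    for uid in wanted:
        stale |= supersedes_closure(uid, updates)
    # Bundles are containers, not payloads; keep only leaf updates.
    wanted = {u for u in wanted if u not in stale and not updates[u]["bundle"]}
    # Pull in prerequisites transitively (prerequisites are not re-filtered
    # for supersedence; a superseded prerequisite is a catalog error).
    queue = deque(wanted)
    while queue:
        for pre in updates[queue.popleft()]["requires"]:
            if pre not in wanted:
                wanted.add(pre)
                queue.append(pre)
    todo = wanted - set(installed)
    # Kahn's algorithm: an edge pre -> u means pre installs before u.
    indeg = {u: sum(1 for pre in updates[u]["requires"] if pre in todo) for u in todo}
    ready = deque(sorted(u for u in todo if indeg[u] == 0))
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v in sorted(todo):
            if u in updates[v]["requires"]:
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
    if len(order) != len(todo):
        raise ValueError("dependency cycle in update catalog: "
                         + ", ".join(sorted(todo - set(order))))
    return order


if __name__ == "__main__":
    # Client has the driver update but not SP1; admin approved the rollup
    # and, redundantly, the superseded SEC-100.
    print(plan({"ROLLUP-1", "SEC-100"}, {"DRV-200"}, UPDATES))
```

For the sample client the plan is SP1 followed by SEC-110: SEC-100 is dropped because SEC-110 supersedes it, DRV-200 is already installed, and SP1 is pulled in as a prerequisite even though nobody approved it explicitly, which is exactly the kind of decision a flat "approved list" like SUS 1.0's cannot express.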
Comparing Microsoft Update, Windows Update Services, and SMS 2003

Adopt the solution that best meets the needs of your organization.

Supported Software and Content

Supported Software for Content
  Microsoft Update: Same as Windows Update Services + WinXP Home
  Windows Update Services: Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE
  SMS 2003: Same as Windows Update Services + NT 4.0 & Win98* + can update any other Windows based software

Supported Content Types for Supported Software
  Microsoft Update: All software updates, critical driver updates, SPs, & FPs
  Windows Update Services: All software updates, critical driver updates, service packs (SPs), and feature packs (FPs)
  SMS 2003: All updates, SPs, & FPs + supports update & app installs for any Windows based software

Update Management Capabilities

Targeting Content to Systems
  Microsoft Update: N/A
  Windows Update Services: Simple
  SMS 2003: Advanced

Network Bandwidth Optimization
  Microsoft Update: Yes
  Windows Update Services: Yes
  SMS 2003: Yes

Patch Distribution Control
  Microsoft Update: N/A
  Windows Update Services: Simple
  SMS 2003: Advanced

Patch Installation & Scheduling Flexibility
  Microsoft Update: Manual & end user controlled
  Windows Update Services: Simple
  SMS 2003: Advanced

Patch Installation Status Reporting
  Microsoft Update: Install errors reported to user; lists missing updates for the accessing computer
  Windows Update Services: Simple
  SMS 2003: Advanced

Deployment Planning
  Microsoft Update: N/A
  Windows Update Services: Simple
  SMS 2003: Advanced

Inventory Management
  Microsoft Update: N/A
  Windows Update Services: No
  SMS 2003: Yes

Compliance Checking
  Microsoft Update: N/A
  Windows Update Services: No – status reporting only
  SMS 2003: Advanced

*MBSA does not support scanning Win98 – Win98 can be updated using SMS 2003 inventory management and software distribution capabilities
Choosing A Patch Management Solution
Typical Customer Decisions

Large or Medium Enterprise
• Scenario: Want a single flexible update management solution with an extended level of control to update (+ distribute) ALL Windows OSes and applications, as well as an integrated asset management solution. Customer chooses: SMS 2003
• Scenario: Want an update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000. Customer chooses: Windows Update Services*

Small Business
• Scenario: Have at least 1 Windows server and 1 IT administrator. Customer chooses: Windows Update Services*
• Scenario: All other scenarios. Customer chooses: Microsoft Update*

Consumer
• Scenario: All scenarios. Customer chooses: Microsoft Update*

*Customer uses Windows Update, another update tool, or a manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update
Consolidated Solutions Roadmap

Time frames: Q4/2003, H1/2005, Longhorn

Update Content Repositories and Online Services
• Q4/2003: Windows Update, Office Update, Download Center
• H1/2005: Windows Update, Microsoft Update, Download Center
• Longhorn: Windows Update, Microsoft Update, 3rd party apps update repository, in-house developed apps update repository

Standalone Update Scanning Tools
• MBSA 1.1.1 and Office Inventory Tool, then MBSA 1.2 (includes OIT), then MBSA 2.0

SMS
• SMS 2.0 with Feature Pack 1 and SMS 2003, then SMS 2003 / WUS phase 1 integration, then SMS v4 with WUS N.0 and 3rd party / in-house tools

Windows Server
• SUS 1.0, then WUS Server and WUS Client, then Longhorn Update Management Products

Manual / Script Based Updating
Adopt a Patch Management Solution

At Microsoft, our #1 concern is the security and availability of your IT environment.
If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor.

Partial list* of available products (Company Name: Product Name, Company URL):
• Altiris, Inc.: Altiris Patch Management, http://www.altiris.com
• BigFix, Inc.: BigFix Patch Manager, http://www.bigfix.com
• Configuresoft, Inc.: Security Update Manager, http://www.configuresoft.com
• Ecora, Inc.: Ecora Patch Manager, http://www.ecora.com
• GFI Software, Ltd.: GFI LANguard Network Security Scanner, http://www.gfi.com
• Gravity Storm Software, LLC: Service Pack Manager 2000, http://www.securitybastion.com
• LANDesk Software, Ltd: LANDesk Patch Manager, http://www.landesk.com
• Novadigm, Inc.: Radia Patch Manager, http://www.novadigm.com
• PatchLink Corp.: PatchLink Update, http://www.patchlink.com
• Shavlik Technologies: HFNetChk Pro, http://www.shavlik.com
• St. Bernard Software: UpdateExpert, http://www.stbernard.com

*Microsoft does not endorse or recommend a specific patch management product or company
Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality
