Planning and Implementing a Security Update Infrastructure


Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.

As administrators, we constantly strive to maintain a secure and functional computing environment for our users. In a perfect world, administrators would never have to update an installation of Windows; unfortunately, this is just not the case. Between weaknesses that are inherent to Windows (through coding mistakes or other issues) and the insatiable desire of Black Hats (bad hackers, as opposed to White Hats, who are good hackers) to find new and more devious ways to open up your network like a can of sardines, you will soon have your hands full trying to keep your network's security stance up to date with the latest patches and hot fixes.

Realizing that it needed to become more proactive in helping Windows network administrators understand and correct the issues associated with the various security flaws that occur in the Windows operating systems, Microsoft has provided you with several tools that you can use to identify, categorize, and correct security-related issues on your network. The choice of what tool you use really depends on how you want to go about keeping your network updated. The following options are available for you to use in identifying and installing required security updates on your network's computers:

  • Microsoft Baseline Security Analyzer (MBSA) — MBSA is an enhanced GUI version of the popular command-line HFNetChk application that can be used on Windows 2000, Windows XP, and Windows Server 2003 computers to look for missing security updates, missing service packs, and weak security configurations in the supported Windows operating systems, Office, IIS, Structured Query Language (SQL) Server, and several other popular Microsoft applications. Even though MBSA cannot be run on a Windows NT 4.0 computer, it can be used remotely to scan a Windows NT 4.0 computer. MBSA does a good job of identifying and categorizing the missing updates and security problems that it finds, but it does not provide any direct means to install the required patches. The real strength of MBSA is that it can be used to scan many computers, even remote ones, at a time, providing a quick and easy-to-interpret graphical output.

  • Windows Update — Windows Update, which has been around since Windows 98 arrived, provides an easy-to-use (although not always accurate) Web-based tool for determining the need to install newly available updates on a local computer. Automatic Updates works in conjunction with Windows Update in instances where SUS has not been installed; it provides automatic downloading and installation of required updates.

  • Software Update Services (SUS) — Introduced for Windows 2000 and improved for Windows Server 2003, SUS allows you to provide one or more Windows Update servers that run inside your protected internal network. SUS allows the administrator to exercise granular control over which updates are installed and which aren't. Only those updates specifically approved will be installed on network computers configured to use an SUS server for updating. After installing SUS, you perform all its management and configuration from within your Web browser for ease of administration.

  • Automatic Updates — Automatic Updates is a new component of Windows XP SP1 and Windows 2000 SP3 that can download and install required updates from either the Windows Update Web servers or your internal SUS servers, depending on how it has been configured; the default configuration is to use the Windows Update Web servers. Automatic Updates is included in the default installation of Windows Server 2003. To configure Automatic Updates to use an internal SUS server, you must first install and configure at least one SUS server and then configure the appropriate Group Policy settings to require clients to use the designated SUS servers.

  • Systems Management Server — SMS 2.0 was in use by a large number of organizations well before the release of Windows 2000 and its IntelliMirror and Active Directory technologies—the heart of software installation via Active Directory. SMS has been updated recently with the SMS 2.0 Software Update Services Feature Pack, which allows it to integrate into a SUS implementation without changing the configuration of the network clients. For many years, administrators have used SMS to manually push updates to clients; the feature pack allows this function to become more automatic. The new version of SMS is Active Directory integrated and promises many new features for software management and maintenance.

Planning for Software Update Services

Although Windows Server 2003 provides native support for Software Update Services, it does not by default include SUS. You can easily enough acquire the SUS installation package, however, and begin work configuring and implementing SUS on a network. But what, really, is SUS? It is nothing more than a locally controlled and managed Windows Update server. Instead of configuring the Automatic Updates client on your client workstations to download updates directly from the Microsoft Windows Update servers, you can install and configure one or more SUS servers on your internal network and point your client workstations toward those servers.

As you might imagine, the ability to have your client workstations use an internal server for Windows Update can be a tremendous benefit to you because it means decreased bandwidth usage. As important as bandwidth savings might be, there is actually a larger benefit to be realized by implementing a SUS solution on your internal network: the ability to approve specific updates that are to be installed on your clients. When you use Windows Update, your client computers install any available update that matches their needs, but with SUS you can specify which of the available updates are authorized to be pushed to the clients after you are satisfied that the update will pose no problems for the systems. This is a tremendous benefit that often goes unrealized.

As previously implied, SUS is actually one part of a two-part system. The other part, the Automatic Updates client, runs on the servers and client workstations that you want to download updates. Although the Automatic Updates client was included in Windows XP (pre-Service Pack 1), it was not the correct version to participate in SUS. You need to install Windows 2000 Service Pack 3 (or higher) or Windows XP Service Pack 1 (or higher) on client workstations to get the updated version that can interact with SUS. Alternatively, you can install the updated version of the Automatic Updates client, which you can download from www.microsoft.com/windows2000/windowsupdate/sus/default.asp.

You can also download the SUS installation package from this location. Unlike the previously released version of SUS, this one can be installed on a domain controller, which provides a great benefit to small organizations in which only one server is in use at some locations. The requirements to install SUS on a Windows Server 2003 computer are as follows:

  • Pentium III 700MHz or higher CPU

  • 512MB RAM

  • 6GB free disk space on an NTFS partition (and the system partition on the SUS server must also be formatted with NTFS)

SUS provides the following client-side features:

  • Requires local administrative privileges — Only those users who have local administrative privileges can change the settings of Automatic Updates. This prevents all other users from changing the configuration and possibly preventing required updates from being installed.

  • Requires digital signatures — Only those updates that have a valid Microsoft digital signature can be downloaded and installed.

  • Uses just-in-time validation — Automatic Updates can determine which of the available updates are required for the computer.

  • Uses minimized bandwidth — Through the use of the Background Intelligent Transfer Service (BITS), Automatic Updates uses only idle (unused) bandwidth to download available updates, thus preventing the downloading of updates from slowing down other network activities.

  • Safely installs multiple updates simultaneously — Using the same Windows Update technologies that allow for multiple updates to be installed with only a single restart, Automatic Updates can install multiple updates and request only one restart, thus improving computer availability. This feature works similarly to the way the QChain utility was used previously from the command line.

SUS provides the following server-side features:

  • Requires local administrative privileges — Only those users who have local administrative privileges can change the settings of SUS. This prevents all other users from changing the configuration and possibly preventing required updates from being installed.

  • Requires digital signatures — Only those updates that have a valid Microsoft digital signature can be downloaded and installed.

  • Update approval — Only those updates that you have manually approved are made available to your Automatic Updates clients for download and installation. This provides for increased reliability of your network by allowing you to thoroughly test each update in a nonproduction environment before releasing it onto your live network.

  • Update availability — Because the SUS server synchronizes with the Windows Update Web servers, you always have the most current list of updates available.

  • Remote administration — SUS is administered from IE 5.5 or higher using either HTTP or HTTPS, allowing for an easy-to-administer interface. You need to install and configure an SSL certificate on the SUS Web site before using HTTPS connections.

  • Logging — A Web server running IIS on your network can be specified as the log server and will receive statistics about updates that have been downloaded and whether the updates were installed. These statistics are placed in the log file of the configured Web server and can be used to monitor and troubleshoot the performance of SUS and Automatic Updates.

  • Server synchronization — You may need to install and configure multiple SUS servers to meet the needs of your network. SUS allows you to configure SUS servers to receive their update packages from another SUS server if you choose.

  • Multiple language support — SUS can be configured to make available different language versions of updates. To do so, you configure it to download specific language versions.

  • Diversified update hosting — Depending on the specific needs of your network, you can configure your SUS servers to download the actual update packages or to have SUS servers pointing to the Windows Update Web servers for the downloading of approved updates as required.
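The Logging feature above places client statistics in the IIS log of the designated log server, but the book does not show how to read them. The following PowerShell script is an added example, not code from the book or from Microsoft: it parses W3C extended log lines, counts how often each client has reported, and lists expected clients that never reported at all, which is the defender's main question (which machines are not checking in). It assumes the clients report by requesting a path named `wutrack.bin` on the status server (an assumption for this example), and the log lines and IP addresses are constructed.

```powershell
# Added example (not from the book): summarize which Automatic Updates clients
# have reported to the SUS statistics (log) server by reading the IIS W3C
# extended log. Assumption: clients report by requesting 'wutrack.bin' on the
# status server. The log lines below are constructed sample data.

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-10-14 01:02:03
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-14 01:02:03 10.1.1.21 GET /wutrack.bin U=a1&C=au 200
2003-10-14 01:05:10 10.1.1.22 GET /wutrack.bin U=b2&C=au 200
2003-10-14 01:07:44 10.1.1.22 GET /wutrack.bin U=b2&C=au 200
2003-10-14 01:09:00 10.1.1.40 GET /default.htm - 200
2003-10-15 01:02:30 10.1.1.21 GET /wutrack.bin U=a1&C=au 200
'@

# Turn W3C extended log lines into objects using the #Fields: header for names.
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other directives, blank lines, and data that precedes a #Fields: header.
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $record = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $record
    }
}

# Count status reports per client and flag expected clients that never reported.
function Get-SusClientReport {
    param([string[]]$LogLines, [string[]]$ExpectedClients)

    $hits = ConvertFrom-W3CLog -Lines $LogLines |
        Where-Object { $_.'cs-uri-stem' -like '*/wutrack.bin' }
    $byClient  = @($hits | Group-Object 'c-ip')
    $reporting = @($byClient | ForEach-Object { $_.Name })

    $report = foreach ($g in $byClient) {
        $last = $g.Group | Sort-Object { $_.date + ' ' + $_.time } | Select-Object -Last 1
        New-Object PSObject -Property @{
            Client     = $g.Name
            Reports    = $g.Count
            LastReport = $last.date + ' ' + $last.time
        }
    }
    $silent = @($ExpectedClients | Where-Object { $reporting -notcontains $_ })

    New-Object PSObject -Property @{ Reporting = $report; NeverReported = $silent }
}

$result = Get-SusClientReport -LogLines ($sampleLog -split "`r?`n") `
                              -ExpectedClients '10.1.1.21', '10.1.1.22', '10.1.1.23'
$result.Reporting | Format-Table Client, Reports, LastReport -AutoSize
'Never reported: ' + ($result.NeverReported -join ', ')
```

With the constructed data, 10.1.1.21 and 10.1.1.22 appear as reporting clients and 10.1.1.23 is listed as never having reported. To run it against a real log server, replace `$sampleLog` with `Get-Content` of the IIS log file and feed the expected-client list from your inventory.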

EXAM TIP

Know SUS

SUS is a key part of Microsoft's security update infrastructure. You need to have a very good understanding of what it does, how it works, and how you can configure it to meet your needs and requirements.


The actual process to install and configure SUS and Automatic Updates is covered in Exam 70-291, "Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure." Refer to the MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure (2003, Que Publishing; ISBN: 0789729482) by Dave Bixler and Will Schmied for more information on installing and configuring your SUS solution.

Using the Microsoft Baseline Security Analyzer

You can quickly learn to use the Microsoft Baseline Security Analyzer. After downloading the most current version from www.microsoft.com/technet/security/tools/tools/mbsahome.asp and installing it, you are just a few mouse clicks away from performing security analysis of your network's computers.

When you launch the MBSA utility, you are presented with the option to scan one computer, scan multiple computers, or review previous scan reports, as shown in Figure 8.30.

Figure 8.30. You can quickly scan multiple computers with just a few clicks of the mouse using MBSA.

By clicking the Scan More Than One Computer link, you can enter the NetBIOS domain name or IP address range that you want scanned, as shown in Figure 8.31.

Figure 8.31. You can enter an entire domain to scan or scan a specific portion of the network.

After the scan has been completed, you can see the results of each computer's scan, as shown in Figure 8.32. As you can see, this computer is missing a critical security update that creates a severe risk situation on the computer.

Figure 8.32. This computer is at severe risk due to a missing security update.

As mentioned previously, MBSA scans your computers not only for Windows security updates, but also for updates associated with other Microsoft products. MBSA 1.1.1 (the current version as of this writing) scans for security updates in the following products:

  • Windows NT 4.0

  • Windows 2000

  • Windows XP

  • Windows Server 2003

  • Internet Explorer 5.01 and higher

  • Windows Media Player 6.4 and higher

  • IIS 4.0 and higher

  • SQL Server 7.0 and 2000 (including Microsoft Data Engine)

  • Exchange 5.5 and 2000 (including Exchange Admin Tools)

Maintaining a Security Update Infrastructure

In newly implemented Windows Server 2003 Active Directory networks, implementing a SUS solution to download and install approved security updates is most likely going to be your best bet. If you have an existing security update architecture in place, such as SMS or some other third-party solution, you may need to evaluate the benefits and costs of changing over to SUS. If you are relying only on Windows Update or Automatic Updates (without SUS) to keep your systems up to date, you need to seriously look into rolling out SUS.

One possible scenario for using SUS and MBSA on your network to monitor and maintain security goes like this: You install and configure one or more SUS servers on your network, as determined by the number of clients that will be accessing them (each server can handle approximately 15,000 clients) and the geographical dispersion of your network. You configure SUS to automatically synchronize content nightly when network traffic is at its lowest. You also configure Automatic Updates via a GPO to download, install, and restart computers as required nightly, thus installing any newly approved updates. You also make it a habit to review, test, and approve new security updates one or more times a week to keep your systems up to date. Lastly, you could run MBSA against your network computers twice monthly to spot-check the effectiveness of SUS in keeping your computers updated with the patches you have approved.
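The Automatic Updates bullet earlier in the chapter and the scenario just described both depend on a GPO that points clients at the internal SUS server and schedules a nightly download, install, and restart. A client that has fallen outside that policy silently goes back to the public Windows Update site and bypasses your approval step. The following PowerShell script is an added example, not code from the book or from Microsoft: it reads the Automatic Updates policy values that Group Policy writes under the WindowsUpdate policy key and reports any setting that would undermine the scenario. The key and value names are the documented WindowsUpdate policy values; the SUS server URL is a constructed example.

```powershell
# Added example (not from the book): audit the Automatic Updates policy that a
# GPO writes to a Windows 2000 SP3 / XP SP1 / Server 2003 client and report
# whether the client is pointed at an internal SUS server and scheduled for a
# nightly install. The SUS server URL below is a constructed example.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

# Read one policy value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AutomaticUpdatesPolicy {
    param([string]$ExpectedSusServer)

    $wuServer     = Get-PolicyValue $policyKey 'WUServer'
    $statusServer = Get-PolicyValue $policyKey 'WUStatusServer'
    $useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
    $auOptions    = Get-PolicyValue $auKey 'AUOptions'
    $noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
    $installDay   = Get-PolicyValue $auKey 'ScheduledInstallDay'
    $installTime  = Get-PolicyValue $auKey 'ScheduledInstallTime'

    $findings = @()
    if ($noAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate=1: Automatic Updates is disabled by policy.'
    }
    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: client uses the public Windows Update site and bypasses SUS approval.'
    }
    if (-not $wuServer) {
        $findings += 'WUServer is not set.'
    } elseif ($ExpectedSusServer -and ($wuServer -ne $ExpectedSusServer)) {
        $findings += "WUServer is '$wuServer'; expected '$ExpectedSusServer'."
    }
    if (-not $statusServer) {
        $findings += 'WUStatusServer is not set: no statistics will reach the log server.'
    }
    # AUOptions: 2 = notify before download, 3 = download then notify,
    # 4 = download and install on the configured schedule.
    if ($auOptions -ne 4) {
        $findings += "AUOptions is '$auOptions'; 4 is required for unattended scheduled installs."
    }
    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
    # ScheduledInstallTime: hour of day, 0..23.
    if ($auOptions -eq 4 -and $installDay -ne 0) {
        $findings += "ScheduledInstallDay is '$installDay'; 0 schedules the install every night."
    }

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        WUServer         = $wuServer
        WUStatusServer   = $statusServer
        AUOptions        = $auOptions
        ScheduledInstall = "day=$installDay hour=$installTime"
        Findings         = $findings
    }
}

Test-AutomaticUpdatesPolicy -ExpectedSusServer 'http://sus01.corp.example' | Format-List
```

Run it on a client after `gpupdate` has applied the policy; an empty `Findings` list means the client is configured for the scenario above. Because MBSA only reports missing patches, this check complements the twice-monthly MBSA sweep by explaining why a machine is missing them: it is not pointed at SUS, or it is never scheduled to install.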



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
