18.2 Security patch management

Keeping your systems up-to-date from a security patch point of view is a critical security requirement. Microsoft provides several tools to help with efficient security patch management: the Microsoft Baseline Security Analyzer (MBSA), Windows Update, the Software Update Services (SUS), SUS Feature Pack for SMS 2.0, and the qchain tool. All tools are discussed in more detail next.

All of these tools rely on the Security Patch Bulletin Catalog (mssecure.xml) to decide upon which security patches are already installed and which patches are required on a system. Every time a patch is installed, all of the tools call on hfnetchk.exe (explained below) to download the latest version of mssecure.xml from the Microsoft Web site.

18.2.1 Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) was discussed earlier in Section 18.1.5. It also provides security patch scanning functionality. When starting a scan from the MBSA GUI, you have the option to check for security updates (as illustrated in Figure 18.10). When running MBSA from the command line (using mbsacli.exe), you must use the /hf switch to scan a machine’s security patch status. Once a system is analyzed using MBSA, you must use other tools to deploy the missing patches to the system. To do so, you can use one of the tools explained next.

Figure 18.10: Checking for security updates from the MBSA.

The command-line version of MBSA (mbsacli.exe) builds on an earlier MS scan tool, HFnetchk.exe, for its security patch management functionality. HFnetchk.exe is also known as the hotfix network checker. This tool was developed for Microsoft by a company called Shavlik. Microsoft does not provide updates to HFnetchk anymore; however, an up-to-date version of the tool can be downloaded from the Shavlik Web site at http:// www.shavlik.com. Shavlik also provides an advanced version of the HFnetchk tool, called HFnetchkPro. This is a GUI tool that allows for the distribution and installation of missing security patches after an HFnetchk scan (something that cannot be done with MBSA).

MBSA can be integrated with the Microsoft Software Update Services (SUS)—SUS is explained in more detail in Section 18.2.3. This means that MBSA can check the enterprise SUS server for security updates instead of going to the Microsoft Web site. MBSA will automatically call upon the enterprise SUS server when its location has been configured in the system registry (this can be done using GPOs; see SUS section below). You can also force MBSA to go to a particular SUS server by typing the following at the command line:

Mbsacli.exe /hf /sus “http://<SUS_server_FQDN>”.

The key difference with using MBSA without SUS is that SUS-rooted MBSA scans will only include enterprise-level approved security updates as they are available on the SUS server rather than all available updates available on the Windows Web site.

MBSA is also compatible with the SMS SUS feature pack (explained in Section 18.2.4). SMS can be used to push mbsacli.exe to all clients and perform a local security patch scan. SMS can then distribute all missing security patches to the clients.

18.2.2 Windows Update

The Windows Update service allows Windows 98, Windows 2000, Windows Me, Windows XP, and Windows Server 2003 users to easily download and install the latest Microsoft security patches. User can manually initiate a Windows Update sequence by selecting Windows Update from the Windows Start Menu, by going to the http://windowsupdate.microsoft.com URL in Internet Explorer or by running wupdmgr.exe from the command line. Windows Update will then connect to the Microsoft Windows Update Web site (illustrated in Figure 18.11) on the Internet. On this Web site, users must run through a set of steps to update their system: Initiate a scan (by clicking “Scan for updates”), pick the updates to install, review them, and then install the updates. Windows Update provides a patch classification system: Users must make sure they always install at least the critical patches.

Figure 18.11: Windows Update.

Because Windows Update is a Web-based tool, it can only work if the following conditions are met:

• Internet Explorer must support cookies. IE cookie-related behavior is configured from the Privacy tab in the IE Internet Options.

• Internet Explore must allow ActiveX controls. IE ActiveX-related behavior is configured in the IE Security Zone properties.

• The user initiating a Windows Update sequence must be a member of the local Administrators group.

Windows Update can also be configured to run automatically at predefined intervals. This feature is referred to as automatic patch updating and is only available on Windows 2000 Service Pack 3 and later, Windows XP, and Windows Server 2003 systems. Automatic patch updating can be configured in different ways:

• From the properties of the My Computer object in Windows XP, Windows 2000, and Windows Server 2003. These properties are also accessible from the System Control Panel applet.

• From the Automatic Updates Control Panel applet in Windows 2000 Service Pack 3 or later

• From the system registry

• From the GPO settings (as illustrated in Figure 18.12) in Windows Server 2000 and Windows Server 2003

  
  Figure 18.12: Configuring automatic patch updates using GPO.

In all four cases, you have the option to enable or disable automatic patch updating. If you enable it, the Windows Update can notify users for both patch download and install, notify only for install, or automatically perform both the patch download and install.

To configure automatic updates from the registry (e.g., in non-AD environments), use the keys listed in Table 18.7. These keys are all located in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ WindowsUpdate registry container. When automatic update has been configured for notification when installing only (AUOptions value 3), a dialog box similar to the one in Figure 18.13 will be presented to the user.

Figure 18.13: Automatic updates dialog box.

18.2.3 Software Update Services

Software Update Services (SUS) builds on the Windows Update service. It gives enterprise administrators the ability to provide Windows Update– based security patch services in a controlled and secure manner. SUS can be used to set up an enterprise Windows Update server from which internal

Windows clients can download the latest patches. To receive security patch updates, the internal Windows Update server obviously links up to the MS Windows Update infrastructure.

The SUS software is a free download available from http://www.microsoft.com/downloads/recommended/susserver. SUS requires IE 5.5 or later, IIS 5.0 or IIS 6.0, Windows 2000, or Windows Server 2003 and cannot be installed on a domain controller. It can distribute patches to Windows 2000, Windows XP, and Windows Server 2003 platforms.

SUS configuration and administration options are accessible from the SUS Administration Web page (/susadmin">http://<SUSServerName>/susadmin). To set configuration options, click the Set Options hyperlink (illustrated in Figure 18.14). To update the SUS server patch data, click the Synchronize Server hyperlink.

Figure 18.14: SUS administration interface.

SUS also provides a security patch staging solution: It allows the SUS administrator to define which security patches are approved for distribution to its Windows clients. To approve patches, click the Approve Updates hyperlink on the SUS Administration Web page. Unlike the SUS Feature Pack for SMS 2.0 (explained next), SUS cannot define which client gets which updates. Every client that connects to the SUS server gets all approved security patches.

The SUS server used by a Windows client can be configured using GPO settings (Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location). In non-AD environments, you can configure the Windows clients’ SUS server using the registry keys illustrated in Table 18.8. These keys are all located in the HKEY_LOCAL_MACHINE\Software\ Policies\Microsoft\Windows\WindowsUpdate registry container.

18.2.4 SUS Feature Pack for SMS 2.0

The SMS Software Update Services (SUS) Feature Pack is Microsoft’s most advanced security patch management tool. It provides the ability to determine security patch status, distribute patches, install patches, and generate reports on the patch status. Unlike any of the other patch management tools discussed so far, the SMS SUS Feature Pack allows an administrator to identify and target specific computers for security patch updates. For example, it allows for the deployment of a specific set of patches to a subset of the machines in an enterprise.

SMS SUS Feature Pack also provides security patch update facilities for Windows platforms other than Windows XP, Windows 2000, and Windows Server 2003. Unlike SUS, SMS can also distribute and install service packs (SPs). Microsoft recommends using SMS and the SMS SUS Feature Pack when distributing patches to more than 5,000 computers. The SUS Feature Pack is specifically made for SMS version 2.0 Service Pack 3 or later. The complete Feature Pack’s functionality will be an integral part of the SMS 2003 release.

The SMS SUS Feature Pack consists of four major components: the Security Update Inventory tool (uses MBSA 1.1), the MS Office Inventory tool, the Distribute Software Updates wizard, the Software Updates Installation Agent and the SMS Web Reporting tool. The SUS Feature Pack can be downloaded for free from http://www.microsoft.com/smserver/downloads/20/featurepacks/suspack/. This URL also includes pointers to the SUS Feature Pack deployment guide.

18.2.5 Qchain

Qchain allows you to install multiple security patches in a single installation run. This eliminates the need for several system reboots. Qchain works for NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. The tool evaluates all of the patch components (DLLs, executables, and so forth) and makes sure that only the most recent versions of the components are installed. The following is a sample batch file script that can be used to install two security patches using qchain:

@echo off setlocal set PATHTOFIXES=c:\systemfixes %PATHTOFIXES%\Q123456_w2k_sp1_x86.exe –z–m %PATHTOFIXES%\Q123457_w2k_sp1_x86.exe -z –m %PATHTOFIXES%\qchain.exe 

In this command the –z switch prevents reboots, and the –m switch enables unattended installation. More information on the tool is available in MS Knowledge Base article Q296861.

18.2.6 Third-party security patch management tools

Table 18.9 gives an overview of third-party security patch management tools. It is beyond the goals of this book to cover these products in more detail.