Patch Management in Six Steps

Microsoft recommends a six-step process for patch management. This process ensures that you apply patches in an organized way that prevents other applications on the network from failing. This is the recommended six-step process for patch management:

  1. Notification

    You must be aware of new security updates or service packs to ensure that the updates or service packs are installed in a timely manner.

  2. Assessment

    You must identify which computers on the network require the security update or service pack.

  3. Obtainment

    You must acquire the security update or service pack installation files from Microsoft.

  4. Testing

    You must test the security updates or service pack before you apply them to all affected computers on your network to ensure that undesired effects do not occur.

  5. Deployment

    You must deploy the security updates or service pack to the affected computers in a timely manner, taking advantage of tools to assist in the deployment.

  6. Validation

    You must ensure that the security updates or service pack are successfully installed on all affected computers.

Step 1. Notification

The first step in patch management is being aware of when Microsoft releases security patches. When a security patch is released, Microsoft issues a security bulletin that details the vulnerability fixed by the security patch as well as a vulnerability rating so that you can assess whether to deploy the security patch immediately after testing.

One way to stay on top of releases is to subscribe to the Microsoft Security Notification Service, which you access at http://register.microsoft.com/subscription/subscribeme.asp?ID=135. The notification service sends you an e-mail when a new security bulletin is released.

All e-mails from the Microsoft Security Notification Service are signed with a Pretty Good Privacy (PGP) key. The Microsoft PGP key is available at http://www.microsoft.com/technet/security/MSRC.asc. You can verify Microsoft's PGP key by inspecting its fingerprint, which is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432.

In addition to the Microsoft Security Notification Service, several other notification services can inform you when new security issues arise for Windows NT 4.0, Windows 2000, and Windows XP:

  • NTBugtraq

    The http://www.ntbugtraq.com Web site, hosted by Russ Cooper, maintains a mailing list that discusses security bugs and exploits in Microsoft Windows NT 4.0, Windows 2000, and Windows XP.

  • Computer Emergency Response Team (CERT) Advisory Mailing List

    CERT maintains its own mailing list that notifies participants when computer-related security problems arise. You can subscribe to the CERT Advisory Mailing List at http://www.cert.org/contact_cert/certmaillist.html.

Step 2. Assessment

Once you identify the release of a security patch, you must determine whether the vulnerability affects your company and whether your computers require the patch. As mentioned earlier, you can utilize the Microsoft security bulletin rating system to assist in this decision. If a security bulletin is rated as critical or important, you should consider immediately applying the patch once you have tested it.

After testing, you must identify which computers require patch application. In many ways, this is the most difficult part of patch management. Keeping manual records of which patches and service packs are applied to every network computer is not possible if you have a large number of computers. Sometimes just determining which OS a computer is running is a challenge, never mind which service packs and security patches are applied.

Keeping an inventory of your systems assists you in planning patch deployment. By categorizing your computer systems, you can quickly identify how many computers are affected by a reported vulnerability. For example, if Microsoft releases a new security bulletin relating to a bug in Microsoft Exchange 2000 Server, it will be useful to know how many instances of Exchange 2000 Server are on the network, as well as their physical location and which service packs and hotfixes are current.

By utilizing software such as Microsoft's Systems Management Server (SMS), you can create a detailed inventory of network computers. The inventory information should help you determine which service packs and hotfixes are applied to each computer.

For detailed information on the SMS Software Update Services Feature Pack, see the SMS Software Update Services Feature Pack section in Chapter 23, Using Patch Management Tools.

Based on the inventory, you can categorize computers into common collections for deploying service packs and hotfixes. For example, creating a collection of all Windows 2000 based computers will assist in the deployment of the latest Windows 2000 Service Pack.

Step 3. Obtainment

Once you identify the computers you must patch, you must obtain the patches or service pack files. The online location you choose to download from will depend on several factors, including which application or OS is affected by the patch, whether all network computers are connected to the Internet, and whether you have a service pack or hotfix deployment solution in operation.

The following locations are available for downloading service packs and hotfixes:

  • Microsoft Windows Update

  • Microsoft Office Product Updates

  • Microsoft Download Center

Windows Update

Windows Update is available for the download and application of Windows 2000 security updates, hotfixes, and service packs. In addition to downloading and installing patches, you can also use the Windows Update Catalog to download patches for future application. The Windows Update Catalog provides a searchable collection of updates that can be installed on Windows-based computers across your home network or corporate network. The Windows Update Catalog allows you to download service packs, security updates, and driver updates without installing them on the local computer. Instead, the files are downloaded into a folder containing instructions for future installations.

Enabling the Windows Update Catalog

By default, the Windows Update Catalog is not enabled when you connect to the Windows Update Web site (http://windowsupdate.microsoft.com). To enable the Windows Update Catalog, you must use the following procedure:

  1. Open Microsoft Internet Explorer.

  2. Open http://windowsupdate.microsoft.com.

  3. In the left-hand pane of the Microsoft Windows Update site, click Personalize Windows Update.

  4. In the details pane, enable the Display The Link To The Windows Update Catalog Under See Also check box.

  5. In the details pane, click the Save Settings button.

This procedure will add a link to the Windows Update Catalog in the left-hand pane of the Microsoft Windows Update site, under the heading of See Also.

Using the Windows Update Catalog

The Windows Update Catalog allows you to find patches for Microsoft Windows operating systems and hardware device drivers. You can download updates for specific operating systems, including the following:

  • The 64-bit version of the Windows Server 2003 family

  • Windows Server 2003 family

  • The 64-bit version of Windows XP

  • Windows XP family

  • Windows 2000 family

  • Windows Me

  • Windows 98

In addition to selecting the OS version, you can choose to download localized versions of the updates by indicating the preferred language for the updates. You can search for updates based on the date they were posted to the Windows Update Web site, on the keywords in the update descriptions, and by the type of update (such as critical updates, service packs, and recommended updates).

As mentioned, you can also use the Windows Update Catalog to download updated device drivers. You can select these device drivers based upon the type of hardware. For example, you can select network drivers by manufacturer, OS, language, date posted, and specific keywords.

Once you select the desired OS and device driver updates, you can download updates to your download basket. The Windows Update Catalog allows you to designate a local folder for downloads. The files are stored in the folder structure shown in Figure 22-1.

Figure 22-1. The folder structure created for the Windows Update Catalog

The folder structure created by the Windows Update Catalog depends upon whether you download a Windows OS update or a device driver update. Below the folder you select as the download location (in this example, \Download), the Windows Update Catalog creates one of two folders. For OS updates, a folder named Software is created, as shown in Figure 22-1. For device driver updates, a folder named Drivers is created.

Below this top-level folder, the next level of folders is based on the language selected. As Figure 22-1 shows, the English (EN) version of the update was downloaded. The next two levels of folders designate the update's OS version. The example shown in Figure 22-1 is a Windows 2000 update designated by two folders: com_microsoft.windows2000 and x86win2k.

The final folder designates the actual downloaded update. The update's name indicates the related Microsoft Knowledge Base article, the update's intended OS, the update's service pack version, and a unique identifier number. As shown in Figure 22-1, the update relates to 311967, Unchecked Buffer in the Multiple UNC Provider. The update is intended for Windows 2000 computers and is included in Windows 2000 Service Pack 3. If the update is an updated device driver, the final folder's name is assigned by the updated device driver's manufacturer.

Microsoft Office Product Updates

The Microsoft Office Product Updates site provides updates, add-ins, extras, converters, and viewers for Microsoft Office 97, Office 98, Office 2000, and Office 2002. The updates can be selected by individual Office software components or by the entire Office suite.

To download Microsoft Office updates to your computer, use the following procedure:

  1. Open Internet Explorer.

  2. Open http://office.microsoft.com/ProductUpdates/default.aspx.

  3. Select the Office product and version updates you want to download.

  4. Select whether to download updates, add-ins and extras, or converters and viewers for the selected Office component.

  5. Select the individual updates from the list of available downloads.

    You also have the option to view downloads from other providers. The Microsoft Office Product Updates site also displays a list of third-party updates for the Office suite components.

The Microsoft Office Product Updates site does not download the update files into any specific folder structure. You must designate a custom location for the download.

Microsoft Download Center

The Microsoft Download Center (www.microsoft.com/downloads/) allows you to search for other software and updates from Microsoft. As with the Microsoft Office Product Updates, you must manually designate a download location.

The following update categories are available from the Microsoft Download Center:

  • Games

    Includes trial versions and updates for games from Microsoft.

  • Microsoft DirectX

    Includes updates and the latest versions of DirectX. DirectX provides innovations in graphics, sound, music, and 3-D animation for gaming and graphics.

  • Internet

    Includes updates for all Internet-based applications, such as Windows Messenger and Internet Explorer.

  • Windows (security and updates)

    Includes security updates for any components of Windows. This includes service packs, Internet Explorer updates, and security updates.

  • Windows Media

    Includes updates and codecs for Windows Media Player for various operating systems.

  • Drivers

    Includes updated drivers for Microsoft hardware, as well as updates for common OS components, such as Microsoft Data Access Components (MDAC).

  • Office and home applications

    Includes updates for Microsoft Office and other home applications, such as Microsoft MapPoint.

  • Mobile devices

    Includes updates for the Palm PC, Microsoft ActiveSync, and Windows CE.

  • Macintosh and other platforms

    Includes updates of software for Macintosh, Solaris, and Unix computers.

  • Server applications

    Includes updates for Microsoft BackOffice components, such as Microsoft SQL Server, Microsoft Exchange Server, Microsoft Systems Management Server (SMS), and Microsoft SharePoint Portal Server.

  • System management tools

    Includes updates for Windows management, including Windows Installer, the Internet Information Services (IIS) Lockdown Tool, and Sysprep.

  • Development resources

    Includes updates for Microsoft Visual Basic, the Microsoft .NET Framework, and Microsoft Visual Studio.

Each download category presents a list of the five most popular downloads. You can also search for a download by specific products, technologies, and keywords.

Step 4. Testing

In an enterprise network, you cannot take the risk of deploying service packs or hotfixes without testing them in your environment. Testing ensures that the application of a service pack or hotfix does not create any undesired side effects.

To ensure that the testing is valid, consider implementing the following measures:

  • Deploy a test network.

    A test network contains computers with the standard configuration used on your network. This ensures that a hotfix or service pack will not cause issues with other applications installed on a standard desktop computer.

  • Implement a pilot project.

    Service packs should be tested by a subset of your network computers. The subset will determine whether the service pack causes any issues on the corporate network for the affected computers.

    Typically, you should perform pilot projects only for service packs, not for hotfixes or security roll-ups.

Once this initial testing is completed, you can start the deployment of the service pack or hotfix to all affected computers.

Step 5. Deployment

Once you download and test the necessary hotfixes or service pack, you must install them on the affected computers. As mentioned earlier, you can determine the affected computers on your network by reviewing your computer inventory. The method you use to deploy a hotfix or service pack will depend on whether your company uses manual or automated distribution.

This chapter discusses only the manual deployment of service packs or hotfixes. For detailed information on automating service pack or hotfix distribution, see Chapter 23.

Installing Service Packs

The latest Windows 2000 Service Pack can be downloaded from http://www.microsoft.com/windows2000/downloads/servicepacks/. This site lists all available Windows 2000 service packs, including the latest version.

Once you choose the latest version of the Windows 2000 Service Pack, you must decide whether to download the Express Installation or Network Installation version. Express Installation detects the target computer's system components and then downloads only the required components. For example, if the computer is running Windows 2000 Professional, updates exclusively for Windows 2000 Server are not downloaded. The Network Installation download includes all updated files for Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server. This version is recommended for updating multiple computers on a network.

To install the latest service pack by using Express Installation, use the following process:

  1. In Internet Explorer, open http://www.microsoft.com/windows2000/downloads/servicepacks.

  2. In the list of service packs, click the link for the most recent Windows 2000 Service Pack.

  3. To download the latest version of the Windows 2000 Service Pack, click the Download link.

    You can also order the latest Windows 2000 Service Pack on CD.

  4. In the ensuing Web page, choose the language version of the service pack and click Go.

  5. To install a Windows 2000 Service Pack by using Express Installation, click the Express Installation link. If you want to download the Network Installation version of the service pack, click the Network Installation link. If you click the Express Installation link, a minimal installation file is downloaded to the local computer. This launches the Windows 2000 Service Pack Setup Wizard.

  6. On the Welcome To The Windows 2000 Service Pack Setup Wizard page, click Next.

  7. On the License Agreement page, read the agreement and click I Agree and then click Next.

  8. In the Select Options dialog box, click Archive Files and then click Next.

    This option archives all replaced files in the %windir%\$NTServicePackUninstall$ folder, allowing you to uninstall the service pack if post-installation issues arise. The installation then proceeds with an inspection of the current configuration to determine which files are required for the service pack installation.

  9. When the installation is complete, click Restart Now.

Other Methods of Installing a Service Pack

If you download the Network Installation version of a service pack, you can extract the service pack files from the downloaded executable by running w2ksp#.exe -x (where # is the service pack version number). Once you extract the service pack files, you can run \download folder\i386\Update\Update.exe to install. If you have not extracted the service pack files, run \download folder\w2ksp#.exe (where # is the service pack version number).

Alternatively, you can use the packaged \download folder\i386\Update\Update.msi file to deploy the service pack to Windows 2000 computer accounts in a software installation Group Policy object (GPO). By assigning the Update.msi package to a GPO applied to an OU with computer accounts, you can deploy the service pack through Group Policy.

Installing Hotfixes

All Windows 2000 hotfixes, whether released prior to or since Windows 2000 Service Pack 3, are packaged in a format that automatically installs the hotfix when you run the downloaded hotfix executable. The executable automatically extracts all files related to the hotfix and installs them. The following two subsections discuss the manual installation of hotfixes on computers.

Installing Hotfixes Released Prior to Windows 2000 Service Pack 3

Hotfixes released prior to Windows 2000 Service Pack 3 are installed by using Hotfix.exe. When you install a hotfix, you can use several command-line switches to customize the installation. The available command-line switches for hotfixes released prior to Windows 2000 Service Pack 3 include:

  • /f

    Causes all other programs to quit when the computer is shut down.

  • /l

    Displays a list of all hotfixes currently installed on the computer.

  • /m

    Performs an unattended hotfix installation.

  • /n

    Prevents the computer from archiving previous versions of files replaced by the hotfix. (This switch prevents the uninstallation of the hotfix.)

  • /q

    Performs the installation in quiet mode. (Quiet mode does not require user interaction.)

  • /y

    Uninstalls the hotfix. (This option must be used with /m or /q.)

  • /z

    Prevents the computer from restarting after installation.

When performing an unattended hotfix installation, you typically use the following command line:

Hotfix.exe /m /q /z

This command line allows the installation of multiple hotfixes in a single batch file.

Hotfix.exe does not perform version control when you install multiple hotfixes. If you create a batch process that installs multiple hotfixes, you must ensure that the last line of the batch file is QChain.exe. QChain.exe ensures that if a file is modified by multiple hotfixes, the most recent version is maintained when the computer restarts. For more information on QChain.exe, see 296861, Use QChain.exe to Install Multiple Hotfixes with Only One Reboot.

Installing Hotfixes Released Since Windows 2000 Service Pack 3

Hotfixes released after Windows 2000 Service Pack 3 are installed by using the Update.exe program. The Update.exe program includes the QChain.exe functionality, eliminating the need to run QChain.exe if multiple hotfixes are installed by a batch-file method. Update.exe is also used as the hotfix installation method for Windows XP hotfixes.

The following command-line switches are available when you install a hotfix released since Windows 2000 Service Pack 3:

  • -u

    Performs the installation in unattended mode.

  • -f

    Forces all other programs to quit when the computer shuts down.

  • -n

    Prevents the archiving of previous versions of files replaced by the hotfix. (This switch prevents the uninstallation of the hotfix.)

  • -o

    Overwrites original equipment manufacturer (OEM) files without prompting.

  • -z

    Prevents the computer from restarting after the hotfix installation. (This option allows the application of multiple hotfixes without rebooting.)

  • -q

    Performs an unattended installation but does not show the user interface during the installation process.

  • -l

    Lists all hotfixes currently installed on the computer.

Step 6. Validation

Once you complete the hotfix installation, verify that it was installed successfully. Numerous methods to determine whether a hotfix is correctly applied to a computer exist, including the following:

  • Inspect the file system.

    When a hotfix is installed so that the previous versions of replaced files are archived, the archived files are stored in the %windir%\$NTUninstallQ######$ folder, where ###### is the related Microsoft Knowledge Base article number. If the folder exists, you can assume the hotfix was applied correctly. Be aware that this does not prevent the updated version from being replaced by an incorrect version at a later time, especially with hotfixes released prior to Service Pack 3 that do not have QChain.exe functionality.

  • Inspect the registry.

    When a hotfix is successfully installed, the installation program registers the hotfix in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q###### registry key, where ###### is the related Microsoft Knowledge Base article. As with inspecting the file system, examining the registry does not detect whether updated files are later replaced.

  • Use hotfix diagnosis tools.

    To inspect the system for currently applied hotfixes and determine which hotfixes are required for your computer, you can use hotfix diagnosis tools, such as the command-line version of the Microsoft Baseline Security Analyzer (Mbsacli.exe), Shavlik's hotfix network checker HfNetChk.exe (found at http://www.shavlik.com), and the tools found on the Microsoft Windows Update Web site (http://windowsupdate.microsoft.com). These tools can determine whether a hotfix needs reapplication by inspecting the checksums of the updated files.

    For more information on using these patch management tools, see Chapter 23.
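The two validation checks above (the $NTUninstallQ######$ folder and the Hotfix\Q###### registry key), combined with the Windows Update Catalog folder layout from the Obtainment step, as an added Python example that is not code from the book: it parses the catalog download paths to learn which Knowledge Base articles you obtained, then classifies each against host evidence. The update folder names, the Contoso driver folder, the host evidence, and the KB number 123456 are constructed assumptions; only the Q###### token in the folder name is relied on.

```python
"""Added example (not from the book): reconcile hotfixes obtained through the
Windows Update Catalog with the file-system and registry evidence that the
Validation step describes. Sample paths and host evidence are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed download paths. Layout per the chapter:
# <download folder>\<Software|Drivers>\<language>\<OS folder>\<arch>\<update>.
# The update folder naming beyond the Q###### token is an assumption.
SAMPLE_DOWNLOADS = [
    r"\Download\Software\EN\com_microsoft.windows2000\x86win2k\q311967_w2k_sp3_x86_en_0001",
    r"\Download\Software\EN\com_microsoft.windows2000\x86win2k\q296861_w2k_sp3_x86_en_0002",
    r"\Download\Drivers\EN\com_microsoft.windows2000\x86win2k\contoso_nic_5.1",  # constructed
]

@dataclass
class CatalogUpdate:
    kind: str          # "Software" (OS update) or "Drivers"
    language: str      # e.g. EN
    os_folder: str     # e.g. com_microsoft.windows2000
    arch: str          # e.g. x86win2k
    name: str          # final folder name
    kb: Optional[str]  # Knowledge Base article number; None for drivers

KB_IN_NAME = re.compile(r"q(\d{6})", re.IGNORECASE)

def parse_catalog_path(path: str) -> CatalogUpdate:
    """Split one downloaded update path into the catalog's folder levels."""
    parts = path.strip("\\").split("\\")
    if len(parts) < 6 or parts[1] not in ("Software", "Drivers"):
        raise ValueError(f"not a Windows Update Catalog layout: {path}")
    _root, kind, language, os_folder, arch, name = parts[:6]
    m = KB_IN_NAME.search(name)
    return CatalogUpdate(kind, language, os_folder, arch, name, m.group(1) if m else None)

def expected_hotfixes(paths: Iterable[str]) -> Set[str]:
    """KB numbers of the OS updates you obtained (drivers carry no Q-number)."""
    return {u.kb for u in map(parse_catalog_path, paths) if u.kind == "Software" and u.kb}

def _kbs(names: Iterable[str], pattern: str) -> Set[str]:
    matcher = re.compile(pattern).fullmatch
    return {m.group(1) for m in map(matcher, names) if m}

def validate(expected: Set[str], uninstall_folders: Iterable[str],
             hotfix_subkeys: Iterable[str]) -> Dict[str, str]:
    r"""Classify each expected KB by the two Step 6 evidence sources:
    the %windir%\$NTUninstallQ######$ folder and the subkey under
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix. As the chapter
    notes, neither proves the patched files were not replaced later."""
    in_fs = _kbs(uninstall_folders, r"\$NTUninstallQ(\d{6})\$")
    in_reg = _kbs(hotfix_subkeys, r"Q(\d{6})")
    verdict = {}
    for kb in sorted(expected):
        hits = (kb in in_fs) + (kb in in_reg)
        verdict[kb] = {2: "installed", 1: "partial", 0: "missing"}[hits]
    return verdict

def collect_live_evidence():
    """Gather real evidence on a Windows host (assumption: rights to read
    %windir% and HKLM). Not used by the constructed sample below."""
    import os, winreg
    folders = os.listdir(os.environ["windir"])
    hotfix_key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, hotfix_key) as key:
        subkeys = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    return folders, subkeys

if __name__ == "__main__":
    # Constructed host evidence: 311967 fully registered, 296861 archived only.
    folders = ["$NTServicePackUninstall$", "$NTUninstallQ311967$", "$NTUninstallQ296861$"]
    print(validate(expected_hotfixes(SAMPLE_DOWNLOADS), folders, ["Q311967"]))
```

A "partial" verdict is worth investigating rather than accepting: one evidence source without the other usually means an interrupted or manually undone installation.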



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
