Case Scenario Exercise

In this exercise, you will read a scenario about a company's patch management challenge and then answer the questions that follow. The questions are intended to reinforce key information presented in this chapter. If you are unable to answer a question, review the lessons and try the question again. You can find answers to the questions in the 'Questions and Answers' section at the end of this chapter.

Scenario

You were recently hired by the chief security officer (CSO) of Wide World Importers to improve the overall security of their Windows network. Up until about two years ago, World Wide Importers had a large staff of systems engineers responsible for maintaining the security on the network. Unfortunately, budget cutbacks caused World Wide Importers to lay off most of the staff. With fewer staff, the engineers were forced to focus on troubleshooting problems. Security became a secondary priority, especially auditing and maintaining patch levels.

During the past two years, several worms and viruses have infected large numbers of both desktop and server computers. The CSO wants you to first implement an effective update deployment and maintenance infrastructure. Currently, Wide World Importers has one Active Directory domain, 30 servers, and about a thousand desktop and mobile computers at seven locations around the world. All computers are running Windows 2000, Windows XP, or Windows Server 2003.

Questions

1. What method will you implement to deploy updates?

   1. Provide detailed instructions to end users on how to download and install updates from the Microsoft Web site as they become available.

   2. Configure the Automatic Updates client to download and install updates from Windows Update when they become available.

   3. Deploy an SUS server at each location, and configure the Automatic Updates client to download and install updates from the local SUS server.

   4. Deploy updates using the Software Installation functionality built into GPOs.

2. How will you configure the Automatic Updates client?

   1. Provide detailed instructions to end users, instructing them to right-click My Computer, click Properties, click the Automatic Updates tab, and then specify the configuration settings.

   2. Provide detailed instructions to end users, instructing them to use the registry editor to modify the registry values to configure the Automatic Updates client.

   3. Use GPOs to deploy a .reg file containing registry values to configure the Automatic Updates client.

   4. Use GPOs to configure the Windows Update administrative template to configure the Automatic Updates client.

3. How will you ensure that newly installed computers are updated?

4. How will you determine whether clients are being successfully updated?

   1. Provide detailed instructions to end users, instructing them to use Add/ Remove Programs to identify updates that have been installed and compare that list against the list of available updates on Windows Update.

   2. Visit random computers, and view the version numbers of system files to verify that updates have been applied.

   3. Use the graphical MBSA console to scan when you have free time available. Configure MBSA to check only the updates that have been approved on SUS servers.

   4. Schedule the command-line MBSACLI utility to scan all of Wide World Importers subnets once per week, and examine the reports the following morning. Use the /sus command-line parameter to force MBSACLI to check only those updates approved on your SUS servers.