The Process of Updating Network Software CHapTER 23 1107Discovering Updates The security update process starts when Microsoft releases or updates a security bulletin.. If Microsoft relea
Trang 1Troubleshooting the Windows Update Client CHapTER 23 1103
4. If you can reach the WSUS server, verify that the client is configured correctly If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop msc) to check the computer’s effective configuration Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings Figure 23-5 shows the RSOP snap-in
FIgURE 23-5 Use the RSOP snap-in to verify Windows Update configuration
5. If you think WSUS is not configured correctly, verify the IIS configuration WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS This
virtual directory, called the self-update tree, holds the latest WSUS client For this reason,
a Web site must be running on port 80, even if you put the WSUS Web site on a custom port The Web site on port 80 does not have to be dedicated to WSUS In fact, WSUS uses the site on port 80 only to host the self-update tree To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server Next, type the following at the command prompt of the WSUS server
cscript <WSUSInstallationDrive>:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs
MoRe inFo For more information about troubleshooting WSUS, visit
http://technet.microsoft.com/en-us/library/cc708554.aspx.
If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle You can do this using the Services console or by running the following two commands
net stop wuauserv net start wuauserv
Within 6 to 10 minutes, Windows Update will attempt to contact your update server
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 2CHapTER 23 Managing Software Updates
1104
The Process of Updating Network Software
You must plan to update every network feature that uses software This naturally includes client and server operating systems and applications, but it also includes routers, firewalls, wireless access points, and switches To keep your systems up to date, follow these steps:
1. Assemble an update team
2. Inventory all software in your organization, and then contact each software vendor and determine its process of notifying customers of software updates Some vendors will notify you of updates directly via e-mail, but others require you to check a Web site regularly Assign individuals to identify software updates on a regular basis For example, someone on your team should be responsible for checking every software vendor’s Web site for new updates on at least a weekly basis
3. Create an update process for discovering, evaluating, retrieving, testing, installing, auditing, and removing updates Although most of the process will be the same for all vendors, you might have to customize parts of the process to accommodate different uptime and testing requirements for servers, clients, and network equipment As an example, this chapter will thoroughly document the update process to use for Microsoft operating system updates
This resource kit focuses only on updating the Windows 7 operating system However, your process should include the ability to manage updates for other operating systems, ap-plications, and network devices The sections that follow discuss these steps in more detail
assembling the Update Team
Identifying individuals with the right mix of technical and project management skills for deploying updates is one of the first decisions that you and your company’s management will make Even before staffing can begin, however, you need to identify the team roles,
or areas of expertise, required for update management Microsoft suggests using the Microsoft Solutions Framework (MSF) team model, which is based on six interdependent, multidisciplinary roles: product management, program management, development, testing, user experience, and release management This model applies equally well to both Microsoft and non-Microsoft software
n Program management The program management team’s goal is to deliver updates
within project constraints Program management is responsible for managing the update schedule and budget, reporting status, managing project-related risk factors (such as staff illnesses), and managing the design of the update process
n Development The development team builds the update infrastructure according to
specification The team’s responsibilities include specifying the features of the update infrastructure, estimating the time and effort required to deploy the update infrastruc-ture, and preparing the infrastructure for deployment
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 3The Process of Updating Network Software CHapTER 23 1105
n Testing The testing team ensures that updates are released into the production
en-vironment only after all quality issues are identified and resolved The team’s bilities include developing the testing strategy, designing and building the update lab, developing the test plan, and conducting tests
responsi-n User experience The user experience team ensures that the update process meets
the users’ needs The team gathers, analyzes, and prioritizes user requirements and complaints
n Release management The release management team is responsible for deploying
the updates In large environments, the release management team also designs and manages a pilot deployment of an update to ensure that the update is sufficiently stable for deployment into the production environment
The MSF team roles are flexible; they can be adapted to your organization’s own processes and management philosophy In a small organization or a limited deployment, one individual might play multiple roles In larger organizations, a team might be required to perform all of the tasks assigned to each role
MoRe inFo For more information about the MSF team model, visit
2083c768e9ab.
For each computer in your environment, gather the following information:
n Operating system Document the operating system version and update level
Remember that most routers, firewalls, and switches have operating systems Also document which optional features, such as IIS, are installed
n Applications Document every application installed on the computer, including
versions and updates
n Network connectivity Document the networks to which the computer is connected,
including whether the computer is connected to the public Internet, whether it connects
to other networks across a virtual private network (VPN) or dial-up connection, and whether it is a mobile computer that might connect to networks at other locations
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 4CHapTER 23 Managing Software Updates
1106
n Existing countermeasures Firewalls and virus checkers might already protect a
computer against a particular vulnerability, making the update unnecessary For walls, document the firewall configuration, including which ports are open
fire-n Site If your organization has multiple sites, you can choose to deploy updates to
computers from a server located at each site to optimize bandwidth usage Knowing at which site a computer or piece of network equipment is located allows you to deploy the updates efficiently
n Bandwidth Computers connected across low-bandwidth links have special
require-ments You can choose to transfer large updates during nonbusiness hours For dial-up users, it might be more efficient to bypass the network link and transfer updates on removable media, such as CD-ROMs
n Administrator responsibility You must understand who is responsible for
deploy-ing updates to a particular device and who will fix a problem if the device fails durdeploy-ing the update process If others are responsible for individual applications or services, make note of that as well
n Uptime requirements Understand any service-level agreements or service-level
guarantees that apply to a particular device and whether scheduled downtime counts against the total uptime This will enable you to prioritize devices when troubleshoot-ing and testing updates
n Scheduling dependencies Applying updates requires planning systems to be
offline This can be a disruption for users, even if the device requires only a quick reboot Understand who depends on a particular device so that you can clear downtime with that person ahead of time
Some of this information, including operating system and installed applications, can be gathered in an automated fashion Most network management tools have this capability, including Configuration Manager 2007 R2 You can also inventory Microsoft software on a computer by using Microsoft Software Inventory Analyzer (MSIA), a free download
MoRe inFo For information about MSIa, visit http://www.microsoft.com/resources/sam
/msia.mspx.
Creating an Update process
Deploying updates involves more than just choosing a technology to install the updates An effective update process involves planning, discussion, and testing Although you should use your organization’s existing change-management process (if one exists), this section will describe the fundamental steps of an update process The sections that follow describe each
of these steps in more detail
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 5The Process of Updating Network Software CHapTER 23 1107
Discovering Updates
The security update process starts when Microsoft releases or updates a security bulletin Reissued bulletins that have a higher severity rating should be evaluated again to determine whether an already-scheduled security release should be reprioritized and accelerated You might also initiate the security update process when a new service pack is released
You can be notified of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services You can register for this service from the following
Web site: http://www.microsoft.com/technet/security/bulletin/notify.mspx If you subscribe to
this service, you will receive automatic notification of security issues by e-mail Note that you will never receive the update as an attachment from Microsoft E-mail is easy to spoof, so Microsoft includes a digital signature that can be verified However, it’s generally easier to simply check the Microsoft Web site to ensure that the bulletin is officially listed
In addition, use non-Microsoft sources to receive an objective opinion of vulnerabilities The following sources provide security alert information:
n Security alert lists, especially SecurityFocus (http://www.securityfocus.com)
n Security Web sites, such as http://www.sans.org and http://www.cert.org
n Alerts from antivirus software vendors
Evaluating Updates
After you learn of a security update, you need to evaluate the update to determine which computers at your organization, if any, should have the update applied Read the information that accompanies the security bulletin and refer to the associated Knowledge Base article after it is released
Next, look at the various parts of your environment to determine whether the vulnerability affects the computers on your network You might not be using the software that is being updated, or you might be protected from the vulnerability by other means, such as a fire-wall For example, if Microsoft releases a security update for Microsoft SQL Server and your company doesn’t use SQL Server (and it’s not a requirement for other installed applications), you don’t need to act If Microsoft releases a security update for the Server service but you have blocked the vulnerable ports by using Windows Firewall, you don’t necessarily need to apply the update (although applying the update will provide an important additional layer
of protection) As an alternative, you might decide that applying the update is not the best countermeasure for a security vulnerability Instead, you might choose to add a firewall or adjust firewall filtering rules to limit the vulnerability’s exposure
Determining whether an update should be applied is not as straightforward as you might think Microsoft updates are free downloads, but applying an update does have a cost: You will need to dedicate time to testing, packaging, and deploying the update In larger orga-nizations, applying a software update to a server requires that many hours be dedicated to justifying the update and scheduling the associated downtime with the groups who use the server
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 6CHapTER 23 Managing Software Updates
1108
Any type of update also carries the risk of something going wrong when the update is applied In fact, any time you restart a computer, there is a small risk that the computer won’t start up successfully There’s also the very real risk that the update will interfere with exist-ing applications This risk, fortunately, can be offset by extensively testing the update before applying it Deciding not to apply a security update also has a cost: an increased risk of a security vulnerability being exploited
Besides testing, you can offset the risk that an update will cause problems by having a plan to roll back the update When evaluating an update, determine whether the release can
be easily uninstalled if it causes a problem that isn’t identified during testing Functionality for uninstalling updates can vary from fully automated uninstall support, to manual uninstall procedures, to no uninstall If an update cannot be uninstalled, your only option might be
to restore the computer from a recent backup Regardless of the uninstall method required for an update, ensure that you have a defined rollback plan in case the deployment doesn’t match the success encountered in the test environment
To be prepared for the worst, verify that you have recent backups of all computers that will be updated and that you are prepared to restore those systems if the update cannot be removed successfully It’s not likely that an update will cause your systems to fail completely and require them to be restored from backup, but it is a circumstance that you must be prepared to handle Choosing whether to apply an update is such a complicated, yet critical, decision that larger organizations should create a security committee that collectively determines which updates should be applied The committee should consist of employees who are familiar with the update requirements of each different type of computer on your network For example, if you have separate organizations that manage desktop and client computers, both organiza-tions should have a representative on the committee If separate individuals manage each of the Web, messaging, and infrastructure servers on your network, each person should have input into whether a particular update is applied Ask members from your database teams, networking groups, and internal audit teams to play an active role—their experience and expertise can be an asset in determining risk Depending on your needs, the committee can discuss each update as it is released, or it can meet on a weekly or biweekly basis
If the committee determines that an update needs to be deployed, you then need to termine the urgency In the event of an active attack, you must make every effort to apply the update immediately before your system is infected If the attack is severe enough, it might even warrant removing vulnerable computers from the network until the update can be applied
de-Speeding the Update Process
If it usually takes your organization more than a few days to deploy an update, ate an accelerated process for critical updates Use this process to speed or bypass time-consuming testing and approval processes If a vulnerability is currently being exploited by a quickly spreading worm or virus, deploying the update immediately could save hundreds of hours of recovery time.
cre-Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 7The Process of Updating Network Software CHapTER 23 1109
Retrieving Updates
After you decide to test and/or deploy an update, you must retrieve it from Microsoft If you are using WSUS as your deployment mechanism, WSUS can download the update automatically If you are deploying updates by using another mechanism, download the update from a trusted Microsoft server
Testing Updates
After applying an update or group of updates to your test computers, test all applications and functionality The amount of time and expense that you dedicate to testing the update should be determined by the potential damage that can be caused by a problematic update deployment There are two primary ways you can test an update: in a test environment and
in a pilot deployment A test environment consists of a test lab or labs and includes test plans, which detail what you will test, and test cases, which describe how you will test each feature Organizations that have the resources to test updates in a test environment should always
do so because it will reduce the number of problems caused by update incompatibility with applications Even if your organization does not have the resources to test critical updates and security updates, always test service packs before deploying them to production computers The test lab can be made up of a single lab or of several labs, each of which supports test-ing without presenting risk to your production environment In the test lab, members of the testing team can verify their deployment design assumptions, discover deployment problems, and improve their understanding of the changes implemented by specific updates Such activities reduce the risk of errors occurring during deployment and allow the members of the test team to rapidly resolve problems that might occur while deploying an update or after applying an update
Many organizations divide their testing teams into two subteams: the design team and the deployment team The design team collects information that is vital to the deployment process, identifies immediate and long-term testing needs, and proposes a test lab design (or recommends improvements to the existing test lab) The deployment team completes the process by implementing the design team’s decisions and then testing new updates on an ongoing basis
During the beginning of the lifetime of the update test environment, the deployment team will test the update deployment process to validate that the design is functional Later, after your organization identifies an update to be deployed, the deployment will test the individual updates to ensure that all of the updates are compatible with the applications used in your environment
An update test environment should have computers that represent each of the major computer roles in your organization, including desktop computers, mobile computers, and servers If computers within each role have different operating systems, have each operating system available on either dedicated computers, a single computer with a multiboot configu-ration, or in a virtual desktop environment
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 8CHapTER 23 Managing Software Updates
1110
After you have a set of computers that represent each of the various types of computers
in your organization, connect them to a private network You will also need to connect test versions of your update infrastructure computers For example, if you plan to deploy updates
by using WSUS, connect a WSUS server to the lab network Load every application that users will use onto the lab computers and develop a procedure
to test the functionality of each application For example, to test the functionality of Internet Explorer, you can visit both the Microsoft Web site and an intranet Web site Later, when test-ing updates, you will repeat this test If one of the applications fails the test, the update you are currently testing might have caused a problem
note If you will be testing a large number of applications, identify ways to automate the testing of updates by using scripting.
In addition to testing your implementation of an update, conducting a pilot deployment provides an opportunity to test your deployment plan and the deployment processes It helps you to determine how much time is required to install the update as well as the personnel and tools needed to do so It also provides an opportunity to train support staff and to gauge user reaction to the update process For example, if a particular update takes an hour for a dial-up user to download, you might have to identify an alternative method for delivering the update to the user
note The more significant the update, the more important it is to use a pilot program Service packs, in particular, require extensive testing both in and out of the lab.
Besides testing the update yourself, subscribe to mailing lists and visit newsgroups quented by your peers People tend to report problems with updates to these forums before
fre-an official fre-announcement is made by Microsoft If you do discover a problem, report it to Microsoft Historically, Microsoft has fixed and re-released security updates that have caused serious problems On the other hand, Microsoft support might be able to suggest an alterna-tive method for reducing or eliminating the vulnerability
Installing Updates
After you are satisfied that you have sufficiently tested an update, you can deploy it to your production environment During the installation process, be sure to have sufficient support staff to handle problems that might arise Have a method in place to monitor the progress
of the updates, and have an engineer ready to resolve any problems that occur in the update deployment mechanism Notify network staff that an update deployment is taking place so that they are aware of the cause of the increased network utilization
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 9The Process of Updating Network Software CHapTER 23 1111
3. Uninstall updates if necessary Updates that introduce instabilities to your production environment should be removed if possible For instructions, refer to the section titled
“How to Remove Updates” earlier in this chapter
4. Reactivate release mechanisms After resolving update issues, reactivate the ate release mechanism to redeploy updates Security bulletins issued by Microsoft will always indicate whether an update can be uninstalled Because reverting computers to
appropri-a previous stappropri-ate is not appropri-alwappropri-ays possible, pappropri-ay close appropri-attention to this detappropri-ail before deploying
an update that cannot be uninstalled When a simple uninstall process is not available for a security update, ensure that the nec-essary provisions are in place for reverting your critical computers back to their original states
in the unlikely event that a security update deployment causes a computer to fail These visions might include having spare computers and data backup mechanisms in place so that a failed computer can be rebuilt quickly
pro-auditing Updates
After you deploy an update, it is important to audit your work Ideally, someone who is not responsible for deploying the update should perform the actual audit This reduces the possibility that the person or group responsible for deploying the update would unintentionally overlook the same set of computers during both update deployment and auditing; it would also reduce the likelihood of someone deliberately covering up oversights
or mistakes Auditing an update that resolves a security vulnerability can be done in one of two ways The simplest way to audit is to use a tool, such as MBSA, to check for the presence of the update This can also be done by checking the version of updated files and verifying that the version matches the version of the file included with the update
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 10CHapTER 23 Managing Software Updates
to computers that do not meet specific security requirements, such as having the latest updates, and to distribute the updates to the client computer so that they can safely join the intranet For more information about Network access protection, refer to Chapter 25 You can use Nap with a Windows Server 2008 infrastructure as
described in Windows Server 2008 networking and network Access Protection (nAP)
(Microsoft press, 2008).
How Microsoft Distributes Updates
Microsoft continually works to reduce the risk of software vulnerabilities in its software, including Windows 7 This section describes the different types of updates released
by Microsoft It also describes the Microsoft product life cycle, which affects update management because Microsoft stops releasing security updates for a product at the end
of its life cycle
Security Updates
A security update is an update that the Microsoft Security Response Center (MSRC) releases
to resolve a security vulnerability Microsoft security updates are available for customers
to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article
MoRe inFo For more information about the MSRC, visit http://www.microsoft.com
/security/msrc/default.mspx.
A Microsoft security bulletin notifies administrators of critical security issues and abilities and is associated with a security update that can be used to fix the vulnerability Security bulletins generally provide detailed information about whom the bulletin concerns, the impact and severity of the vulnerability, and a recommended course of action for affected customers
vulner-Security bulletins usually include the following pieces of information:
n Title The title of the security bulletin, in the format MSyy-###, where yy is the last
two digits of the year and ### is the sequential bulletin number for that year
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 11How Microsoft Distributes Updates CHapTER 23 1113
n Summary Information about who should read the bulletin, the impact of the
vulner-ability and the software affected, the maximum severity rating, and the MSRC’s mendation on how to respond to the bulletin The severity rating of a bulletin gauges the maximum risk posed by the vulnerability that the update fixes This severity level can be Low, Moderate, Important, or Critical The MSRC judges the severity of a vulner-ability on behalf of the entire Microsoft customer base The impact a vulnerability has
recom-on your organizatirecom-on might be more or less serious than this severity rating
n Executive summary An overview of the individual vulnerabilities discussed in the
security bulletin and their severity ratings One security bulletin might address multiple, related vulnerabilities that are fixed with a single update
n Frequently asked questions Discusses updates that are replaced, whether you can
audit the presence of the update using MBSA or Configuration Manager 2007 R2, cycle information, and other relevant information
life-n Vulnerability details The technical details of the vulnerabilities, a list of mitigating
factors that might protect you from the vulnerability, and alternative workarounds that you can use to limit the risk if you cannot install the update immediately One of the most important pieces of information in this section is whether there are known, active exploits that attackers can use to compromise computers that haven’t been updated If you are unable to install the update immediately, you should read this section carefully
to understand the risk of managing a computer that hasn’t been updated
n Security update information Instructions on how to install the update and what
files and configuration settings will be updated Refer to this section if you need to deploy updated files manually or if you are configuring custom auditing to verify that the update has been applied to a computer
MoRe inFo If you are not familiar with the format of security bulletins, take some time
to read current bulletins You can browse and search bulletins at http://www.microsoft.com
/technet/security/current.aspx.
In addition to security bulletins, Microsoft also creates Knowledge Base articles about security vulnerabilities Knowledge Base articles generally include more detailed information about the vulnerability and step-by-step instructions for updating affected computers From time to time, Microsoft releases security advisories Security advisories are not as-sociated with a security update Instead, advisories communicate security guidance that might not be classified as a vulnerability to customers
Update Rollups
At times, Microsoft has released a significant number of updates between service packs It is cumbersome to install a large number of updates separately, so Microsoft releases an update rollup to reduce the labor involved in applying updates An update rollup is a cumulative
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 12CHapTER 23 Managing Software Updates
Service packs
A service pack is a cumulative set of all of the updates that have been created for a Microsoft product A service pack also includes fixes for other problems that have been found by Microsoft since the release of the product In addition, a service pack can contain customer-requested design changes or features Like security updates, service packs are available for download and are accompanied by Knowledge Base articles
The chief difference between service packs and other types of updates is that service packs are strategic deliveries, whereas updates are tactical That is, service packs are carefully planned and managed—the goal is to deliver a well-tested, comprehensive set of fixes that is suitable for use on any computer In contrast, security updates are developed on an as-needed basis to combat specific problems that require an immediate response
note Service packs undergo extensive regression testing that Microsoft does not form for other types of updates However, because they can make significant changes to the operating system and add new features, they still require extensive testing within your environment.
per-Microsoft does not release a service pack until it meets the same quality standards as the product itself Service packs are constantly tested as they are built, undergoing weeks or months
of rigorous final testing that includes testing in conjunction with hundreds or thousands of Microsoft products Service packs also undergo a beta phase, during which customers participate
non-in the testnon-ing If the testnon-ing reveals bugs, Microsoft will delay the release of the service pack Even though Microsoft tests service packs extensively, they frequently have known ap-plication incompatibilities However, they are less likely to have unknown application incom-patibilities It is critical that you review the service pack release notes to determine how the service pack might affect your applications
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 13How Microsoft Distributes Updates CHapTER 23 1115
Because service packs can make substantial changes to Windows 7, thorough testing and
a staged deployment are essential After Microsoft releases a service pack for beta, begin testing it in your environment Specifically, test all applications, desktop configurations, and network connectivity scenarios If you discover problems, work with Microsoft to identify the problem further so that Microsoft can resolve the issues before the service pack is released After the service pack is released, you need to test the production service pack carefully before deploying it
While testing a newly released service pack, stay in touch with the IT community to understand the experiences of organizations that deploy the service pack before you Their experiences can be valuable for identifying potential problems and refining your deployment process to avoid delays and incompatibilities Microsoft security updates can be applied to systems with the current or previous service pack so you can continue with your usual Microsoft update process until after you have deployed the new service pack
MoRe inFo For more information about the Microsoft TechNet IT professional
Community, visit http://www.microsoft.com/technet/community/.
After testing, you should use staged deployments with service packs, just as you would for any major change With a staged deployment, you install the service pack on a limited number of computers first Then, you wait days or weeks for users to discover problems with the service pack If a problem is discovered, you should be prepared to roll back the service pack by uninstalling it Work to resolve all problems before distributing the service pack to a wider audience
Microsoft product Life Cycles
Every product has a life cycle, and, at the end of the product life cycle, Microsoft stops providing updates However, this doesn’t mean that no new vulnerabilities will be discovered
in the product To keep your network protected from the latest vulnerabilities, you will need
to upgrade to a more recent operating system Microsoft offers a minimum of five years of mainstream support from the date of a product’s general availability When mainstream support ends, businesses have the option
to purchase two years of extended support In addition, online self-help support, such as the Knowledge Base, will still be available
Security updates will be available through the end of the extended support phase at no additional cost for most products You do not have to have an extended support contract
to receive security updates during the extended support phase For more information on
the Windows 7 product life cycle, see http://support.microsoft.com/gp/lifeselectwin When
planning future operating system upgrades, you must keep the product life cycle in mind, particularly the period during which security updates will be released
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 14CHapTER 23 Managing Software Updates
1116
You have to stay reasonably current on updates to continue to receive Microsoft support because Microsoft provides support only for the current service pack and the one that im-mediately precedes it This support policy allows you to receive existing hotfixes or to request new hotfixes for the currently shipping service pack, the service pack immediately preceding the current one, or both during the mainstream phase
Summary
Networks and the Internet are constantly changing In particular, network security threats continue to evolve, and new threats are introduced daily Therefore, all software must change constantly to maintain high levels of security and reliability
Microsoft provides tools for managing Windows 7 software updates for home users, small organizations, and large enterprises Regardless of the organization, the Windows Update client in Windows 7 is responsible for downloading, sharing, and installing updates Small organizations can download updates directly from Microsoft to a Windows 7 computer, which will then share the update with other computers on the same LAN Larger organizations, as well as organizations that must test updates prior to installation, can use WSUS to identify, test, and distribute updates Combined with AD DS Group Policy settings, you can manage updates centrally for an entire organization
n See the MBSA 2 1 Web site at https://www.microsoft.com/mbsa for more information
and to download MBSA
n “MBSA 2 0 Scripting Samples” at http://www.microsoft.com/downloads /details.aspx?familyid=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042 includes
examples of how to create complex auditing scripts using MBSA
n The Configuration Manager 2007 R2 Web site at https://www.microsoft.com/sccm
includes more information about using Configuration Manager 2007 R2
n “Microsoft Update Product Team Blog” at http://blogs.technet.com/mu provides the
latest Microsoft Update news direct from the Microsoft Update product team
n “WSUS Product Team Blog” at http://blogs.technet.com/wsus/ has the latest WSUS
news
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 15Additional Resources CHapTER 23 1117
On the Companion Media
Trang 17C H A P T E R 2 4
Managing Client protection
n Understanding the Risk of Malware 1119
n User Account Control 1121
n AppLocker 1142
n Using Windows Defender 1149
n Network Access Protection 1159
to provide better manageability of client security
Understanding the Risk of Malware
Malware (as described in Chapter 2, “Security in Windows 7”) is commonly spread in several different ways:
n Included with legitimate software Malware is often bundled with legitimate
software For example, a peer-to-peer file transfer application might include potentially unwanted software that displays advertisements on a user’s com-puter Sometimes, the installation tool might make the user aware of the malware (although users often do not understand the most serious compromises, such
as degraded performance and compromised privacy) Other times, the fact that unwanted software is being installed might be hidden from the user (an event
known as a non-consensual installation) Windows Defender, as described later
in this chapter, can help detect both the legitimate software that is likely to be bundled and the potentially unwanted software bundled with it, and it will notify Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 18CHapTER 24 Managing Client Protection
1120
the user about the software running on their system Additionally, when UAC is active, standard user accounts will not have sufficient privileges to install most dangerous applications
n Social engineering Users are often tricked into installing malware A common
technique is to attach a malware installer to an e-mail and provide instructions for installing the attached software in the e-mail For example, the e-mail might appear to come from a valid contact and indicate that the attachment is an important security update E-mail clients such as Microsoft Office Outlook now prevent the user from run-ning executable attachments Modern social engineering attacks abuse e-mail, instant messages, social networking, or peer-to-peer networks to instruct users to visit a Web site that installs the malware, either with or without the user’s knowledge The most effective way to limit the impact of social engineering attacks is to train users not to install software from untrustworthy sources and not to visit untrusted Web sites Addi-tionally, UAC reduces the user’s ability to install software, AppLocker can prevent users from running untrusted software, and Windows Defender makes users more aware of when potentially unwanted software is being installed For more information about social engineering, read “Behavioral Modeling of Social Engineering–Based Malicious
Software” at http://www.microsoft.com/downloads /details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73
note Windows Xp Service pack 2 (Sp2), Windows Vista, and Windows 7 support using Group policy settings to configure attachment behavior The relevant Group policy settings are located in User Configuration\administrative Templates
\Windows Components\attachment Manager.
n Exploiting browser vulnerabilities Some malware has been known to install itself
without the user’s knowledge or consent when the user visits a Web site To accomplish this, the malware needs to exploit a security vulnerability in the browser or a browser add-on to start a process with the user’s or system’s privileges, and then use those privileges to install the malware The risk of this type of exploit is significantly reduced
by Windows Internet Explorer Protected Mode in Windows Vista and Windows 7 ditionally, the new Internet Explorer 8 feature, SmartScreen, can warn users before they visit a malicious site For more information about Internet Explorer, read Chapter 20,
Ad-“Managing Windows Internet Explorer ”
n Exploiting operating system vulnerabilities Some malware might install itself by
exploiting operating system vulnerabilities For example, many worms infect computers
by exploiting a network service to start a process on the computer and then install the malware The risks of this type of exploit are reduced by UAC, explained in this chapter, and Windows Service Hardening, described in Chapter 26, “Configuring Windows Firewall and IPsec ”
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 19User Account Control CHapTER 24 1121
User Account Control
Most administrators know that users should log on to their computers using accounts that are members of the Users group, but not the Administrators group By limiting your user ac-count’s privileges, you also limit the privileges of any applications that you start—including software installed without full consent Therefore, if you can’t add a startup application, neither can a malicious process that you accidentally start
With versions of Windows prior to Windows Vista, however, not being a member of the Administrators group could be very difficult, for a few reasons:
n Many applications would run only with administrative privileges
n Running applications with elevated privileges required users to either right-click the icon and then click Run As or create a custom shortcut, which is inconvenient, requires training, and requires that the user has a local administrator account (largely defeating the purpose of limiting privileges)
n Many common operating system tasks, such as changing the time zone or adding a printer, required administrative privileges
UAC is a feature of Windows Vista and Windows 7 that improves client security by making
it much easier to use accounts without administrative privileges At a high level, UAC offers the following benefits:
n Most applications can now run without administrative privileges Applications
created for Windows Vista or Windows 7 should be designed to not require istrator credentials Additionally, UAC virtualizes commonly accessed file and registry locations to provide backward compatibility for applications created for earlier versions
admin-of Windows that still require administrator credentials For example, if an application attempts to write to a protected portion of the registry that will affect the entire com-puter, UAC virtualization will redirect the write attempt to a nonprotected area of the user registry that will affect only that single application
n Applications that require administrative privileges automatically prompt the user for administrator credentials For example, if a standard user attempts to
open the Computer Management console, a User Account Control dialog box pears and prompts for administrator credentials, as shown in Figure 24-1 If the current account has administrator credentials, the dialog box prompts to confirm the action before granting the process administrative privileges
ap-Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 20CHapTER 24 Managing Client Protection
1122
FIgURE 24-1 UAC prompts standard users for administrator credentials when necessary
n Users no longer require administrative privileges for common tasks Windows
Vista and Windows 7 have been improved so that users can make common types of configuration changes without administrator credentials For example, in earlier versions
of Windows, users needed administrator credentials to change the time zone In Windows Vista and Windows 7, any user can change the time zone, which is important for users who travel Changing the system time, which has the potential to be malicious, still requires administrator credentials, however
n Operating system features display an icon when administrator credentials are required In earlier versions of Windows, users were often surprised when an aspect
of the operating system required more privileges than they had For example, users might attempt to adjust the date and time, only to see a dialog box informing them that they lack necessary privileges In Windows Vista and Windows 7, any user can open the Date And Time properties dialog box However, users need to click a but-ton to change the time (which requires administrative privileges), and that button has
a shield icon indicating that administrative privileges are required Users will come to recognize this visual cue and not be surprised when they are prompted for credentials
n If you log on with administrative privileges, Windows Vista and Windows 7 will still run applications using standard user privileges by default Most users
should log on with only standard user credentials If users do log on with an account that has Administrator privileges, however, UAC will still start all processes with only user privileges Before a process can gain administrator privileges, the user must con-firm the additional rights using a UAC prompt
Table 24-1 illustrates the key differences in the behavior of Windows 7 with UAC installed when compared to Windows XP
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 21User Account Control CHapTER 24 1123
TABlE 24-1 Behavior Changes in Windows 7 with UAC When Compared to Windows XP
When logged on as a standard user, istrators could run administrative tools by right-clicking the tool’s icon, clicking Run
admin-As, and then providing administrative credentials
Standard users open administrative tools without right-clicking UAC then prompts the user for administrator credentials All users can still explicitly start an application with administrator credentials by right-clicking, but it is rarely necessary
Using a standard user account could be a nuisance, especially for technical or mobile users
Standard accounts can perform many tasks that previously required elevation, and Windows 7 prompts users for administrator credentials when required
When a user was logged on as a standard user, an application that needed to change
a file or setting in a protected location would fail
When a user is logged on as a standard user, UAC provides virtualization for important parts of the system, allowing the applica-tion to run successfully while protecting the operating system integrity
If a specific Windows feature required administrative privileges, the entire tool required administrative privileges
Windows 7 displays the UAC shield on tons to warn users that the feature requires elevated privileges
but-When a user was logged on as an administrator, all applications ran with administrative privileges
When a user is logged on as an tor, all applications run with standard user privileges UAC confirms elevated privileges before starting a non-Windows tool that requires administrative privileges Windows features that require administrative privileges automatically receive elevated privileges without prompting the user
administra-As described in Chapter 2, Windows 7 can reduce the number of UAC prompts when compared to Windows Vista Instead of requiring multiple prompts for a file operation that performs multiple administrative tasks, all prompts are merged into a single prompt Similarly, prompts from Internet Explorer are merged When logged on as an administrator, you will no longer be prompted when Windows functions require administrator credentials Addition-ally, there are now four levels of UAC notifications to choose from, as discussed later in the chapter
The sections that follow describe UAC behavior in more detail
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 22CHapTER 24 Managing Client Protection
1124
UaC for Standard Users
Microsoft made many changes to the operating system so that standard users could perform almost any day-to-day task Tasks that standard users can do without receiving a UAC prompt that requires administrative privileges in Windows XP include:
n Viewing the system clock and calendar
n Changing the time zone
n Connecting to wired or wireless networks
n Connecting to virtual private networks (VPNs)
n Changing display settings and the desktop background
n Changing their own passwords
n Installing critical Windows updates
n Installing device drivers that have been staged
n Scheduling tasks
n Adding printers and other devices that have the required drivers installed on the computer or that are allowed by an administrator in Group Policy
n Installing ActiveX Controls from sites approved by an administrator
n Playing or burning CDs and DVDs (configurable with Group Policy settings)
n Connecting to another computer with Remote Desktop
n Configuring battery power options on mobile computers
n Configuring accessibility settings
n Configuring and using synchronization with a mobile device
n Connecting and configuring a Bluetooth device
n Restoring backed-up files from the same userAdditionally, disk defragmentation is scheduled to happen automatically in the back-ground, so users do not need privileges to initiate a defragmentation manually
Some of the common tasks standard users cannot do include:
n Installing and uninstalling applications
n Installing device drivers that have not been staged
n Installing noncritical Windows updates
n Changing Windows Firewall settings, including enabling exceptions
n Configuring Remote Desktop access
n Restoring system files from a backup
n Installing ActiveX controls from sites not approved by an administrator
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 23User Account Control CHapTER 24 1125
note To install activeX controls in Internet Explorer, start Internet Explorer by clicking the icon and then clicking Run as administrator after installing the activeX control, close Internet Explorer and reopen it using standard privileges after it is installed, the activeX control will be available to standard users.
right-The Power Users group still exists in Windows Vista and Windows 7 However, Windows Vista and Windows 7 remove the elevated privileges Therefore, you should make users members of the Users group and not use the Power Users group at all To use the Power Users group on Windows 7, you must change the default permissions on system folders and the registry to grant Power Users group permissions equivalent to Windows XP
diReCt FRoM tHe SoURCe
Bypassing UAC
aaron Margosis, Senior Consultant
Microsoft Consulting Services
The frequently asked question, “Why can’t I bypass the UaC prompt?” is often accompanied by statements like one or more of the following:
n “We want our application to run elevated automatically without prompting the user.”
n “I don’t get why I can’t authorize an application once and be done with it.”
n “UNIX has setuid root, which lets you run privileged programs securely.”
The designers of UaC expressly decided not to incorporate functionality like setuid/suid
or sudo found in UNIX and Mac OS X I think they made the right decision.
as I’m sure everyone knows, large parts of the Windows ecosystem have a long legacy of assuming that the user has administrative permissions, and consequently
a lot of programs work correctly only when they are run that way as computer security has become increasingly important, breaking that cycle with Windows Vista became absolutely imperative Indeed, the primary purpose of the technologies that comprise UaC is to enable standard user privileges to be the default for Windows, encouraging software developers to create applications that do not require administrative privileges.
If it were possible to mark an application to run with silently elevated privileges, what would become of all the existing applications that require administrative privileges? They’d all be marked to elevate silently How would future software for Windows be written? To elevate silently Few developers would fix their applica- tions, and user applications would continue to require and run with full administra- tive permissions unnecessarily.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 24CHapTER 24 Managing Client Protection
1126
“Well, so what? We’re only talking about applications I approved!” OK, let’s say that’s true, but how do you ensure that malware that has infected the user’s session cannot drive an application programmatically to take over the system? Ensuring strict behavioral boundaries for complex software running with elevated privileges
is incredibly difficult, and ensuring that it is free of exploitable design and mentation bugs is far beyond the capabilities of software engineering today The complexity and risk compounds when you consider how many applications have ex- tensibility points that load code that you or your IT administrator may not be aware
imple-of, or that can load code or consume data from user-writable areas with minimal if any validation.
We expect that in ordinary day-to-day usage, users should rarely, if ever, see tion prompts, because most should rarely, if ever, have to perform administrative tasks—and never in a well-managed enterprise Elevation prompts are to be ex- pected when setting up a new system or installing new software Beyond that, they should be infrequent enough that they catch your attention when they occur, and not simply trigger a reflexive approval response This will increasingly be the case
eleva-as more software conforms to leeleva-ast-privilege norms, and eleva-as improvements in the Windows user experience further reduces prompting.
Excerpted from http://blogs.msdn.com/windowsvistasecurity/archive/2007/08/09
/faq-why-can-t-i-bypass-the-uac-prompt.aspx.
UaC for administrators
UAC uses Admin Approval Mode to help protect administrators from malicious and tially unwanted software When an administrator logs on, Windows 7 generates two access tokens:
poten-n Standard user access token This token is used to start the desktop (Explorer exe)
Because the desktop is the parent process for all user-initiated processes, any tions the user launches also use the standard user access token, which does not have privileges to install software or make important system changes
applica-n Full administrator access token This token has almost unlimited privileges to the
local computer This token is used only after the user confirms a UAC prompt
note as described in the section titled “How to Configure User account Control” later in this chapter, you can change the default behavior to suit your needs.
To test this, open two command prompts: one with standard privileges and one with
administrative privileges In each command prompt, run the command whoami /all The
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 25User Account Control CHapTER 24 1127
command prompt with administrative privileges will show a membership in the tors group The standard command prompt will not show that group membership
Administra-If the administrator attempts to start an application that requires administrative rights (as identified in the application’s manifest, described later), UAC prompts the administrator to grant additional rights using the consent prompt, as shown in Figure 24-2 If the user chooses
to grant elevated privileges to an application, the Application Information service creates the new process using the full administrator access token The elevated privileges will also apply
to any child processes that the application launches Parent and child processes must have the same integrity level For more information about integrity levels, read Chapter 20
FIgURE 24-2 By default, Admin Approval Mode prompts administrators to confirm elevated privileges
note The application Information service must be running to start processes with elevated privileges.
By default, Windows 7 silently elevates privileges for Windows features that require istrator credentials when an administrator is logged on Therefore, you can start the Computer Management console without responding to a UAC prompt if you are a member of the Administrators group If you attempt to start a non-Windows application or if you manually start a Windows feature with administrator credentials that is not manifested for auto-elevation, such as Paint or a command prompt, you will still receive a UAC prompt
admin-Command prompts require special consideration, because UAC will not prompt you to elevate privileges if you attempt to run a command that requires administrative rights To run
a command with administrative rights, right-click Command Prompt on the Start menu and then click Run As Administrator The command prompt that opens will include Administrator
in the title, helping you identify the window on your taskbar
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.