Windows System Patch Management Policy

Windows System Patch Management Policy

(Note: I have been sorting out some of my previous articles over the past few days. Some of them may be outdated and may not be strange, but they still have some reference value)

 

Most of my friends who are familiar with computers know that one thing that is often done after the Windows operating system is installed is to install patches for windows on the Windows Update Website, otherwise, various vulnerabilities pose a major threat to the system. However, unfortunately, many people do not have such awareness and have neglected to patch the system. This also indirectly caused the virus to run rampant. For example, the previous "Shock Wave" virus used the RPC vulnerability of Microsoft software to write and spread the virus, however, before these viruses spread widely, Microsoft released patches for the corresponding software and provided free downloads. As long as users can regularly access the Windows Update Website to install patches, these viruses will not be infected, but many people have neglected this. Fortunately, after this lesson, more people know the importance of "Patching", but the problem is coming again.

Microsoft's upgraded servers are deployed abroad. Sometimes, due to network reasons, the speed for domestic users to connect to servers is very slow. It takes more than an hour to download patches, low efficiency. On the other hand, for enterprises with a large number of computers, each computer is connected to Microsoft's server to download a large number of patches, which is also a great burden on the network bandwidth of enterprises, moreover, enterprises with high security requirements do not allow clients to access the Internet. Therefore, Windows Patch Management requires manual operations by network administrators, which is not only troublesome but also inefficient, from the management perspective, there are too many uncontrollable contents.

After a period of research, we have found some methods and means to solve this problem.

1. Use the SUS service provided by Microsoft

Microsoft's SUS (Software Update Service) service can build a server similar to the Update Server provided by Microsoft in the enterprise. The current sus version is 1.0 SP1, sus2.0 will be available next year.

SUS is divided into server and client.

The server software is mainly used to synchronize with Microsoft's Update Server and complete the patch distribution function to clients in the enterprise.

The client is mainly used to query the patches to be updated from the Update Server and complete the corresponding installation process.

 

Server program installation overview.

Can Users download http://www.microsoft.com/downloads/details.aspx at the following URL? Familyid = A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C & displaylang = en

 

During installation, Microsoft recommends the following configurations:

Hardware: CPUs above MHz clock speed, memory above MB, hard disk space above 6 GB

Software: Windows 2000 Server SP2 or a later operating system, Windows Server 2003, IIS 5 or later, and IE 5.5 or later

SUS has high hardware requirements, but the hardware configuration recommended by Microsoft can provide upgrade services for 15000 computers at the same time. Therefore, if your network is not so large, the hardware conditions can be relaxed as appropriate. On the other hand, for 6 GB hard disk space, this is used to save patch files in all languages, if your network only has a computer in the Simplified Chinese version or English version of the operating system, then you can save hard disk space by setting and not downloading patch files in other languages. (However, I think that the 6 GB hard disk is relatively small in actual use, and the patch in two languages occupies 1 GB space, the space for installing the operating system is hard to say)

You can directly double-click the installation program sus10sp1.exe to start the installation process. Note that for security reasons, the system disk of the SUS server and the hard disk partition that stores the SUS patch files must be the NTFS file system. In addition, if you install sus on the Windows 2000 server operating system, the installer will also install the IIS Lockdown tool for you. This is a software to improve IIS security.

After the installation is successful, you only need to locally or remotely type http: // server name/susadmin in IE. (if it is remote, enter the corresponding user name and password) you can open the SUS server management interface. (See figure 1)

 

 

First, configure the server, click "set options" under the "Other Options" menu on the left side of the main interface, and then open the configuration interface (see figure 2 ).

 

In general, we do not need to modify anything. Note the following two items:

1. "select how you want to handle new versions of previusly approved updates ". Under this option, we can set the actions to be taken after a patch that has been reviewed and released has a new version. If you think that all new patches can be directly released without testing, select "automatically approve new versions of previusly approved updates" here "; otherwise, select "do not automatically approve new versions of approved updates. I will manually approve these updates later ", so that if there are new versions of the patch, these new versions of the program will not be released immediately, wait for the Administrator to verify, and then manually release.

2. "select where you want to store updates ". Under this configuration option, you can set how to save the patch. You can simply select "maintain the updates on a Microsoft Windows Update Server", so that the patch download of the SUS server will be fully synchronized with the Microsoft Server, we recommend that you select "Save the updates to a local folder" and select only the patch language you need. This will reduce additional downloads.

 

 

After the server configuration is complete, you need to synchronize the server. Click "Synchronize server" on the left of the main interface to open the synchronization interface (see figure 3)

 

Click "Synchronize now" to start synchronization immediately. Click "synchronization schedule" to open the scheduled synchronization interface. You can choose to start the synchronization process at the appropriate time.

After synchronization, if you select "automatically approve new versions of previusly approved updates" during the configuration process, the new patch can be released immediately, otherwise, click "approve updates" on the left of the main interface to open the patch release interface (see figure 4 ).

 

All the downloaded patches are listed here. The status of the patch is displayed on the right of each patch. If it is "approved", it indicates that the patch has been tested, and approve the release. If a patch is in the "not approved" status, you need to test and install the patch. If everything works properly, select the check box before the patch name, click the "approve" button in the lower right corner to complete the release process.

 

In this way, the SUS server configuration is basically completed.

 

Client Program configuration overview.

Windows 2000 SP2 and Windows XP, first you need to install a sus client program, the user can go to the following URL to download (http://download.microsoft.com/download/win2000platform/Update/June2002/NT5/CN/WUAU22CHS.msi); for Windows 2000 SP3 and later versions, for Windows XP SP1 and later versions and Windows Server 2003, you do not need to install the client. You can directly set it in the Group Policy.

Enter "gpedit. MSC open the Group Policy Editor, expand "Computer Configuration"-"manage template" in sequence, right-click "manage template", and select "Add/delete template ", click "add" and find the wuau under the % WINDIR % "INF directory. ADM file, double-click Add. Continue to open "Windows Components"-"Windows Update" (this item only appears after the client software is installed and added ), two available policies are displayed on the right side of the window. "Automatic configuration Update" allows you to set the Update Time and processing method, and "specify the internal Internet of the Enterprise ..." This parameter is used to specify the server location. You can enter the server location in the form of "http: // server name" or "http: // server IP Address.

If your network size is large and you use Active Directory management, the setting is more convenient.

Enter "DSA. MSC and press enter to open the Active Directory user and computer settings window, right-click the desired domain, select "properties", and then open the "Group Policy" tab in the Properties window, click "new" to name the new policy. Select the new group policy and click "edit". A group policy setting window is displayed, which is similar to running gpedit. the window opened by MSC is similar. However, you can set group policies for all computers in the entire domain. In this window, expand "Computer Configuration"-"management template"-"Windows Components"-"Windows Update ", then, by setting the policy, you can set the SUS client configuration parameters for all computers in the login domain.

After some of the above settings, the patch management of the entire enterprise network is more convenient and easy.

The following are some precautions during the configuration process.

1. Sus can only provide key updates and service packs for Windows operating systems. drivers and other updates are not included. Other Microsoft products, such as office and exchange, are not upgraded.

2. After the SUS server is installed, other IIS applications may be affected. Therefore, it is best to use an independent server.

3. The client must open the BITS Service. Otherwise, the client cannot download the patch package.

4. client users can go to the following URL (http://ftp.nextwish.org/utils/nwsusutil.zip) to download a tool, extract and directly execute "nwsusutil sus server name" in the console window can directly complete the Group Policy Modification, at the same time, the automatic update process can be started in real time.

 

 

 

2. Use third-party software

SUS can only provide key updates and service packs for Windows operating systems. drivers and other updates are not included. Other Microsoft products, such as office and exchange, are not upgraded. Therefore, we can also use some third-party software to complete the system patch management function.

Third-party software mainly includes Agent installation on the client and no Agent installation.

The Agent installation methods are mainly provided by the following vendors: BigFix's enterprise suite, PatchLink's update and updateexpert. Interested users can download the trial version for testing.

The following describes how to install the agent-free patch upgrade management program.

1. Service Pack manager 2000

Users can go to the following URL to download the use of version (http://www.securitybastion.com/), use version can use 7 days. After the download is complete, install the package directly. After the installation is complete, double-click the "Service Pack manager 2000" shortcut on the desktop to open the main interface of Service Pack manager 2000 (see figure 5 ).

 

The main interface consists of seven parts: OS status, OS info, product status, Product Info, Hotfix profiler, Eventlog, and configuration options.

In OS status, you can select a node in the network and click netquery to query the patch installation status of the node. The premise of the query is that the user gives the corresponding permissions to the node.

After the query scan is complete, the available installation patches will be listed in the window at the lower right corner. You can choose to install.

The system patches of different versions are listed in OS info.

The product status and Product Info lists the patch installation status and patch list of user-defined individual products.

In general, this tool is relatively easy to use and can meet the needs of different users.

2. HFNetChk pro

Users can download the version (http://www.securitybastion.com/) at the following URL, the version can be used for 30 days. After the download is complete, install it directly. For more installation requirements, refer to the installation instructions. Then, double-click the "hfnetchkpro4" shortcut on the desktop to open the main interface of hfnetchkpro4 (see figure 6 ).

 

In the function list on the left, "scan what" can select the machine to be scanned. "scan now" starts the scanning process and pulls the scroll bar to the bottom to view the patch information, select a product of different types to view the patch list of the product.

In addition to the above functions, the tool also includes patch download, distribution, system testing, and other functions. You need to try the specific functions on your own.

In addition to the above two types of software, some free tools such as Microsoft baseline security analyzer or HFNetChk provided by windows can be downloaded from Microsoft's website, it can also detect and manage system patches, but its functions are relatively simple.

The above content is relatively simple and only serves as an example. You can download and try it out.