NU MSIT 458 - Effectively Managing System Configuration

Slide outline: Agenda; What is wrong?; Why are these items problematic?; Infrastructure Overview; Workstation statistics; Deployment Mechanism - Altiris; Altiris Reporting; Alternative Deployment Mechanism - SUS; SUS Reporting; Altiris/SUS Pros and Cons; Logistics; Glossary; Schedule; February Deployment; Current Analysis Methods; Analysis; Slide 18 (untitled); Are patches actually executing?; What happens after patches have executed?; What happens after patches are applied?; Summary and Solutions; Problems; Proposed Future Deployments; Implementation Obstacles; Motivation; IT Costs; Cost Per Employee; Legal Costs/Liability; $$ Damages $$; Questions?

Effectively Managing System Configuration
Fantastic Four: Casey Ford, Mike Lombardo, Ragnar Olson, Maninder Singh

Agenda
• Introduction
• Infrastructure Overview
• Logistics
• Analysis
• Problems/Solutions
• Motivation

What is wrong?
• Monthly Windows Operating System workstation patching policies are not clearly defined
• Significant numbers of machines have not been patched over a month after patches have been released

Why are these items problematic?
• Once Microsoft addresses specific vulnerabilities with monthly operating system updates, hackers can immediately begin work to exploit those vulnerabilities with malicious code.
• Slow or ineffective patch distribution leaves endpoints vulnerable to attack

INFRASTRUCTURE OVERVIEW

Workstation statistics
• K&E has around 1,800 laptop computers that have the potential to leave the confines of the corporate network and risk infection
• K&E has around 1,600 desktop computers that are also at risk even though they are less mobile

Deployment Mechanism - Altiris
Source: Altiris Patch Management 6.0 Solution Guide, https://kb.altiris.com/display/1n/kb/article.asp?aid=18720&n=60&s=

Altiris Reporting
(screenshot slide)

Alternative Deployment Mechanism - SUS
(diagram slide)

SUS Reporting
(screenshot slide)

Altiris/SUS Pros and Cons

Altiris - Pros
• In-place solution
• In-house expertise
• Open DB access with SQL
• Adequate feedback
• Holistic solution
• No cost for adoption

Altiris - Cons
• Delayed reporting
• Potential ambiguity with results
• Limited remediation tools

MS Server Update Service - Pros
• Free with server license
• "Supported OS: Win2k, 2k pro, XP pro, Win 2003, XP-64 Bit"
• Supported Apps: MS Office '03, Exchange '03, Exchange '00
• Downloading automatic or manual, with frequency and product content specs
• Patch type: security updates, non-security updates, service packs, feature packs, driver updates, tools, guidance, dev kits, connectors
• Robust reporting

MS Server Update Service - Cons
• Requires 8GB free space
• IE 6.0 required for running admin console; poor logging
• Agent based, cannot push patch instantly, must wait for check-in
• Does not support NT 4.0 SP4 and older, Office 2k, SQL Server, MSDE, Commerce Server 2k/2003, ISA Server, Biztalk, CMS, HIS, IE, IIS, MDAC, XML, Java VM
• No exporting to different formats of reporting
• Complicated patch process; no reboot

LOGISTICS

Glossary
• Compliant – Machine has received monthly update(s)
• Vulnerable – Machine has not received monthly update(s)
• Bulletin – A collection of related OS updates that have been bundled together by Microsoft

Schedule
• Vulnerability analyses are conducted on each workstation every four hours
  – Results are reported into the Altiris server
• Patches are immediately delivered to machines with vulnerabilities
• Delivered patches are executed at 4PM local time each day
  – Execution schedule is flexible
• To avoid user interruption, we do not force a reboot after patches have been applied, regardless of whether or not it is required.

February Deployment
Timeline (with an "Inactivity!" callout): Patches Released -> Committee Decision -> 4PM Deployment -> Deploy & Test -> 4PM Deployment

Current Analysis Methods
• Compliance statistics are observed, but there are no established metrics against which to measure them.
  – No measures for successful or unsuccessful patch distributions
• There are no clearly-defined remediation policies.

ANALYSIS

Why are there large numbers of vulnerable machines weeks after patches have been applied?

How long does it take for Altiris to notify a machine that it has work to do?
[Chart: "Scheduled Distribution - First 30 Seconds"; x-axis Time Lapsed (Seconds), 0:00:01 to 0:00:30; y-axes Number of Executions (0-600) and Cumulative % Executed (0-100%); series Executions and Cumulative % Executed; 94.9% of executions occur within the first 30 seconds]
Arrival times are very fast! Are the patches actually executing?
If a task is scheduled to execute at 4pm, at what time does it actually execute?

Are patches actually executing?
[Chart: "Number of Patch Executions by Update"; series Total Patches and Count of Machines; executions per bulletin: MS10-006 3337, MS10-007 3341, MS10-011 3340, MS10-012 3344, MS10-015 3341]
Patches arrive quickly and have a nearly 95% rate of execution.
If 95% of machines have executed patches, why haven't they applied?

What happens after patches have executed?
[Chart: "Installed Patches In Reboot Pending Status"; series Aggregate Executions (MS10-006 3337, MS10-007 3341, MS10-011 3340, MS10-012 3344, MS10-015 3341) and Reboot Pending 3/2/2010 (1454, 1398, 1453, 1454, 1459); y-axis Count of Machines]
Will this naturally resolve as machines reboot over time?

What happens after patches are applied?
After day 1, the number of reboots decreases dramatically.
Without intervention, it will take over a month for all machines to reach compliance.
[Chart: "Reboots Pending by Update by Day"; series Aggregate Executions and Reboot Pending for 3/2, 3/3, 3/4, 3/5, 3/8, 3/9 and 3/11/2010; y-axis Count of Machines; labelled values: 3/2/2010 1454, 1398, 1453, 1454, 1459; a later day's series 658, 621, 657, 658, 658]

SUMMARY AND SOLUTIONS

Problems
• Patches reach production too slowly
  – Eliminate two-week idle period
• Too many machines in 'Reboot Pending' status
  – Reducing the number of reboot-pending machines will reduce exposure to malicious exploits
• Metrics have not been defined
  – Continue effort to determine benchmark levels

Proposed Future Deployments
Timeline: Patches Released -> Committee Decision -> 4PM Deployment -> Test -> 4PM Deployment -> Remediation -> Firm-wide Reboot

Implementation Obstacles
• Current culture seeks to limit technology impact on user productivity
  – IT changes should occur without user interruption
• Effectiveness of firm-wide communications not easily measurable
  – Are users reading communication emails?
  – Limited precedent for user
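The Analysis and Problems slides read execution rate, reboot-pending count and compliance off charts but note that no metric or remediation policy is defined. As an added example (not from the deck or from Altiris), the following computes those numbers from a constructed per-machine status report and flags machines stuck in reboot-pending status; the record layout, status names and sample rows are assumptions, not the real Altiris schema.

```python
"""Added example: patch-compliance metrics from an Altiris-style report.
Record layout, status names and sample rows are constructed assumptions.
Per the deck's glossary a machine is compliant only once the patch is
installed; 'reboot_pending' counts as executed but not yet applied."""
from collections import defaultdict
from datetime import date

# Status ladder a machine climbs through the 4PM deployment.
STATUS_ORDER = ("vulnerable", "delivered", "executed", "reboot_pending", "installed")

# Constructed sample report: (machine, bulletin, status, date of that status)
SAMPLE_REPORT = [
    ("WS-001", "MS10-006", "installed",      date(2010, 3, 2)),
    ("WS-002", "MS10-006", "reboot_pending", date(2010, 3, 2)),
    ("WS-003", "MS10-006", "reboot_pending", date(2010, 3, 9)),
    ("WS-004", "MS10-006", "vulnerable",     date(2010, 3, 2)),
    ("WS-001", "MS10-007", "installed",      date(2010, 3, 2)),
    ("WS-002", "MS10-007", "reboot_pending", date(2010, 3, 2)),
    ("WS-003", "MS10-007", "delivered",      date(2010, 3, 11)),
    ("WS-004", "MS10-007", "vulnerable",     date(2010, 3, 2)),
]

def bulletin_metrics(report):
    """Per bulletin: machine count, executed (executed or later), reboot
    pending, compliant (installed), plus execution and compliance rates."""
    per = defaultdict(lambda: {"machines": 0, "executed": 0,
                               "reboot_pending": 0, "compliant": 0})
    for _machine, bulletin, status, _when in report:
        m = per[bulletin]
        m["machines"] += 1
        if STATUS_ORDER.index(status) >= STATUS_ORDER.index("executed"):
            m["executed"] += 1
        if status == "reboot_pending":
            m["reboot_pending"] += 1
        if status == "installed":
            m["compliant"] += 1
    for m in per.values():
        m["execution_rate"] = round(m["executed"] / m["machines"], 3)
        m["compliance_rate"] = round(m["compliant"] / m["machines"], 3)
    return dict(per)

def remediation_candidates(report, as_of, max_pending_days=7):
    """Machines in reboot_pending longer than max_pending_days as of a date:
    the set a remediation step or firm-wide reboot would bring into compliance."""
    stuck = set()
    for machine, _bulletin, status, when in report:
        if status == "reboot_pending" and (as_of - when).days > max_pending_days:
            stuck.add(machine)
    return sorted(stuck)
```

Running `bulletin_metrics(SAMPLE_REPORT)` shows why a high execution rate can coexist with low compliance: the gap is exactly the reboot-pending count.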