Troubleshooting the Windows Update Client CHAPTER 23 1103 4. If you can reach the WSUS server, verify that the client is configured correctly. If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to check the computer’s effective configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings. Figure 23-5 shows the RSOP snap-in. FIGURE 23-5 Use the RSOP snap-in to verify Windows Update configuration. 5. If you think WSUS is not configured correctly, verify the IIS configuration. WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client. For this reason, a Web site must be running on port 80, even if you put the WSUS Web site on a custom port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree. To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server. Next, type the following at the command prompt of the WSUS server. cscript <WSUSInstallationDrive>:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs MoRe inFo For more information about troubleshooting WSUS, visit http://technet.microsoft.com/en-us/library/cc708554.aspx. If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following two commands. net stop wuauserv net start wuauserv Within 6 to 10 minutes, Windows Update will attempt to contact your update server. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 23 Managing Software Updates 1104 The Process of Updating Network Software You must plan to update every network feature that uses software. This naturally includes client and server operating systems and applications, but it also includes routers, firewalls, wireless access points, and switches. To keep your systems up to date, follow these steps: 1. Assemble an update team. 2. Inventory all software in your organization, and then contact each software vendor and determine its process of notifying customers of software updates. Some vendors will notify you of updates directly via e-mail, but others require you to check a Web site regularly. Assign individuals to identify software updates on a regular basis. For example, someone on your team should be responsible for checking every software vendor’s Web site for new updates on at least a weekly basis. 3. Create an update process for discovering, evaluating, retrieving, testing, installing, auditing, and removing updates. Although most of the process will be the same for all vendors, you might have to customize parts of the process to accommodate different uptime and testing requirements for servers, clients, and network equipment. As an example, this chapter will thoroughly document the update process to use for Microsoft operating system updates. This resource kit focuses only on updating the Windows 7 operating system. However, your process should include the ability to manage updates for other operating systems, ap- plications, and network devices. The sections that follow discuss these steps in more detail. Assembling the Update Team Identifying individuals with the right mix of technical and project management skills for deploying updates is one of the first decisions that you and your company’s management will make. Even before staffing can begin, however, you need to identify the team roles, or areas of expertise, required for update management. Microsoft suggests using the Microsoft Solutions Framework (MSF) team model, which is based on six interdependent, multidisciplinary roles: product management, program management, development, testing, user experience, and release management. This model applies equally well to both Microsoft and non-Microsoft software. n Program management The program management team’s goal is to deliver updates within project constraints. Program management is responsible for managing the update schedule and budget, reporting status, managing project-related risk factors (such as staff illnesses), and managing the design of the update process. n Development The development team builds the update infrastructure according to specification. The team’s responsibilities include specifying the features of the update infrastructure, estimating the time and effort required to deploy the update infrastruc- ture, and preparing the infrastructure for deployment. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. The Process of Updating Network Software CHAPTER 23 1105 n Testing The testing team ensures that updates are released into the production en- vironment only after all quality issues are identified and resolved. The team’s responsi- bilities include developing the testing strategy, designing and building the update lab, developing the test plan, and conducting tests. n User experience The user experience team ensures that the update process meets the users’ needs. The team gathers, analyzes, and prioritizes user requirements and complaints. n Release management The release management team is responsible for deploying the updates. In large environments, the release management team also designs and manages a pilot deployment of an update to ensure that the update is sufficiently stable for deployment into the production environment. The MSF team roles are flexible; they can be adapted to your organization’s own processes and management philosophy. In a small organization or a limited deployment, one individual might play multiple roles. In larger organizations, a team might be required to perform all of the tasks assigned to each role. MoRe inFo For more information about the MSF team model, visit http://www.microsoft.com/downloads/details.aspx?FamilyID=c54114a3-7cc6-4fa7-ab09- 2083c768e9ab. Inventorying Software After you create an update team, you must inventory the software on your network. Specifically, you need to know which operating systems and applications you have installed to identify updates that need to be deployed. You also need to understand the security requirements for each computer system, including which computers store highly confidential information, which are connected to the public Internet, and which will connect to exterior networks. For each computer in your environment, gather the following information: n Operating system Document the operating system version and update level. Remember that most routers, firewalls, and switches have operating systems. Also document which optional features, such as IIS, are installed. n Applications Document every application installed on the computer, including versions and updates. n Network connectivity Document the networks to which the computer is connected, including whether the computer is connected to the public Internet, whether it connects to other networks across a virtual private network (VPN) or dial-up connection, and whether it is a mobile computer that might connect to networks at other locations. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 23 Managing Software Updates 1106 n Existing countermeasures Firewalls and virus checkers might already protect a computer against a particular vulnerability, making the update unnecessary. For fire- walls, document the firewall configuration, including which ports are open. n Site If your organization has multiple sites, you can choose to deploy updates to computers from a server located at each site to optimize bandwidth usage. Knowing at which site a computer or piece of network equipment is located allows you to deploy the updates efficiently. n Bandwidth Computers connected across low-bandwidth links have special require- ments. You can choose to transfer large updates during nonbusiness hours. For dial-up users, it might be more efficient to bypass the network link and transfer updates on removable media, such as CD-ROMs. n Administrator responsibility You must understand who is responsible for deploy- ing updates to a particular device and who will fix a problem if the device fails during the update process. If others are responsible for individual applications or services, make note of that as well. n Uptime requirements Understand any service-level agreements or service-level guarantees that apply to a particular device and whether scheduled downtime counts against the total uptime. This will enable you to prioritize devices when troubleshoot- ing and testing updates. n Scheduling dependencies Applying updates requires planning systems to be offline. This can be a disruption for users, even if the device requires only a quick reboot. Understand who depends on a particular device so that you can clear downtime with that person ahead of time. Some of this information, including operating system and installed applications, can be gathered in an automated fashion. Most network management tools have this capability, including Configuration Manager 2007 R2. You can also inventory Microsoft software on a computer by using Microsoft Software Inventory Analyzer (MSIA), a free download. MoRe inFo For information about MSIA, visit http://www.microsoft.com/resources/sam /msia.mspx. Creating an Update Process Deploying updates involves more than just choosing a technology to install the updates. An effective update process involves planning, discussion, and testing. Although you should use your organization’s existing change-management process (if one exists), this section will describe the fundamental steps of an update process. The sections that follow describe each of these steps in more detail. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. The Process of Updating Network Software CHAPTER 23 1107 Discovering Updates The security update process starts when Microsoft releases or updates a security bulletin. Reissued bulletins that have a higher severity rating should be evaluated again to determine whether an already-scheduled security release should be reprioritized and accelerated. You might also initiate the security update process when a new service pack is released. You can be notified of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services. You can register for this service from the following Web site: http://www.microsoft.com/technet/security/bulletin/notify.mspx. If you subscribe to this service, you will receive automatic notification of security issues by e-mail. Note that you will never receive the update as an attachment from Microsoft. E-mail is easy to spoof, so Microsoft includes a digital signature that can be verified. However, it’s generally easier to simply check the Microsoft Web site to ensure that the bulletin is officially listed. In addition, use non-Microsoft sources to receive an objective opinion of vulnerabilities. The following sources provide security alert information: n Security alert lists, especially SecurityFocus (http://www.securityfocus.com) n Security Web sites, such as http://www.sans.org and http://www.cert.org n Alerts from antivirus software vendors Evaluating Updates After you learn of a security update, you need to evaluate the update to determine which computers at your organization, if any, should have the update applied. Read the information that accompanies the security bulletin and refer to the associated Knowledge Base article after it is released. Next, look at the various parts of your environment to determine whether the vulnerability affects the computers on your network. You might not be using the software that is being updated, or you might be protected from the vulnerability by other means, such as a fire- wall. For example, if Microsoft releases a security update for Microsoft SQL Server and your company doesn’t use SQL Server (and it’s not a requirement for other installed applications), you don’t need to act. If Microsoft releases a security update for the Server service but you have blocked the vulnerable ports by using Windows Firewall, you don’t necessarily need to apply the update (although applying the update will provide an important additional layer of protection). As an alternative, you might decide that applying the update is not the best countermeasure for a security vulnerability. Instead, you might choose to add a firewall or adjust firewall filtering rules to limit the vulnerability’s exposure. Determining whether an update should be applied is not as straightforward as you might think. Microsoft updates are free downloads, but applying an update does have a cost: You will need to dedicate time to testing, packaging, and deploying the update. In larger orga- nizations, applying a software update to a server requires that many hours be dedicated to justifying the update and scheduling the associated downtime with the groups who use the server. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 23 Managing Software Updates 1108 Any type of update also carries the risk of something going wrong when the update is applied. In fact, any time you restart a computer, there is a small risk that the computer won’t start up successfully. There’s also the very real risk that the update will interfere with exist- ing applications. This risk, fortunately, can be offset by extensively testing the update before applying it. Deciding not to apply a security update also has a cost: an increased risk of a security vulnerability being exploited. Besides testing, you can offset the risk that an update will cause problems by having a plan to roll back the update. When evaluating an update, determine whether the release can be easily uninstalled if it causes a problem that isn’t identified during testing. Functionality for uninstalling updates can vary from fully automated uninstall support, to manual uninstall procedures, to no uninstall. If an update cannot be uninstalled, your only option might be to restore the computer from a recent backup. Regardless of the uninstall method required for an update, ensure that you have a defined rollback plan in case the deployment doesn’t match the success encountered in the test environment. To be prepared for the worst, verify that you have recent backups of all computers that will be updated and that you are prepared to restore those systems if the update cannot be removed successfully. It’s not likely that an update will cause your systems to fail completely and require them to be restored from backup, but it is a circumstance that you must be prepared to handle. Choosing whether to apply an update is such a complicated, yet critical, decision that larger organizations should create a security committee that collectively determines which updates should be applied. The committee should consist of employees who are familiar with the update requirements of each different type of computer on your network. For example, if you have separate organizations that manage desktop and client computers, both organiza- tions should have a representative on the committee. If separate individuals manage each of the Web, messaging, and infrastructure servers on your network, each person should have input into whether a particular update is applied. Ask members from your database teams, networking groups, and internal audit teams to play an active role—their experience and expertise can be an asset in determining risk. Depending on your needs, the committee can discuss each update as it is released, or it can meet on a weekly or biweekly basis. If the committee determines that an update needs to be deployed, you then need to de- termine the urgency. In the event of an active attack, you must make every effort to apply the update immediately before your system is infected. If the attack is severe enough, it might even warrant removing vulnerable computers from the network until the update can be applied. Speeding the Update Process I f it usually takes your organization more than a few days to deploy an update, cre- ate an accelerated process for critical updates. Use this process to speed or bypass time-consuming testing and approval processes. If a vulnerability is currently being exploited by a quickly spreading worm or virus, deploying the update immediately could save hundreds of hours of recovery time. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. The Process of Updating Network Software CHAPTER 23 1109 Retrieving Updates After you decide to test and/or deploy an update, you must retrieve it from Microsoft. If you are using WSUS as your deployment mechanism, WSUS can download the update automatically. If you are deploying updates by using another mechanism, download the update from a trusted Microsoft server. Testing Updates After applying an update or group of updates to your test computers, test all applications and functionality. The amount of time and expense that you dedicate to testing the update should be determined by the potential damage that can be caused by a problematic update deployment. There are two primary ways you can test an update: in a test environment and in a pilot deployment. A test environment consists of a test lab or labs and includes test plans, which detail what you will test, and test cases, which describe how you will test each feature. Organizations that have the resources to test updates in a test environment should always do so because it will reduce the number of problems caused by update incompatibility with applications. Even if your organization does not have the resources to test critical updates and security updates, always test service packs before deploying them to production computers. The test lab can be made up of a single lab or of several labs, each of which supports test- ing without presenting risk to your production environment. In the test lab, members of the testing team can verify their deployment design assumptions, discover deployment problems, and improve their understanding of the changes implemented by specific updates. Such activities reduce the risk of errors occurring during deployment and allow the members of the test team to rapidly resolve problems that might occur while deploying an update or after applying an update. Many organizations divide their testing teams into two subteams: the design team and the deployment team. The design team collects information that is vital to the deployment process, identifies immediate and long-term testing needs, and proposes a test lab design (or recommends improvements to the existing test lab). The deployment team completes the process by implementing the design team’s decisions and then testing new updates on an ongoing basis. During the beginning of the lifetime of the update test environment, the deployment team will test the update deployment process to validate that the design is functional. Later, after your organization identifies an update to be deployed, the deployment will test the individual updates to ensure that all of the updates are compatible with the applications used in your environment. An update test environment should have computers that represent each of the major computer roles in your organization, including desktop computers, mobile computers, and servers. If computers within each role have different operating systems, have each operating system available on either dedicated computers, a single computer with a multiboot configu- ration, or in a virtual desktop environment. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 23 Managing Software Updates 1110 After you have a set of computers that represent each of the various types of computers in your organization, connect them to a private network. You will also need to connect test versions of your update infrastructure computers. For example, if you plan to deploy updates by using WSUS, connect a WSUS server to the lab network. Load every application that users will use onto the lab computers and develop a procedure to test the functionality of each application. For example, to test the functionality of Internet Explorer, you can visit both the Microsoft Web site and an intranet Web site. Later, when test- ing updates, you will repeat this test. If one of the applications fails the test, the update you are currently testing might have caused a problem. note If you will be testing a large number of applications, identify ways to automate the testing of updates by using scripting. In addition to testing your implementation of an update, conducting a pilot deployment provides an opportunity to test your deployment plan and the deployment processes. It helps you to determine how much time is required to install the update as well as the personnel and tools needed to do so. It also provides an opportunity to train support staff and to gauge user reaction to the update process. For example, if a particular update takes an hour for a dial-up user to download, you might have to identify an alternative method for delivering the update to the user. note The more significant the update, the more important it is to use a pilot program. Service packs, in particular, require extensive testing both in and out of the lab. Besides testing the update yourself, subscribe to mailing lists and visit newsgroups fre- quented by your peers. People tend to report problems with updates to these forums before an official announcement is made by Microsoft. If you do discover a problem, report it to Microsoft. Historically, Microsoft has fixed and re-released security updates that have caused serious problems. On the other hand, Microsoft support might be able to suggest an alterna- tive method for reducing or eliminating the vulnerability. Installing Updates After you are satisfied that you have sufficiently tested an update, you can deploy it to your production environment. During the installation process, be sure to have sufficient support staff to handle problems that might arise. Have a method in place to monitor the progress of the updates, and have an engineer ready to resolve any problems that occur in the update deployment mechanism. Notify network staff that an update deployment is taking place so that they are aware of the cause of the increased network utilization. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. The Process of Updating Network Software CHAPTER 23 1111 Removing Updates Despite following proper planning and testing procedures, problems can arise when you deploy an update to production computers. Before you deploy updates, have a plan in place to roll back updates from one, many, or all of the target computers. The main steps for the rollback and redeployment of updates are as follows: 1. Stop the current deployment. Identify any steps necessary for deactivating release mechanisms used in your environment. 2. Identify and resolve any update deployment issues. Determine what is causing an update deployment to fail. The order in which updates are applied, the release mecha- nism used, and flaws in the update itself are all possible causes for a failed deployment. 3. Uninstall updates if necessary. Updates that introduce instabilities to your production environment should be removed if possible. For instructions, refer to the section titled “How to Remove Updates” earlier in this chapter. 4. Reactivate release mechanisms. After resolving update issues, reactivate the appropri- ate release mechanism to redeploy updates. Security bulletins issued by Microsoft will always indicate whether an update can be uninstalled. Because reverting computers to a previous state is not always possible, pay close attention to this detail before deploying an update that cannot be uninstalled. When a simple uninstall process is not available for a security update, ensure that the nec- essary provisions are in place for reverting your critical computers back to their original states in the unlikely event that a security update deployment causes a computer to fail. These pro- visions might include having spare computers and data backup mechanisms in place so that a failed computer can be rebuilt quickly. Auditing Updates After you deploy an update, it is important to audit your work. Ideally, someone who is not responsible for deploying the update should perform the actual audit. This reduces the possibility that the person or group responsible for deploying the update would unintentionally overlook the same set of computers during both update deployment and auditing; it would also reduce the likelihood of someone deliberately covering up oversights or mistakes. Auditing an update that resolves a security vulnerability can be done in one of two ways. The simplest way to audit is to use a tool, such as MBSA, to check for the presence of the update. This can also be done by checking the version of updated files and verifying that the version matches the version of the file included with the update. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 23 Managing Software Updates 1112 Quarantine Control for Computers That Haven’t Been Updated Y ou should require updates for remote computers connecting via dial-up and VPN solutions because they might miss your update and auditing. Windows 7 and Windows Server 2008 both support NAP, which you can use to restrict access to computers that do not meet specific security requirements, such as having the latest updates, and to distribute the updates to the client computer so that they can safely join the intranet. For more information about Network Access Protection, refer to Chapter 25. You can use NAP with a Windows Server 2008 infrastructure as described in Windows Server 2008 Networking and Network Access Protection (NAP) (Microsoft Press, 2008). How Microsoft Distributes Updates Microsoft continually works to reduce the risk of software vulnerabilities in its software, including Windows 7. This section describes the different types of updates released by Microsoft. It also describes the Microsoft product life cycle, which affects update management because Microsoft stops releasing security updates for a product at the end of its life cycle. Security Updates A security update is an update that the Microsoft Security Response Center (MSRC) releases to resolve a security vulnerability. Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article. MoRe inFo For more information about the MSRC, visit http://www.microsoft.com /security/msrc/default.mspx. A Microsoft security bulletin notifies administrators of critical security issues and vulner- abilities and is associated with a security update that can be used to fix the vulnerability. Security bulletins generally provide detailed information about whom the bulletin concerns, the impact and severity of the vulnerability, and a recommended course of action for affected customers. Security bulletins usually include the following pieces of information: n Title The title of the security bulletin, in the format MSyy-###, where yy is the last two digits of the year and ### is the sequential bulletin number for that year. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... Table 24-1 illustrates the key differences in the behavior of Windows 7 with UAC installed when compared to Windows XP 1122 Chapter 24  Managing Client Protection Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Table 24-1  Behavior Changes in Windows 7 with UAC When Compared to Windows XP Windows XP Windows 7 with UAC When logged on as a standard user, administrators could... still exists in Windows Vista and Windows 7 However, Windows Vista and Windows 7 remove the elevated privileges Therefore, you should make users members of the Users group and not use the Power Users group at all To use the Power Users group on Windows 7, you must change the default permissions on system folders and the registry to grant Power Users group permissions equivalent to Windows XP Direct... departments The Windows 7 operating system strives to reduce this cost by using a combination of technologies—including User Account Control (UAC), Windows AppLocker, and Windows Defender Additionally, Microsoft offers Microsoft Forefront separately from Windows 7 to provide better manageability of client security Understanding the Risk of Malware Malware (as described in Chapter 2, “Security in Windows 7 ) is... software, and Windows Defender makes users more aware of when potentially unwanted software is being installed For more information about social engineering, read “Behavioral Modeling of Social Engineering–Based Malicious Software” at http://www.microsoft.com/downloads /details.aspx?FamilyID=e0f 272 60-58da-40db- 878 5-689cf6a05c73 Note  Windows XP Service Pack 2 (SP2), Windows Vista, and Windows 7 support... and reliability Microsoft provides tools for managing Windows 7 software updates for home users, small organizations, and large enterprises Regardless of the organization, the Windows Update client in Windows 7 is responsible for downloading, sharing, and installing updates Small organizations can download updates directly from Microsoft to a Windows 7 computer, which will then share the update with other... purchase PDF Split-Merge on www.verypdf.com to remove this watermark 1121 Figure 24-1  UAC prompts standard users for administrator credentials when necessary n Users no longer require administrative privileges for common tasks  Windows Vista and Windows 7 have been improved so that users can make common types of configuration changes without administrator credentials For example, in earlier versions of Windows, ... purchase PDF Split-Merge on www.verypdf.com to remove this watermark On the Companion Media n ConfigureSoftwareUpdatesSchedule.ps1 n DownloadAndInstallMicrosoftUpdate.ps1 n Get-MicrosoftUpdates.ps1 n Get-MissingSoftwareUpdates.ps1 n ScanForSpecificUpdate.ps1 n TroubleshootWindowsUpdate.ps1 n UninstallMicrosoftUpdate.ps1 Additional Resources  Chapter 23 Please purchase PDF Split-Merge on www.verypdf.com... required administrative privileges UAC is a feature of Windows Vista and Windows 7 that improves client security by making it much easier to use accounts without administrative privileges At a high level, UAC offers the following benefits: n Most applications can now run without administrative privileges  Applications created for Windows Vista or Windows 7 should be designed to not require administrator... within Windows XP without requiring a separate computer You can maximize virtual machines so that they display full screen, providing a similar experience to running the operating system natively Virtual machines perform slightly slower than applications that run natively within Windows, however Windows 7 Professional, Enterprise, and Ultimate operating systems include Windows Virtual PC and the Windows. .. privileges UAC confirms elevated privileges before starting a non -Windows tool that requires administrative privileges Windows features that require administrative privileges automatically receive elevated privileges without prompting the user As described in Chapter 2, Windows 7 can reduce the number of UAC prompts when compared to Windows Vista Instead of requiring multiple prompts for a file operation . /details.aspx?FamilyID=e0f 272 60-58da-40db- 878 5-689cf6a05c73. note Windows XP Service Pack 2 (SP2), Windows Vista, and Windows 7 support using Group Policy. differences in the behavior of Windows 7 with UAC installed when compared to Windows XP. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.