managed host security – patch management
Managed Host Security – Patch Management
BigFix Deployment April-September 2004
Jay Stamps, ITSS
Turing Auditorium, May 21, 2004
Why Here? Why Now?
  - Because Stanford wants to protect its information resources and continue to enjoy an open, academic network
  - Three-pronged approach:
    - Patch Management
    - Configuration Management
    - Controlled Network Access
  - Clear that this approach requires active management of networked resources
Who’s Involved?
  - Executive Buy-In
    - Internal Audit
    - CFO
    - System Governance Group
    - C-ACIS
    - Academic Senate
    - President/Provost
  - Campus-Wide Working Group
    - Computer Science
    - Earth Sciences
    - Graduate School of Business
    - Internal Audit
    - ITSS
    - Medical School
    - Residential Computing
Patch Management
  - A tool / service designed to manage the application of patches to hosts
  - Components
    - An agent on each desktop and laptop computer
    - A server with all relevant patches & history
    - One or more consoles to manage / monitor the process
    - Relay servers to spread the patch distribution load
  - Basic process
    - Server provides new vulnerability information
    - Agent signals if its host needs remediation
    - Administrator releases patch to selected hosts
Patch Management (continued)
  [Diagram: The BigFix Enterprise Suite (BES)]
Patching Procedures and Process
  - Routine: Non-security patch
    - Handled locally
      - As it is handled today or
      - Use patch management tool locally
  - Routine: Security patch, no known exploits
    - Patch tested centrally and
    - Patch tested locally
    - Patch released after brief wait
  - High-risk security patch, exploits known to exist
    - CISO and CIO determine the rollout timeline
Centrally Tested Platforms
  - NT 4.0 Workstation SP 6a
  - Windows 2000 Professional SP 4
  - 2003 Server, desktop configuration
  - Windows XP Home SP 1
  - Windows XP Pro, SP 1
  - Windows ME
  - Windows 98 SE
  Newly available critical patches will be tested on these platforms with the latest Service Packs and ESS applications installed
Retrieved Properties
  - Computer Name
  - IP Address
  - MAC Address
  - OS
  - OS Language
  - Version
  - CPU
  - Last Report Time
  - Subscription Time
  - Locked
  - Username
  - Blank Password Check
  - Free Space on System Drive
  - Lock Expiration
  - Total Size of System Drive
  - DNS Name
  - BES Relay Selection Method
  - Office Version
  - RAM
  - Norton AntiVirus Service Status
  - Norton AntiVirus DAT version
  - PC-Leland Version
  - Relay
  - Computer Type
  - PC-AFS Version
  - BES Relay Service Installed
  - BRIO Plug-in Installed
  - BIOS
  - Domain/Workgroup
  - Active Directory Path
  - Web Browser
  - Client Administrators
  - Client Settings
  - SU Group
  - SU Subgroup
Managing Patch Management
  - Top-down and hierarchical
    - To provide for testing of patches
    - To provide for managed patch deployment
  - Campus divided by groups
    - Groups may have management sub-groups
    - Administrators for each group can see and manage only PCs in their own group
    - Each group can lock individual machines
  - Self-managed machines
    - Not part of any group
Managing Patch Management (continued)
Web Reports
Total issues by Fixlet severity
Issues remediated by Fixlet severity
Web Reports (cont)
Computer vulnerability breakdown by severity
Computers in the network with the BigFix agent, reported over time
Top 10 Issues identified on the computers in the network
Web Report Progress Report
Remediation progress report updates in near real-time as actions are being executed across the enterprise
Deployment Plan
  - Meeting with all organizations
    - Administrative contacts
    - Technical contacts
  - Discussing roll-out roadmaps
  - Selecting target date
Deployment Details
  - Local relays: ~ one per 500 – 1000 clients
  - SUGroup
  - Remote deployment tool
  - Wrapped agent installer
    www.stanford.edu/dept/itss/services/bigfix/index.html
  - Ferret tool
  - Console Operators
    - Selection & training
What’s Next? Questions?
www.stanford.edu/dept/itss/services/bigfix/bigfix-faq.html
Added to email list
Follow up and meeting notes summary
Target date