Managed Host Security – Patch Management

Managed Host Security – Patch Management BigFix Deployment April-September 2004 Jay Stamps, ITSS Turing Auditorium, May 21, 2004

Upload: cece

Post on 23-Feb-2016



TRANSCRIPT

Page 1: Managed Host Security – Patch Management

Managed Host Security – Patch Management

BigFix Deployment April-September 2004

Jay Stamps, ITSS
Turing Auditorium, May 21, 2004

Why Here? Why Now?

- Because Stanford wants to protect its information resources and continue to enjoy an open, academic network
- Three-pronged approach:
  - Patch Management
  - Configuration Management
  - Controlled Network Access
- Clear that this approach requires active management of networked resources

Who’s Involved?

- Executive Buy-In
  - Internal Audit
  - CFO
  - System Governance Group
  - C-ACIS
  - Academic Senate
  - President/Provost
- Campus-Wide Working Group
  - Computer Science
  - Earth Sciences
  - Graduate School of Business
  - Internal Audit
  - ITSS
  - Medical School
  - Residential Computing

Patch Management

- A tool / service designed to manage the application of patches to hosts
- Components
  - An agent on each desktop and laptop computer
  - A server with all relevant patches & history
  - One or more consoles to manage / monitor the process
  - Relay servers to spread the patch distribution load
- Basic process
  - Server provides new vulnerability information
  - Agent signals if its host needs remediation
  - Administrator releases patch to selected hosts

Patch Management (continued)

[Figure: The BigFix Enterprise Suite (BES); surviving diagram label: Internet]

Patching Procedures and Process

- Routine: Non-security patch
  - Handled locally
    - As it is handled today, or
    - Use patch management tool locally
- Routine: Security patch (no known exploits)
  - Patch tested centrally and
  - Patch tested locally
  - Patch released after brief wait
- High-risk security patch (exploits known to exist)
  - CISO and CIO determine the rollout timeline

Centrally Tested Platforms

- NT 4.0 Workstation SP 6a
- Windows 2000 Professional SP 4
- 2003 Server, desktop configuration
- Windows XP Home SP 1
- Windows XP Pro, SP 1
- Windows ME
- Windows 98 SE

Newly available critical patches will be tested on these platforms with the latest Service Packs and ESS applications installed

Retrieved Properties

- Computer Name
- IP Address
- MAC Address
- OS
- OS Language
- Version
- CPU
- Last Report Time
- Subscription Time
- Locked
- Username
- Blank Password Check
- Free Space on System Drive
- Lock Expiration
- Total Size of System Drive
- DNS Name
- BES Relay Selection Method
- Office Version
- RAM
- Norton AntiVirus Service Status
- Norton AntiVirus DAT version
- PC-Leland Version
- Relay
- Computer Type
- PC-AFS Version
- BES Relay Service Installed
- BRIO Plug-in Installed
- BIOS
- Domain/Workgroup
- Active Directory Path
- Web Browser
- Client Administrators
- Client Settings
- SU Group
- SU Subgroup

Managing Patch Management

- Top-down and hierarchical
  - To provide for testing of patches
  - To provide for managed patch deployment
- Campus divided by groups
  - Groups may have management sub-groups
  - Administrators for each group can see and manage only PCs in their own group
  - Each group can lock individual machines
- Self-managed machines
  - Not part of any group

Managing Patch Management (continued)

Web Reports

Total issues by Fixlet severity

Issues remediated by Fixlet severity

Web Reports (cont)

Computer vulnerability breakdown by severity

Computers in the network with the BigFix agent, reported over time

Top 10 Issues identified on the computers in the network

Web Report Progress Report

Remediation progress report updates in near real-time as actions are being executed across the enterprise

Deployment Plan

- Meeting with all organizations
  - Administrative contacts
  - Technical contacts
- Discussing roll-out roadmaps
- Selecting target date

Deployment Details

- Local relays: ~ one per 500 – 1000 clients
- SUGroup
- Remote deployment tool
- Wrapped agent installer
  www.stanford.edu/dept/itss/services/bigfix/index.html
- Ferret tool
- Console Operators
  - Selection & training

What’s Next?

- Questions?
  www.stanford.edu/dept/itss/services/bigfix/bigfix-faq.html
- Added to email list
- Follow up and meeting notes summary
- Target date