PatchDeploy Behind the Scenes

Dardan Shkreli +41 41 748 22 04 shd@brainware.ch

Upload: pierce-holly

Post on 16-Dec-2015



(c) 2004 Brainware Solutions AG

Agenda

- What is „Patch Day“?
- Benefits of Columbus Patch Deploy
- Supported Products
- The Workflow
- Next Steps
- Questions & Discussion


What is „Patch Day“?

- Microsoft products always “under construction”
- Security issues, vulnerabilities, bug fixes
- Updates published 2nd Tuesday of each month


Benefits of Columbus Patch Deploy

- Tested in advance: Correctness, Revisions, Adjustment
- Management: One place to manage
- Delivered like software packages through Columbus
- Control and reduce risk: You decide which patches to deploy, when, and to which clients
- Grouping: Make custom deployment groups: OS, SP, Severity, Clients, Sites
- Efficient: Target only candidate clients, schedule deployment


Supported Products

- OS (Workstation/Server)
- MS Office (XP, 2003, 2007)
- Over 230 products
- Five languages

                               |     |       |       | Language
OS Vers.                       | SP  | 32bit | 64bit | EN | GE | FR | JP | IT
Win 2000 Professional WS       | SP4 | √     |       | √  | √  | √  | √  |
Win 2000 Standard Server       | SP4 | √     |       | √  | √  |    |    |
Win 2000 Advanced Server       | SP4 | √     |       | √  | √  |    |    |
Win 2003 Server Standard       | SP1 | √     |       | √  | √  |    | √  |
Win 2003 Server Standard       | SP2 | √     |       | √  | √  |    | √  |
Win 2003 Server Enterprise     | SP1 | √     |       | √  | √  |    |    |
Win 2003 Server Enterprise     | SP2 | √     |       | √  | √  |    |    |
Win XP Professional            | SP2 | √     |       | √  | √  | √  | √  | √
Win XP Professional            | SP3 | √     |       | √  | √  | √  | √  | √
Vista                          | SP0 | √     | √     | √  | √  | √  | √  | √
Vista                          | SP1 | √     | √     | √  | √  | √  | √  | √
Win 2008 Server                | SP1 | √     | √     | √  | √  | √  | √  | √


The Workflow

1. Analysis OS, SP, Products, Severity

2. Development ENU, DEU, JPN, etc. Severity

3. Testing Detection, Installation, Verification

4. Publishing Catalogs, Encryption, Backup


Analysis

- First steps - Security Bulletin
- Analysis (OS, SP, Products, Severity)
- Filtering (SLA)
- Infrastructure


Development

- Security Bulletins – KB Articles
- Each patch analysed: Prerequisites, Sources, File Info, Command lines


Development

- Patch creation
- Methods: Snapshots (Package Maker), MSI, Copy, Combination
- Architecture

    [Package]
    Description=KB 950760 / MS08-032 - Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760): SP2-SP3
    Identifier=950760 - MS08-032.BWP000183.BWS000312
    Language=ENU
    Version=01
    Patch=0
    Platform=XP

    AllowConditionalUsage=0
    Usercondition=File '*.*'
    Clientcondition= (reserved for future use only)
    Servercondition= (reserved for future use only)

    ; When should the package be released ?
    ; e.g. ServerReleaseDate=19970930193000
    ServerReleaseDate=00000000000000
    ClientReleaseDate=00000000000000
    UserReleaseDate=00000000000000
    FriendlyInstallText=
    OrderType=
    Friendly=YES
    Category=#Microsoft Patch#
    Active=3

    ; Repetitive Jobs
    ; Repeat=EachTime

    ; This section allows you to define, in which CCC groups the package
    ; automatically should be inserted
    [Groups]
    OS Patches ENU_XP__SP2
    OS Patches ENU_XP__SP3

    [PatchManagement]
    Severity=2
    BrainwareID={78F07EDF-2919-432E-AAEE-984298B6FC6D}
    IsPatch=1
    Vendor=Microsoft
    KBID=950760

    [Summary]
    This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.

    [Checks]
    if not '%_OSMajorVersion%.%_OSMinorVersion%' = '5.1' then Exit 'Not applicable. Required: 5.1 - Current: %_OSMajorVersion%.%_OSMinorVersion%' '1'

    if Not FileLanguage '%_WindowsSystem%\browselc.dll' = 'ENU' then Exit 'Not applicable - wrong language.' '3'

    RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Machine
    if '%_SPLevel%'='' then Set _SPLevel='0' /Machine
    if '%_SPLevel%'='512' then goto SP_OK
    if '%_SPLevel%'='768' then goto SP_OK
    Exit 'The current Service pack is not supported.' '5'

    :SP_OK
    RegRead 'HKEY_LOCAL_MACHINE' 'SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB950760' 'InstalledDate' '_KB950760_InstalledDate' /Script
    if '%_KB950760_InstalledDate%'='' then Exit 'Registry indicates missing (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB950760\InstalledDate)' '102'
    Exit 'Installed' '120'

    [UserAdd]

    [ClientAdd]
    ;#STARTCRYPT#
    if '%_NoPatchInstallationChecks%'='1' then goto INSTALL
    if not '%_OSMajorVersion%.%_OSMinorVersion%' = '6.0' then exit 'Invalid operating system. Required: 6.0 - Current: %_OSMajorVersion%.%_OSMinorVersion%' 'PDW001'

    if not '%_OSType%' = 'NT_WORKSTATION' then Exit 'Invalid operating system. Required: NT_WORKSTATION - Current: %_OSType%' 'PDW002'

    if '%_64BitOS%' = '1' then Exit 'Wrong type of OS - only for 32Bit OS' 'PDW011'

    RegRead 'HKEY_LOCAL_MACHINE' 'SYSTEM\CurrentControlSet\Control\Windows' 'CSDVersion' '_SPLevel' /Immediate
    if '%_SPLevel%'='0' then goto SP0_OK
    if '%_SPLevel%'='256' then goto SP1_OK
    Exit 'The current Service pack is not supported.' 'PDW005'

    :SP0_OK
    if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'

    if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6000.16681' then goto File_OK
    :SP1_OK
    if not '%_DirectXMainVersion%' = '9' then exit 'This version of DirectX is not supported. Required: 10 - Current: <%_DirectXMainVersion%>' 'PDW001'

    if FileVersion '%_WindowsSystem%\quartz.dll'!<'6.6.6001.18063' then goto File_OK
    if '%_PkgReinstall%'='1' then goto File_OK
    Exit 'No requirements met.' 'PDW090'

    :File_OK

    :INSTALL
    ;#ENDCRYPT#
    ;SetSystemRestorePoint /Daily /NoErrors
    if '%_AllowPatchesUnistall%'='1' then goto AllowUninstall
    goto NoUninstall
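The detection steps in the script above (OS version, service-pack level read from CSDVersion, quartz.dll file version), as an added Python example that is not Brainware's code. The client inventories are constructed, the names and dict layout are assumptions, and treating a file version at or above the listed threshold as patched is an assumption about what the script intends.

```python
# Added example: applicability check over constructed client inventories.
# Thresholds and result codes ('1', '5', '102', '120') are the ones shown in the
# script; the rule layout and function names are assumptions.

RULE = {
    "os_version": "6.0",
    # service pack -> quartz.dll version treated here as the first patched build
    "fixed": {0: "6.6.6000.16681", 1: "6.6.6001.18063"},
}

def service_pack(csd_version):
    """CSDVersion keeps the service pack in its high byte: 256=SP1, 512=SP2, 768=SP3.
    A missing value is treated as SP0, as the [Checks] section does."""
    return (csd_version or 0) >> 8

def version_tuple(text):
    """'6.6.6000.16681' -> (6, 6, 6000, 16681): fields compare as numbers, not text."""
    return tuple(int(part) for part in text.split("."))

def check(client, rule=RULE):
    """Return (code, message) for one client inventory."""
    if client["os_version"] != rule["os_version"]:
        return "1", "Not applicable. Required: %s - Current: %s" % (
            rule["os_version"], client["os_version"])
    sp = service_pack(client.get("csd_version"))
    if sp not in rule["fixed"]:
        return "5", "Service pack %d is not supported." % sp
    if version_tuple(client["quartz_version"]) < version_tuple(rule["fixed"][sp]):
        return "102", "Missing: quartz.dll %s is older than %s" % (
            client["quartz_version"], rule["fixed"][sp])
    return "120", "Installed"

# Constructed inventories (not real hosts).
CLIENTS = {
    "vista-sp0-old": {"os_version": "6.0", "csd_version": None, "quartz_version": "6.6.6000.9999"},
    "vista-sp1-ok": {"os_version": "6.0", "csd_version": 256, "quartz_version": "6.6.6001.18063"},
    "vista-sp2": {"os_version": "6.0", "csd_version": 512, "quartz_version": "6.6.6002.18005"},
    "xp-sp3": {"os_version": "5.1", "csd_version": 768, "quartz_version": "6.5.2600.5512"},
}

def report(clients=CLIENTS):
    """Map each client name to its result code."""
    return {name: check(inventory)[0] for name, inventory in clients.items()}

if __name__ == "__main__":
    for name, inventory in CLIENTS.items():
        print(name, *check(inventory))
```

The first inventory is the case that a plain string comparison gets wrong: as text, "6.6.6000.9999" sorts after "6.6.6000.16681", so an unpatched file would be reported as installed.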


Testing/Infrastructure

- Combined testing - automated/human
- Analysis & Infrastructure for testing
- Static test: Source check, Command lines, Severity, Description
- Passed!
- 1 Patch = Different OS/Products


Testing/Infrastructure

- Combined testing - automated/human
- Analysis & Infrastructure for testing
- Live tests: Download, Recognition, Installation, Verification
- Static test: Source check, Command lines, Severity, Description
- Test against MBSA, Windows Update, SMS, …
- Passed! Passed!
- Patch OK!


Publishing

- Last checks (syntax, coverage)
- Expand Product, Service Packs & Patch Catalogs
- Encrypt files
- Place created patches into web server
- Test download of catalogs from web server
- Backup
- Inform Helpdesk about published Patches

How do the clients get their patches?

- Columbus – Patch Deploy Module
- Patch Deploy Agent


Next steps…

- Microsoft (…x64)
- Adobe
- McAfee
- Others


Questions & Discussion

??


Thank You
