Windows 7 Resource Kit- P24

Chia sẻ: Thanh Cong | Ngày: | Loại File: PDF | Số trang:50

0
36
lượt xem
4
download

Windows 7 Resource Kit- P24

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Tham khảo tài liệu 'windows 7 resource kit- p24', công nghệ thông tin, hệ điều hành phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:
Lưu

Nội dung Text: Windows 7 Resource Kit- P24

  1. 4. If you can reach the WSUS server, verify that the client is configured correctly . If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop .msc) to check the computer’s effective configuration . Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings . Figure 23-5 shows the RSOP snap-in . FIgURE 23-5 Use the RSOP snap-in to verify Windows Update configuration . 5. If you think WSUS is not configured correctly, verify the IIS configuration . WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates . To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS . This virtual directory, called the self-update tree, holds the latest WSUS client . For this reason, a Web site must be running on port 80, even if you put the WSUS Web site on a custom port . The Web site on port 80 does not have to be dedicated to WSUS . In fact, WSUS uses the site on port 80 only to host the self-update tree . To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server . Next, type the following at the command prompt of the WSUS server . cscript :\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs MoRe inFo For more information about troubleshooting WSUS, visit http://technet.microsoft.com/en-us/library/cc708554.aspx. If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle . You can do this using the Services console or by running the following two commands . net stop wuauserv net start wuauserv Within 6 to 10 minutes, Windows Update will attempt to contact your update server . Troubleshooting the Windows Update Client CHapTER 23 1103 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  2. The Process of Updating Network Software You must plan to update every network feature that uses software . This naturally includes client and server operating systems and applications, but it also includes routers, firewalls, wireless access points, and switches . To keep your systems up to date, follow these steps: 1. Assemble an update team . 2. Inventory all software in your organization, and then contact each software vendor and determine its process of notifying customers of software updates . Some vendors will notify you of updates directly via e-mail, but others require you to check a Web site regularly . Assign individuals to identify software updates on a regular basis . For example, someone on your team should be responsible for checking every software vendor’s Web site for new updates on at least a weekly basis . 3. Create an update process for discovering, evaluating, retrieving, testing, installing, auditing, and removing updates . Although most of the process will be the same for all vendors, you might have to customize parts of the process to accommodate different uptime and testing requirements for servers, clients, and network equipment . As an example, this chapter will thoroughly document the update process to use for Microsoft operating system updates . This resource kit focuses only on updating the Windows 7 operating system . However, your process should include the ability to manage updates for other operating systems, ap- plications, and network devices . The sections that follow discuss these steps in more detail . assembling the Update Team Identifying individuals with the right mix of technical and project management skills for deploying updates is one of the first decisions that you and your company’s management will make . Even before staffing can begin, however, you need to identify the team roles, or areas of expertise, required for update management . Microsoft suggests using the Microsoft Solutions Framework (MSF) team model, which is based on six interdependent, multidisciplinary roles: product management, program management, development, testing, user experience, and release management . This model applies equally well to both Microsoft and non-Microsoft software . n Program management The program management team’s goal is to deliver updates within project constraints . Program management is responsible for managing the update schedule and budget, reporting status, managing project-related risk factors (such as staff illnesses), and managing the design of the update process . n Development The development team builds the update infrastructure according to specification . The team’s responsibilities include specifying the features of the update infrastructure, estimating the time and effort required to deploy the update infrastruc- ture, and preparing the infrastructure for deployment . 1104 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  3. n Testing The testing team ensures that updates are released into the production en- vironment only after all quality issues are identified and resolved . The team’s responsi- bilities include developing the testing strategy, designing and building the update lab, developing the test plan, and conducting tests . n User experience The user experience team ensures that the update process meets the users’ needs . The team gathers, analyzes, and prioritizes user requirements and complaints . n Release management The release management team is responsible for deploying the updates . In large environments, the release management team also designs and manages a pilot deployment of an update to ensure that the update is sufficiently stable for deployment into the production environment . The MSF team roles are flexible; they can be adapted to your organization’s own processes and management philosophy . In a small organization or a limited deployment, one individual might play multiple roles . In larger organizations, a team might be required to perform all of the tasks assigned to each role . MoRe inFo For more information about the MSF team model, visit http://www.microsoft.com/downloads/details.aspx?FamilyID=c54114a3-7cc6-4fa7-ab09- 2083c768e9ab. Inventorying Software After you create an update team, you must inventory the software on your network . Specifically, you need to know which operating systems and applications you have installed to identify updates that need to be deployed . You also need to understand the security requirements for each computer system, including which computers store highly confidential information, which are connected to the public Internet, and which will connect to exterior networks . For each computer in your environment, gather the following information: n Operating system Document the operating system version and update level . Remember that most routers, firewalls, and switches have operating systems . Also document which optional features, such as IIS, are installed . n Applications Document every application installed on the computer, including versions and updates . n Network connectivity Document the networks to which the computer is connected, including whether the computer is connected to the public Internet, whether it connects to other networks across a virtual private network (VPN) or dial-up connection, and whether it is a mobile computer that might connect to networks at other locations . The Process of Updating Network Software CHapTER 23 1105 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  4. n Existing countermeasures Firewalls and virus checkers might already protect a computer against a particular vulnerability, making the update unnecessary . For fire- walls, document the firewall configuration, including which ports are open . n Site If your organization has multiple sites, you can choose to deploy updates to computers from a server located at each site to optimize bandwidth usage . Knowing at which site a computer or piece of network equipment is located allows you to deploy the updates efficiently . n Bandwidth Computers connected across low-bandwidth links have special require- ments . You can choose to transfer large updates during nonbusiness hours . For dial-up users, it might be more efficient to bypass the network link and transfer updates on removable media, such as CD-ROMs . n Administrator responsibility You must understand who is responsible for deploy- ing updates to a particular device and who will fix a problem if the device fails during the update process . If others are responsible for individual applications or services, make note of that as well . n Uptime requirements Understand any service-level agreements or service-level guarantees that apply to a particular device and whether scheduled downtime counts against the total uptime . This will enable you to prioritize devices when troubleshoot- ing and testing updates . n Scheduling dependencies Applying updates requires planning systems to be offline . This can be a disruption for users, even if the device requires only a quick reboot . Understand who depends on a particular device so that you can clear downtime with that person ahead of time . Some of this information, including operating system and installed applications, can be gathered in an automated fashion . Most network management tools have this capability, including Configuration Manager 2007 R2 . You can also inventory Microsoft software on a computer by using Microsoft Software Inventory Analyzer (MSIA), a free download . MoRe inFo For information about MSIa, visit http://www.microsoft.com/resources/sam /msia.mspx. Creating an Update process Deploying updates involves more than just choosing a technology to install the updates . An effective update process involves planning, discussion, and testing . Although you should use your organization’s existing change-management process (if one exists), this section will describe the fundamental steps of an update process . The sections that follow describe each of these steps in more detail . 1106 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  5. Discovering Updates The security update process starts when Microsoft releases or updates a security bulletin . Reissued bulletins that have a higher severity rating should be evaluated again to determine whether an already-scheduled security release should be reprioritized and accelerated . You might also initiate the security update process when a new service pack is released . You can be notified of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services . You can register for this service from the following Web site: http://www.microsoft.com/technet/security/bulletin/notify.mspx . If you subscribe to this service, you will receive automatic notification of security issues by e-mail . Note that you will never receive the update as an attachment from Microsoft . E-mail is easy to spoof, so Microsoft includes a digital signature that can be verified . However, it’s generally easier to simply check the Microsoft Web site to ensure that the bulletin is officially listed . In addition, use non-Microsoft sources to receive an objective opinion of vulnerabilities . The following sources provide security alert information: n Security alert lists, especially SecurityFocus (http://www.securityfocus.com) n Security Web sites, such as http://www.sans.org and http://www.cert.org n Alerts from antivirus software vendors Evaluating Updates After you learn of a security update, you need to evaluate the update to determine which computers at your organization, if any, should have the update applied . Read the information that accompanies the security bulletin and refer to the associated Knowledge Base article after it is released . Next, look at the various parts of your environment to determine whether the vulnerability affects the computers on your network . You might not be using the software that is being updated, or you might be protected from the vulnerability by other means, such as a fire- wall . For example, if Microsoft releases a security update for Microsoft SQL Server and your company doesn’t use SQL Server (and it’s not a requirement for other installed applications), you don’t need to act . If Microsoft releases a security update for the Server service but you have blocked the vulnerable ports by using Windows Firewall, you don’t necessarily need to apply the update (although applying the update will provide an important additional layer of protection) . As an alternative, you might decide that applying the update is not the best countermeasure for a security vulnerability . Instead, you might choose to add a firewall or adjust firewall filtering rules to limit the vulnerability’s exposure . Determining whether an update should be applied is not as straightforward as you might think . Microsoft updates are free downloads, but applying an update does have a cost: You will need to dedicate time to testing, packaging, and deploying the update . In larger orga- nizations, applying a software update to a server requires that many hours be dedicated to justifying the update and scheduling the associated downtime with the groups who use the server . The Process of Updating Network Software CHapTER 23 1107 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  6. Any type of update also carries the risk of something going wrong when the update is applied . In fact, any time you restart a computer, there is a small risk that the computer won’t start up successfully . There’s also the very real risk that the update will interfere with exist- ing applications . This risk, fortunately, can be offset by extensively testing the update before applying it . Deciding not to apply a security update also has a cost: an increased risk of a security vulnerability being exploited . Besides testing, you can offset the risk that an update will cause problems by having a plan to roll back the update . When evaluating an update, determine whether the release can be easily uninstalled if it causes a problem that isn’t identified during testing . Functionality for uninstalling updates can vary from fully automated uninstall support, to manual uninstall procedures, to no uninstall . If an update cannot be uninstalled, your only option might be to restore the computer from a recent backup . Regardless of the uninstall method required for an update, ensure that you have a defined rollback plan in case the deployment doesn’t match the success encountered in the test environment . To be prepared for the worst, verify that you have recent backups of all computers that will be updated and that you are prepared to restore those systems if the update cannot be removed successfully . It’s not likely that an update will cause your systems to fail completely and require them to be restored from backup, but it is a circumstance that you must be prepared to handle . Choosing whether to apply an update is such a complicated, yet critical, decision that larger organizations should create a security committee that collectively determines which updates should be applied . The committee should consist of employees who are familiar with the update requirements of each different type of computer on your network . For example, if you have separate organizations that manage desktop and client computers, both organiza- tions should have a representative on the committee . If separate individuals manage each of the Web, messaging, and infrastructure servers on your network, each person should have input into whether a particular update is applied . Ask members from your database teams, networking groups, and internal audit teams to play an active role—their experience and expertise can be an asset in determining risk . Depending on your needs, the committee can discuss each update as it is released, or it can meet on a weekly or biweekly basis . If the committee determines that an update needs to be deployed, you then need to de- termine the urgency . In the event of an active attack, you must make every effort to apply the update immediately before your system is infected . If the attack is severe enough, it might even warrant removing vulnerable computers from the network until the update can be applied . Speeding the Update Process I f it usually takes your organization more than a few days to deploy an update, cre- ate an accelerated process for critical updates. Use this process to speed or bypass time-consuming testing and approval processes. If a vulnerability is currently being exploited by a quickly spreading worm or virus, deploying the update immediately could save hundreds of hours of recovery time. 1108 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  7. Retrieving Updates After you decide to test and/or deploy an update, you must retrieve it from Microsoft . If you are using WSUS as your deployment mechanism, WSUS can download the update automatically . If you are deploying updates by using another mechanism, download the update from a trusted Microsoft server . Testing Updates After applying an update or group of updates to your test computers, test all applications and functionality . The amount of time and expense that you dedicate to testing the update should be determined by the potential damage that can be caused by a problematic update deployment . There are two primary ways you can test an update: in a test environment and in a pilot deployment . A test environment consists of a test lab or labs and includes test plans, which detail what you will test, and test cases, which describe how you will test each feature . Organizations that have the resources to test updates in a test environment should always do so because it will reduce the number of problems caused by update incompatibility with applications . Even if your organization does not have the resources to test critical updates and security updates, always test service packs before deploying them to production computers . The test lab can be made up of a single lab or of several labs, each of which supports test- ing without presenting risk to your production environment . In the test lab, members of the testing team can verify their deployment design assumptions, discover deployment problems, and improve their understanding of the changes implemented by specific updates . Such activities reduce the risk of errors occurring during deployment and allow the members of the test team to rapidly resolve problems that might occur while deploying an update or after applying an update . Many organizations divide their testing teams into two subteams: the design team and the deployment team . The design team collects information that is vital to the deployment process, identifies immediate and long-term testing needs, and proposes a test lab design (or recommends improvements to the existing test lab) . The deployment team completes the process by implementing the design team’s decisions and then testing new updates on an ongoing basis . During the beginning of the lifetime of the update test environment, the deployment team will test the update deployment process to validate that the design is functional . Later, after your organization identifies an update to be deployed, the deployment will test the individual updates to ensure that all of the updates are compatible with the applications used in your environment . An update test environment should have computers that represent each of the major computer roles in your organization, including desktop computers, mobile computers, and servers . If computers within each role have different operating systems, have each operating system available on either dedicated computers, a single computer with a multiboot configu- ration, or in a virtual desktop environment . The Process of Updating Network Software CHapTER 23 1109 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  8. After you have a set of computers that represent each of the various types of computers in your organization, connect them to a private network . You will also need to connect test versions of your update infrastructure computers . For example, if you plan to deploy updates by using WSUS, connect a WSUS server to the lab network . Load every application that users will use onto the lab computers and develop a procedure to test the functionality of each application . For example, to test the functionality of Internet Explorer, you can visit both the Microsoft Web site and an intranet Web site . Later, when test- ing updates, you will repeat this test . If one of the applications fails the test, the update you are currently testing might have caused a problem . note If you will be testing a large number of applications, identify ways to automate the testing of updates by using scripting. In addition to testing your implementation of an update, conducting a pilot deployment provides an opportunity to test your deployment plan and the deployment processes . It helps you to determine how much time is required to install the update as well as the personnel and tools needed to do so . It also provides an opportunity to train support staff and to gauge user reaction to the update process . For example, if a particular update takes an hour for a dial-up user to download, you might have to identify an alternative method for delivering the update to the user . note The more significant the update, the more important it is to use a pilot program. Service packs, in particular, require extensive testing both in and out of the lab. Besides testing the update yourself, subscribe to mailing lists and visit newsgroups fre- quented by your peers . People tend to report problems with updates to these forums before an official announcement is made by Microsoft . If you do discover a problem, report it to Microsoft . Historically, Microsoft has fixed and re-released security updates that have caused serious problems . On the other hand, Microsoft support might be able to suggest an alterna- tive method for reducing or eliminating the vulnerability . Installing Updates After you are satisfied that you have sufficiently tested an update, you can deploy it to your production environment . During the installation process, be sure to have sufficient support staff to handle problems that might arise . Have a method in place to monitor the progress of the updates, and have an engineer ready to resolve any problems that occur in the update deployment mechanism . Notify network staff that an update deployment is taking place so that they are aware of the cause of the increased network utilization . 1110 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  9. Removing Updates Despite following proper planning and testing procedures, problems can arise when you deploy an update to production computers . Before you deploy updates, have a plan in place to roll back updates from one, many, or all of the target computers . The main steps for the rollback and redeployment of updates are as follows: 1. Stop the current deployment . Identify any steps necessary for deactivating release mechanisms used in your environment . 2. Identify and resolve any update deployment issues . Determine what is causing an update deployment to fail . The order in which updates are applied, the release mecha- nism used, and flaws in the update itself are all possible causes for a failed deployment . 3. Uninstall updates if necessary . Updates that introduce instabilities to your production environment should be removed if possible . For instructions, refer to the section titled “How to Remove Updates” earlier in this chapter . 4. Reactivate release mechanisms . After resolving update issues, reactivate the appropri- ate release mechanism to redeploy updates . Security bulletins issued by Microsoft will always indicate whether an update can be uninstalled . Because reverting computers to a previous state is not always possible, pay close attention to this detail before deploying an update that cannot be uninstalled . When a simple uninstall process is not available for a security update, ensure that the nec- essary provisions are in place for reverting your critical computers back to their original states in the unlikely event that a security update deployment causes a computer to fail . These pro- visions might include having spare computers and data backup mechanisms in place so that a failed computer can be rebuilt quickly . auditing Updates After you deploy an update, it is important to audit your work . Ideally, someone who is not responsible for deploying the update should perform the actual audit . This reduces the possibility that the person or group responsible for deploying the update would unintentionally overlook the same set of computers during both update deployment and auditing; it would also reduce the likelihood of someone deliberately covering up oversights or mistakes . Auditing an update that resolves a security vulnerability can be done in one of two ways . The simplest way to audit is to use a tool, such as MBSA, to check for the presence of the update . This can also be done by checking the version of updated files and verifying that the version matches the version of the file included with the update . The Process of Updating Network Software CHapTER 23 1111 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  10. Quarantine Control for Computers That Haven’t Been Updated Y ou should require updates for remote computers connecting via dial-up and VpN solutions because they might miss your update and auditing. Windows 7 and Windows Server 2008 both support Nap, which you can use to restrict access to computers that do not meet specific security requirements, such as having the latest updates, and to distribute the updates to the client computer so that they can safely join the intranet. For more information about Network access protection, refer to Chapter 25. You can use Nap with a Windows Server 2008 infrastructure as described in Windows Server 2008 networking and network Access Protection (nAP) (Microsoft press, 2008). How Microsoft Distributes Updates Microsoft continually works to reduce the risk of software vulnerabilities in its software, including Windows 7 . This section describes the different types of updates released by Microsoft . It also describes the Microsoft product life cycle, which affects update management because Microsoft stops releasing security updates for a product at the end of its life cycle . Security Updates A security update is an update that the Microsoft Security Response Center (MSRC) releases to resolve a security vulnerability . Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article . MoRe inFo For more information about the MSRC, visit http://www.microsoft.com /security/msrc/default.mspx. A Microsoft security bulletin notifies administrators of critical security issues and vulner- abilities and is associated with a security update that can be used to fix the vulnerability . Security bulletins generally provide detailed information about whom the bulletin concerns, the impact and severity of the vulnerability, and a recommended course of action for affected customers . Security bulletins usually include the following pieces of information: n Title The title of the security bulletin, in the format MSyy-###, where yy is the last two digits of the year and ### is the sequential bulletin number for that year . 1112 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  11. n Summary Information about who should read the bulletin, the impact of the vulner- ability and the software affected, the maximum severity rating, and the MSRC’s recom- mendation on how to respond to the bulletin . The severity rating of a bulletin gauges the maximum risk posed by the vulnerability that the update fixes . This severity level can be Low, Moderate, Important, or Critical . The MSRC judges the severity of a vulner- ability on behalf of the entire Microsoft customer base . The impact a vulnerability has on your organization might be more or less serious than this severity rating . n Executive summary An overview of the individual vulnerabilities discussed in the security bulletin and their severity ratings . One security bulletin might address multiple, related vulnerabilities that are fixed with a single update . n Frequently asked questions Discusses updates that are replaced, whether you can audit the presence of the update using MBSA or Configuration Manager 2007 R2, life- cycle information, and other relevant information . n Vulnerability details The technical details of the vulnerabilities, a list of mitigating factors that might protect you from the vulnerability, and alternative workarounds that you can use to limit the risk if you cannot install the update immediately . One of the most important pieces of information in this section is whether there are known, active exploits that attackers can use to compromise computers that haven’t been updated . If you are unable to install the update immediately, you should read this section carefully to understand the risk of managing a computer that hasn’t been updated . n Security update information Instructions on how to install the update and what files and configuration settings will be updated . Refer to this section if you need to deploy updated files manually or if you are configuring custom auditing to verify that the update has been applied to a computer . MoRe inFo If you are not familiar with the format of security bulletins, take some time to read current bulletins. You can browse and search bulletins at http://www.microsoft.com /technet/security/current.aspx. In addition to security bulletins, Microsoft also creates Knowledge Base articles about security vulnerabilities . Knowledge Base articles generally include more detailed information about the vulnerability and step-by-step instructions for updating affected computers . From time to time, Microsoft releases security advisories . Security advisories are not as- sociated with a security update . Instead, advisories communicate security guidance that might not be classified as a vulnerability to customers . Update Rollups At times, Microsoft has released a significant number of updates between service packs . It is cumbersome to install a large number of updates separately, so Microsoft releases an update rollup to reduce the labor involved in applying updates . An update rollup is a cumulative How Microsoft Distributes Updates CHapTER 23 1113 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  12. set of hotfixes, security updates, critical updates, and other updates all packaged together for easy deployment . An update rollup generally targets a specific area of a product, such as security, or a feature of a product, such as IIS . Update rollups are always released with a Knowledge Base article that describes the rollup in detail . Update rollups receive more testing from Microsoft than individual security updates but less testing than service packs . In addition, because update rollups consist of updates that have been released previously and are being run by many other Microsoft customers, it is more likely that any incompatibilities associated with the update rollup have already been discovered . Therefore, the risk associated with deploying update rollups is typically lower overall than the risk of deploying security updates, despite the fact that rollups affect more code . However, you still need to test update rollups with critical applications before deploying them . Service packs A service pack is a cumulative set of all of the updates that have been created for a Microsoft product . A service pack also includes fixes for other problems that have been found by Microsoft since the release of the product . In addition, a service pack can contain customer- requested design changes or features . Like security updates, service packs are available for download and are accompanied by Knowledge Base articles . The chief difference between service packs and other types of updates is that service packs are strategic deliveries, whereas updates are tactical . That is, service packs are carefully planned and managed—the goal is to deliver a well-tested, comprehensive set of fixes that is suitable for use on any computer . In contrast, security updates are developed on an as-needed basis to combat specific problems that require an immediate response . note Service packs undergo extensive regression testing that Microsoft does not per- form for other types of updates. However, because they can make significant changes to the operating system and add new features, they still require extensive testing within your environment. Microsoft does not release a service pack until it meets the same quality standards as the product itself . Service packs are constantly tested as they are built, undergoing weeks or months of rigorous final testing that includes testing in conjunction with hundreds or thousands of non- Microsoft products . Service packs also undergo a beta phase, during which customers participate in the testing . If the testing reveals bugs, Microsoft will delay the release of the service pack . Even though Microsoft tests service packs extensively, they frequently have known ap- plication incompatibilities . However, they are less likely to have unknown application incom- patibilities . It is critical that you review the service pack release notes to determine how the service pack might affect your applications . 1114 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  13. Because service packs can make substantial changes to Windows 7, thorough testing and a staged deployment are essential . After Microsoft releases a service pack for beta, begin testing it in your environment . Specifically, test all applications, desktop configurations, and network connectivity scenarios . If you discover problems, work with Microsoft to identify the problem further so that Microsoft can resolve the issues before the service pack is released . After the service pack is released, you need to test the production service pack carefully before deploying it . While testing a newly released service pack, stay in touch with the IT community to understand the experiences of organizations that deploy the service pack before you . Their experiences can be valuable for identifying potential problems and refining your deployment process to avoid delays and incompatibilities . Microsoft security updates can be applied to systems with the current or previous service pack so you can continue with your usual Microsoft update process until after you have deployed the new service pack . MoRe inFo For more information about the Microsoft TechNet IT professional Community, visit http://www.microsoft.com/technet/community/. After testing, you should use staged deployments with service packs, just as you would for any major change . With a staged deployment, you install the service pack on a limited number of computers first . Then, you wait days or weeks for users to discover problems with the service pack . If a problem is discovered, you should be prepared to roll back the service pack by uninstalling it . Work to resolve all problems before distributing the service pack to a wider audience . Microsoft product Life Cycles Every product has a life cycle, and, at the end of the product life cycle, Microsoft stops providing updates . However, this doesn’t mean that no new vulnerabilities will be discovered in the product . To keep your network protected from the latest vulnerabilities, you will need to upgrade to a more recent operating system . Microsoft offers a minimum of five years of mainstream support from the date of a product’s general availability . When mainstream support ends, businesses have the option to purchase two years of extended support . In addition, online self-help support, such as the Knowledge Base, will still be available . Security updates will be available through the end of the extended support phase at no additional cost for most products . You do not have to have an extended support contract to receive security updates during the extended support phase . For more information on the Windows 7 product life cycle, see http://support.microsoft.com/gp/lifeselectwin . When planning future operating system upgrades, you must keep the product life cycle in mind, particularly the period during which security updates will be released . How Microsoft Distributes Updates CHapTER 23 1115 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  14. You have to stay reasonably current on updates to continue to receive Microsoft support because Microsoft provides support only for the current service pack and the one that im- mediately precedes it . This support policy allows you to receive existing hotfixes or to request new hotfixes for the currently shipping service pack, the service pack immediately preceding the current one, or both during the mainstream phase . Summary Networks and the Internet are constantly changing . In particular, network security threats continue to evolve, and new threats are introduced daily . Therefore, all software must change constantly to maintain high levels of security and reliability . Microsoft provides tools for managing Windows 7 software updates for home users, small organizations, and large enterprises . Regardless of the organization, the Windows Update client in Windows 7 is responsible for downloading, sharing, and installing updates . Small organizations can download updates directly from Microsoft to a Windows 7 computer, which will then share the update with other computers on the same LAN . Larger organizations, as well as organizations that must test updates prior to installation, can use WSUS to identify, test, and distribute updates . Combined with AD DS Group Policy settings, you can manage updates centrally for an entire organization . Additional Resources These resources contain additional information and tools related to this chapter . Related Information n The Microsoft Update Management Web site at http://technet.microsoft.com /updatemanagement . n See the MBSA 2 .1 Web site at https://www.microsoft.com/mbsa for more information and to download MBSA . n “MBSA 2 .0 Scripting Samples” at http://www.microsoft.com/downloads /details.aspx?familyid=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042 includes examples of how to create complex auditing scripts using MBSA . n The Configuration Manager 2007 R2 Web site at https://www.microsoft.com/sccm includes more information about using Configuration Manager 2007 R2 . n “Microsoft Update Product Team Blog” at http://blogs.technet.com/mu provides the latest Microsoft Update news direct from the Microsoft Update product team . n “WSUS Product Team Blog” at http://blogs.technet.com/wsus/ has the latest WSUS news . 1116 CHapTER 23 Managing Software Updates Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  15. On the Companion Media n ConfigureSoftwareUpdatesSchedule .ps1 n DownloadAndInstallMicrosoftUpdate .ps1 n Get-MicrosoftUpdates .ps1 n Get-MissingSoftwareUpdates .ps1 n ScanForSpecificUpdate .ps1 n TroubleshootWindowsUpdate .ps1 n UninstallMicrosoftUpdate .ps1 Additional Resources CHapTER 23 1117 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  16. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  17. CHAPTER 24 Managing Client protection n Understanding the Risk of Malware 1119 n User Account Control 1121 n AppLocker 1142 n Using Windows Defender 1149 n Network Access Protection 1159 n Forefront 1160 n Summary 1162 n Additional Resources 1162 N etworked client computers are constantly under attack . In the past, repairing computers compromised by malware was a significant cost to IT departments . The Windows 7 operating system strives to reduce this cost by using a combination of technologies—including User Account Control (UAC), Windows AppLocker, and Windows Defender . Additionally, Microsoft offers Microsoft Forefront separately from Windows 7 to provide better manageability of client security . Understanding the Risk of Malware Malware (as described in Chapter 2, “Security in Windows 7”) is commonly spread in several different ways: n Included with legitimate software Malware is often bundled with legitimate software . For example, a peer-to-peer file transfer application might include potentially unwanted software that displays advertisements on a user’s com- puter . Sometimes, the installation tool might make the user aware of the malware (although users often do not understand the most serious compromises, such as degraded performance and compromised privacy) . Other times, the fact that unwanted software is being installed might be hidden from the user (an event known as a non-consensual installation) . Windows Defender, as described later in this chapter, can help detect both the legitimate software that is likely to be bundled and the potentially unwanted software bundled with it, and it will notify 1119 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  18. the user about the software running on their system . Additionally, when UAC is active, standard user accounts will not have sufficient privileges to install most dangerous applications . n Social engineering Users are often tricked into installing malware . A common technique is to attach a malware installer to an e-mail and provide instructions for installing the attached software in the e-mail . For example, the e-mail might appear to come from a valid contact and indicate that the attachment is an important security update . E-mail clients such as Microsoft Office Outlook now prevent the user from run- ning executable attachments . Modern social engineering attacks abuse e-mail, instant messages, social networking, or peer-to-peer networks to instruct users to visit a Web site that installs the malware, either with or without the user’s knowledge . The most effective way to limit the impact of social engineering attacks is to train users not to install software from untrustworthy sources and not to visit untrusted Web sites . Addi- tionally, UAC reduces the user’s ability to install software, AppLocker can prevent users from running untrusted software, and Windows Defender makes users more aware of when potentially unwanted software is being installed . For more information about social engineering, read “Behavioral Modeling of Social Engineering–Based Malicious Software” at http://www.microsoft.com/downloads /details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73 . note Windows Xp Service pack 2 (Sp2), Windows Vista, and Windows 7 support using Group policy settings to configure attachment behavior. The relevant Group policy settings are located in User Configuration\administrative Templates \Windows Components\attachment Manager. n Exploiting browser vulnerabilities Some malware has been known to install itself without the user’s knowledge or consent when the user visits a Web site . To accomplish this, the malware needs to exploit a security vulnerability in the browser or a browser add-on to start a process with the user’s or system’s privileges, and then use those privileges to install the malware . The risk of this type of exploit is significantly reduced by Windows Internet Explorer Protected Mode in Windows Vista and Windows 7 . Ad- ditionally, the new Internet Explorer 8 feature, SmartScreen, can warn users before they visit a malicious site . For more information about Internet Explorer, read Chapter 20, “Managing Windows Internet Explorer .” n Exploiting operating system vulnerabilities Some malware might install itself by exploiting operating system vulnerabilities . For example, many worms infect computers by exploiting a network service to start a process on the computer and then install the malware . The risks of this type of exploit are reduced by UAC, explained in this chapter, and Windows Service Hardening, described in Chapter 26, “Configuring Windows Firewall and IPsec .” 1120 CHapTER 24 Managing Client Protection Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  19. User Account Control Most administrators know that users should log on to their computers using accounts that are members of the Users group, but not the Administrators group . By limiting your user ac- count’s privileges, you also limit the privileges of any applications that you start—including software installed without full consent . Therefore, if you can’t add a startup application, neither can a malicious process that you accidentally start . With versions of Windows prior to Windows Vista, however, not being a member of the Administrators group could be very difficult, for a few reasons: n Many applications would run only with administrative privileges . n Running applications with elevated privileges required users to either right-click the icon and then click Run As or create a custom shortcut, which is inconvenient, requires training, and requires that the user has a local administrator account (largely defeating the purpose of limiting privileges) . n Many common operating system tasks, such as changing the time zone or adding a printer, required administrative privileges . UAC is a feature of Windows Vista and Windows 7 that improves client security by making it much easier to use accounts without administrative privileges . At a high level, UAC offers the following benefits: n Most applications can now run without administrative privileges Applications created for Windows Vista or Windows 7 should be designed to not require admin- istrator credentials . Additionally, UAC virtualizes commonly accessed file and registry locations to provide backward compatibility for applications created for earlier versions of Windows that still require administrator credentials . For example, if an application attempts to write to a protected portion of the registry that will affect the entire com- puter, UAC virtualization will redirect the write attempt to a nonprotected area of the user registry that will affect only that single application . n Applications that require administrative privileges automatically prompt the user for administrator credentials For example, if a standard user attempts to open the Computer Management console, a User Account Control dialog box ap- pears and prompts for administrator credentials, as shown in Figure 24-1 . If the current account has administrator credentials, the dialog box prompts to confirm the action before granting the process administrative privileges . User Account Control CHapTER 24 1121 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
  20. FIgURE 24-1 UAC prompts standard users for administrator credentials when necessary . n Users no longer require administrative privileges for common tasks Windows Vista and Windows 7 have been improved so that users can make common types of configuration changes without administrator credentials . For example, in earlier versions of Windows, users needed administrator credentials to change the time zone . In Windows Vista and Windows 7, any user can change the time zone, which is important for users who travel . Changing the system time, which has the potential to be malicious, still requires administrator credentials, however . n Operating system features display an icon when administrator credentials are required In earlier versions of Windows, users were often surprised when an aspect of the operating system required more privileges than they had . For example, users might attempt to adjust the date and time, only to see a dialog box informing them that they lack necessary privileges . In Windows Vista and Windows 7, any user can open the Date And Time properties dialog box . However, users need to click a but- ton to change the time (which requires administrative privileges), and that button has a shield icon indicating that administrative privileges are required . Users will come to recognize this visual cue and not be surprised when they are prompted for credentials . n If you log on with administrative privileges, Windows Vista and Windows 7 will still run applications using standard user privileges by default Most users should log on with only standard user credentials . If users do log on with an account that has Administrator privileges, however, UAC will still start all processes with only user privileges . Before a process can gain administrator privileges, the user must con- firm the additional rights using a UAC prompt . Table 24-1 illustrates the key differences in the behavior of Windows 7 with UAC installed when compared to Windows XP . 1122 CHapTER 24 Managing Client Protection Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Đồng bộ tài khoản