From the Dogfood Conference 2014 in Columbus Ohio (www.dogfoodcon.com). Learn how the SUP role works in ConfigMgr 2012, how to implement a security risk process and how to manage updates in ConfigMgr 2012.
Managing Software Updates with System Center Configuration Manager R2
Jason Condo, Bennett Adelson
Agenda
• Why do we care about patching
• Common approaches to patching
• Example of controlled patch approval process
• Overview of the ConfigMgr SUP Role
• Ongoing Management of SUP
• Tips and Tricks
• Links
Common Approaches to Patch Management
• “What Updates?” Approach
• “Shotgun” Approach
• “Managed” Approach
• “Controlled” Approach
“Patches? We don’t need no stinking patches!”
Security Review/Approval Process
• At least three teams: Security, Systems, Application
• Vendors shouldn’t dictate patch installation
• You are inevitably responsible for accepting vulnerabilities
• “No process” is still a process
Enterprise Security Review Process – Example Cross-Functional Workflow – Bennett Adelson
Swimlanes: Security; Vendor; Systems - Technical; Business - Technical; Security Review Team; Documentation
Phases: Acquire, Assign, Assess, Apply, Assimilate
Acquire
• Vendor releases update information
• Security receives information from vendor or other source
• System Admins receive information from vendor or other source
• Developer, business analyst, or application owner receives information from vendor or other source
• Update reviewed and classified for security threat level – Security risk level assigned
• Technical review validates the risk exists in current systems and assigns level – Technical risk level assigned
• If determined to be applicable, submit to BA for impact of change
• Application owner assesses impact and assigns level – Business impact assigned
Assign
• Security Review Board Meeting – assess team risk levels and assign deployment
• Master risk/priority level assigned based on security risk, mitigation factors, and business impact – Vulnerability assigned Enterprise Risk level, SLA defined
• Matrix defines when update must be applied based on master level
• Each update documented based on finding and mitigation factors
• Update added to Enterprise Security Vulnerability database/spreadsheet
Assess
• Update applied and tested for functionality, stability
• Issues encountered? Yes: change to assessment or mitigation requirements documented – Enterprise Risk level adjusted; update reviewed for mitigation. No: continue to deployment
Apply
• Update is deployed, up to 80% saturation
• Verify reporting and matrix deadline
Assimilate
• Update integrated into source installations, images
• Update documented as standard. Report on anomalies
The Five “A”s
• From the previous process diagram:
  – Acquire
    • Review the information for the Enterprise
    • Security, Technical, Application/Business
  – Assign
    • Team/Board review and assign to Enterprise Risk Level
  – Assess
    • Testing
  – Apply
    • Deploy
  – Assimilate
    • Prevent the vulnerability from occurring
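An added example, not from the deck, of what the Assign step produces and the Apply step checks: the three team levels are combined into one Enterprise Risk level, the matrix turns that level into an apply-by date, and the register is checked for entries past their deadline that have not reached the 80% saturation target. The four-step scale, the combination rule and the SLA day counts are assumptions; the register rows are constructed.

```python
from datetime import date, timedelta

# Assumed four-step scale shared by the three assessments in the workflow:
# security risk level, technical risk level and business impact.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NAMES = {v: k for k, v in LEVELS.items()}

# Assumed matrix: Enterprise Risk level -> days until the update must be
# applied. The deck says a matrix exists; these numbers are illustrative.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def enterprise_risk(security, technical, business, mitigated=False, applicable=True):
    """Master risk/priority level from the three team levels.

    Assumed rule: the highest of the three, lowered one step when a
    compensating mitigation is documented, never below 'low'. If the
    technical review found the vulnerability absent from current
    systems, no level and no SLA are assigned.
    """
    if not applicable:
        return None
    level = max(LEVELS[security], LEVELS[technical], LEVELS[business])
    if mitigated:
        level = max(level - 1, 1)
    return NAMES[level]


def sla_deadline(master_level, released_iso):
    """ISO date by which the update must be applied per the matrix."""
    if master_level is None:
        return None
    released = date.fromisoformat(released_iso)
    return (released + timedelta(days=SLA_DAYS[master_level])).isoformat()


def overdue(register, today_iso, target_saturation=0.8):
    """'Verify reporting and matrix deadline': ids of entries past their
    deadline that have not reached the 80% deployment saturation target."""
    late = []
    for entry in register:
        deadline = sla_deadline(entry["level"], entry["released"])
        if deadline and today_iso > deadline and entry["saturation"] < target_saturation:
            late.append(entry["id"])
    return late


# Constructed vulnerability register rows (ids and dates are made up).
REGISTER = [
    {"id": "VULN-001", "level": enterprise_risk("critical", "high", "high"),
     "released": "2014-10-14", "saturation": 0.55},
    {"id": "VULN-002", "level": enterprise_risk("high", "medium", "low", mitigated=True),
     "released": "2014-10-14", "saturation": 0.30},
    {"id": "VULN-003", "level": enterprise_risk("critical", "critical", "critical", applicable=False),
     "released": "2014-10-14", "saturation": 0.0},
]
```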
ConfigMgr SUP Role – What is it?
• Built on WSUS and much like WSUS, but not WSUS
• Functionally similar to the role in ConfigMgr 2007
  – 2012 new features
    • SUP fallback with 2012 SP1
    • Load balancing supported
    • Automatic Deployment Rules
    • Superseded updates not automatically expired
    • Single instance storage
  – 2007 functions kept
    • Maintenance Windows
      – Update will not be installed until the next available service window
      – Potential system restart time period is factored into the evaluation
      – If a client is a member of multiple collections, all applicable maintenance windows will be honored
      – One-time maintenance windows can prevent future update deployments
      – Can be overridden
    • Internet-based client support
    • Wake-On-LAN integration
    • Selective download of binaries
ConfigMgr SUP – How does it work?
ConfigMgr Console - SUP
• The SUP sections in the console (demo):
  – All Software Updates
  – Software Update Groups
  – Deployment Packages
  – Automatic Deployment Rules
• Reporting
  – Search “Software Updates”
Managing Updates (demo)
• Acquire
  – List from vendors
    • Vendor blogs, RSS feeds, email newsletters
    • See hyperlinks at end of slide deck
  – List from ConfigMgr console
    • Only Microsoft
    • Depends on SUP settings
    • Patch Tuesday, and based on your sync schedule
• Assign
  – Review with team (if one exists)
  – Your custom severity level
• Assess
  – Creation of update groups
• Apply
  – SUP collections
  – Maintenance windows
  – Reporting
• Assimilate
  – Deployment rollups
  – Image updates
User Experience
• Uses the new Software Center user interface
• End user has better control of their own experience:
  – Install/schedule updates
  – Use non-business hours
• Admin can choose to hide just pop-ups, or hide all end user notifications
Ongoing Updates Management
• General
  – Leverage rollups
    • Single package
    • Operational deployment
    • Organize by products and year
  – Keep current SUG for 2-3 months
    • Depending on saturation and mobile workforce
    • Retire into rollup
• Monthly
  – Prune expired
  – Be careful about superseded
• Yearly
  – One old rollup, one current-year rollup
  – Removing old updates from packages
    • Download from existing package source
    • Be aware of redistribution (package size)
    • What are you really saving?
Rollup Workflow – Configuration Manager 2012 Software Updates Lifecycle Management
[Diagram: swimlanes Operations, Deployed and Rollout across the January, February and March patching cycles; shows Patches Rollup 2013, Patches Rollup 2014 and the monthly update groups December 2012, December 2013, January 2014, February 2014 and March 2014, annotated with the descriptions below]
Descriptions:
• Always deployed to all systems
• Catches any new systems that were not connected during deployment
• Targeted to the OSD collections to ensure images are up to date
• Previous update groups two cycles old are copied into here and the update group removed (patches stay deployed, but this cleans up the console)
• Updates always downloaded to the Rollup Package
• Update Group membership edited when retiring monthly update lists
• Keep up to three cycles of update groups for reporting
• Newly created update groups of the current deployment cycle
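An added example, not from the deck, that models the rollup lifecycle above as console state: monthly update groups two cycles old are folded into that year's rollup and removed, a new group is created for the cycle, and the set of deployed updates is unchanged afterwards. The dictionaries, update ids and the rule for folding rollups older than last year into last year's rollup are assumptions.

```python
def cycle_index(year, month):
    """Months since year 0, so two patch cycles can be compared by subtraction."""
    return year * 12 + (month - 1)


def deployed_updates(groups, rollups):
    """Every update still deployed through a monthly group or a yearly rollup."""
    deployed = set()
    for ids in list(groups.values()) + list(rollups.values()):
        deployed |= ids
    return deployed


def start_cycle(groups, rollups, year, month, retire_after=2):
    """Create the update group for a new cycle and retire old ones.

    groups : {(year, month): set of update ids}  monthly update groups
    rollups: {year: set of update ids}           'Patches Rollup <year>'
    Groups retire_after or more cycles old are copied into the rollup for
    their own year and removed: the updates stay deployed through the
    rollup while the console is cleaned up. Returns a change log.
    """
    actions = []
    now = cycle_index(year, month)
    for gy, gm in sorted(groups):
        if now - cycle_index(gy, gm) >= retire_after:
            ids = groups.pop((gy, gm))
            rollups.setdefault(gy, set()).update(ids)
            actions.append(f"retire {gy}-{gm:02d} ({len(ids)} updates) -> Patches Rollup {gy}")
    # Yearly rule from the deck: one old rollup plus one current-year
    # rollup. Assumed here: anything older than last year is folded into
    # last year's rollup so only two rollups remain.
    for ry in sorted(rollups):
        if ry < year - 1:
            rollups.setdefault(year - 1, set()).update(rollups.pop(ry))
            actions.append(f"fold Patches Rollup {ry} -> Patches Rollup {year - 1}")
    groups[(year, month)] = set()
    actions.append(f"create {year}-{month:02d} update group")
    return actions


# Constructed console state just before the March 2014 cycle (ids are made up).
GROUPS = {(2013, 12): {"KB-D1", "KB-D2"}, (2014, 1): {"KB-J1"}, (2014, 2): {"KB-F1"}}
ROLLUPS = {2012: {"KB-OLD"}, 2013: {"KB-Y13"}}
```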
Tips and Tricks
• Patch Organization
  – Filter console (demo)
  – Saved searches (demo)
  – File deployed updates into folders (demo)
• Deployment templates
  – General and specific
• Deployments and Collections
  – One-to-one relationship
    • But collections can include collections
    • Phased collections with a deployment collection (demo)
• Automatic Deployment Rules
  – Streamlining new patches
    • ADR to deploy to pilots
    • Validate
    • Roll out the SUG
  – Demo – creation of SCEP ADR
• Optimize Package Distribution
  – Ensure you download only the languages you need
  – Configure patch distribution to occur in the evenings
  – Stagger patch distributions between tiered sites
Troubleshooting – Server Logs
Log – Types of issues
SUPsetup.log – Installation of the SUP site role
WCM.log, WSUSCtrl.log – Configuration of WSUS server/SUP
WSyncMgr.log – ConfigMgr/WSUS updates synchronization issues
Objreplmgr.log – Policy issues for update assignments/CI version info policies
RuleEngine.log – Automatic Deployment Rules
Troubleshooting – Client Logs
Log – Types of issues
UpdatesDeployment.log – Deployments, SDK, UX
UpdatesHandler.log – Updates, download
ScanAgent.log – Online/offline scans, WSUS location requests
WUAHandler.log – Update status (missing/installed – verbose logging), WU interaction
UpdatesStore.log – Update status (missing/installed)
%windir%\WindowsUpdate.log – Scanning/installation of updates
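An added example, not from the deck, for working through the client and server logs listed above: the ConfigMgr logs (all of the above except WindowsUpdate.log) share the CMTrace entry format, so one parser can pull entries from any of them and a triage pass can count warnings and errors. The sample entries are constructed, not a real capture.

```python
import re
from collections import Counter

# CMTrace entry format shared by the ConfigMgr logs above
# (UpdatesDeployment.log, WUAHandler.log, WSyncMgr.log, ...).
# type 1 = info, 2 = warning, 3 = error. Messages may span lines.
LINE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" '
    r'type="(?P<type>[123])" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.S,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}


def parse_cm_log(text):
    """One dict per CMTrace entry; multi-line messages are kept whole."""
    return [
        {
            "message": m["message"].strip(),
            "time": m["time"], "date": m["date"],
            "component": m["component"],
            "severity": SEVERITY[m["type"]],
            "thread": int(m["thread"]),
        }
        for m in LINE.finditer(text)
    ]


def triage(entries):
    """Counts per severity plus the error messages to look at first."""
    counts = Counter(e["severity"] for e in entries)
    errors = [e["message"] for e in entries if e["severity"] == "error"]
    return dict(counts), errors


# Constructed sample in the shape of a client UpdatesDeployment.log.
SAMPLE = (
    '<![LOG[Evaluating deployment for update group {00000000-0000-0000-0000-000000000001}]LOG]!>'
    '<time="22:05:01.114+300" date="10-14-2014" component="UpdatesDeploymentAgent" '
    'context="" type="1" thread="3120" file="updatesdeployment.cpp:1000">\n'
    '<![LOG[Service window is not available, deferring installation]LOG]!>'
    '<time="22:05:01.120+300" date="10-14-2014" component="UpdatesDeploymentAgent" '
    'context="" type="2" thread="3120" file="updatesdeployment.cpp:1100">\n'
    '<![LOG[Update installation failed.\nError = 0x80070005]LOG]!>'
    '<time="22:05:02.000+300" date="10-14-2014" component="UpdatesDeploymentAgent" '
    'context="" type="3" thread="3120" file="updatesdeployment.cpp:1200">\n'
)
```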
Links
• Information
  – BA Blog (slides, technical)
    • http://bennettadelson.wordpress.com
  – BA website
    • http://www.benettadelson.com
• Vendor security RSS or newsletter
  – Adobe
    • http://helpx.adobe.com/security.html
  – Oracle
    • http://www.oracle.com/technetwork/topics/security/alerts-086861.html
  – Microsoft Security Bulletin Advance Notification
    • http://technet.microsoft.com/en-us/security/gg309152.aspx
  – Microsoft Technical Security Notifications
    • http://technet.microsoft.com/en-us/security/dd252948.aspx
    • Sign up for various topics delivered via email, RSS, or website