Patch management
Graham Titmus
Computer Laboratory

Patching and verifying
• Distribution of Patches
• Group Policy
• SUS server within domain
• Monitoring systems
• SMS feature pack add-on for SMS 2.0
• Web aggregation of status
• MBSA
• Scans of domain

Group Policy
• Targeting of machines via OU
• Computers (CL SUS)
• Group policy applied here
• Computers
• Test machines with no group policy
• Group Policy forced onto machine
• Lock out override so users can’t turn it off
• Place exceptions on another VLAN

SUS distribution
• Local SUS server
• Collects updates via CS SUS server
• Approval of updates controlled within domain
• Test updates
• Several machines forced to update via Microsoft Update Server daily
• Servers tested independently
• Approve updates after testing

SMS for patches
• Capabilities include
• Monitoring and Distribution
• Are independent of one another
• Monitoring uses same scan engine as MBSA
• Benefits
• Central point for all information
• Fine grain targeting for distribution
• Web based reporting

MBSA
• Useful backstop
• Machines may slip through the net
• Scan address range – finds stealth systems
• Instant report of current state
• Important tool for crisis situation
• Useful to scan VPN connected hosts
• Poor discrimination on causes
• High level of noise in a diverse world

Why so many tools?
• Basic mechanism is Group Policy + SUS
• That offers limited (no) reporting
• Reporting host tools added in next version
• Management in addition
• SMS provides good information collection
• Can be used to distribute
• Summary of status needed to plan work
• Point inspection
• For visitor laptops etc.
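
The MBSA and "Why so many tools?" slides rely on an address-range scan as the backstop for machines that Group Policy + SUS never report on. The Python below is an added example of that reconciliation, not part of the original slides; the host names, update labels, address range and CSV layout are constructed for illustration and are not MBSA's own output format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample data: hypothetical hosts and update labels.
MANAGED = {"cl-ws01", "cl-ws02", "cl-ws03", "cl-srv01"}  # machines in the policy OU
SCAN_RANGE = ipaddress.ip_network("192.0.2.0/28")         # documentation address range
SCAN_CSV = """host,ip,missing_updates
cl-ws01,192.0.2.2,
cl-ws02,192.0.2.3,UPDATE-A;UPDATE-B
cl-srv01,192.0.2.5,UPDATE-A
visitor-lt,192.0.2.9,UPDATE-A;UPDATE-B;UPDATE-C
lab-box,198.51.100.7,UPDATE-A
"""

def reconcile(managed, scan_csv, scan_range):
    """Compare a scan of an address range with the managed inventory."""
    seen, unmanaged, missing = set(), [], {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if ipaddress.ip_address(row["ip"]) not in scan_range:
            continue  # outside the range this domain is responsible for
        host = row["host"].lower()
        seen.add(host)
        if host not in managed:
            unmanaged.append(host)  # answers the scan but is not in the OU
        gaps = [u for u in row["missing_updates"].split(";") if u]
        if gaps:
            missing[host] = gaps
    return {
        "unmanaged": sorted(unmanaged),
        "not_seen": sorted(managed - seen),  # managed but silent during the scan
        "missing": missing,
        # Summary of status: how many scanned hosts lack each update.
        "by_update": Counter(u for gaps in missing.values() for u in gaps),
    }

if __name__ == "__main__":
    report = reconcile(MANAGED, SCAN_CSV, SCAN_RANGE)
    print("Not in managed OU:", ", ".join(report["unmanaged"]) or "none")
    print("Managed, not seen:", ", ".join(report["not_seen"]) or "none")
    for host, gaps in sorted(report["missing"].items()):
        print(f"{host}: missing {', '.join(gaps)}")
    for update, count in report["by_update"].most_common():
        print(f"{update}: {count} host(s)")
```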