TechNet Home > Common IT Scenarios

Patch Management Using Systems Management Server 2003

Chapter 4 - Appendices

Published: October 25, 2004
On This Page
Appendix A: Project Guidance Appendix A: Project Guidance
Appendix B: Mapping Patch Management to MOFAppendix B: Mapping Patch Management to MOF
Appendix C: Modifying SMS_Def.mof to Inventory the RegistryAppendix C: Modifying SMS_Def.mof to Inventory the Registry
Appendix D: Emergency Security ResponseAppendix D: Emergency Security Response
Appendix E: Building a List of Reference ComputersAppendix E: Building a List of Reference Computers

Appendix A: Project Guidance

The purpose of this appendix is to offer high-level project management and testing guidance for deploying the components of the Patch Management Using Systems Management Server 2003 Solution Accelerator. The solution accelerator contains:

Information about the prerequisites for conducting the solution accelerator and the role of Microsoft Systems Management Server (SMS) in managing software updates effectively (Chapter 1).

Solution guidance about the four-phase process for managing software updates (Chapter 2).

Operational guidance for conducting the essential maintenance tasks required to manage software updates effectively (Chapter 3).

A set of appendices that support the accelerator, including this appendix (Chapter 4).

Other materials, including the MSM Management Architecture Guide, which provides guidance on how to set up and configure tools such as Microsoft Systems Management Server (SMS) 2003 and Microsoft Operations Manager (MOM) to support patch management.

The project guidance offered by this appendix is based on Microsoft Solutions Framework (MSF). MSF provides proven practices for planning, building, and deploying a variety of technology solutions, combining aspects of software design and development, and building and deploying infrastructure into a single project life cycle for guiding technology solutions of all kinds.

For more information about MSF, see the Microsoft Solutions Framework Web site at http://www.microsoft.com/technet/solutionaccelerators/msf/default.mspx.

Solution Accelerator Overview

The Patch Management Using Systems Management Server 2003 Solution Accelerator focuses on the Microsoft-recommended four-phase patch management process, which is designed to give your organization control over the deployment and maintenance of interim software releases into your production environment.

The Microsoft-recommended patch management process contains the following four phases:

Assess. The first thing you should do is assess your organization to evaluate its readiness to implement a formalized patch management process. This is less a step than an ongoing process that organizations should follow to ensure that they always know what computing assets they have.

Identify. The goal for the Identify phase is to discover new software updates in a reliable way, determine whether software updates are relevant to your production environment, obtain software update source files and confirm that they are safe and will install successfully, and determine whether the software update is a normal change or requires an emergency response.

Evaluate and Plan. The third step in the process is evaluation of the software update and—assuming that it is approved for deployment—planning for its deployment into your production environment.

Deploy. The goal of the fourth and final step is to successfully roll out the approved software updates into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) that you have in place.

Project Team Prerequisites

Members of the team working on a patch management project should:

Be familiar with the key issues and technology around patch management and software distribution.

Be familiar with Microsoft Operations Framework (MOF) concepts and principles.

Understand Microsoft Solutions Framework (MSF) concepts and principles.

Solution Project Phases and Activities

Although MSF prescribes a five-phase process model, complete with major milestones and interim milestones, at a high level those phases fit into four major areas of concentration: planning, building, deploying, and operating.

Planning

To prepare for patch management, you should fully understand the business importance of patch management for your specific environment and the technologies and skills that you have (or do not have) in place for performing proactive patch management.

Next, you can assign teams and responsibilities to ensure that patch management is carried out effectively, as part of normal operations. Successful patch management, like security and operations, is achieved through a combination of people, processes, and technology.

To determine how much effort to put into patch management, first assess the impact of poor (or reactive) patch management on the business, then determine if your organization’s capabilities and infrastructure are sufficient to perform patch management effectively. Use this information to decide what your organization’s goals for proactive patch management should be.

The business problem should document the impact to a business when it does not have a proactive patch management process in place. Reacting to security problems (whether they are attacks by computer viruses and worms or targeted attacks instigated by perpetrators inside or outside an organization) only after they occur, can negatively affect the financial health and the related business goals and objectives of an organization.

Security programs such as patch management are more easily accomplished with executive support. Technology professionals can drive patch management infrastructure, tools, techniques, and processes; but without executive sponsorship, it will be difficult to ensure sufficient resources and broad support for areas such as security policy, which must be applied across the organization to be truly effective. Clear business goals and supporting objectives should be created and understood by the sponsoring executives.

After you have executive sponsorship and buy-in, the first step in deploying an effective patch management solution within your organization will be to summarize the tools and assets that are available to be used in patch management, and then to assess the capabilities of the organization to perform patch management.

Operations Assessment

Through MOF, Microsoft offers a well-established process for conducting an operations assessment. The primary reason for conducting such an assessment is to ensure that you have the operational and technical capability to deploy software updates in your environment. Organizations that want to implement patch management should possess the process maturity to support the following:

The ability to formally request a change.

The presence of an approval process for these change requests.

An environment and process for testing approved changes outside the production environment.

Application of risk management principles during planning and implementation in order to reduce the potential for negative impacts to the production environment.

Configuration management to support the planning and decision-making processes.

The operations assessment is conducted through:

Reviews of current documentation, procedures, employee handbooks, and orientation materials.

Employee interviews, including IT support staff, users, and senior management.

Observation of daily tasks.

The results from these activities are then compared with the minimum set of practices and standards necessary to successfully implement patch management.

Technical Assessment

The assessment team must also complete a technical assessment of the IT infrastructure, reviewing the implementation of SMS to verify that it is operated and maintained according to best practices. This service operates on top of other core IT services (for example, TCP/IP), which must also be verified for proper operation. The patch management solution architecture is optimized for specific configurations of SMS to support patch management. These include service pack installation, site structure, and file amendments, all of which are discussed within this solution accelerator.

Building

Recommendations for solution design are described in this solution accelerator, which includes solution architectural elements as well as specific design guidance. Using the recommendations and guidelines in this solution accelerator, the design team will create a design document that outlines how to perform the activities required during each phase of patch management. For example, the design document might describe how the organization registers for, receives, and monitors information about new software updates. Although the design may vary according to the size and complexity of the organization, follow the recommendations documented in the solution accelerator to ensure best results.

Testing the solution prior to deployment is a basic requirement. The test environment should be configured to replicate the production environment to the greatest extent possible. It should include a representative sample of older and newer hardware, various baseline and line-of-business (LOB) applications, and servers. For each test described in the solution accelerator, there is information about the specific equipment and technical configurations required to perform each test, the steps that are required to carry it out, and the expected results.

Process testing is also required, although it is more conceptual in nature. To test operational processes, it may be necessary to simulate the various tasks required: from discovery of a new (simulated) software update through approval, testing, and deployment.

Deploying

Deploying a software update management solution is likely to require a phased approach. First, the organization must upgrade its service management functions to fill gaps identified during assessment. Next, the technical aspects of the solution are installed and configured, including the software update distribution infrastructure. Finally, the patch management process is layered over the hardware and software components to implement the service features, including patch subscription, notification, approval, testing, and deployment. This approach is described in greater depth elsewhere in this solution accelerator.

The solution deployment may include training activities for IT staff, as well as technical tasks. Staff members must become familiar with the necessary responses to a patch notification and how to integrate these responses into their operational environment. In addition to training for these specific tasks, you might want to provide more generalized operations training. This can be accomplished through formal training using courseware developed by Microsoft and delivered through a variety of vendors. Applicable courses include Course 1737: Microsoft Operations Framework Essentials, Course 1787: Microsoft Operations Framework Changing Quadrant, and Course 2126: Managing a Microsoft Windows 2000 Network Environment. For more information about these courses, see the Microsoft Training Web site at http://www.microsoft.com/learning/training/default.asp.

Depending upon the solution architecture and configuration, some user training may also be required if manual interaction is required to install software updates on user devices.

Operating

Operations refers to the daily, weekly, monthly, and as-needed tasks required to deploy software updates into a production environment and how each of these tasks is allocated to a MOF Team Model role cluster.

This solution accelerator includes a chapter (Chapter 3, “Operational Guidance”) on those tasks. The project team must review these tasks to determine which will be required for the patch management solution being created. Note that the list of tasks in Chapter 3, “Operational Guidance,” is not exhaustive and it is likely that additional tasks may be required, depending upon your environment, existing management procedures, and corporate standards.

After the list of tasks has been identified, the project team will work with the IT organization customer to allocate roles and responsibilities to groups or to individuals who will then carry out those tasks as part of their usual duties. In many cases, training, as described in the previous Deploying section, will be required to ensure that the roles meet performance requirements.

Operations Checklist

The Operations Checklist should be used to ensure that your organization has the minimum operational processes necessary to support patch management. If any of these processes are missing, you should determine whether they can be designed and implemented within the scope of the patch management project or if you will need to start a separate—and more wide-ranging—review of service management.

The checklist is presented in the format of a table, as shown in Figure 4.1.

Figure 4.1. Sample checklist table

Figure 4.1. Sample checklist table
See full-sized image

Change Management

The organizational changes subject to the change management process include hardware, software, system components, documents, and processes—anything deliberately introduced into the IT environment that could affect its functioning as reflected in the service level agreements (SLAs) existing between the IT department and the business it serves.

Information in Table 4.1 is based on the MOF Change Management service management function (SMF). For more information about the Change Management SMF, see the SMF Web site at http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/default.mspx.

Table 4.1.

Required FunctionalityWhy NeededExists

The scope and objectives of the Change Management SMF need to be defined and agreed upon.

If there is confusion over which IT components are covered by change management, it is likely that some changes will be made without reference to the process. This could lead to unscheduled outages, support problems, and inaccurate configuration data.

 

All change requests must follow an approvals process that prevents them from being implemented until the necessary approval has been granted.

Organizations require a disciplined process that can introduce needed changes into their environment with minimal disruption to ongoing operations.

 

Need to have a set of agreed priority levels that indicate the relative urgency of the change to the business.

Priority setting is important because it has a direct effect on the order and timing of the review and implementation processes. It is particularly important to assign an emergency priority classification to those changes that call for it because this will expedite their path through the change management process.

 

Need to have a set of agreed-upon change categories that can be used to indicate the size of a change’s impact on the business, the IT infrastructure, or the users.

The change category is used to determine who needs to be involved in the approval of a change.

 

Change requests should be submitted on a standard RFC form, which can be paper-based or electronic.

The use of a standard form requires the change initiator to provide enough information to the change manager and subsequently the change advisory board (CAB) to enable them to decide whether to implement the change. Using a standard form also forces the change initiator to identify and fully document the scope, implications, and risks of the change being requested, as well as the plans for recovery should the change be unsuccessful.

 

Change requests need to be filtered for completeness, duplication, and practicality and returned to the initiator when necessary.

This process ensures that change requests are complete, do not duplicate other changes, and are of an appropriate nature. It improves the efficiency of the change management process by excluding requests that do not meet the required quality bar.

 

Different approval processes should be defined for each category of change.

More stringent approval procedures will be needed for complex changes or those that require major resources. A CAB will generally be required to approve a major change to business-critical servers, for example.

 

There needs to be a process that deals with emergency changes.

Time constraints for these changes allow for only limited testing and require that normal processes and controls be bypassed. Therefore, an emergency change needs to be fast-tracked through the change management system. Emergency changes cannot be authorized by a single individual and must be approved through a change advisory board emergency committee (CAB/EC).

 

Changes need to be scheduled to reduce risk of failure, reduce likelihood of conflict with other changes, and minimize impact on the business.

Using information relating to service availability and business-critical times, it should be possible to achieve minimal impact and disruption to the business.

 

A schedule of forthcoming changes needs to be made available to everyone within the organization.

The forward schedule of changes shows when all changes are to take place. Having a single change schedule makes it possible to show when change windows (times during which changes are permitted) are available.

 

After implementation, each change needs to be subjected to a post-implementation review.

As well as making a success/failure decision on the change, the review should also look at how the change was deployed and whether it was implemented on time and within budget.

 

All those involved in the change management process need to be aware of their roles and responsibilities.

People and processes play a central role in the daily, weekly, monthly, and as-needed tasks required to effectively deploy changes into the production environment for any organization.

 

Configuration Management

Configuration management is a critical process responsible for identifying, controlling, and tracking all versions of hardware, software, documentation, processes, procedures, and all other inanimate components of the information technology (IT) organization. The goal of configuration management is to ensure that only authorized components are used in the IT environment and that all changes are recorded and tracked.

Information in Table 4.2 is also based on the Configuration Management SMF.

Table 4.2.

Required FunctionalityWhy NeededExists

The scope and objectives of the Configuration Management SMF need to be defined and agreed upon.

If there is confusion about which IT components are covered by the configuration management process, this may adversely affect the planning and assessment of changes to the production environment.

 

Information about IT components and their relationships with other components and services in the production environment is recorded.

The proper understanding and documentation of relationships between IT components makes it possible to perform detailed impact analysis on a proposed change.

 

As changes are made to IT components, the information recorded about those components must also be updated.

Without accurate information, the value of configuration management is significantly reduced.

 

At regular intervals, an audit of managed components within the production environment should be performed.

Changes may have been made to the production environment that have not been tracked or recorded. The results of the audit should be used to confirm that information held about IT components is accurate and up to date.

 

Automated tools are used to assist in the management of IT components.

Automated tools should be used to collect and record information about IT components within the production environment, maintain details of the interrelationships between these components, and support the planning and decision-making process.

 

All those involved in the configuration management process need to be aware of their roles and responsibilities.

People and processes play a central role in the daily, weekly, monthly, and as-needed tasks required to effectively maintain information about IT components in the production environment.

 

Release Management

Release management is responsible for deploying changes into an IT environment. After one or more changes are developed, tested, and packaged into releases for deployment, release management is responsible for introducing these changes and managing their release into the IT environment. Release management also contributes to the efficiency of change introduction by combining changes into one release and deploying them together.

Information in Table 4.3 is based on information from the Release Management SMF. For more information about the Release Management SMF, see the SMF Web site at http://www.microsoft.com/technet/solutionaccelerators/cits/mo/smf/default.mspx.

Table 4.3.

Required FunctionalityWhy NeededExists

The scope and objectives of the Release Management SMF need to be defined and agreed upon.

The goal of release management is to ensure that all changes are deployed successfully into the production IT environment in the least disruptive manner possible.

 

Releases are managed and implemented in accordance with the Release Management SMF.

It is critical that releases are implemented in accordance with the Release Management SMF. Each release should have a corresponding request for change and be assessed, approved, built, tested, and implemented in accordance with the Release Management SMF.

 

Changes need to be implemented, treating each release as a project, to ensure a consistent delivery mechanism and reduce the likelihood of failure.

It may be appropriate, for example, to treat each RFC as a simple release project, with its own project plan and allocated resources. On the other hand, some benefits may be gained by combining the changes from one or more RFCs to form a more complex release.

 

A release strategy is generated for every release.

A release strategy document should be prepared for all releases. This document should contain the steps necessary to prepare the organization for the release, the risks it poses to the production environment, and the manner in which it can be removed from production if it fails to meet its objective. The existence of a tested and documented backout plan will reduce the impact on the business should a release need to be withdrawn.

 

Master copies of all software are stored in a definitive software library (DSL).

This will ensure a single point where all authorized software is stored and will assist in the effective allocation and management of licenses. The DSL needs to be reliable and available at all times. A number of copies can be made and placed in separate locations to ensure that the organization can rebuild and recover any site in the event of a disaster.

 

A schedule of forthcoming releases is maintained that details the contents of each release together with its proposed implementation date.

A schedule of forthcoming releases is used by the Release Management SMF to ensure that approved changes do not conflict with the implementation of a release. Furthermore, the service desk can use the schedule to advise users of periods of unavailability or to provide details of fixes contained within a specific release.

 

All releases are tested prior to implementation.

To ensure that releases do not adversely impact the production environment, each release should be tested in a facility that effectively models the conditions existing in production. The degree to which this can be achieved will be limited by the complexity of this environment and budget, but it should be sufficiently equipped to allow the release team and business representatives to build confidence in a release.

 

Information about releases is communicated to all interested parties.

Effective communications are essential to the success of all releases. Users, support staff, and others need to be made aware of and prepared for deployment of any release.

 

Automated tools are used to assist in the deployment of releases.

Automated tools should be used to deploy releases (where appropriate) and provide detailed status reports that enable the release team to track and monitor the progress of deployment.

 

All those involved in the release management process need to be aware of their roles and responsibilities.

People and processes play a central role in the daily, weekly, monthly, and as-needed tasks required to effectively deploy releases into the production environment.

 

Appendix B: Mapping Patch Management to MOF

MSM version 3.0 includes a high-level, four-stage Process Model for patch management, as illustrated in Figure 4.2.

Figure 4.2. The Microsoft patch management four-stage Process Model

Figure 4.2. The Microsoft patch management four-stage Process Model

This model is a higher-level abstraction of the full end-to-end MOF patch management Process Model used in earlier versions of the MSM patch management offerings.

The four phases of the model map to the full end-to-end process as follows:

Assess

In the Assess phase of the high-level model, you determine what you have in your production environment, what security threats and vulnerabilities you might face, and whether your organization is prepared to respond to a software update.

This phase incorporates the initial setup activities of baselining and subscription described in previous versions of MSM:

Baselining is the process by which you identify what versions of software you want to manage.

Subscription is how you work out the best sources of information about new software updates for the versions of software you have decided to manage.

Identify

In the Identify phase, after your organization becomes aware of a new software update, you determine whether the update is relevant to computers within your production environment. If it is relevant, you submit a change request to gain approval for deploying the software update into production.

This phase incorporates the identification activities of identification, relevance, and quarantine, and the Change Management SMF activity of submitting a change request described in previous versions of MSM.

Identification is how organizations are notified of new software updates, how they screen them, and how they validate them.

Relevance is how organizations determine whether they have the operating systems or applications that need to be updated and, if they do, whether they have the vulnerabilities in question.

Quarantine is the process by which organizations look at any software update in isolation to prevent virus infection or malicious code from affecting their IT infrastructures.

Change request is a formal request to make the changes required to deploy a software update.

Evaluate and Plan

By the end of the Evaluate and Plan phase, you should have made a go/no-go decision to deploy a software update and have determined the necessary tasks that will be needed to deploy it into production. You should also have tested the software update in a production-like environment to confirm that it does not compromise business-critical systems and applications.

This phase incorporates the following activities from the Change Management SMF and the Release Management SMF:

Change classification, which is the assigning of a priority and a category to a proposed change, using its urgency and its impact on the infrastructure or users as criteria.

Change authorization, which is consideration and approval or disapproval of a proposed change by the change manager and the CAB.

Change development, which is the planning and development of a change, a process that can vary immensely in scope and includes reviews at key interim milestones.

Plan release, which is the process whereby the release manager determines what needs to be done to the production environment to implement a change.

Release development, which is the phase during which members of the release team develop the processes, tools, and technologies required to deploy the release into the production environment.

Acceptance testing, which is the process for ensuring that releases will not adversely affect the production environment. Each release should be tested in a facility that effectively models the conditions that exist in the production environment.

Rollout planning, which is the stage at which the release manager reviews the rollout order to determine whether it is still aligned with business requirements and priorities.

Deploy

The goal for the Deploy phase is to successfully roll out the approved software update into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

This phase incorporates the following activities from the Release Management SMF:

Rollout preparation, which is getting the production environment ready for each new release, and generally includes communicating information about the release to users and other personnel, training service desk and technical support staff, and making backups of critical IT components.

Release deployment, which is the process of moving the release into the production environment.

Change review, which is the process of determining the effectiveness of the change.

Configuration management, which spans all phases of both models, is a critical process responsible for identifying, controlling, and tracking all versions of hardware, software, documentation, processes, procedures, and all other inanimate components of the IT organization.

The following figure illustrates how the high-level, four-phased process maps to the MOF patch management Process Model used in earlier versions of the MSM patch management offerings.

Figure 4.3. Comparison of high-level four-phase process to the MOF patch management Process Model

Figure 4.3. Comparison of high-level four-phase process to the MOF patch management Process Model
See full-sized image

Appendix C: Modifying SMS_Def.mof to Inventory the Registry

The following is a sample SMS_Def.mof file showing modification to inventory registry.

//------------------------------------------------------
// Identifying Servers running TS in Application Mode
// Terminal Services- Obtain TSEnabled from Registry
// Terminal Services- Obtain TSAppCompat from Registry
//------------------------------------------------------

#pragma namespace (“\\\\.\\root\\cimv2”)
// grab the TS Enabled and TS Application Mode
[DYNPROPS]
class TSAPPMode
{
   [key] 
    string keyname=””;
    string TSEnabled;
    string TSAppCompat;
};
[DYNPROPS] 
instance of TSAPPMode
{
    keyname=”TSAPPMode”;

    [PropertyContext(“local|HKEY_LOCAL_MACHINE
    \\SYSTEM\\CurrentControlSet\\Control
    \\Terminal Server|TSEnabled”),Dynamic,
Provider(“RegPropProv”)] 
    TSEnabled;

    [PropertyContext(“local|HKEY_LOCAL_MACHINE
    \\SYSTEM\\CurrentControlSet\\Control
    \\Terminal Server|TSAppCompat”),Dynamic,
Provider(“RegPropProv”)] 
    TSAppCompat;

};
#pragma namespace (“\\\\.\\root\\cimv2\\sms”)
[

    SMS_Report(TRUE), 
    SMS_Group_Name(“TS Application Mode”), 
    SMS_Class_ID(“MICROSOFT|TSAPPMode|1.0”)
]
class TSAPPMode : SMS_Class_Template
{

    [SMS_Report(TRUE),key] 
    string keyname;
    [SMS_Report(TRUE)]
    string TSEnabled;
    [SMS_Report(TRUE)]
    string TSAppCompat;
};

Appendix D: Emergency Security Response

Overview

Even with the best patch management process, your technology environment can still be attacked. Not all vulnerabilities are resolved by the application of security updates; some vulnerabilities may be related to weak computer security configurations.

Alternatively, a software vulnerability could be exploited before a security update is available or even before it has been publicly reported—otherwise known as a “zero day” attack. Perhaps a vulnerability that has recurred in the environment has been exploited before being addressed.

Regardless, it is not necessary to understand why you are vulnerable to realize that an emergency security response may be required. To deal with the emergency effectively, you need to have an incident response plan in place. This appendix identifies key ways to prepare for an emergency, provides suggestions for setting up an incident response plan, and gives prescriptive measures and ideas about how to minimize impact and take control during an emergency situation.

Evaluation

The first step in the emergency response scenario is to identify and define the emergency. If you are in an emergency situation, the attack requires immediate attention. How vulnerable are all of your systems? You need to be able to immediately prioritize the resources needed to fight the emergency based on asset valuation.

When your intrusion detection system or other indicators tell you that you are under attack, as part of your evaluation, you need to:

Identify the nature of the attack. Is the attack a distributed denial of service attack, or an attack targeted just at you? Is someone trying to shut down your network altogether, or attempting to infiltrate individual computers?

Localize the source. Use your firewall and audit logs to attempt to identify where the attack originated. This will help you identify whether the attack is coming from a compromised host on your own network or from the outside world.

Notification and Escalation

Proper communication is critical to managing an attack. Depending on the type of attack, determine exactly who needs to know that an attack is underway. During a targeted attack, do not tip off the attacker with company-wide communications; keep attack communications contained to the people who have a need to know.

With a virus or worm, company-wide communication that reaches all employees both onsite and remote may be appropriate. Keep in mind that communication technologies may also be under attack. You should have a contingency plan in the event any of your usual communication methods are unavailable.

Be sure to communicate appropriately. Make the communication to the point, informational, and constructed to alleviate any panic. If you have specific company guidelines for communications, make sure to follow them so that the recipients trust the message. These guidelines may need to be revised to accommodate emergency situations.

It is very important that all those who are involved in an incident response communicate effectively. Doing so will help ensure that decisions are made without duplicating effort and that no steps of the process are missed. The incident response team should be the focal point for all communications.

Contact Your Technology Vendors

If a Microsoft product is involved in the attack, notify Microsoft Product Support Services at (866) PC SAFETY or (866) 727-23389 for free virus-related and security update–related support in the United States and Canada. For other locations, contact Microsoft Product Support Services worldwide at http://support.microsoft.com/common/international.aspx.

If you have Microsoft Premier Support, contact your Technical Account Manager using his or her contact information.

Microsoft has security and incident response experts who can help you understand an attack and assist you throughout the incident response process.

Contact Law Enforcement Agencies

Intrusions can be a criminal event. Consider notifying the appropriate law enforcement agency if you are under attack, and understand and comply with your local jurisdictional requirements for involving the authorities and informing those who may be affected by the intrusion.

Many government agencies have extensive experience (likely more experience than your organization will have) assisting organizations with Internet intrusions and subsequent prosecution. Reduce your risk in an emergency situation by involving them!

Note   In the United States, there are several agencies that you can contact when you are under attack. The United States Department of Justice provides information on how to report Internet-related crime at http://www.usdoj.gov/criminal/cybercrime/reporting.htm.

Contact Legal Counsel

It is a good idea to contact your organization’s legal counsel at this point to collaboratively determine if legal prosecution is a possibility after the event, depending on the nature of the attack. If legal prosecution is an option, throughout the event process your organization should maintain a log of the business impact of the attack (damages) and take additional steps to protect the evidence, such as:

Keep backup copies of any logs you generate on read-only media, and take detailed notes so that you have a good evidential record of what happened and when. Include checksums of all data collected on the same read-only media to prove that it was not tampered with.

Save the running system state (services, ports open, user accounts, memory maps, and so on) and create a forensic image of the suspect drive.

If protecting evidence is critical and a backup computer (and data) is available, do not attempt to change or fix the affected computer. Turn off the affected computer and introduce the backup computer after ensuring that it does not have any vulnerabilities that would make it susceptible to attack. Just as in a crime scene, the more you do to an affected computer, the greater the chance of destroying evidence.

Isolate and Contain

Although uptime is very important in most environments, keeping computers available during an attack may result in more damage. Balance the impact of an ongoing attack with the impact of an appropriate defense.

Attacks that destroy, manipulate, or divulge sensitive data or that require a full computer reinstallation to recover from may merit taking computers offline to protect them. Less intrusive attacks, such as some denial of service attacks, may not require a response this severe. In most cases, the source of an attack should be removed from the network to isolate and minimize proliferation, regardless of the type of attack.

When you take extreme measures that affect the business, you should track them closely so that they can be successfully removed after the incident is resolved.

The following are several activities that you can perform to isolate and contain an attack:

Disable access points. Determine which access point(s) the attacker used and implement measures to prevent ongoing access. Such measures may include disabling a modem, shutting down virtual private network (VPN) and remote access servers, adding access control entries to a router or firewall, or physically disconnecting network equipment.

Protect classified, sensitive, and proprietary data. As part of planning for incident response, you should clearly define which assets contain sensitive information that needs to be protected. Depending on the nature of the attack, you might choose to shut down these computers or turn off specific services.

Protect software against attack. This includes protecting against loss or alteration of system files. Damage to software can result in costly downtime.

Block the attack. If an attack or attempted attack is coming from outside, block access to your network from that IP address. Some attacks change the range of the source IP address, so you may need to analyze the traffic and block specific ports.

If you are the target of a distributed denial of service attack, you might want to work with your ISP on a coordinated response.

There are also specific items you may want to turn off or disable during an attack. Some of these are:

Attack-source computers. If you have identified specific computers that have been compromised and are involved in the attack, you might want to pull them from the network until you can disinfect them and return them to service.

File shares. If the attack uses the context of the user to gain access to files and data for destruction, set all file shares to read-only to allow most work to continue but prevent attacks from causing further damage.

Virtual private network or remote access. To protect your remote users from the attack, you can disable the ability for remote users to connect to the company network. The attack could spread to those users who are connecting or the attack could be coming from a remote user.

Internet connection. Shut down the Internet connection to the outside world. Not only could this halt the attack if it is coming from outside the company, but it can also contain the attack before you infect other locations.

Internal connections. Try to contain the attack by disabling connections to other company offices or geographic locations.

Vulnerable services and applications. Certain vulnerabilities depend on specific services running in order to propagate themselves. Shut down services that could proliferate the attack.

Vulnerable ports. Shut down or block ports at the firewall. Vulnerabilities that attack from the outside generally depend on specific ports or port numbers being open. Review the documentation from your networking hardware vendor for more information.

Passwords for elevated privilege accounts. Various vulnerabilities attempt to guess the password for specific accounts. Administrator and guest accounts and accounts that run with high privilege are favorite points of attack. Change these passwords immediately when confronted with an attack.

For more information about using IPSec to block ports and secure a server, see “Using IPSec to Lock Down a Server” at http://www.microsoft.com/technet/solutionaccelerators/network/security/ipsecld.mspx.

For scripts that can start and stop services remotely, visit the TechNet Script Center at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx.

Scripts that can remotely change passwords and lock accounts are also available from the TechNet Script Center at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx.

Analyze and Respond

To be able to recover effectively from an attack, you need to determine how seriously your environment has been compromised. This will help identify how to contain and minimize the risk, how to recover, with whom you should communicate the incident, and whether to seek legal redress. In general you should attempt to:

Determine the nature of the attack, which may be different than your initial assessment suggests.

Determine the point of origin of the attack.

Try to determine an attack signature so you can recognize when new computers are being attacked.

Determine the intent of the attack. Was the attack specifically directed at your organization to acquire specific information, or was it a random attack?

Identify which computers have been compromised.

Identify the files that have been accessed and determine the sensitivity of those files.

Remediation

If computers need to be recovered from an attack, it is always best to rebuild a fresh system. Consider rebuilding a fresh system with new hard disks using your up-to-date, secure baseline. Ensure that you change any local passwords and address the vulnerability that was exploited during the attack. You should also change administrative and service account passwords elsewhere in your environment.

If Microsoft or your virus vendor provides a recommended way of cleaning a computer from a virus or worm that does not require a full reinstallation, this option might be preferable because of the time and cost saved.

However, there is always a chance that an attacker opened several back doors after your computer was compromised during an attack (for example, several viruses leave back doors for future exploits). When a computer has been compromised by an attack of any kind, the safest way to return it to service is to reinstall the operating system, reload applications from a known good backup or baseline that applies an up-to-date security policy, and ensure the exploited vulnerability has been addressed.

Even though it might be tempting to address the compromise quickly and get the computer back on the network, it is risky to do so because it is impossible to determine what back doors or changes to the computer the attackers have left.

CERT maintains a list of steps for recovering from a system compromise, which is available at http://www.cert.org/tech_tips/root_compromise.html.

Accelerated Release Management

When fixing problems across the environment in response to an attack, use your current change and release management processes as a guide, performing only those steps that are required to quickly and effectively respond to the attack.

If an attack can be resolved with the application of a security update or countermeasure, determine how to quickly install it throughout the organization. The risk of the vulnerability being exploited during an attack is significantly higher than normal, so you might decide to perform only basic testing during an emergency.

Take all of the company’s technology assets into account. During an attack, not all assets may be connected to the network—for example, remote users may need to be addressed. If you deploy an accelerated release, you may need to deploy it again when remote computers return, or have them install it before they can connect.

If you do not have a software update distribution infrastructure in place, consider sending users to Windows Update or Office Update to install a security update or putting an emergency Software Update Services infrastructure in place.

As long as your connection to the Internet has not been disabled during an attack, computers can download and install the security update from Windows Update. This method is extremely useful for remote users. You can communicate to them the importance of the security update and give instructions for using the Windows Update Web site.

As a last resort, if an attack affects network services, consider deploying a security update manually. This would involve visiting each computer and applying the release, or providing CDs and installation information to all users in a coordinated manner.

Monitoring and De-Escalation

After you have installed a release in the production environment, continue to monitor your computers and network. Watch for a recurrence of any attack signatures determined when learning about the attack. As well as monitoring existing servers, it is important that you monitor the environment as a whole to ensure that new computers added to the network are not vulnerable, thereby enabling the attack to start again.

De-escalation indicates a return to normal business operations. De-escalation typically occurs when none of the parties involved in the incident are identifying or reporting new information.

Post-Incident Activities and Review

After the incident is over and the attack is no longer considered an active threat, there are a few wrap-up activities that should be performed, including:

Submit a change request following your organization’s typical change process and re-release any production changes that were required during the attack. If testing was skipped earlier, now is the time to properly ensure that the implemented production changes do not negatively impact the security and reliability of your environment.

Ensure the vulnerabilities that were exploited are added to your vulnerability scanning reports and security policy computer standards so the attack does not have an opportunity to recur.

Assess the total incident damage and cost—both downtime costs and recovery costs.

Review your organization’s performance throughout the incident. Take this opportunity to improve your incident response plan.

Appendix E: Building a List of Reference Computers

The following is a sample script that should be run on your SMS 2003 primary site servers to create a collection that contains all representative computers in the environment. This resulting collection is effectively a replacement for the “pre-production collection” that Setup creates by default. This collection allows you to test a software update on a representative set of computers. When prompted by the script for the collection name, type Security Update Inventory Tool (preproduction) for the name.

Note   If the collection does not appear in the SMS Administrator console after refresh, you should stop and restart the SMS_EXECUTIVE service. The new collection should then appear.

Option Explicit
‘On Error Resume Next ‘ comment out for debugging, uncomment for 
error handling
Const sScriptTitle = “Create OS Sample Collections Script”
Const cnSamples = 3 ‘ default number of samples
‘ since this is VB Script, there are no types. Type information 
is included for readability.
Dim oLocator  ‘ as SWbemLocator
Dim oServices ‘ as SWbemServices
Dim eInstances ‘ as SWbemObjectSet
Dim oInstance ‘ as SWbemObject
Dim oWMIContext ‘ as SWbemNamedValueSet

“””””””””” First we need to set up our connection to the 
SMS Provider
‘ Create locator, needed to connect to the WMI namespace
Set oLocator = CreateObject(“WbemScripting.SWbemLocator”) 
If Err.Number <> 0 Then ReportError “Windows Management (WMI) is 
not installed on this computer.”
‘ Ask the user for the name of the Site Server
‘ you can also get this from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\AdminUI\Connection
\Server
Dim sSiteServer, msg
msg = “This script will create collections based on site 
membership. “ 
msg = msg & “Enter the name of the site server where 
the collections will be created: “
‘ see if we can guess the site server name
Dim oShell
Set oShell = CreateObject(“WScript.Shell”)
sSiteServer = 
oShell.RegRead(“HKLM\SOFTWARE\Microsoft\SMS\AdminUI\Connection
\Server”)
If Err.Number = 0 Then
 sSiteServer = Mid(sSiteServer,3,Len(sSiteServer)-3)
Else
 sSiteServer = vbNullString
End If
Set oShell = Nothing
If sSiteServer = vbNullString Then
 sSiteServer = InputBox(msg,sScriptTitle,sSiteServer)
End If
If sSiteServer = vbNullString Then WScript.Quit(0)
‘ Connect to the SMS Site Server, we’re using integrated security
here but you do have the option
‘ of specifying a user name and password as well.
Set oServices = oLocator.ConnectServer(sSiteServer, “root\sms”)
If Err.Number <> 0 Then ReportError “Could not connect to SMS 
Site Server on: \\” & sSiteServer & vbCrLf & Err.Description

“””””””””””””” 

‘ Ask it for the the name of the SMS Provider
Set eInstances = oServices.ExecQuery(“select SiteCode, Machine 
from SMS_ProviderLocation where ProviderForLocalSite=TRUE”)
If Err.Number <> 0 Then ReportError “Could not find SMS 
Provider on SMS Site Server: \\” & sSiteServer
Dim sSiteCode  
Dim sProvMachine 

‘ There should be only one of these instances
For Each oInstance In eInstances 
  sSiteCode = oInstance.SiteCode
  sProvMachine = oInstance.Machine
  Exit For
Next

‘ Connect to the SMS Provider
Set oServices = oLocator.ConnectServer(sProvMachine, 
“root\sms\site_” & sSiteCode)
If Err.Number <> 0 Or oServices Is Nothing Then 
 ReportError “Could not connect to SMS Provider on: \\” &
 sProvMachine
End If
‘ We’re done with the WMI Locator now
Set oLocator = Nothing

‘ Create context object for use with logging
Set oWMIContext = 
CreateObject(“WbemScripting.SWbemNamedValueSet”)
‘ get the machine name
Dim oWshnetwork
Set oWshnetwork = CreateObject(“Wscript.Network”)

‘ These two context properties are needed for proper auditing
oWMIContext.Add “ApplicationName”, sScriptTitle 
oWMIContext.Add “MachineName”, oWshNetwork.ComputerName
Set oWshNetwork = Nothing

Dim eOSTypes, oOSType, oColl, oRuleCls, oRule, oPath, 
oNewColl2Sub, oWMIContextLimit
Dim nRulecount, nMaxRulecount, nInstanceCount
Dim sCollName, nSamples


If WScript.Arguments.Count > 0 Then
 sCollName = WScript.Arguments(0)
Else
 sCollName = InputBox(“Enter the name of the collection 
 to create.”,sScriptTitle,””)
End If
If Len(sCollName)=0 Then
  WScript.Quit(0)
End If
If WScript.Arguments.Count > 1 Then
 nSamples = CInt(WScript.Arguments(1))
Else 
 nSamples = cnSamples ‘ use default
End If
Set oWMIContextLimit = 
CreateObject(“WbemScripting.SWbemNamedValueSet”)
oWMIContextLimit.Add “InstanceCount”, CInt(nSamples)
‘ get list of sample operating systems
set eOSTypes = oServices.ExecQuery(“select distinct Caption,
CSDVersion, Version, OSLanguage from 
SMS_G_System_Operating_System”)
If Err.Number <> 0 Or eOSTypes Is Nothing Then 
 ReportError “Could not retrieve list of operating systems”
End If
‘ get new or existing collection and set up
set oColl = Nothing
set eInstances = oServices.ExecQuery(“select * from
SMS_Collection where Name=””” & sCollName & “”””)
If Err.Number <> 0 Or eInstances Is Nothing Then 
 ReportError “Error querying for collection”
End If
If eInstances.Count = 0 Then
 set oColl = oServices.Get(“SMS_Collection”).SpawnInstance_
 oColl.Name = sCollName
 oColl.Comment = “Contains a representative sample of each 
 operating system and version.”
 oColl.RefreshType = 1
 oColl.OwnedByThisSite = True
Else
 For each oColl in eInstances
  Exit For
 Next
End IF
Set eInstances = Nothing
set oRuleCls = oServices.Get(“SMS_CollectionRuleDirect”)
‘ query for each type of OS and add systems, take the systems 
that most recently reported inventory
Dim sSelect, sOrderBy, sWhere
sSelect = “select sys.ResourceID, sys.Name from SMS_R_System sys
join SMS_G_System_Operating_System os on 
sys.ResourceID=os.ResourceID “
sSelect = sSelect & “ join SMS_G_System_WORKSTATION_STATUS stat 
on sys.ResourceID=stat.ResourceID “
sOrderBy = “ order by stat.LastHardwareScan DESC”
nMaxRulecount = nSamples*eOSTypes.Count
ReDim arRules(nMaxRulecount-1)
nRulecount=0

If nMaxRulecount > 0 Then
‘ walk through each operating system type and find healthy 
examples
 For each oOSType in eOSTypes
  sWhere = “ where os.Caption=””” & oOSType.Caption & “”” and
os.Version=””” & oOSType.Version & “”” and os.OSLanguage=” &
CStr(oOSType.OSLanguage)
  If IsNULL(oOSType.CSDVersion) Then
   sWhere = sWhere & “ and os.CSDVersion is NULL”
  else
   sWhere = sWhere & “ and os.CSDVersion=””” & oOSType.CSDVersion
& “”””
  End If
  set eInstances = oServices.ExecQuery(sSelect & sWhere &
sOrderBy,,48,oWMIContextLimit)
  If Err.Number <> 0 Or eInstances Is Nothing Then 
    ReportError “Error querying for machines”
  End If
  nInstanceCount = 0
  for each oInstance in eInstances
   set oRule = oRuleCls.SpawnInstance_
   oRule.RuleName = oInstance.Name
   oRule.ResourceClassName = “SMS_R_System”
   oRule.ResourceID = oInstance.ResourceID
   set arRules(nRulecount) = oRule
   nRulecount = nRulecount + 1
   nInstanceCount = nInstanceCount + 1
   If nInstanceCount >= nSamples Then exit for   
  next

  set eInstances = Nothing
 Next
 End If 
Set eOSTypes = Nothing
‘ if we didn’t get all the samples, resize the array
If nMaxRulecount > nRulecount Then 
  Redim preserve arRules(nRulecount-1)
End if
‘ set the rules array into the rules property and then save the
collection oColl.CollectionRules = arRules set oPath = 
oColl.Put_( ,oWMIContext)
If Err.Number <> 0 Then ReportError “Could not create or update 
collection.”
‘ put this site in the tree (top level) by creating an 
association with COLLROOT
Set oNewColl2Sub = 
oServices.Get(“SMS_CollectToSubCollect”).SpawnInstance_
oNewColl2Sub.parentCollectionID = “COLLROOT”
oNewColl2Sub.subCollectionID = 
CStr(oPath.Keys.Item(“CollectionID”))
oNewColl2Sub.Put_ ,oWMIContext
If Err.Number <> 0 Then ReportError “Could not create collection
association.”

“” End of Script
WScript.Quit(0)


“”””””””
“ Error handling routine
Sub ReportError(Msg)
 Dim oError
 Set oError = CreateObject(“WbemScripting.SWbemLastError”)
 If Not oError is Nothing Then
   MsgBox Msg & vbCrLf & 
oError.GetObjectText_(),vbCritical,sScriptTitle
 Else 
   MsgBox Msg & vbCrLF & Err.Text & “ : “ &
Err.Number,vbCritical,sScriptTitle
 End If
 WScript.Quit(1)
End Sub

**
**

Download

Get the Patch Management Using Systems Management Server 2003

Solution Accelerator Notifications

Sign up to stay informed

Feedback

Send us your comments or suggestions