
MSIT222

The document outlines Microsoft's IT patch management strategy, detailing the challenges faced, the adoption of Systems Management Server (SMS), and the defined patch handling processes. It emphasizes the importance of security, user experience, and compliance while providing insights into the roles, responsibilities, and timelines involved in patch deployment. Additionally, it highlights best practices and future plans for continuous improvement in patch management services.

Uploaded by

wwy1005

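Patch Management at Microsoft IT

Agenda

● The Microsoft environment
● Security patching challenges
● Why did Microsoft IT adopt SMS?
● Patch handling process
● Patch management process definition
● Best practices
● A continuously evolving and improving service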

Microsoft IT environment

● 116,000+ e-mail server accounts
● 300,000+ PCs and devices
● 1.9-terabyte database, single instance SAP
● 106,000 end users
● 98 countries/regions
● 441 buildings
● 42,000,000+ remote connections/month
● 3,000,000+ internal e-mail messages per day
● 99.99% availability

[Map labels: Dublin, Redmond, Singapore]

Microsoft IT environment

[Diagram of the client environment. Labels: Remote access clients/dial-up; VPN; All computers; Domain joined clients; SecureNet; Workgroups; Managed through SMS; 11,000 servers; Labs; Internet Protocol security boundary. Counts shown: 300,000; 220,000; 230,000.]


Microsoft IT environment

● Multi-tiered
● Cooperative desktop management model
● Support for 9 languages
● Fully centralized management

Solution overview

SMS Server 2003 helps Microsoft manage and enforce its patching policy effectively.

Business need:
● Need to determine and maintain a known level of software updates for operating systems and application software

Solution:
● Systems Management Server 2003

Benefits:
● Promotion of security
● Higher systems availability
● Improved auditing
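
Products and technologies

● Systems Management Server 2003

Business challenges

● Many kinds of software updates
● Multiple patch deployment solutions
● Need to give users a good experience
● Different patching scenarios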

Why Microsoft IT adopted SMS

● Scalability
● Flexible targeting and configuration
● Compliance reporting
● Forced installation and reboots
● User notification and reminders
● Source path management
● Use of existing technical resources and skills
● Future enhancements

Patch process
Multiple patch delivery options

Scale: lower client impact to higher client impact

● E-mail and intranet Web site notification; users can use Microsoft Update or similar (all optional)
● SMS patch management (voluntary to start, and then forced)
● Custom scanning (forced)
● Remediation

Patch deployment process
Core components

● SMS packages include:
  ● Scanning
  ● Staging
  ● Sustainer
  ● EST and others as needed
● Packages are set to recur every two days
● Non-security updates and service packs are deployed as needed
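
Patch deployment process
Core components

● Policies
  ● Security patches are the primary focus
  ● Exception requests are generally not granted
  ● Users can install patches ahead of the forced date
● Staff
  ● One project manager
  ● Three administrators

Patch deployment process
Monthly action items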

Patch deployment process
Roles and responsibilities

[Flowchart]

Corporate Security:
1. Corporate Security monitors vulnerability information
2. Corporate Security finds and analyzes vulnerability
3. Critical vulnerability?
   yes: Corporate Security determines enforcement schedule
   no: Wait for service pack

Patch Mgmt Service:
1. Patch Mgmt Service analyzes update
2. Patch Mgmt Service prepares update
3. Patch Mgmt Service distributes update
4. Patch Mgmt Service enforces update

Timing labels: six hours; two weeks later normally, 24 hours if accelerated, or immediate if emergency

Patch deployment process
Schedule

Patch deployment process
Maintenance Windows

[Figure: maintenance window schedule. Columns: Critical deployment (21 days); Accelerated deployment (48 hours). Rows: Thursday, Friday, Saturday, Sunday, each divided into the windows 12A-2A, 4A-6A, 8A-10A, 12P-2P, 4P-6P, 8P-10A, and paired with Hour 1, Hour 2, Hour 3, Hour 4 respectively. Marker: Patch Tuesday 8 P.M. Pacific Time (UTC-8).]

Patch deployment process
Patch Tuesday actions

● Scan catalogs and articles downloaded
● Assess updates
● Apply specifics for MBSA-based updates
● Authorize updates
● Conduct final quality control check
● Copy update packages to the other hierarchies
● Monitor update deployment
● Coordinate with internal suppliers
● Announce results to interested parties

Patch deployment process
Testing

● Testing is appropriate for needs at Microsoft
● Monitor computers as patches are released
● Monitor status messages carefully in early stages
● First users serve as voluntary test cases
● Application owners perform tests upon release of patches
● A prerelease quality control check is performed on about 15,000 internal clients, plus some external labs
● Microsoft IT trusts Microsoft patches

Patch deployment process
Report generation

● Update reporting focuses on compliance, errors, and SMS involvement
● Completeness reporting is useful
● Traditional software distribution reporting can verify success of scanning and installation

Patch deployment process
Sample report
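
Patch management is a service
Overview

● Know the service's customers and partners
● Refine service level agreements (SLAs)
● Formalize and document all processes
● Manage information centrally
● Set metrics and analyze the results
● Collect user feedback
● Refine contingency plans
● Automate wherever possible, especially reporting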

Patch management is a service
Relationships

[Diagram: relationships around the Patch Management Service. Recoverable labels:]

● SecureNet PMs; Office PMs; Security PMs
● MMS
● Microsoft IT Security Management
● Microsoft.com: Patches, patch catalogs, articles, programs, and advisories
● Product Teams (Test Patches)
● Microsoft IT Windows Networking and Infrastructure Team
● GTS Manageability Services; Software Life-Cycle Mgmt
● Suppliers (Infrastructure, Engineering, Reporting, Tier 2 Software Distribution, management, and PM teams)
● Engineering/SMS Product Team (patching-related beta testing)
● Patched Clients (Main, Labs, Pilot, and Data-Center hierarchies)
● Office pilot hierarchy; SMS beta test hierarchy
● RASPatch (VPN clients)
● Manual Patching (datacenters)
● Customer-ready materials
● Flow labels: Security; User experience; Patch delivery; Coverage; Reports, metrics, web site, e-mail

The service also confers with:
- Imaging
- Helpdesk
- community (newsgroups, etc.)
- Service Delivery Mgmt Team

The service's competitors (in service quality comparisons) are: Users, other SMS and IT services including data-center server owners
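
Lessons learned

● Process: consistent and repeatable
● Technology: automation through products and tools
● People: clearly defined roles and responsibilities, with the right skills

Lessons learned

Microsoft Operations Framework

1. Assess: assess the environment in which patches are deployed
2. Identify: identify new software updates
3. Evaluate and Plan: evaluate and plan software update deployment
4. Deploy: deploy software updates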
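
Lessons learned

● Treat security as the first-priority consideration
● Obtain support from decision-making leadership
● Define the service correctly and keep reviewing it
● Manage SMS well
● Set clear expectations; make sure business server owners accurately understand what is communicated
● For patch updates based on MBSA analysis, use the /ER option on the update command line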

Lessons learned

● Keep to single restart on clients
● Use change control windows efficiently
● Ensure software installations restart when needed so that updates install
● At very large sites, spread workload on servers over time
● Subscribe to community resources

Next steps for the Microsoft IT patch management service

● Quarantine (Network Access Protection)
● Hot updates—in memory as soon as installed
● Windows Vista Restart Manager
● New clients
  ● 64 bit, Windows Vista, devices, possibly other operating systems
● Internet-facing update servers
● User-oriented improvements
● Other aspects of security
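
Summary

● Patch management is not easy, especially in a large organization
● Technology, process, and people all present challenges
● Patch management is a continuously evolving science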

More information

● Systems Management Server
  http://www.microsoft.com/sms
● Microsoft Solutions for Management
  http://www.microsoft.com/msm
● Microsoft Operations Framework
  http://www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx
● Microsoft community sites
  http://www.microsoft.com/technet/community

More information

● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft IT Showcase Webcasts
  http://www.microsoft.com/howmicrosoftdoesitwebcasts
● Microsoft TechNet
  http://www.microsoft.com/technet/itshowcase

This document is provided for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
SUMMARY. Microsoft, Active Directory, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.

Supplementary information

Appendix 1
ITConfig

Appendix 2
SMPStatus

Appendix 3
How SMS Patching Works

[Diagram labels: Microsoft Download Center; SMS Site Server and Management Point; SMS Distribution Point (two shown); SMS Clients (three groups shown)]
