Securing the Microsoft Environment Using Desktop Patch Management
Published: February 2009
In an enterprise organization such as Microsoft, it's mission critical to maintain a secure environment by keeping client computers up to date with the latest software and security updates. In large environments, automating the management of this environment as much as possible is a significant goal. Learn how Microsoft achieves this goal using Microsoft® System Center Configuration Manager 2007 to manage its own environment of more than 255,000 computers worldwide.
Products & Technology
This article describes how Microsoft IT uses System Center Configuration Manager to manage the process of distributing applications, managing hardware and software assets, and managing the deployment of security updates and other software updates across the enterprise.
Patch-management administrators, enterprise security administrators, and System Center Configuration Manager administrators
The Microsoft Information Technology (Microsoft IT) group uses Microsoft® System Center Configuration Manager 2007 to manage more than 255,000 computers worldwide. Microsoft IT ensures that nearly 90,000 users in more than 400 Microsoft locations around the world are able to access the corporate network 24 hours per day, seven days per week. The critical nature of round-the-clock access creates challenges in both connectivity and security. Connection to the Microsoft corporate network must be provided in a secure manner to protect the company's assets, which include the network, other connected systems, and local and remote computers.
Microsoft faces challenges common to many organizations. These challenges include:
- An increase in the number of software updates because of the increased efforts to maintain system security.
- The need for efficiency in enterprise patch management, which requires a level of automation to improve supportability and reduce cost.
- The need to reduce downtime that connected employees experience because of the installation of software updates.
- The thoroughness and efficiency of collected software inventory and reporting.
But, because of the diversity in Microsoft's computing environment, which is based on business need and processes, Microsoft IT must also manage elements that are not typical of large-scale enterprises:
- Users maintain administrative rights.
- Users have diverse desktop implementations, including having multiple client computers.
- Users retain mixed versions of approved software.
- Groups maintain autonomy to choose the software versions that best fit their work models.
- Systems are rebuilt frequently to accommodate software testing processes.
- Microsoft operates in an extremely active and challenging security environment.
These challenges include:
- Approximately 100,000 intrusion attempts each month.
- Probing, scanning, and quarantining more than 125,000 virus-infected e-mail messages monthly.
Faced with the challenges of such a diverse computing landscape that requires a high level of security and security management, Microsoft IT deployed System Center Configuration Manager to manage the deployment of both security updates and software updates across the enterprise.
Microsoft IT chose System Center Configuration Manager because it provides for the intricate requirements of the environment. System Center Configuration Manager allows Microsoft to:
- Deploy more than 50 critical software updates to client computers each year.
- Increase the effectiveness and timeliness of software-update deployment for its client computers.
Using System Center Configuration Manager, Microsoft IT was able to dramatically and quickly improve security and update management. System Center Configuration Manager received rapid adoption. By early December 2007, more than 95 percent of client computers were running the System Center Configuration Manager Advanced Client. The Advanced Client was deemed the best option because it:
- Is conscious of bandwidth on limited connections.
- Supports checkpoint/restart for downloading updates.
- Provides specific features for users of mobile devices.
By July 2008, Microsoft IT saw more than 220,000 client computers installed in the System Center Configuration Manager management environment.
The deployment of System Center Configuration Manager as a patch-management solution within Microsoft provided immediate benefits in the following areas:
- High compliance rates. Using System Center Configuration Manager as one of several distribution methods, Microsoft IT now achieves a 95 percent compliance rate across its organization within nine business days of the publication of a critical security update. The remaining 1 percent includes assets that are not connected to the Microsoft network during deployment as well as computers in test labs.
- Efficiency in deployments of software updates. Elimination of custom scripting has shortened the time required to package updates from 5–10 business days to no more than 4 business days. Most updates are ready to deploy within one day. By eliminating custom scripting, Microsoft IT saves money and human resources for scripting, testing, and deploying software.
- Reduction of unplanned downtime. Users can choose the best time to install a software update within a specifically configured grace period.
- Improved inventory capability. System Center Configuration Manager's robust inventory capability allows Microsoft IT to take a proactive approach to security by knowing the systems that exist on the network and their patch levels.
Microsoft's System Center Configuration Manager Architecture for Desktop Patch Management
Microsoft IT conducted research and determined that System Center Configuration Manager should be implemented within Microsoft in the following ways.
- Microsoft IT deployed the System Center Configuration Manager Advanced Client to all client computers.
- All System Center Configuration Manager site servers use Advanced Security.
Advanced Security for System Center Configuration Manager provides additional infrastructure security, causing the System Center Configuration Manager service to run in the local system context on the servers rather than using an actual service account. This behavior also makes communication among servers more secure, as it uses the computer account rather than a connection account. In addition to providing a greater level of network security, Advanced Security enables easier management of the System Center Configuration Manager environment, because no account maintenance is required.
Microsoft IT implemented System Center Configuration Manager in a Windows Server® 2008 environment with Microsoft SQL Server® 2008 based on the following configuration:
- One central site server. The central site server is a high-capacity, high-throughput server with eight processors and 16 gigabytes (GB) of RAM.
- A dedicated SQL Server computer. SQL Server 2008 is used to maintain the System Center Configuration Manager database. The SQL Server computer has 16 processors and 32 GB of RAM.
- Five primary site servers. Each primary site server has eight processors and 4 GB of RAM. In the data center at headquarters, there is one cluster balanced through Network Load Balancing (NLB).
- 20 dedicated distribution point servers. The distribution point servers contain two processors and 4 GB of RAM.
- 26 shared secondary site servers. System Center Configuration Manager runs on approximately 26 secondary site servers providing the Distribution Point roles that are shared with other services, such as file and print services.
- 120 shared distribution point servers. The distribution point servers contain two processors and 4 GB of RAM.
Based on Microsoft IT's examination of the software-updating requirements at Microsoft, it was determined that a best practice would be to create two separate System Center Configuration Manager infrastructures. One infrastructure was created just to update servers, while the other one would be exclusive to updating client computers. Microsoft IT's decision was based on the following factors:
- Microsoft IT determined that, in the Microsoft environment, security updates are more critical for servers than for client computers, because servers affect the security and workflow of large groups of workers. Microsoft IT could more easily meet the short time frame for updating servers if the server-updating infrastructure was not shared with client computers, and a dedicated server infrastructure allowed for flexibility and longer patch windows than are realized for client desktops. The software platform baseline for servers at Microsoft is uniform and unilaterally enforced, whereas client computers run a wide variety of software versions and service pack levels.
Software Update Deployment
The Microsoft IT software updating process is a collaborative effort that involves Microsoft personnel in several specialty areas:
- Corporate security analyst. A corporate security analyst reviews the bulletins posted by the Microsoft Security Response Center (MSRC). This person then analyzes the information that the Corporate Security team supplies, recommends the enforcement dates, and facilitates the flow of information between Corporate Security and the desktop security management team.
- Client support security program manager. The client support security program manager relays information from the corporate security analyst to the System Center Configuration Manager updates administrator and also tracks the progress of deployment.
- System Center Configuration Manager update administrator. The System Center Configuration Manager update administrator first creates and prepares the deployment package for a software update, and then distributes the update. Other duties include the testing of updates, reevaluating the environment inventory to assess success, and then providing custom reports to interested or required parties.
To determine the need to deploy security updates and Microsoft Office updates to client computers throughout the organization, Microsoft IT must first determine the risks that vulnerabilities pose. By using a combination of the Microsoft Baseline Security Analyzer (MBSA) version 2.1, which is included in System Center Configuration Manager, and an internally developed tool, Microsoft Corporate Security continuously scans the entire client computer environment to monitor and ensure consistent and timely installation of software updates for operating systems and applications. Measuring the environment allows Microsoft IT to create and maintain a baseline of systems in the environment.
If Corporate Security identifies a specific vulnerability, it then assesses the risk of the issue that the software update is intended to correct. The MSRC security bulletin assigns a priority rating based on the average needs of Microsoft customers. The corporate security analyst evaluates the update according to the Microsoft environment and adjusts the priority level accordingly, which helps determine how quickly an update will pass through the established change-management process.
Microsoft IT uses the criteria shown in Table 1 to assess the priority of the software update request for the Microsoft desktop environment based on the update's original risk assessment from the MSRC.
Table 1. Microsoft IT's Priority Assessment of a Software Update Request
The corporate security analyst then sends an e-mail message to the Client Support Security program manager with a recommendation of an enforcement date based on the priority level. The program manager then submits a request to the System Center Configuration Manager update administrator that states the updates required, the client computers and operating systems affected, and the dates on which to apply enforcement.
Process of Deploying Software Updates
To provide complete security coverage over Microsoft assets, Microsoft IT has developed a multi-layered approach to accommodate software updates in its diverse environment:
- Windows® Update pushes the update to client computer desktops, and users of those computers are requested to install the update.
- E-mail and Web notifications are also sent to users.
- After a determined deadline, System Center Configuration Manager forces the installation of the update.
An internal tool scans client computers for a current inventory of missing updates. If a critical update is missing, the network ports of noncompliant computers are disabled to minimize exposure to the rest of the connected devices. The same procedure is applied to computers that are found to be virus-infected, to provide complete coverage against security penetrations.
In the Microsoft environment, about 70 percent of computers are updated before System Center Configuration Manager forces the installation.
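The enforcement timeline above, modelled as an added example (not code from the article or from Microsoft IT): each host is classified against a business-day enforcement date, offline and test-lab assets are excluded from the compliance figure as the article describes, and hosts still missing a critical update after the deadline are flagged for network-port quarantine. The priority-to-business-days mapping and the inventory records are constructed for illustration; Table 1 is not reproduced on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical enforcement windows in business days (Table 1 is not on the page).
ENFORCEMENT_BUSINESS_DAYS = {"critical": 9, "important": 20, "moderate": 40}

def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday business days from start (holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

@dataclass
class Host:
    name: str
    connected: bool               # on the corporate network during the deployment window
    lab: bool                     # test-lab machine, excluded from compliance
    installed_on: Optional[date]  # None while the update is still missing

def host_status(h: Host, enforce_on: date, today: date) -> str:
    """Classify one host against the enforcement date."""
    if h.installed_on is not None and h.installed_on <= today:
        return "compliant"
    if h.lab:
        return "excluded-lab"
    if not h.connected:
        return "excluded-offline"
    # Before the deadline the user may still pick an install time; after it,
    # the scan flags the host and its network port is disabled.
    return "pending" if today < enforce_on else "quarantine"

def compliance_report(hosts, published: date, priority: str, today: date) -> dict:
    """Compliance rate over in-scope hosts plus the quarantine list for one update."""
    enforce_on = add_business_days(published, ENFORCEMENT_BUSINESS_DAYS[priority])
    statuses = {h.name: host_status(h, enforce_on, today) for h in hosts}
    in_scope = [s for s in statuses.values() if not s.startswith("excluded")]
    compliant = in_scope.count("compliant")
    pct = round(100.0 * compliant / len(in_scope), 1) if in_scope else 0.0
    return {
        "enforce_on": enforce_on,
        "statuses": statuses,
        "compliance_pct": pct,
        "quarantine": sorted(n for n, s in statuses.items() if s == "quarantine"),
    }

SAMPLE_HOSTS = [  # constructed sample inventory
    Host("ws-001", True, False, date(2009, 2, 12)),
    Host("ws-002", True, False, None),
    Host("ws-003", False, False, None),
    Host("lab-01", True, True, None),
    Host("ws-004", True, False, date(2009, 2, 20)),
]
```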
Lessons Learned and Best Practices
System Center Configuration Manager offers IT administrators a powerful toolset to efficiently manage the deployment of software updates for both Microsoft Office and the Windows operating system. Microsoft IT realized, however, that effective and efficient patch management requires a balanced interdependence among three primary elements: processes, people, and technology.
Processes
- Formulate and enforce security guidelines.
- Formulate an overall patch-management process.
- Generate a baseline of the environment.
- Test the impact of the update.
- Manage the impact of deploying updates to client computers.
- Consolidate critical updates that have passed their enforcement periods.
- Deploy updates in a logical order.
People
- Staff appropriately.
- Appoint a person or committee to prioritize software updates.
Technology
- Create an inventory of the known environment for both assets and software.
- Use software-update features for troubleshooting.
- Use the Security Update Inventory Tool and scanning tools.
- Use the Office Update Inventory Tool.
- Use source path update management for Office Update.
- Slipstream and tailgate routine updates into new computer builds.
- Consolidate updates into service packs.
- Implement System Center Configuration Manager Advanced Client throughout the enterprise.
- Streamline the production environment.
These three elements provide for a robust, efficient, and accountable system that maximizes security and minimizes vulnerabilities to the environment and infrastructure.
Microsoft IT determined a critical need to develop a better, more efficient and all-encompassing security process. Based on the needs and diversity of the environment, Microsoft IT implemented System Center Configuration Manager in a way that provides timely, efficient, and sustainable security update distribution and management.
Using System Center Configuration Manager, Microsoft IT was able to implement new technology rapidly and provide immediate improvements to the software-update processes. Microsoft assets have entered a state in which they are secure more quickly during vulnerability reports, and Microsoft IT has shown a high level of security compliance across the board worldwide.
The addition of System Center Configuration Manager to the security arsenal allowed Microsoft IT to develop new strategies and processes for security update management and to update old strategies in which technology created limitations. System Center Configuration Manager brings corporate environments the technologies required to achieve attainable and sustainable security configurations that protect corporate assets and provide a secure computing landscape.
For More Information
For more information on System Center Configuration Manager, go to http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx.
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
© 2009 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.