La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere

Microsoft Solutions for Windows Update Management

Presentaciones similares


Presentación del tema: "Microsoft Solutions for Windows Update Management"— Transcripción de la presentación:

1 Microsoft Solutions for Windows Update Management
Slide Title: Title Slide Keywords: Key Message: Slide Builds: 0 Slide Script: Hello and Welcome to this Microsoft TechNet session on Microsoft Solutions for Windows Update Management. My name is {insert name} Slide Transition: So what’s in this session? Slide Comment: Additional Information:

2 ¿Lo que vamos a cubrir? ¿Qué es la Administración de actualizaciones?
¿Por qué necesito administrar las actualizaciones? ¿Cómo puedo administrar las actualizaciones? Slide Title: What we will Cover Keywords: Key Message: Explain what we will cover Slide Builds: 3 Slide Script: This session looks at software and patch management. [BUILD1] It will help you to understand what update management is, [BUILD2] It will help you to understand why you need to manage updates and why that’s important to your organization, [BUILD3] and finally, it will describe the tools you can use to manage updates. Slide Transition: As we go through today's session you will hear various Microsoft acronyms and terminology, and while we will explain all new terms related to today's session, there are some general terms from the industry or other versions of Microsoft products we may not spend time on. Slide Comment: Additional Information:

3 Nivel 200 Experiencia útil
Experiencia práctica con Microsoft Windows® 2000 Server o herramientas de administración de Windows Server™ 2003 Slide Title: Helpful Experience Keywords: Key Message: Explain pre-requisite knowledge Slide Builds: 1 Slide Script: To help you out, we have listed the areas where it maybe be helpful to either be familiar with yourself prior to this session, or to have for reference afterwards. [BUILD1] To get the most out of this session, it would be useful if you had experience of Windows 2000 Server or Windows Server 2003 management tools. Slide Transition: Let’s look at the agenda for this session. Slide Comment: Additional Information: Nivel 200

4 Agenda Descripción general de la Administración de actualizaciones
Proceso de la Administración de actualizaciones Herramientas de la Administración de actualizaciones Slide Title: Agenda Keywords: Explain the agenda for today's session Key Message: Slide Builds: 3 Slide Script: [BUILD1] In today’s session, we’ll start by defining what update management is. Then, we’ll look at the business case for update management. Next, we’ll look at the vulnerability timeline and demonstrate how this gets shorter with every new vulnerability. We’ll examine the severity ratings that are attributed to vulnerabilities and learn what the various levels mean. We’ll also look at ways that Microsoft has improved the updating experience, to make it as straightforward for the user as possible. [BUILD2] Next, we’ll look at both the processes that are required in an organization to facilitate effective update management and the update management process itself. [BUILD3] Finally, we’ll explore the various update management solution components and look at how they work along with some demonstrations. Slide Transition: So let’s begin by looking at the business case for update management. Slide Comment: Additional Information:

5 Caso de negocios para la Administración de actualizaciones
Tiempo de paro Tiempo de remediación Integridad de datos cuestionables Pérdida de credibilidad Relaciones públicas negativas Defensas legales Propiedad intelectual robada Slide Title: Business Case for Update Management Keywords: Key Message: Describe the business case for effective update management Slide Builds: 7 Slide Script: Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. Update management helps you to maintain operational efficiency and effectiveness, overcome security issues, and maintain the stability of your production environment. Consider the following issues when determining the potential financial impact of poor update management: [BUILD1] Downtime. What is the cost of computer downtime in your environment? What if critical business systems are interrupted? Downtime is a result of most attacks, caused either by the attack itself or by the remediation needed to recover from the attack. [BUILD2] Remediation time. What is the cost of fixing a wide-ranging problem in your environment? How much does it cost to reinstall the operating system and applications on one computer, or on all of your computers? Many security attacks require a complete reinstallation, to be certain that back doors were not left behind by the attack. [BUILD3] Questionable data integrity. If an attack damages data integrity, what is the cost of recovering that data from the last known good backup, or of confirming data correctness with customers and partners? [BUILD4] Lost credibility. What does it cost if you lose credibility with your customers? How much does it cost if you lose one or more customers? [BUILD5] Negative public relations. How much could your stock price or company value fall if you are seen as an unreliable company with which to do business? What would be the impact of failing to protect your customers’ personal information, such as credit card numbers? [BUILD6] Legal defenses. What might it cost to defend your organization from others taking legal action after an attack? Organizations providing important services to others have had their update management process, or lack of one, put on trial. [BUILD7] Stolen intellectual property. What is the cost if any of your organization’s trade secrets or customer lists are stolen or destroyed? The eCrimeWatch survey performed by CSO Magazine, Computer Emergency Response Team (CERT), and the U.S. Secret Service indicate that seventy percent of organizations surveyed reported at least one e-crime or intrusion was committed against their organization. Electronic crime cost organizations approximately $660 million in 2003. Fifty-six percent of organizations report operational losses, and 25 percent state financial loss. Half of the organizations surveyed said they do not even know the total amount of loss. Clearly, the business case for update management is a strong one. Slide Transition: Let’s look at the vulnerability timeline. Slide Comment: Additional Information:

6 Comprender los tiempos de vulnerabilidades
Slide Title: Understanding the Vulnerability Timeline Keywords: Key Message: Explain the vulnerability timeline Slide Builds: 0 Slide Script: To understand when a typical attack takes place, it is helpful to identify the product vulnerability time line. The time line illustrates that most attacks take place after an update has been disclosed and made available. Most companies take a reactive approach and deploy the update after the attack has taken place. After a product is shipped, the following phases take place: Vulnerability discovered. When a product vulnerability is discovered, it is referred to as “under investigation,” and only the vendor and the reporting party are aware of it. As an update is developed and tested, only the vendor and the reporting party know of the vulnerability, to prevent attackers from attempting an initial exploit. Vulnerability disclosed. When the update is ready for release, the security issue is disclosed to provide awareness to the general public. Update made available. As the security bulletin and update are released, the issue becomes public knowledge. Attackers then attempt to reverse-engineer the update to discover the vulnerability that is being addressed. Attack launched. Once a virus or worm is released, unprotected or non-updated systems are vulnerable. Update deployed by customer. As an attack is launched, many organizations reactively scramble to update the product vulnerability previously reported. This usually results in an increase of resource costs as administrators spend long hours fixing the vulnerability. Organizations who update more proactively tend to have less or no impact from these threats. Slide Transition: Let’s look at the exploit timeline. Slide Comment: Additional Information: La mayoría de los ataques ocurren aquí Producto enviado Vulnerabilidad descubierta Vulner. presentada Actualización disponible Actualización implementada por el cliente

7 Comprender los tiempos de explosión
Slide Title: Understanding the Exploit Time Line Keywords: Key Message: Explain the exploit timeline Slide Builds: 2 Slide Script: Many widely publicized security issues and attacks have had no effect on organizations that had already implemented a proactive approach to update management. These organizations quickly tested and deployed vulnerability fixes shortly after such fixes were made available. [BUILD1] However, it is important to understand that the time line between the release of the update and the actual exploitation of the product vulnerability has been quickly decreasing in recent attacks. Only organizations that deploy a variety of defenses throughout their organization will be able to effectively protect against future malware attacks. Slide Transition: Slide Comment: Additional Information: La mayoría de los ataques ocurren aquí Producto enviado Vulnerab. descubierta Actualización disponible Actualización implementada por el cliente presentada

8 Comprender los tiempos de explosión
La mayoría de los ataques ocurren aquí Producto enviado Vulnerab. descubierta Actualización disponible Actualización implementada por el cliente presentada Slide Title: Understanding the Exploit Time Line Keywords: Key Message: Explain the exploit timeline Slide Builds: 2 Slide Script: [BUILD2] The following table illustrates how long it took between the update and the exploit for a number of popular attacks. Slide Transition: Let’s look at how Microsoft classify security updates. Slide Comment: Additional Information: Ataques de malware Días entre la actualización y la explosión Nimda 331 SQL Slammer 180 Welchia/Nachi 151 Blaster 25 Sasser 14

9 Clasificación de severidad de Microsoft Update
Promedio Definición Crítica La explotación puede permitir la propagación de gusanos de Internet con la acción del usuario Importante La explotación puede poner en peligro de los datos del usuario o disponibilidad de los recursos de procesamiento Moderada La exploración es seria, pero puede ser mitigada a un grado importante por configuración, auditoría, necesidad de acción por parte del usuario o dificultad de explotación predeterminadas Bajo La explotación es extremadamente difícil o el impacto es mínimo Slide Title: Microsoft Update Severity Ratings Keywords: Key Message: Explain the various Microsoft update severity ratings Slide Builds: 0 Slide Script: The Microsoft Security Response Center (MSRC) has implemented the Maximum Severity Rating System, which the MSRC team uses to assign a severity rating to each update released in a security bulletin. These ratings are designed to assist you in quickly determining the importance of an update to your organization. The ratings are based on the potential impact of the security issue, and are intended to inform you of the urgency of any required actions. Updates can be assigned any of the following severity ratings: Critical. Exploitation could allow the propagation of an Internet worm, such as Code Red or Nimda without user action. Important. Exploitation could result in the compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. Moderate. Exploitation is serious, but such factors as default configuration, auditing, need for user action, or difficulty of exploitation have mitigated the threat to a significant degree. Low. Exploitation is extremely difficult or impact is minimal. The MSRC helps to protect customers from being harmed by externally reported security vulnerabilities in Microsoft products. Its mission is to communicate with external researchers to bring security issues in-house, work with product teams to provide timely fixes, determine the best way to deliver fixes and to communicate issues to customers, act as a customer advocate, and provide security and vulnerability expertise. Slide Transition: So now you know the classifications, but how does that translate into update time frames? Slide Comment: Additional Information: For a list of the security bulletins that Microsoft has released, see the Microsoft Security Bulletin Search website. Consulte “Microsoft Security Bulletin Search” en el sitio Web de TechNet

10 Tiempos de actualización
Promedio de gravedad Tiempo de actualización recomendado Tiempo de actualización máximo recomendado Crítico Dentro de 24 horas Dentro de dos semanas Importante Dentro de un mes Dentro de dos meses Moderada Espere el siguiente paquete de servicio o instalación de actualización, o implemente la actualización dentro de los siguientes cuatro meses Implemente la actualización dentro de seis meses Bajo Espere el siguiente paquete de servicio o instalación de actualización, o implemente la actualización dentro de un periodo de un año Implemente la actualización dentro de un periodo de un año Slide Title: Update Time Frames Keywords: Key Message: Explain the Microsoft recommendations on update time frames Slide Builds: 0 Slide Script: Microsoft has issued the following recommended update time-frame guidelines: Deploy critical security updates within 24 hours. Deploy important security updates within one month. Deploy moderate-threat security updates within four months or with the next update rollup or service pack, whichever is sooner. Deploy low-threat security updates with the next service pack or update rollup that includes the update, or deploy the update within one year. With the understanding that not every organization can implement a update within the recommended updating time frame, Microsoft has also issued recommended maximum updating time-frame guidelines: Deploy critical security updates within two weeks. Deploy important security updates within two months. Deploy moderate-threat security updates within six months. Deploy low-threat security updates within one year, or choose not to deploy the update at all. Several factors can affect how an organization determines the updating time frame. If the organization has high-value assets, or assets with high exposure, it may consider decreasing the recommended time frames. If the organization has other mitigating factors in place, such as countermeasures that minimize the threat, or if its assets have a low risk of exposure, the organization may consider increasing the recommended time frames. Slide Transition: Update management is important but not always painless. Slide Comment: Additional Information: Most small organizations should install every update suggested by Windows Update and Microsoft Office Update. Larger organizations can use the Security Risk Management Guide to determine which updates are most appropriate. For more information about SRMG, see the Security Risk Management Guide on the Microsoft TechNet website.

11 Mejorar la experiencia de actualización
Su necesidad Respuesta de Microsoft Reducir la frecuencia de actualización Frecuencia reducida de las versiones de actualización que no son de emergencia de una vez a la semana a una vez al mes Menor complejidad de actualización Menor número de tecnologías del instalador de actualización Menor riesgo de implementación de la actualización Calidad de actualización mejorada y capacidad de instalación de actualización introducida Menor tamaño de actualización Se desarrolló una tecnología de "actualización delta” para reducir el tamaño de la actualización Consistencia mejorada de la herramienta Desarrollar herramientas consistentes Capacidades mejoradas de la herramienta Desarrollar herramientas más capaces Slide Title: Improving the Updating Experience Keywords: Key Message: Explain how Microsoft have improved the updating experience Slide Builds: 0 Slide Script: Microsoft receives both solicited and unsolicited feedback about update management from numerous individuals and organizations. Microsoft has responded by taking steps to improve the updating experience for its customers: Reduced frequency of non-emergency update releases from once per week to once per month. Microsoft is releasing these updates on the second Tuesday of every month. Rare cases may require an update to be released on an emergency basis because exploit code for the security issue addressed by the update is in the public domain. Reduced number of update installer technologies. Today, Microsoft has numerous update installer technologies across multiple applications and the Microsoft Windows® operating systems. To reduce this complexity, Microsoft already enforces the same naming and packaging guidelines for all updates released. In addition, all updates use one of two installers: Update.exe is used for operating system and select legacy applications. Microsoft Installer (MSI) 3.0 is used for the current generation of applications. Improved update quality and introduced update rollback capability. Microsoft has significantly expanded the internal testing resources that are allocated to verifying updates before release. Today, update.exe supports rollback. Almost every MSI-based update shipped for Windows 2000 and later generations of applications has full rollback capability. Developed “delta updating” technology to reduce update size. Delta updating allows Microsoft to ship only the changes to the files that need to be fixed, as opposed to current industry practices in which updates include new versions of entire files. The use of this technology has enabled Microsoft to reduce update size for new updates. Developing consistent tools. Microsoft has provided various update scanning tools that, at times, report inconsistent results about whether a computer has the updates that it needs to be secure. Inconsistent scanning results are being addressed by building into Windows a single scanning engine that will be used for all scanning purposes. Developing more capable tools. Microsoft has provided tools for improving update management such as Windows Server Update Services (WSUS), which provides several important enhancements over Software Update Services (SUS). WSUS can be used to update applications such as Microsoft Office, SQL Server™, and Exchange Server, and WSUS supports the use of computer target groups to designate update installation based on computer groups. Microsoft has also released the Malicious Software Removal Tool that can be used to remove viruses and other unwanted software from computers. Microsoft is committed to customer communications, guidance, and training, in addition to these responses designed specifically to improve the updating experience. Microsoft has developed a set of security and update management workshops, training sessions, and Web casts that will be delivered on an ongoing basis. Microsoft also continues to provide prescriptive guidance on the update management process, and to share additional details on the testing process for updates. Slide Transition: Let’s look at the security defense model that Microsoft recommends for implementing security products and guidance. Slide Comment: Additional Information:

12 Políticas, procedimientos y conciencia
Defensa en detalle Políticas, procedimientos y conciencia Seguridad física Datos ACLs, encriptación, EFS Consolidación de la aplicación, antivirus Aplicación Slide Title: Defense in Depth Keywords: Explain the principles of defense in depth Key Message: Slide Builds: 1 Slide Script: A security strategy for an organization is most effective when data is protected by more than one layer of security. A defense-in-depth security strategy uses multiple layers of defense. If one layer is compromised, it does not necessarily follow that the security of your entire organization will be compromised. A defense-in-depth strategy increases an attacker’s risk of detection and reduces an attacker’s chance of success. The defense-in-depth model consists of a series of interconnected layers. At the base of the model are: Policies, procedures, and awareness layer. This foundational layer affects every other defense-in-depth layer. Components in this layer include security policies, security procedures, and security education programs for users. Physical security layer. This layer wraps around the remaining five core layers. Components in this layer include security guards, locks, and tracking devices. There are many tools, technologies, and best practices you can use to protect each of the five core layers. Examples include: Perimeter layer. Hardware or software firewalls, or both; and virtual private networks that use quarantine procedures. Internal network layer. Network segmentation, Internet Protocol security (IPSec), and network intrusion-detection systems (NIDSs). Host layer. Server and client operating system hardening practices, strong authentication methods, update management tools, and host-based intrusion-detection systems (HIDSs). Application layer. Application hardening practices and antivirus software. Data layer. Access control lists (ACLs), encryption, and the Encrypting File System (EFS). Slide Transition: Slide Comment: Additional Information: Consolidación del sistema operativo, autenticación administración de revisiones, HIDS Host Red interna Segmentos de red, IPSec, NIDS Firewalls, Control de cuarentena de acceso a la red Perímetro Protecciones, seguros, dispositivos de seguimiento Documentos de seguridad, educación del usuario

13 Políticas, procedimientos y consciencia
Defensa en detalle Políticas, procedimientos y consciencia Políticas, procedimientos y consciencia Seguridad física Firewalls, Control de cuarentena de acceso a la red ACLs, encriptación, EFS Documentos de seguridad, educación del usuario Perímetro Red interna Host Aplicación Datos Seguridad física Datos ACLs, encriptación, EFS Consolidación de la aplicación, antivirus Consolidación de la aplicación, antivirus Aplicación Slide Title: Defense in Depth Keywords: Explain the principles of defense in depth Key Message: Slide Builds: 1 Slide Script: [BUILD1] This session addresses update management. The update management processes, tools, and technologies discussed in this session relate primarily to the host and application layers. Slide Transition: Let’s go back to the agenda. Slide Comment: Additional Information: Consolidación del sistema operativo, autenticación administración de revisiones, HIDS Consolidación del sistema operativo, autenticación administración de revisiones, HIDS Host Red interna Segmentos de red, IPSec, NIDS Segmentos de red, IPSec, NIDS Firewalls, Control de cuarentena de acceso a la red Perimeter Protecciones, seguros, dispositivos de seguimiento Protecciones, seguros, dispositivos de seguimiento Documentos de seguridad, educación del usuario

14 Agenda Descripción general de la Administración de actualizaciones
Proceso de la Administración de actualizaciones Herramientas de la Administración de actualizaciones Slide Title: Agenda: Update Management Process Keywords: Key Message: Slide Builds: 0 Slide Script: In the next section of this session, we’ll examine the required processes for the implementation of an effective update management process. Slide Transition: Let’s look at the requirements for successful update management. Slide Comment: Additional Information:

15 Requisitos para una Administración de actualizaciones exitosa
Administración de proyectos, proceso de administración de actualización de cuatro fases Slide Title: Requirements for Successful Update Management Keywords: Key Message: Explain the requirements for a successful update management process Slide Builds: 3 Slide Script: Successful update management requires that an organization have [BUILD1] Effective project management processes. To achieve successful update management results, treat your use of the update management process as a project, using an effective project management process. Most organizations have their own methodologies for project management, all of which should be compatible with the Microsoft update management process. Microsoft recommends using the Microsoft Solutions Framework (MSF) for project management guidance. Slide Transition: Slide Comment: Additional Information: For more information about MSF, see the various resources about Microsoft Solutions Framework on the Microsoft TechNet website. For more information about MOF, including its models and SMFs, see the MOF Executive Overview white paper on the Microsoft TechNet website. Procesos efectivos

16 Requisitos para una Administración de actualizaciones exitosa
Administración de proyectos, proceso de administración de actualización de cuatro fases Slide Title: Requirements for Successful Update Management Keywords: Key Message: Explain the requirements for a successful update management process Slide Builds: 3 Slide Script: [BUILD2] Effective operations, including people who understand their roles and responsibilities. The Microsoft Operations Framework (MOF), the MOF process model, the MOF Service Management Functions (SMFs), and the MOF team model provide guidance for effective IT operations. Three of the SMFs—Change Management, Configuration Management, and Release Management—are especially important to update management. Slide Transition: Slide Comment: Additional Information: For more information about MSF, see the various resources about Microsoft Solutions Framework on the Microsoft TechNet website. For more information about MOF, including its models and SMFs, see the MOF Executive Overview white paper on the Microsoft TechNet website. Procesos efectivos Personas que comprenden sus roles y responsabilidades Operaciones efectivas

17 Requisitos para una Administración de actualizaciones exitosa
Administración de proyectos, proceso de administración de actualización de cuatro fases Slide Title: Requirements for Successful Update Management Keywords: Key Message: Explain the requirements for a successful update management process Slide Builds: 3 Slide Script: [BUILD3] Tools and technologies that are most appropriate for effective update management. It is essential that an organization have the appropriate tools for update management. Much of the remainder of this session examines the Microsoft tools and technologies available for enterprise update management of Windows-based systems. Slide Transition: Now let’s look at the update management process. Slide Comment: Additional Information: For more information about MSF, see the various resources about Microsoft Solutions Framework on the Microsoft TechNet website. For more information about MOF, including its models and SMFs, see the MOF Executive Overview white paper on the Microsoft TechNet website. Procesos efectivos Personas que comprenden sus roles y responsabilidades Herramientas y tecnologías Operaciones efectivas Productos, herramientas, automatización

18 Proceso de la Administración de actualizaciones
1. Evalúe el entorno que va a revisar Cree/mantenga la línea base de los sistemas Descubra los activos Haga un inventario de los clientes 2. Identifique las revisiones nuevas Identifique nuevos parches Determine la relevancia de la revisión Verifique la autenticidad de la revisión, así como su integridad Slide Title: Update Management Process Keywords: Key Message: Explain the update management process Slide Builds: 4 Slide Script: The Software Update Management process, based upon the Microsoft Operations Framework and involves four main steps: [BUILD 1] Firstly you need to assess your environment. You need to know the operating systems and versions running on each computer. You need to know your environment so that you can plan how you are going to deploy updates. This is very much a planning phase. It is important to know the processes your enterprise has for identifying new security issues or changes in security levels. [BUILD 2] Secondly you need to identify new patches. When Microsoft or others release software updates you need to identify their relevance to your environment. You need to determine their priority. This is step that you perform every month. Microsoft releases updates on a monthly cycle and you need review these updates and determine how they will effect you. [BUILD 3] Thirdly you need specifically plan the software update deployment. You need to go though some testing and develop some pilot deployments. This is where the actual update deployment begins. [BUILD 4] Lastly you deploy the update. You should monitor how the deployment proceeds and you should evaluate the effectiveness of the deployment. The cycle must be repeated on an on going basis. You go back to step one and assess you environment again have new computers joined your network? Has then been a software upgrade? Has your baseline shifted. Slide Transition: Let’s return to the agenda. Slide Comment: Additional Information: For more information about risk assessment and security risk management, see the Security Risk Management Guide on the Microsoft TechNet website. For more information about the update management process, see the Patch Management Process document on the Microsoft TechNet Security website. 1. Evaluar 2. Identificar 3. Evalúe y planee la implementación de la revisión Lleve a cabo evaluaciones de riesgo Planee el proceso de liberación de la revisión Complete la aceptación y la prueba de la revisión 4. Implemente la revisión Implemente la revisión Informe acerca del progreso Enfrente las excepciones Revise la implementación 3. Evaluar y planear 4. Implementar

19 Agenda Descripción general de la Administración de actualizaciones
Proceso de la Administración de actualizaciones Herramientas de la Administración de actualizaciones Slide Title: Agenda: Update Management Tools Keywords: Key Message: Slide Builds: 0 Slide Script: In the last section of this session, we’ll look at the tools used for update management and demonstrate their suitability in different sized organizations. Slide Transition: Let’s look at the factors involved when choosing an update management solution. Slide Comment: Additional Information:

20 Elegir una solución de Administración de actualizaciones
Tipo de cliente Escenario Solución Consumidor Todos los escenarios Microsoft Update Organización pequeña No cuenta con servidores Windows MBSA y Microsoft Update Tiene servidores Windows 2000 o servidores más recientes y un administrador de informática MBSA y WSUS Empresa mediana o grande Desea actualizar la solución de administración con control básico para actualizar Windows 2000 y versiones más recientes de Windows Desea una sola solución de administración de actualización flexible con nivel ampliado de control para actualizar y distribuir todo el software Systems Management Server Slide Title: Choosing an Update Management Solution Keywords: Key Message: Outline the choice of update management solutions Slide Builds: 0 Slide Script: The update management solution you choose depends on the size of your organization, your network infrastructure, the operating systems in use, and the update management requirements for your organization. If you are a consumer, Microsoft Update is the most appropriate choice. Microsoft Update is a revised version of Windows Update that includes updates for applications such as Microsoft Office. If you are a small organization, either a combination of Microsoft Baseline Security Analyzer (MBSA) and Microsoft update or Microsoft Windows Server Update Services (WSUS) is the most appropriate option. If you have at least one server running Windows 2000 or later and one skilled IT administrator, you should normally choose MBSA and WSUS. If you don’t have any servers, MBSA 2.0 can assign clients to Microsoft Update and can scan them for compliance remotely.  As long as Automatic Updates is set to “download and install”, you have a basic reporting and deployment solution without the overhead of a server. If you are a medium-sized or large enterprise, either a combination of MBSA and WSUS or Microsoft Systems Management Server is the logical option. If you need a simple but somewhat limited update management solution that will update computers that run Windows 2000 and later versions of Windows, choose MBSA and WSUS. If you want full software distribution, including update management functionality, choose Systems Management Server. Slide Transition: Let’s look at the update management solution for consumers and small organizations. Slide Comment: Additional Information:

21 Soluciones para los consumidores y las pequeñas empresas
Microsoft Update Solución basada en Proteja su PC: Utilice un firewall de Internet Obtenga actualizaciones para el PC Utilice software antivirus actualizado Implemente Windows XP SP 2 Slide Title: Solution for Consumers and Small Organizations Keywords: Key Message: Explain the Solution for consumers and small Slide Builds: 3 Slide Script: [BUILD1] Microsoft Update is the update management solution for consumers and small organizations that have no servers. Microsoft Update is the online extension of Windows that helps you to keep your computer up-to- date. You can use Microsoft Update to choose updates for your computer’s operating system, software, and hardware. New content is added to the site regularly, so you can always get the most recent updates and fixes to protect your computer and keep it running smoothly. You can also use Microsoft Update to install the latest Office security releases along with your Windows updates. [BUILD2] This solution is part of Microsoft’s Protect Your PC guidance. Protect Your PC is a Microsoft security service designed for home computers or small organizations without Microsoft Windows servers. When you visit the Protect Your PC website, you navigate through a three-step process to improve your computer’s security. During this process, you are prompted to use an Internet firewall, get computer updates, and ensure that your antivirus software is up-to-date. [BUILD3] Windows XP Service Pack 2 includes the Security Center, which can be used to configure Windows Firewall, Internet settings, and Automatic Updates. Installing Windows XP SP2 on all computers running Windows XP is a critical component in securing these computers. You can configure Automatic Updates so that your computer will automatically connect to the Microsoft Update site and check for new updates. Slide Transition: Let’s move on to solutions for small and medium-sized organizations. Slide Comment: Additional Information:

22 Soluciones para las organizaciones medianas y grandes
Tamaño de la organización Escenario Actualizar la solución de administración Pequeña Tiene uno a tres servidores que se ejecutan en Windows 2000 o versiones posteriores y un administrador de informática MBSA y WSUS Mediana o grande Desea una solución de administración de actualizaciones con nivel básico de control que actualice los PCs que se ejecutan en Windows 2000, Windows XP y Windows Server 2003 y algunas aplicaciones de Microsoft Slide Title: Solutions for Small and Medium-Sized Organizations Keywords: Key Message: Outline the choices for small and medium-sized organizations Slide Builds: 0 Slide Script: The update management solution for small and medium-sized organizations depends on several factors. If you have between one and three computers running Windows 2000 or Microsoft Windows Server™ 2003 and a skilled IT administrator, the logical update management solution for your organization is a combination of MBSA and WSUS. You should also use a combination of MBSA and WSUS if you have a medium-sized or large organization, require only a basic level of control for your update management solution, and need to update only computers running Windows 2000, Windows XP, and Windows Server 2003. Slide Transition: Let’s look at the benefits of MBSA. Slide Comment: Additional Information:

23 Beneficios de Microsoft Baseline Security Analyzer (MBSA)
Explora los sistemas en busca de: Actualizaciones de seguridad faltantes Problemas potenciales de configuración Trabaja con una gran variedad de software Microsoft Permite que un administrador explore de manera central múltiples PCs simultáneamente Slide Title: MBSA Benefits Keywords: Key Message: Outline the benefits of MBSA Slide Builds: 3 Slide Script: [BUILD1] The Microsoft Baseline Security Analyzer (MBSA) tool, which includes a graphical and command-line interface, can perform local or remote scans of computers running Windows to identify missing security updates and potential configuration issues. MBSA displays the results of the scan in a Web-based report. [BUILD2] MBSA runs on computers running Windows 2000, Windows XP, and Windows Server 2003, and will scan for missing security updates and potential configuration issues on a broad range of Microsoft software. [BUILD3] An administrator can use MBSA to centrally scan multiple computers simultaneously. MBSA 2.0 includes the ability to check Microsoft Update as well as what’s approved on WSUS servers in your organization. From this, MBSA 2.0 can advise about security updates that may not yet be approved and should be. MBSA is also “real-time” for when you don’t want to wait for the detection cycle of Automatic Updates and don’t want to write scripts. In addition, MBSA 2.0 can help to identify which computers are not yet managed by WSUS. Slide Transition: There are some things you need to consider before implementing MBSA. Slide Comment: Additional Information: Please refer to the MBSA 2.0 datasheet at for more information about MBSA 2.0, including new improvements, features, and system requirements.

24 Consideraciones de MBSA
Debilidad de la contraseña La cuenta del visitante no está desactivada No está configurada la auditoría Se instalan servicios innecesarios Problemas de seguridad de Internet Information Services (IIS) Configuraciones de la zona de Internet Explorer Configuración de las actualizaciones automáticas Configuración del firewalll de Windows® XP Slide Title: MBSA Considerations Keywords: Key Message: Outline considerations for implementing MBSA Slide Builds: 8 Slide Script: MBSA scans for numerous security issues and weaknesses. [BUILD1] MBSA performs a password test on each local user account on the computer. This check is not performed on domain controllers. MBSA identifies common password vulnerabilities, such as blank passwords, passwords that are the same as the corresponding user account names, passwords that are the same as the corresponding machines, passwords that use the word “password”, passwords that use the words “admin” or “administrator”, and user accounts with non expiring passwords. MBSA checks for other important security issues, such as: [BUILD2] Whether the Guest account is disabled [BUILD3] Whether auditing is configured [BUILD4] Unnecessary services that are installed on the system [BUILD5] IIS security issues such as anonymous access settings [BUILD6] Internet Explorer zone settings and Enhanced Security Configuration checks for Windows Server 2003 [BUILD7] Automatic Updates configuration [BUILD8] and Internet Connection Firewall (ICF) and Windows Firewall configuration Slide Transition: So let’s see how MBSA works. Slide Comment: Additional Information:

25 Centro de descarga de Windows Catálogo fuera de línea
MBSA – Cómo funciona Centro de descarga de Windows Catálogo fuera de línea Slide Title: MBSA – How It Works Keywords: Key Message: Describe how MBSA works Slide Builds: 4 Slide Script: [BUILD1] Run MBSA and specify the target machines to scan. Slide Transition: Slide Comment: Additional Information: You can manually download the MSSecure.cab file from the Microsoft Download website. PC con MBSA

26 Centro de descarga de Windows Catálogo fuera de línea
MBSA – Cómo funciona Centro de descarga de Windows Catálogo fuera de línea Slide Title: MBSA – How It Works Keywords: Key Message: Describe how MBSA works Slide Builds: 4 Slide Script: [BUILD2] MBSA downloads the offline catalog containing update definitions in XML format and verifies its digital signature. MBSA attempts to contact the Microsoft Download Center to obtain this file; alternatively, the file can be downloaded and copied to the computer that initiates the scan and then placed in the MBSA installation folder. The update definitions contain: Security bulletin names Product-specific updates Version and checksum information Registry keys changes Microsoft Knowledge Base article numbers Slide Transition: Slide Comment: Additional Information: You can manually download the MSSecure.cab file from the Microsoft Download website. PC con MBSA

27 Centro de descarga de Windows Catálogo fuera de línea
MBSA – Cómo funciona Centro de descarga de Windows Catálogo fuera de línea Slide Title: MBSA – How It Works Keywords: Key Message: Describe how MBSA works Slide Builds: 4 Slide Script: [BUILD3] MBSA scans the target systems for operating systems, operating system components, and applications. MBSA parses the definition file to see if updates are available. MBSA checks the system to see if required updates are missing. Slide Transition: Slide Comment: Additional Information: You can manually download the MSSecure.cab file from the Microsoft Download website. PC con MBSA

28 Centro de descarga de Windows Catálogo fuera de línea
MBSA – Cómo funciona Centro de descarga de Windows Catálogo fuera de línea Slide Title: MBSA – How It Works Keywords: Key Message: Describe how MBSA works Slide Builds: 4 Slide Script: [BUILD4] MBSA generates a time-stamped report that lists any security updates missing from your system. Slide Transition: MBSA has two scan options: Slide Comment: Additional Information: You can manually download the MSSecure.cab file from the Microsoft Download website. PC con MBSA

29 MBSA – Opciones de escaneo
Interfaz gráfica de MBSA Interfaz de línea de comando estándar de MBSA Slide Title: MBSA – Scan Options Keywords: Key Message: Describe the scan options available with MBSA Slide Builds: 2 Slide Script: [BUILD1] MBSA graphical user interface (GUI). When this option is used, you initiate the scan from a GUI interface and MBSA generates a report that can be viewed in the same interface. [BUILD2] MBSA command-line interface. This scan option can be used to perform the same types of scans as the GUI version of MBSA. You can use the command-line interface to scan for missing security updates as well as for potential configuration issues. When you use MBSA from the command line, you can specify numerous options, such as a range of IP addresses of the computers to be scanned, the various security issues for which you want MBSA to scan, and the manner in which you want the output from the scan to be displayed. The output from a command-line interface scan is displayed as text in the command-line window. One of the advantages of using the command-line interface is that MBSA can be run from a script, which enables you to run scans on a schedule or to use other tools to automate the use of MBSA in your environment. Slide Transition: Let’s look at Windows Software Update Services. Slide Comment: Additional Information: To see the full list of available MBSA command-line switches, type mbsacli /? at a command prompt. HFNetChk Scan is no longer supported in MBSA 2.0

30 Beneficios de WSUS Da a los administradores control sobre la administración de actualizaciones Simplifica y automatiza los aspectos clave del proceso de administración de actualizaciones Fácil de implementar Herramienta gratuita de Microsoft Slide Title: WSUS Benefits Keywords: Key Message: Explain the benefits of MBSA Slide Builds: 4 Slide Script: MBSA is a stand-alone product, but it can also be used in combination with Microsoft Windows Server Update Services (WSUS). WSUS is a no-charge, add-in component for Windows 2000 and Windows Server 2003 that can be used to automate the process of distributing software updates. WSUS enables an organization to implement a service like Windows Update within the corporate firewall structure. The WSUS server downloads updates from Microsoft Update, and client computers are configured to obtain their updates automatically from the WSUS server instead of from Windows Update. WSUS can be used to update computers running Windows 2000, Windows XP, and Windows Server 2003. [BUILD1] WSUS provides administrators with control over update management in their organization. Administrators can review each update and determine if it is appropriate for their environment. They can also test each update to ensure that it functions as expected in their environment. Finally, administrators approve the updates for distribution to client computers. [BUILD2] WSUS simplifies and automates key aspects of the update management process. When managing a large number of client computers, the most efficient way to configure client computers to use a WSUS server is by using Group Policy. However, an organization does not have to use Group Policy to use WSUS. In a small environment or an organization in which Group Policy is not used, the administrator would simply have to configure clients manually to use a WSUS server or use scripts to accomplish this client configuration. [BUILD3] WSUS is easy to implement, and this ease of use alleviates the difficulty of keeping systems up to date, thereby reducing an organization’s security risks. WSUS is an effective update management solution for many organizations. [BUILD4] WSUS is a free tool that you can download from the Microsoft website. Slide Transition: WSUS is the replacement for Software Update Services, or SUS. What are the differences between the two products? Slide Comment: Additional Information:

31 Comparación de SUS y WSUS
Funciones comunes Actualiza los PCs que se ejecutan en Windows XP, Windows 2000 o Windows Server 2003 Los clientes jalan actualizaciones del servidor - no las empujan Mejoras a WSUS Soporte ampliado para productos de Microsoft tales como Office, SQL Server y Exchange Server Puede crear y administrar grupos objetivo en el PC Más opciones para administrar las actualizaciones Más opciones para configurar los agentes Uso más eficiente del ancho de banda de la red Capacidades de informes Slide Title: Comparing SUS and WSUS Keywords: Key Message: Explain the differences between SUS and WSUS Slide Builds: 2 Slide Script: WSUS is an updated version of Software Update Services (SUS). SUS and WSUS have some of the same features. [BUILD1] Both can be run on computers running Windows 2000 and Windows Server 2003. Both can be used to update desktop and server computers running Windows 2000, Windows XP, or Windows Server 2003. Both products do not have the option to push updates to clients; client computers must be configured to pull updates from the server. [BUILD2] WSUS also includes several significant enhancements over SUS, including Expanded support for Microsoft products to include Microsoft Office, SQL Server, and Exchange Server. Additional products will be added over time. With WSUS, you can create multiple target groups and then manage updates for each target group. There are two default target groups: All Computers and Unassigned Computers. By default, each client computer is added to both these groups by the WSUS server when the client initially contacts the WSUS server. You can move computers from the Unassigned Computers group to any target group you create. You cannot remove computers from the All Computers group. The All Computers group enables you to quickly target updates to every computer on your network, regardless of group membership. The Unassigned Computers group permits you to target only computers that you have not yet been assigned group membership. You have two options for adding clients to target groups: You can use Group Policy to define client membership for Active Directory® directory service environments, or you can move computer accounts in the target groups on the WSUS server after the clients have registered with the WSUS server. With WSUS, you have more options for managing updates, including: You can use a Detect only option to create a list of computers that require a specific update. You can also approve the installation and uninstallation of updates. You can set date-based deadlines for when updates must be installed. You can manage updates on a per-target group basis. For example, you can apply different updates to different target groups and set different deadlines per each target group. With WSUS, administrators have more options for configuring the agents, including: Polling frequency, notification and installation behaviors, restart behaviors, port configuration, and non-administrators, like administrators, can install updates. There is also the Install at Shutdown option (Windows XP SP2 only). With this option, the client computer will not automatically rebooted when an update requires a reboot, but the update is applied the next time a user initiates a computer restart. WSUS provides enhanced network utilization by using Background Intelligent Transfer Service (BITS) for client-to-server and server-to-server downloads. With this service, downloads are in the background and minimized. You can also download updates for only the products, classifications, and languages that you need and use delta compression for client-to-server communications. WSUS also provides extensive reporting capabilities with a variety of pre-built reports, as well as the ability to create your own. Slide Transition: We’ll discuss how to migrate from SUS to WSUS a little later in the session. Let’s see how WSUS works. Slide Comment: Additional Information:

32 WSUS – Cómo funciona Microsoft Update Firewall
Slide Title: WSUS—How It Works Keywords: Key Message: Explain how WSUS works Slide Builds: 4 Slide Script: [BUILD1] The WSUS server downloads metadata about new updates, as well as the updates themselves, from the Microsoft Update site. This synchronization can either be scheduled or manually initiated. Slide Transition: Slide Comment: Additional Information: PCs piloto Grupo objetivo WSUS Server PCs cliente Grupo objetivo Administrador de WSUS Servidores Windows Grupo objetivo

33 WSUS – Cómo funciona Microsoft Update Firewall
Slide Title: WSUS—How It Works Keywords: Key Message: Explain how WSUS works Slide Builds: 4 Slide Script: [BUILD2] The administrator reviews the new updates and after completing any required testing, approves the ones wanted. The administrator can approve the updates based on computer target groups. Slide Transition: Slide Comment: Additional Information: Grupo objetivo de PCs piloto WSUS Server Grupo objetivo de PCs cliente Administrador de WSUS Grupo objetivo de servidores Windows

34 WSUS – Cómo funciona Microsoft Update Firewall
Slide Title: WSUS—How It Works Keywords: Key Message: Explain how WSUS works Slide Builds: 4 Slide Script: [BUILD3] Automatic Updates on the client computers makes contact with the WSUS server to determine if there are newly approved updates. If so, they get the metadata information for the update and check to see if it is already installed. Slide Transition: Slide Comment: Additional Information: Grupo objetivo de PCs piloto WSUS Server Grupo objetivo de PCs cliente Administrador de WSUS Grupo objetivo de servidores Windows

35 WSUS – Cómo funciona Microsoft Update Firewall
Slide Title: WSUS—How It Works Keywords: Key Message: Explain how WSUS works Slide Builds: 4 Slide Script: [BUILD4] If the updates have not been installed, Automatic Updates (depending on the configuration) either automatically downloads the missing updates or notifies you that there are missing updates and requests your permission to download them. Depending on the Automatic Updates configuration, Automatic Updates either automatically installs the updates or notifies you, and then allows you to review and select the updates to be installed and informs you concerning when to install them. Automatic Updates logs the success or failure history for update installs on the target computers. Slide Transition: Let’s look at the deployment scenarios for WSUS. Slide Comment: Additional Information: Grupo objetivo de PCs piloto WSUS Server Grupo objetivo de PCs cliente Administrador de WSUS Grupo objetivo de servidores Windows

36 WSUS – Escenarios de implementación
Microsoft Update Firewall PCs cliente regionales Slide Title: WSUS –Deployment Scenarios Keywords: Key Message: Explain possible deployment scenarios for WSUS Slide Builds: 4 Slide Script: You can use WSUS in several deployment scenarios. The graphic here illustrates the possible ways to use multiple WSUS servers in a small-to-medium-sized organization [BUILD1] The main office WSUS server obtains updates from Microsoft Update. If you require only one WSUS server, then you can manage and distribute all updates from this one server. Slide Transition: Slide Comment: Additional Information: WSUS Server independiente PCs cliente de oficina remota WSUS Server desconectado Oficina principal WSUS Server PCs cliente de la oficina principal Réplica de WSUS Server

37 WSUS – Escenarios de implementación
Microsoft Update Firewall PCs cliente regionales Slide Title: WSUS –Deployment Scenarios Keywords: Key Message: Explain possible deployment scenarios for WSUS Slide Builds: 4 Slide Script: [BUILD2] You can also deploy multiple independently managed servers. In this scenario, you can have additional WSUS servers download the updates from Microsoft Update. Then you can configure target groups and administer updates separately on each server. This deployment is appropriate for situations in which different organization locations are managed as separate entities, for example, a branch office. Slide Transition: Slide Comment: Additional Information: WSUS Server independiente PCs cliente de oficina remota WSUS Server desconectado Oficina principal WSUS Server PCs cliente de la oficina principal Réplica de WSUS Server

38 WSUS – Escenarios de implementación
Microsoft Update Firewall PCs cliente regionales Slide Title: WSUS –Deployment Scenarios Keywords: Key Message: Explain possible deployment scenarios for WSUS Slide Builds: 4 Slide Script: [BUILD3] You can also deploy additional WSUS servers that do not have direct access to the Internet. In this scenario, you can set up an internal server running WSUS that is connected to the Internet but isolated from the intranet. After downloading, testing, and approving the updates on this server, an administrator would then export the update metadata and content to a CD, and then, from the CD, import the update metadata and content to servers running WSUS within the intranet. Slide Transition: Slide Comment: Additional Information: WSUS Server independiente PCs cliente de oficina remota WSUS Server desconectado Oficina principal WSUS Server PCs cliente de la oficina principal Réplica de WSUS Server

39 WSUS – Escenarios de implementación
Microsoft Update Firewall PCs cliente regionales Slide Title: WSUS –Deployment Scenarios Keywords: Key Message: Explain possible deployment scenarios for WSUS Slide Builds: 4 Slide Script: [BUILD4] You can also deploy multiple servers running WSUS that synchronize all content within their organization’s intranet. In this scenario, only one server is exposed to the Internet; that is the only server that downloads updates from Microsoft Update. This server is set up as the upstream server—the source to which the downstream server synchronizes. You can then configure target groups and manage updates on each WSUS server. Slide Transition: There are 2 components in WSUS. Let’s look at the client component. Slide Comment: Additional Information: WSUS Server independiente PCs cliente de oficina remota WSUS Server desconectado Oficina principal WSUS Server PCs cliente de la oficina principal Réplica de WSUS Server

40 WSUS – Componente del cliente
Puede obtener actualizaciones de WSUS o Microsoft Update Tres maneras para configurar las Actualizaciones automáticas WSUS actualizará automáticamente el cliente de Actualizaciones automáticas a una versión compatible Slide Title: WSUS – Client Component Keywords: Key Message: Describe the WSUS client component Slide Builds: 3 Slide Script: The client component of WSUS is the Automatic Updates feature in Microsoft Windows. [BUILD1] You can configure Automatic Updates on the client computers to pull its updates from the appropriate WSUS server in your environment or to pull its updates directly from Windows Update. [BUILD2] There are three ways in which you can configure Automatic Updates on the clients: Centrally, by using Group Policy By manually configuring the client computers By using scripts to configure the client computers When Automatic Updates is configured to use a WSUS server on the corporate network, Automatic Updates uses the approved updates list on the WSUS server to determine the updates it will download and install. Automatic Updates consolidates multiple reboots into a single reboot when installing multiple updates. [BUILD3] WSUS requires a compatible version of Automatic Updates. The latest version of Automatic Updates is already installed on Windows XP with Service Pack 2 (SP2) and Windows Server 2003 SP1. If you do not have Windows XP with SP2, you must update Automatic Updates using the Automatic Updates self-update feature. Each time Automatic Updates checks the public website or internal server for updates, it also checks for a newer version of Automatic Updates. Slide Transition: What about the WSUS server component? Slide Comment: Additional Information: For more information about how to configure an Automatic Updates client to use a WSUS server, see Administrative Methods for Configuring Automatic Updates on the Microsoft Windows Server System website. Automatic Updates is localized in 24 languages.

41 WSUS – Componente del servidor
Puede descargar actualizaciones sobre el programa Proporciona una interfaz administrativa basada en el Web GUI Varias funciones de seguridad predeterminadas integradas Proporciona sincronización y reportes de actualización Utiliza la base de datos de SQL para almacenar metadatos de actualización, eventos y configuraciones Slide Title: WSUS – Server Component Keywords: Key Message: Describe the features of the WSUS server component Slide Builds: 5 Slide Script: The server component of WSUS is Microsoft Software Update Services (WSUS). [BUILD1] The WSUS server can be configured to automatically download updates from Microsoft Update according to a schedule specified by the administrator. [BUILD2] WSUS provides a Web-based administrative GUI to allow control of various setup, download, and update-approval options. You can use the GUI to: Specify server and update process configuration options Create target groups and assign client computers to target groups View downloaded updates Approve updates and view approved updates View update reports [BUILD3] WSUS has several built-in default security features: WSUS verifies, by checking digital signatures, the source and content of all updates it downloads. All WSUS communications take place over Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS), so only port 80 and port 443 need to be open on the server. Administration can be performed securely by using Secure Sockets Layer (SSL). Only local Administrators can gain access to the WSUS administration site. [BUILD4] WSUS provides reporting capabilities. WSUS provides standard reports that aggregate update approval and deployment status per update, per computer, and per computer groups, based on all events that are sent from the client. WSUS also provides synchronization reports. [BUILD5] WSUS servers use a database to store update metadata, events, and settings. You can use the SQL Server 2000 Desktop Engine (Windows) database that WSUS can install during setup on Windows Server 2003, or you can use SQL Server 2000. Slide Transition: How does WSUS integrate with MBSA? Slide Comment: Additional Information: The WSUS interface is localized in 17 languages. However, WSUS delivers updates for all 24 supported client languages.

42 WSUS – Integración de MBSA
MBSA se puede utilizar con WSUS MBSA se puede escanear con base en actualizaciones aprobadas sobre WSUS en lugar de Windows Update Disponible con GUI e interfaces de línea de comando de MBSA Slide Title: WSUS – MBSA Integration Keywords: Key Message: Explain how WSUS integrates with MBSA Slide Builds: 3 Slide Script: [BUILD1] MBSA is a stand-alone tool, but it is designed to work with WSUS. [BUILD2] MBSA can be configured to scan for missing updates based on approved updates on WSUS server instead of available updates on Windows Update. [BUILD3] You can use the GUI or command-line interfaces of MBSA to specify the WSUS server MBSA will use to check for missing updates. Slide Transition: How can I migrate from SUS to WSUS? Slide Comment: Additional Information:

43 Migrar de SUS a WSUS Instale SUS y WSUS en el mismo PC
Migre las actualizaciones y las aprobaciones Utilice la herramienta de línea de comando WSUSUTIL.exe Configure los clientes para utilizar el servidor WSUS Utilice la auto-actualización de la Actualización automática Si no existen Paquetes de servicio de Windows XP, instale primero el cliente de Actualización automática Slide Title: Migrating from SUS to WSUS Keywords: Key Message: Explain the steps for migrating SUS to WSUS Slide Builds: 6 Slide Script: You cannot upgrade an SUS server to a WSUS server, but you can migrate your approvals and updates from SSUS to the new WSUS server. This ensures that you do not have to download the same updates twice, nor spend time approving updates that have been previously approved. [BUILD1] You can install WSUS and SUS on the same computer and both will function. You can also have WSUS and SUS environments running simultaneously on your network. However, you can never synchronize an SUS server with a WSUS server or vice versa. After you complete the migration, the two update solutions are completely isolated from one another. [BUILD2] There are some limitations to SUS-to-WSUS migration. Migration is only for approvals and updates on the SUS server. You cannot migrate anything else, such as proxy or IIS settings. These types of configuration tasks must be completed independently on the WSUS server. Migration is a one-way process; you cannot migrate from WSUS back to SUS. [BUILD3] WSUS includes a command-line tool, WSUSUTIL.exe, that enables you to migrate from SUS to WSUS. You can find WSUSUTIL.exe in the tools subdirectory where you installed WSUS. WSUSUTIL.exe allows you to move both approvals and updates; you are not required to migrate one, the other, or both. WSUSUTIL.exe uses HTTP to get approvals and Server Message Block (SMB) to copy updates from a remote WSUS installation. To copy updates from a remote computer, this tool requires Read share permissions on the Content folder and all its subfolders. [BUILD4] After migrating the updates and approvals to WSUS, you need to configure the clients to use the WSUS server. You can use Group Policy or registry settings to do this. WUS requires a compatible version of Automatic Updates. The latest version of Automatic Updates is already installed on Windows XP with Service Pack 2 (SP2). [BUILD5] If you do not have Windows XP with SP2, you must update Automatic Updates using the Automatic Updates self-update feature. Each time Automatic Updates checks the public website or internal server for updates, it also checks for a newer version of Automatic Updates. This means that most versions of Automatic Updates can be pointed to the WSUS server and they will automatically self-update to the latest version. The self-updating client is available on Windows 2000 with Service Pack 3 or later, Windows XP with Service Pack 1 or later, and Windows Server 2003. [BUILD6] Windows XP with no service packs has a version of Automatic Updates installed, but it is not the version that will automatically update itself when pointed to the WSUS server. If you have Windows XP without any service packs in your environment, and have never used SUS, you must install the version of Automatic Updates that shipped with SUS to enable Automatic Updates to self-update. After you load the SUS client, you can simply point these clients to the server running WSUS. If the client self-update feature is configured on Port 80 of the WSUS server, Automatic Updates will find the new client and self-update. Slide Transition: Let’s look at the solutions for medium-sized and large organizations. Slide Comment: Additional Information:

44 Soluciones para organizaciones medianas y grandes
Capacidad WSUS SMS 2003 Plataformas soportadas para contenido Windows 2000 Windows XP Windows Server 2003 Windows NT 4.0 Windows 98 Tipos de contenidos soportados Las actualizaciones de seguridad y para instalar seguridad, las actualizaciones críticas y los paquetes de servicio para los sistemas operativos anteriores y actualizaciones para algunas aplicaciones de Microsoft Todas las actualizaciones, paquetes de servicio y actualizaciones para los sistemas operativos arriba mencionados; soporta actualizaciones e instalaciones de aplicaciones para Microsoft y otras aplicaciones Actualiza el control de distribución Básico Avanzado Slide Title: Solutions for Medium-Sized and Large Organizations Keywords: Key Message: Outline the solutions for medium-sized and large organizations Slide Builds: 0 Slide Script: If you have a medium-sized (25 to 499 desktops) or large (500 or more desktops) organization, your best update management solution is one of the following options: A combination of MBSA and WSUS. A solution based on Systems Management Server—either Systems Management Server 2003, or Systems Management Server 2.0 with the SUS Feature Pack. A combination of WSUS and an Systems Management Server–based solution. The selection of an update management solution for your organization is affected by many factors, including the operating systems in use on your network, the types of updates and software you need to deploy, and the level of control you require for these deployments. The combination solution of MBSA and WSUS can be used when you have servers running Windows 2000 or Windows Server 2003; you want to deploy only security updates, critical updates, and service packs to computers running Windows 2000, Windows XP, and Windows Server 2003; and you require only a basic level of update distribution control. The Systems Management Server–based solutions can be used when you have servers running Windows 2000 or Windows Server 2003; you want to deploy all updates, service packs, operating system updates, and application installations for Microsoft and other applications to computers running Windows NT 4.0, Windows 98, Windows 2000, Windows XP, and Windows Server 2003; and you require an advanced level of distribution control. A combination of WSUS and Systems Management Server is used in some cases when a large organization has computers, such as test or lab computers, that do not fit well into the Systems Management Server infrastructure. In this situation, Systems Management Server is used for the majority of the organization’s computers, and WSUS is used for update management on the computers for which Systems Management Server is not a practical solution. A Systems Management Server–based solution is widely used by large enterprises, which typically need greater control of update and software management. The WSUS-based solution may be appropriate for medium-sized organizations, but it is important to consider both the WSUS-based and Systems Management Server–based options, irrespective of the size of your organization. Slide Transition: What are the benefits of SMS? Slide Comment: Additional Information:

45 Beneficios de SMS Proporciona un control total sobre la administración de actualizaciones Automatiza aspectos clave de la administración de actualizaciones Puede actualizar una amplia gama de productos de Microsoft También puede actualizar software de terceros e instalar otras actualizaciones o aplicaciones Slide Title: SMS Benefits Keywords: Key Message: Explain the benefits of SMS Slide Builds: 4 Slide Script: Systems Management Server (SMS) is a full software distribution solution for Microsoft Windows environments that includes update management capabilities. For organizations that have already implemented SMS 2.0 in their environment, update management is provided with the Software Update Services Feature Pack. The WSUS Feature Pack is unrelated to the WSUS product discussed earlier in this session. SMS 2003 has update management functionality merged into the core release. The key benefits of using SMS for update management are: [BUILD1] SMS provides administrators with control over update management, including the ability to perform staging and testing of updates before installation, and fine-grained control of update management options. [BUILD2] SMS automates the key aspects of the update management process. [BUILD3] SMS can update a broad range of Microsoft products in addition to Windows and Microsoft Office. [BUILD4] SMS can be used to update third-party software and deploy and install other software updates or applications. SMS is flexible enough to meet your software deployment and update management needs, whatever your type of organization or specific environment. SMS also provides hardware and software inventory management and detailed reporting. In contrast to WSUS, which uses a “pull” model, SMS uses a “push” model to distribute updates to the target systems. Systems Management Server relies on the SMS clients on these computers to complete the installations. Slide Transition: SMS can also integrate with MBSA. Slide Comment: Additional Information:

46 Integración de SMS Herramienta de inventario de SMS para Microsoft Updates (ITMU) que se integra al Agente de actualización de Windows para escanear e instalar las actualizaciones Herramienta de exploración individual El agente es nativo para todos los sistemas operativos Windows nuevos que empiezan con Windows Server 2003 SP1 Se distribuye como una instalación individual por SMS para sistemas operativos anteriores Proporciona consistencia con Microsoft Update con respecto a las actualizaciones de seguridad crítica, instalaciones de actualizaciones y paquetes de servicio Slide Title: SMS Integration Keywords: Key Message: Explain how SMS integrates with Other Microsoft Update Solutions Slide Builds: 5 Slide Script: [BUILD1] The SMS Inventory tool for Microsoft Updates builds on the functionality of the Windows Update Agent for scanning and installation of updates [BUILD2] ITMU is a standalone scanning tool that doesn’t require WSUS or client internet connectivity [BUILD3] ITMU uses the update agent included with all new Windows operating systems after Windows 2003 SP1 and Windows XP SP2, [BUILD4] and installs it on older operating systems where required. [BUILD5] It’s integration with Microsoft update enables managed distribution of Windows and Office updates using your existing SMS infrastructure Slide Transition: Let’s see how update distribution with SMS works. Slide Comment: Additional Information: MBSA integration included with SMS 2003 and the WSUS Feature Pack for SMS 2.0 Scans SMS clients for missing security updates using mbsacli.exe /hf

47 SMS – Cómo funciona Microsoft Update Firewall
Punto de distribución de System Management Server Clientes de System Management Server Slide Title: SMS – How It Works Keywords: Key Message: Explain how SMS works Slide Builds: 4 Slide Script: [BUILD1] As the Systems Management Server administrator, you download the Inventory Tool for Microsoft Updates from the Microsoft Download Center website. This needs to be done only once. Then run the inventory tool installer program on the Systems Management Server site server, which creates the necessary packages, collections, and advertisements for distributing the software update scan tools to the clients. This needs to be done only once. Simultaneously, the installer program creates the program for the synchronization component on the synchronization host. Slide Transition: Slide Comment: Additional Information: The Systems Management Server 2003 Software Update Scanning Tools, which include the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates, are available as a free download from the Microsoft Systems Management Server 2003 Downloads website. Punto de distribución de System Management Server Servidor del sitio de System Management Server Clientes de System Management Server Clientes de System Management Server

48 SMS – Cómo funciona Microsoft Update Firewall
Punto de distribución de System Management Server Clientes de System Management Server Slide Title: SMS – How It Works Keywords: Key Message: Explain how SMS works Slide Builds: 4 Slide Script: [BUILD2] The software update scan component packages are replicated to distribution points in your SMS site. From there, the packages are distributed to your target client computers. Slide Transition: Slide Comment: Additional Information: The Systems Management Server 2003 Software Update Scanning Tools, which include the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates, are available as a free download from the Microsoft Systems Management Server 2003 Downloads website. Punto de distribución de System Management Server Servidor del sitio de System Management Server Clientes de System Management Server Clientes de System Management Server

49 SMS – Cómo funciona Microsoft Update Firewall
Punto de distribución de System Management Server Clientes de System Management Server Slide Title: SMS – How It Works Keywords: Key Message: Explain how SMS works Slide Builds: 4 Slide Script: [BUILD3] The scan component analyzes the installed and applicable software updates on the client computer. The information is converted to SMS hardware inventory data and propagates up the hierarchy with the rest of the hardware inventory data. The amount of time that it takes for the information to reach the Site Server depends on the scan component configuration, the hardware inventory agent schedule settings, and the site server load. Slide Transition: Slide Comment: Additional Information: The Systems Management Server 2003 Software Update Scanning Tools, which include the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates, are available as a free download from the Microsoft Systems Management Server 2003 Downloads website. Punto de distribución de System Management Server Servidor del sitio de System Management Server Clientes de System Management Server Clientes de System Management Server

50 SMS – Cómo funciona Microsoft Update Firewall
Punto de distribución de System Management Server Clientes de System Management Server Slide Title: SMS – How It Works Keywords: Key Message: Explain how SMS works Slide Builds: 4 Slide Script: [BUILD4] You run the Distribute Software Updates Wizard to view, evaluate, and authorize applicable software updates from the software update inventory data. The Distribute Software Updates Wizard downloads the source files for the specified software update from the Microsoft Download Center website. The wizard then stores the source file in the specified package source shared folder. The necessary packages, programs, and advertisements are now created, or updated, for distributing the software updates to the Systems Management Server clients. The Distribute Software Updates Wizard appends a Systems Management Server program that contains commands to run the Software Updates Installation Agent to every package that it creates or updates. Finally, the software update packages replicate to distribution points in your site, and the programs are advertised to the Systems Management Server clients. The Software Update Installation Agent runs on the Systems Management Server clients and deploys the software updates. It runs the scan component to ensure that it installs only the software updates that are actually required. The synchronization component checks the Microsoft Download Center website for updates to the scan component and software updates catalog. This is a periodic activity, weekly by default. The synchronization component downloads these new updates and updates the packages, programs, and advertisements associated with the scan component. The updated scan component package and advertisement are distributed to the destination SMS client computers. Slide Transition: We’ve reached the end of the session, so let’s summarize what we’ve covered. Slide Comment: Additional Information: The Systems Management Server 2003 Software Update Scanning Tools, which include the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates, are available as a free download from the Microsoft Systems Management Server 2003 Downloads website. Punto de distribución de System Management Server Servidor del sitio de System Management Server Clientes de System Management Server Clientes de System Management Server

51 Resumen de la sesión Implementar rápidamente actualizaciones de seguridad es un componente crítico en el plan de administración de seguridad La administración de actualizaciones debe seguir sus procesos estándar de administración de redes Para empresas pequeñas y medianas, MBSA y WSUS en conjunto proporcionan una solución de administración Windows Update excelente Slide Title: Session Summary Keywords: Key Message: Slide Builds: 3 Slide Script: This session explained how to implement security update management. The session explored the following topics: [BUILD1] Update Management Overview. This topic discussed the business case for update management, the importance of proactive update management, the exploit timeline, Microsoft update severity ratings, updating time frames, improving the updating experience, and defense in depth. [BUILD2] Update Management Process. This topic explained the requirements for successful update management, the update management process, and Microsoft update management guidance resources. [BUILD3] Update Management Tools. This topic explored the numerous Microsoft update management tools and technologies. Guidance was presented for choosing an update management solution for consumers as well as for small, medium-sized, and large organizations. Several tools were introduced and explained, including Microsoft Update, Microsoft Baseline Security Analyzer (MBSA), Microsoft Windows Server Update Services (WSUS), and Microsoft Systems Management Server. This topic also explored best practices for update management. Slide Transition: For more information on the products and technologies we have covered today, we have some online resources available that can help you. Slide Comment: Additional Information:

52 www.microsoft.com/technet/mgt-11 Para mayores informes
Visite TechNet en Para información adicional, visite Slide Title: More Information Keywords: Key Message: Slide Builds: 0 Slide Script: For the most comprehensive technical information about Microsoft products, visit the main TechNet website at Visit for more information on books, courses, certifications, and other community resources that related directly to this particular session. Slide Transition: There are a number other resources that are available from Microsoft. Slide Comment: Additional Information:

53 ¿Ya se enteró de lo más reciente sobre TechNet?
¡Software sin límite de tiempo! Soporte técnico gratuito Los recursos más actuales disponibles Slide Title: TechNet Subscription Keywords: Technet, Subscription, Benefits Key Message: TechNet Plus has some new benefits. Slide Builds: 0 Slide Script: Many of you may be familiar with TechNet events and the TechNet website, but have you realized the benefits of being a TechNet Plus subscriber? A TechNet Plus subscription is the most convenient and reliable resource for IT professionals evaluating, managing, and supporting Microsoft technologies. With a TechNet Plus subscription, you can: Evaluate Microsoft software without time limits. This benefit allows you try products at your own pace and make informed decisions without worrying about the software expiring. TechNet Plus evaluation software includes the latest Microsoft operating systems, server applications, and Office products. With TechNet Plus, you can also save time resolving technical issues. TechNet Plus subscriptions include a range of support options, including the complete Microsoft Knowledge Base delivered each month on portable media, and two complimentary professional support incidents to address your technical roadblocks. TechNet Plus offers centralized access to current, authoritative technical guidance, software and support resources from Microsoft. IT professionals around the world rely on TechNet Plus to help them build their technical expertise and be successful implementing Microsoft solutions. For details, visit Slide Transition: On the subject of Technet and support, the new TechNet support pages outlines all the support options open to you. Slide Comment: Additional Information:

54 Encuentre todas esas opciones de soporte en www. microsoft
Encuentre todas esas opciones de soporte en Microsoft ofrece una serie progresiva de opciones de soporte que comienzan con soporte en línea sin cargo alguno y se desarrollan a través de suscripciones, incidentes y soporte por contrato. 1. Soporte en línea sin cargo Knowledge Base Busque en una amplia base de datos de artículos para encontrar la información que necesita. Grupos de noticias Acceda a más de 20 mil grupos de noticias activos sobre cientos de temas. Centros de soporte para productos Obtenga respuestas a las preguntas más frecuentes, además de artículos de instructivos e instrucciones paso a paso organizadas por producto. Base de datos de ayuda de DLL Busque aquí para identificar el software que se utilice para instalar una versión DLL específica. Centro de eventos y mensajes de error Resuelva rápidamente eventos y mensajes de error con explicaciones, recomendaciones y vínculos para tener soporte y recursos. Difusiones de soporte por el Web Sintonice las presentaciones técnicas en vivo que ofrecen expertos de Microsoft y forme parte en la sesión de preguntas y respuestas en tiempo real. Chats Converse en línea con especialistas de Microsoft o busque los archivos con las transcripciones. Programa para grupos de usuario Acceda a información y soporte de informática y otros grupos de usuario con un interés específico. Centro de recursos de seguridad de TechNet Adelántese a los riesgos de seguridad con los recursos que lo mantienen actualizado, incluyendo boletines de seguridad y el servicio de notificación de Microsoft. 2. Soporte basado en suscripción Suscripción a TechNet Suscríbase a TechNet para obtener una biblioteca personal de artículos, paquetes de servicio, guías instructivas, kits de recursos, herramientas, utilidades y más. Su suscripción incluye actualizaciones mensuales que se ofrecen en CD o DVD, para que siempre cuente con la información más reciente, directamente de la fuente. Realice una actualización a la suscripción TechNet Plus y agregue todo esto: 1. Software de evaluación de la versión completa, Incluyendo Microsoft Office System y los productos Windows Server System™, sin restricciones de tiempo. 2. Soporte gratuito — dos incidentes complementarios, además de un descuento en otras llamadas de soporte. 3. Acceso ilimitado al siguiente día hábil a respuestas confiables de la comunidad de informática y Profesionales de soporte de Microsoft a través de Grupos de noticias moderados (sólo inglés). 3. Soporte asistido para incidentes Soporte para correo electrónico Obtenga ayuda en línea para incidentes un Profesional de soporte de Microsoft a través de correo electrónico. Soporte telefónico Obtenga ayuda vía telefónica para incidentes de un Profesional de soporte de Microsoft. Contrato de soporte telefónico Ahorre con un contrato con descuento de 5 Soportes telefónicos. Servicios de consultoría Agregue opciones de consulta que se ofrecen de manera remota de los Servicios de consultoría de Microsoft para obtener soporte proactivo que va más allá del mantenimiento rutinario para productos. 4. Soporte basado en un contrato Premier Support Obtenga la flexibilidad para obtener las opciones de soporte adecuadas para su organización y disfrute un acceso directo a los expertos técnicos de Microsoft a cualquier hora, ya sea durante el día o por la noche. Premier Support ofrece opciones personalizadas para negocios con necesidades complejas, incluyendo profesionales técnicos dedicados para supervisar su soporte, resolver sus problemas 24 horas al día y ofrecer capacitación y talleres que mantienen a su personal de informática actualizado. Essential Support Essential Support ofrece opciones pre- empaquetadas específicamente diseñadas para cumplir con los requisitos de soporte fundamentales de cualquier negocio, grande o pequeño. Incluye administración de cuentas, resolución de problemas y servicios de información. Slide Title: TechNet Troubleshooting and Support Keywords: Community Key Message: Where to get more help Slide Builds: 0 Slide Script: The enhanced TechNet Troubleshooting and Support page outlines all the ways IT professionals get support assistance from Microsoft. From free online support options to subscription-based support, you’ll find all your Microsoft support resources in one location at Slide Transition: TechNet also provides a number of community resources. Slide Comment: Additional Information:

55 ¿Dónde más puedo obtener ayuda?
Chats gratuitos y difusiones por el Web Lista de grupos de noticias Sitios de la comunidad de Microsoft Eventos y columnas de la comunidad Slide Title: Community Help Keywords: Community Key Message: Where to get more help Slide Builds: 0 Slide Script: There are a number of free community resources available on TechNet. You can attend a regular chat with members of the product groups or technology specialists from Microsoft, or you can attend a webcast where you can see sessions like the one you’ve just watched, but presented live and with the ability to ask questions as you go. You can also read or post questions in public newsgroups. The Newsgroup page lists the available groups and provides an interface from which you can read and post messages. TechNet Plus subscribers can use these groups to post questions, and through their subscription ID, are guaranteed a response from Microsoft Support Professionals and IT experts by next business day. The main community site provides a comprehensive list of resources available—more than we can cover on this slide—and, the page has some dynamic features with continually updated content. The Events page provides dates and details about attending a live TechNet event. These events take place around the world and provide the opportunity for you to talk to Microsoft specialists face-to-face. And finally, the TechNet Columns provide a variety of topics written by industry authors. Slide Transition: [Thanks the audience for attending and sign off] Slide Comment: Additional Information:


Descargar ppt "Microsoft Solutions for Windows Update Management"

Presentaciones similares


Anuncios Google