On November 11th, Microsoft released a total of 16 security updates for November's Patch Tuesday which mitigate potential security threats in Office, Windows, SharePoint, and Internet Explorer. If you are a patch administrator for your company, then it's worth your time to read the Microsoft Article (Microsoft Security Bulletin Summary for November 2014).
In theory, there are several issues that could be causing concern when you read the article, but the one that seems to be the generating the most buzz is MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611). This vulnerability was additionally reported as CVE-2014-6321. Although there are no known exploits of this vulnerability, it is quite serious and you should take note. This vulnerability in the Microsoft Secure Channel or Schannel, is a set of security protocols used to encrypt traffic between endpoints and is primarily used for Internet communications over HTTPS. This particular patch is applicable to every Windows Operating System under active maintenance. This ranges from Windows Server 2003 SP2 and Windows Vista SP2 through Windows Server 2012 R2 and Windows 8.1.
Although the media is touting both the scope and the number of updates as the craziest thing that we've ever seen in patching, this isn't even the largest bundle of patches that Microsoft has released for a single Patch Tuesday. That current record is for April 2011 with a total of 29. But fear not, Patch Administrators, although the quantity seems daunting, the process is still the same. This is most definitely not a "sky is falling" moment - we're here to help.
One thing that people seem to forget is that Patch Administration is the same on Patch Tuesday whether there are 2 patches or 100 patches. If you follow the same procedure from start to finish, you are guaranteed to make sure that your environment is up to date and secure. The best practices for any software (not just patches) is to test them on a small segment of your infrastructure before sending them everywhere. Thankfully, you can do this easily with SolarWinds Patch Manager.
- Download the Updates from Microsoft to your WSUS Server
- Test Group
- Patching Production Endpoints
- Next Steps...
Download the Updates from Microsoft to your WSUS Server
I've found that the easiest way to see these updates is within a Custom Updates View. I have one called "Microsoft Updates - This Week" which is defined as "Updates were released within a specific time period: Last Week" and "Updates source is Microsoft Update." If you need to create one, you can navigate to "Patch Manager\Enterprise\Update Services\WSUS Server\Updates" and then right-click on the Updates node and select "New Update View." Feel free to use this screenshot as a reference.
On that view, I tweak a few of the settings so that I can get a direct look at the updates that are concerned with this particular Patch Tuesday. I start by flipping the "Approval Settings" to "All" and the "Status" to "Any" and let the list refresh. Then I group it by the MSRC Number, which I do by dragging the "MSRC Number" header to the gray area just above the headings.
Now I have a list of the all the items released by Microsoft within the Last Week, grouped by the MSRC Number. After that it's as easy as expanding each and scanning through the list and seeing if all the updates that are applicable to my environment are approved. (You can also flip the Approval filter at the top to "Unapproved", but I like seeing all the information.) It's also good to check the "State" field to make sure that the updates are "Ready for Installation."
If you don't see any of this information, it means that the updates haven't yet been synchronized to your WSUS Server. Running a manual Synchronization with Patch Manager is simple - highlight your WSUS server in the left pane and click on the "Synchronize Server" in the Action Pane (right-side of the screen). Click Finish and it's kicked off.
After the synchronization is completed, you can go back and verify that the updates are available using the Update View that we just finished building. Or you can use a report. I've crafted one especially for this month's updates.
To use it, download (Software Updates for MS14-NOV) and import it into the Windows Server Update Services folder. This report has a prerequisite that the WSUS Inventory job has completed after the updates have been synchronized to WSUS. This is normally a scheduled job that runs daily, so you can either kick it off yourself, or just wait for tomorrow to run the report.
This report tells you the WSUS Servers in the environment, the Security Bulletin updates, the Approval Status, the Product Titles, and the Update Title, filtered to only those updates in the MS14-NOV Bulletin.
You should run updates against a test group whenever possible. For me, I've got a test group with a few different versions of Windows in it, so I'll use that.
Approve the Updates for a Test Group
If you need to approve the updates, just right-click on them and select Approve and then "Approve for Install" in the Approve Updates window and (recommended) scope it only to your testing computers. They may already be updated based on your automatic approval rules. If that's the case and you are trusting, then you are good to go! If not, send the updates to a test group first.
Theoretically, you can stop here and the updates will apply based on your defined policies (either via GPO or Local Policies), but where's the fun in that?
Run a Simulation of the Patch Installation on the Test Group
For any Patch Tuesday, I'm a fan of creating a set of Update Management Rules and save it as a template. That way I can refer to it for pre-testing, deployment to the test group, and then deployment to the rest of the organization. You can either create your own MS14-NOV Template (within the Update Management Wizard) or download and use mine. It's defined to include all Security Bulletins from MS14-064 through MS14-079.
Now it's time to pre-test these patches. I right-click on my Test Group and then select "Update Management Wizard."
Select "Load existing update management rules" and select the MS14-NOV entry from the drop-down. (If you need to build your own, you can select "Create custom dynamic update management rules"). Click Next.
Verify that the Dynamic Rule shows Security Bulletins from MS14-064 through MS14-079 and click Next.
You can leave most of the defaults on the Options page, but be sure to check the "Run in planning mode" checkbox in the Advanced Options. Click Finish.
Either change your scope to include a few other computers or add additional computers for the testing and then click Next.
Select the schedule (I am a fan of "now") and Export or Email the results as you like and click Finish.
Planning mode is an oft-overlooked feature that you should definitely use for large patch deployments.
This gives you in three quick tabs, the overall status summary of the job, the per patch and per computer details, and the distribution of the job (if you have multiple Patch Manager Servers in your environment).
Pre-Stage the Patch Files on a Test-Group (optional)
If you have a large or highly distributed environment, you can use the Update Management Wizard to deploy the patches to the endpoint, but hold off on installing them. This can be staged to run over several hours or multiple days. This is as simple as running through the same steps as the previous wizard and then checking a different box in the "Advanced Options." Leave the Planning Mode checkbox unchecked and check the box for "Only download the updates, do not install the updates."
That's it. Just use the rest of the wizard as before and check this one box to pre-stage the updates to your environment.
Install the Patches on your Test Group
Same rules apply here. Just make sure that you leave the Planning Mode and Download Only checkboxes empty. Yeah - it's really just that simple.
Reporting on the Results
To report on the status of these patches within your environment, you can use any number of our pre-built reports or customize your own for your needs. Likewise, you should take advantage of all the Shared Reports in the Content Exchange here on Thwack and download this one that was kindly donated by LGarvin and repurposed (very) slightly by yours truly:Report: Computer Update Status for MS14-NOV This report shows the status of the MS14-NOV Patches in your environment.
Plan & Test, Stage, Install: Three steps, one wizard, and you have successfully deployed those pesky patches to your test environment. So what's up next? Moving to production...
Patching Production Endpoints
You ever read the instruction on the back of a bottle of shampoo? It says "Lather, rinse, repeat." This is no different.
The previous process (hopefully) has been run against a group of test computers in your environment. If that go wells, then it's time to schedule the updates for the rest of your environment. Just use the same few steps (Approve, Test in Planning, Deploy, and Install) to deploy the patches all at once, in waves, or staggered based on your needs.
Hopefully, this "day-in-the-life" snapshot for a Microsoft Patch Tuesday has been helpful, but this just scratches the surface of what SolarWinds Patch Manager can do to help you keep your environment running smoothly. Now that you've got Operating System patching under control, extend your knowledge of Patch Manager by keeping on top of patching Third Party Updates from Adobe, Google, Mozilla, Sun, and more!
If you need more help, like everything SolarWinds, start on Thwack. We've got the best user community bar none. Just ask a question in the forums and watch the people come out of the woodwork to help. Start with the Patch Manager Forum and you can go from there.