《微软IT的补丁管理》PPT课件

1、,微软IT的补丁管理,内容概要,微软环境 安全补丁面临的挑战 Microsoft IT 为什么采用SMS？ 补丁处理流程 补丁管理流程定义 最佳经验 不断演化改进的服务,Microsoft IT 环境,Dublin,Singapore,Redmond,3,000,000+ internal e-mail messages per day 99.99% availability,106,000 end users 98 countries/regions 441 buildings,300,000+ PCs and devices,1.9-terabyte database single ins

2、tance SAP,42,000,000+ remote connections/month,116,000+ e-mail server accounts,Microsoft IT 环境,All computers 300,000,VPN,Domain SecureNet joined clients 230,000,Managed through SMS 220,000,11,000 servers,Remote access clients/dial-up,Labs,Workgroups,Internet Protocol security boundary,Microsoft IT 环

3、境,多层次 桌面机合作管理模式 9种语言支持 完全集中化的管理,Need to determine and maintain a known level of software updates for operating systems and application software,解决方案概述,业务需求,解决方案,收益,Systems Management Server 2003,Promotion of security Higher systems availability Improved auditing,SMS Server 2003 帮助Microsoft有效管理和实施补丁策

4、略.,产品和技术,Systems Management Server 2003,业务挑战,多种类软件更新 多种补丁部署解决方案 需要提供用户良好的使用体验 不同的补丁应用场景,BusinessChallenge,为什么Microsoft IT 采用 SMS,Scalability Flexible targeting and configuration Compliance reporting Forced installation and reboots User notification and reminders Source path management User of existi

5、ng technical resources and skills Future enhancements,补丁流程 多选择的补丁实施手段,较高 客户端影响,较低 客户端影响,E-mail and intranet Web site notification; users can use Microsoft Update or similar (all optional),SMS patch management (voluntary to start, and then forced),Custom scanning (forced),Remediation,补丁部署流程核心构成,SMS p

6、ackages include: Scanning Staging Sustainer EST and others as needed Packages are set to recur every two days Non-security updates and service packs are deployed as needed,补丁部署流程核心构成,策略 Policies 安全补丁是首要关注焦点 通常不会授权通过例外申请 用户可在强制日期前提前部署补丁 人员安排 Staff 一个项目经理 三个管理员,补丁部署流程每月行动事项,补丁部署流程角色和义务,Corporate Secur

7、ity monitors vulnerability information,Corporate Security finds and analyzes vulnerability,Critical vulnerability?,Corporate Security determines enforcement schedule,Patch Mgmt Service analyzes update,six hours,Two weeks later normally, 24 hours if accelerated, or immediate if emergency,Patch Mgmt S

8、erviceprepares update,Patch Mgmt Service distributes update,Patch Mgmt Service enforces update,yes,Wait for service pack,no,补丁部署流程时间安排,补丁部署流程维护时间窗口 Maintenance Windows,Thursday,Friday,Saturday,Sunday,Hour 1 Patch Tuesday 8 P.M. Pacific Time (UTC-8),Thursday,Hour 2,Friday,Hour 3,Saturday,Hour 4,Sunda

9、y,Critical deployment (21 days),Accelerated deployment (48 hours),补丁部署流程每周二的补丁动作,Scan catalogs and articles downloaded Assess updates Apply specifics for MBSA-based updates Authorize updates Conduct final quality control check Copy update packages to the other hierarchies Monitor update deployment C

10、oordinate with internal suppliers Announce results to interested parties,补丁部署流程测试,Testing is appropriate for needs at Microsoft Monitor computers as patches are released Monitor status messages carefully in early stages First users serve as voluntary test cases Application owners perform tests upon

11、release of patches A prerelease quality control check is performed on about 15,000 internal clients, plus some external labs Microsoft IT trusts Microsoft patches,补丁部署流程报表生成,Update reporting focuses on compliance, errors, and SMS involvement Completeness reporting is useful Traditional software dist

12、ribution reporting can verify success of scanning and installation,补丁部署流程报表样本,补丁管理是一项服务概要,了解服务的客户和合作伙伴 完善服务等级协议（SLA） 正规化、书面化所有流程 信息集中管理 设定考核指标并分析结果 收集用户反馈 完善应急计划 尽可能实现自动化, 特别是信息报告,补丁管理是一项服务关系,经验,过程,人员,技术,经验,评估补丁实施的环境,1. Assess,2. Identify,4. Deploy,3. Evaluate and Plan,确定新的软件更新,部署软件更新,评价和计划软件更新部署,Mi

13、crosoft Operations Framework,经验,把安全视为第一优先考略因素 获得决策领导支持 正确的定义服务并不断总结 管理好SMS 设定清晰的期望值; 让业务服务器主人准确理解沟通信息 对基于MBSA分析的补丁更新操作在update 命令行使用 /ER 选项,经验,Keep to single restart on clients Use change control windows efficiently Ensure software installations restart when needed so that updates install At very lar

14、ge sites, spread workload on servers over time Subscribe to community resources,Microsoft IT补丁管理服务的下一步计划,Quarantine (Network Access Protection) Hot updatesin memory as soon as installed Windows Vista Restart Manager New clients 64 bit, Windows Vista, devices, possibly other operating systems Interne

15、t-facing update servers User-oriented improvements Other aspects of security,总结,补丁管理并非易事，特别在一个大型机构内部 技术、过程和人员都会遇到挑战 补丁管理是一种不断进化的科学,更多信息,Systems Management Server Microsoft Solutions for Management Microsoft Operations Framework Microsoft community sites,更多信息,Additional content on Microsoft IT deploy

16、ments and best practices can be found on Microsoft IT Showcase Webcasts Microsoft TechNet ,This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. 2006 Microsoft Corporation. All rights reserved. This presentation is for informa

17、tional purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be