EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices
Hands-On Lab

Description
Most corporations today have some form of patch process in place. In this session, you will learn how to meet industry standards when working with the currently released workflows within Patch Management Solution and when applying best practices. You will also learn how to include CISSP best practices with patching.

At the end of this lab, you should be able to:
Use compliance reports to identify which lab machines are out of compliance
Understand how bulletins and updates are downloaded to the server
Use the Software Update Policy Wizard to deploy a patch
Understand patch policies and where they are located in the system
Configure and install the Zero Day Patch workflow
Know what processes should be in place to meet CISSP standards

Notes
A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.
CISSP Process

Infrastructure: This is not just your physical infrastructure but everything to do with allowing the patch process to move forward. This includes who is on the team responsible for patching, what systems they are accountable for, what applications they are responsible for, and what process should be followed.

Research: Sometimes the wrong patch gets installed on the wrong system and the network gets taken down. Ensuring that the proper patch is installed on the correct systems and that the patch is authentic is critical.

Assess and Test: Before installing a patch, testing must be done and a test plan followed. The vendors who release the patches and the patch vendors all claim to do their internal testing, and they do. But there is no way they can test the billions of different configuration possibilities, so some form of internal testing is required. A perfect example would be McAfee releasing their update earlier this year, which blue screened thousands of systems.

Mitigation (Rollback): Once the patch has been tested and applied, problems may still occur. The only way to truly roll back any changes is to reset the system state. Uninstalls will still leave files, folders, and/or registry keys behind, and most administrators do not want to risk it on servers. Restoring from the previous backup is the best way to return to a known good operational state.

Deployment (Rollout): A phased approach should be taken in deploying patches. This way, if something goes wrong, not all systems are affected at once. This is especially true for critical systems. Typically this happens in a pre-determined window such as outside business hours.

Validation, Reporting, and Logging: There must be some sort of audit performed to track what has been done: logs kept, documentation filed, processes followed. Once deployed, a company should be able to verify what patch went out, which machines were patched, when they were patched, who patched them, and whether they remained patched. Reports are generated for historical and compliance reasons.
Working with Patch Management
This lab works with the Zero Day Patch management process for patching. The intention is to walk through a simple patch process to ensure we understand exactly what will happen within the workflow. Once we have seen how to apply a patch manually, we should be able to have our workflow identify a critical patch and deploy it to the workstation in an automated way.

EXERCISE 1: How to Identify Vulnerable Systems
Once the patch and update information has been imported into the Notification Server database, an administrator can use compliance reports to determine which patches and updates are needed in their environment. This information can then be reviewed, and the desired patches can be downloaded and deployed to the managed environment. Use compliance reports to identify which lab machines are out of compliance based upon the data imported earlier.
1. Switch to the NS71 VM.
2. Open the Symantec Management Console.
3. Navigate to Home > Patch Management on the main menu.
4. Click on the Compliance by Bulletin link. The Windows Compliance by Bulletin report is displayed in the right-hand pane and, after a short delay, is populated with data. Note that there is a drop-down for Vendor near the top of the report. This can be used to view bulletin information from each available vendor.
5. Click the Compliance column header to sort the column by compliance percentage so that the bulletins with less than 100% compliance appear at the top.
6. To review compliance from a computer perspective, click on the Compliance by Computer link in the left-hand pane. The Windows Compliance by Computer report is displayed in the right-hand pane and, after a short delay, is populated with data.
7. Review the compliance results for each machine. You can use this information to determine how many updates apply to each machine, how many are installed, how many are missing, and whether or not each machine is waiting for a reboot to occur.
8. For this lab, we are going to concentrate on the Win7 computer. It is at 97.10% compliance.
EXERCISE 2: How to Stage and Deliver Relevant Updates
Once the patch and update information has been imported into the Notification Server database, and an administrator has reviewed the compliance reports to determine which updates are required by their environment, the administrator needs to stage (or download) the relevant updates. The following covers how bulletins and updates are downloaded to the server.
1. From the Patch Management portal page (Home > Patch Management), click on the Compliance by Computer link.
2. Highlight the Win7 virtual machine by clicking on the WIN7 line item.
3. With Win7 highlighted, right-click on it. The right-click menu appears.
4. Select the View Not Installed Updates link from the resulting menu.
Note: You have just created a report that shows a detailed vulnerability analysis for a specific resource. You also have the ability to view all applicable updates regardless of installation status.
5. Select the Vendor drop-down menu and choose Sun Microsystems from the list.
6. Press the Refresh button located on the menu bar.
Note: It is by design that the report data does not dynamically refresh when the scope is narrowed. Click the Refresh button above.
7. Right-click on the JAVA6-37 bulletin and review the menu.
Note: To download the relevant updates, you would normally select Download Packages from the resulting menu. Download Packages does not appear on the current menu because the updates were downloaded prior to the lab to save time. If you ever want to verify that the files were downloaded properly, or retry a previously failed attempt, click Recreate Packages.
Once the patch and update information has been imported into the Notification Server database, the compliance reports have been reviewed to determine which patches and updates are required by the environment, and the relevant patches have been downloaded, the administrator can create a Software Update Policy to deploy patches and updates to their environment. The Software Update Policy Wizard will be used to create a policy to distribute the applicable bulletins to the systems within the environment to which they apply.
8. Right-click the JAVA6-37 bulletin and select Distribute Packages. The Software Update Policy Wizard interface is displayed.
9. Verify that the bulletin previously selected is listed in the Name and Software Bulletins fields.
10. Expand the Package Options section of the page and verify that the Use multicast when the Symantec Management Agent's multicast option is enabled checkbox is selected.
11. Check the Run (other than agent default) check box, and verify that the As soon as possible radio button is selected.
12. Verify that the Windows Computers with Software Update Plug-in Installed target is listed in the Apply to computers Name column.
13. Click Next.
14. Verify that all of the packages are selected, click the Off button in the upper-right corner of the window, and select On (the header should change from red to green).
15. Click Distribute software updates to initiate the Software Update Policy. The Software Update Policy Wizard interface will close, and a new window will appear showing the progress of Creating Software Update Policy.
16. When the policy is finished creating, press Close to close the window.
17. Open the Windows Task Scheduler by going to the icon on the task tray or Start > Administrative Tools > Task Scheduler in Windows.
18. Click on the Task Scheduler Library folder in the left-hand pane.
19. In the right-hand pane, find the NS.Windows Patch Remediation Settings task, right-click on it, and choose Run. Continue to refresh the window until it finishes running.
Note: This step is not necessary in a production environment, as the task automatically runs every 30 minutes. We are simply executing it manually to speed things up for the convenience of the lab.
20. The JAVA update will eventually execute on the Win7 VM during this lab. You can check for the completed update at the end of this lab.
21. Close the Symantec Management Console windows.
EXERCISE 3: Installation of the Zero-Day Workflow
Designed to run on a schedule (e.g. once a day), this process will query the Symantec Patch Management system for new critical bulletins and updates. When applicable updates are found, the process will automatically stage the updates and create an enabled patch policy so that the next time applicable systems check in, the critical updates will be automatically installed on the appropriate resource target(s). The process is designed to be highly extensible and easily configurable using Project Properties.
1. Switch to the NS71 VM.
2. Locate the Workflow Manager on the desktop of the NS71 server.
3. Click File > Open, drill down on your machine under C:\Lab Resources\Zero Day Patch\, select Zero_Day_Patch_7_1.package, and press Open.
4. The UnPackage Project box will show up.
5. Press OK. Once the package has unpacked into the Workflow directory, minimize the Workflow Manager. Open Internet Explorer and browse to http://ns71.symplified.org/processmanager. Save it as a bookmark or shortcut for use in future steps, as the Process Manager icon on your desktop does not work.
6. At the login screen, log in as:
UserName: admin@symantec.com
Password: password
7. Click on Admin > Users > Accounts > List Groups.
8. Add a group and call it Patch Administrators.
9. Press Save.
10. Now add a user to the Patch Administrators group (press the orange arrow on the right).
11. Add the user admin@symantec.com.
12. Press Add, then Close.
13. Now modify the permissions of the Patch Administrators group.
14. Locate and select the following objects:
a. Account.CompanyAdministration
b. AccountManagement.User.FetchInfo
c. ProcessData.Access
d. ProcessData.Reports
e. Reports.Access
f. Reports.OLAP.Create
g. Reports.ShowInMenu
h. WorkflowTasksManagement.Access
i. WorkflowTasksManagement.Add
j. WorkflowTasksManagement.CanSetupDefaultProfile
k. WorkflowTasksManagement.ShowInMenu
l. WorkflowTasksManagement.ViewUnassignedTasks
15. Click Save to continue.
16. Select Admin > Data > Lists and Profiles.
17. Click on the Import icon at the top right.
18. Select the Browse button and go to C:\Program Files\Symantec\Workflow\WorkflowProjects\Zero_Day_Patch_7_1\resource.
19. Select Zero_Day_Patch.pfl.
20. Click Import (this may take a little while).
21. Now click on the Reports tab.
22. Click on the Imports icon.
23. Select Import Reports.
24. Select the Browse button and go to C:\Program Files\Symantec\Workflow\WorkflowProjects\Zero_Day_Patch_7_1\resource.
25. Select the Zero+Day+Patch.report file.
26. Select Import.
27. Once complete, click Close. You will see that the Zero Day Patch report has been imported.
Note: The report does not contain any detail until after the process successfully runs.
28. Edit the permissions on the report just created.
29. Click the Add New Permission button.
30. Select Permission Type: Group and then press the Pick button.
31. Type Patch, press Search, then select Patch Administrators.
32. Choose the following permissions (if they are not already set):
a. Can view this report
b. Can edit this report
c. Can delete this report
d. Can modify permissions of this report
33. Click Add.
34. Click Close.
35. Go back to the opened workflow in Workflow Manager.
36. Select the properties of the project by selecting the Zero_Day_Patch_7_1 item at the top of the left-pane tree and selecting Properties on the tab in the right-hand pane.
37. Locate the Customizations. The following describes each customization:
Symc_CMDB_ConnectionString - Connection string to the Symantec_CMDB database.
Severity_Levels_To_Analyze - Comma-separated list of severity and custom severity level patches to analyze and import into this process (all others will be ignored). NO SPACES IN BETWEEN ITEMS, JUST A COMMA.
Resource_Targets_To_Apply_To_Policy - Comma-separated list of resource targets (NOT filters) that the zero-day patch policy will be applied to (in addition to the default resource target as specified in the SMP).
Age_Filter - Number of time units (defined by Age_Time_Unit) of bulletins to import into the process (based on bulletin release date). E.g. set this to 1 and Age_Time_Unit to dd if your process runs once a day.
Age_Time_Unit - This defines the unit of time for Age_Filter. Use hh for hours, dd for days, mm for months, and yy for years.
Platform_Filter - You can restrict which bulletins are imported into the process to a single platform (e.g. "Windows" or "Linux"); "Any" will not filter by platform.
Vendor_Filter - You can restrict which bulletins are imported into the process to a single vendor GUID (e.g. Microsoft's GUID or Adobe's GUID); "00000000-0000-0000-0000-000000000000" will not filter by vendor.
Ignore_Staged_Bulletins - "True" will ignore any bulletins that have already been staged prior to the process running. If set to "False", bulletins that are already staged will still be processed.
Ignore_Bulletins_With_Policies - "True" will ignore any bulletins that already have an associated policy prior to the process running. If set to "False", bulletins that already have a policy will still be processed.
PatchWorkflowSvcURL - URL to the Patch Management web service API (typically on the SMP server).
Enable_New_Policy_After_Creation - Set to "True" to immediately enable the new policy. Set to "False" to manually enable the new policy at a later time.
Email_From_Address - The "from" email address.
Email_To_Address - The "to" email address.
Email_Server - The name or IP address of the relay SMTP server.
Report_URL - The URL to this process' report in Process Manager.
38. Modify the following variables to the appropriate settings:
a. Resource_Targets_To_Apply_To_Policy: 541216a7-86f3-4edc-9041-32066695c8d0 (NOTE that this is the GUID of the WIN7 machine in your environment; this could also have been the GUID of a filter)
b. Email_To_Address: catchall@symplified.org
c. Severity_Levels_To_Analyze: Critical,Important (enter this without spaces)
39. Now select File and then Check In Project.
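To see how the customizations above combine, here is an added Python example (not the lab's or the Zero_Day_Patch_7_1 project's own code) that applies the step 38 settings to constructed sample bulletins and returns the ones a run would import. The bulletin rows, dates and vendor GUIDs are constructed, the unlisted settings are assumed defaults, and mm/yy are approximated as fixed day counts.

```python
"""Added example, not the Zero_Day_Patch_7_1 project's code: models how the
customizations above narrow the bulletins one run imports. Sample data is constructed."""
from collections import namedtuple
from datetime import datetime, timedelta

NO_VENDOR_FILTER = "00000000-0000-0000-0000-000000000000"  # Vendor_Filter value meaning "any vendor"
Bulletin = namedtuple("Bulletin", "name severity platform vendor_guid released staged has_policy")

def parse_severities(value):
    """Severity_Levels_To_Analyze: comma-separated, no spaces. A stray space would
    silently match no severity at all, so reject it rather than import nothing."""
    if " " in value:
        raise ValueError("Severity_Levels_To_Analyze must not contain spaces")
    return set(value.split(","))

def age_cutoff(now, age_filter, unit):
    """Oldest release date still imported: Age_Filter units of Age_Time_Unit."""
    if unit == "hh":
        return now - timedelta(hours=age_filter)
    days = {"dd": 1, "mm": 30, "yy": 365}  # mm/yy approximated as fixed day counts (assumption)
    if unit not in days:
        raise ValueError("Age_Time_Unit must be hh, dd, mm or yy")
    return now - timedelta(days=days[unit] * age_filter)

def select_bulletins(bulletins, settings, now):
    """Apply the severity, age, platform, vendor, staged and policy filters in turn."""
    severities = parse_severities(settings["Severity_Levels_To_Analyze"])
    cutoff = age_cutoff(now, int(settings["Age_Filter"]), settings["Age_Time_Unit"])
    platform, vendor = settings["Platform_Filter"], settings["Vendor_Filter"]
    chosen = []
    for b in bulletins:
        if b.severity not in severities or b.released < cutoff:
            continue  # wrong severity, or released before the Age_Filter window
        if platform != "Any" and b.platform != platform:
            continue
        if vendor != NO_VENDOR_FILTER and b.vendor_guid != vendor:
            continue
        if settings["Ignore_Staged_Bulletins"] == "True" and b.staged:
            continue  # already staged before this run
        if settings["Ignore_Bulletins_With_Policies"] == "True" and b.has_policy:
            continue  # a policy already exists for it
        chosen.append(b.name)
    return chosen
NOW = datetime(2012, 10, 10, 8, 0)  # constructed run time
SAMPLE_SETTINGS = {  # the lab's values from step 38, plus assumed defaults for the rest
    "Severity_Levels_To_Analyze": "Critical,Important", "Age_Filter": "1", "Age_Time_Unit": "dd",
    "Platform_Filter": "Any", "Vendor_Filter": NO_VENDOR_FILTER,
    "Ignore_Staged_Bulletins": "True", "Ignore_Bulletins_With_Policies": "True"}
VENDOR_X = "11111111-1111-1111-1111-111111111111"  # constructed vendor GUID
SAMPLE_BULLETINS = [  # constructed rows; only A and F survive the default settings
    Bulletin("SAMPLE-A", "Critical", "Windows", VENDOR_X, NOW - timedelta(hours=2), False, False),
    Bulletin("SAMPLE-B", "Moderate", "Windows", VENDOR_X, NOW - timedelta(hours=2), False, False),
    Bulletin("SAMPLE-C", "Critical", "Windows", VENDOR_X, NOW - timedelta(days=3), False, False),
    Bulletin("SAMPLE-D", "Important", "Windows", VENDOR_X, NOW - timedelta(hours=1), True, False),
    Bulletin("SAMPLE-E", "Important", "Windows", VENDOR_X, NOW - timedelta(hours=1), False, True),
    Bulletin("SAMPLE-F", "Critical", "Linux", "22222222-2222-2222-2222-222222222222", NOW - timedelta(hours=1), False, False),
]
if __name__ == "__main__":
    print(select_bulletins(SAMPLE_BULLETINS, SAMPLE_SETTINGS, NOW))  # ['SAMPLE-A', 'SAMPLE-F']
```

Changing one setting at a time (for example Platform_Filter to "Windows", or Ignore_Staged_Bulletins to "False") shows which sample rows each customization admits or drops.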
40. Click Yes.
41. Drill down on the NS71.symplified.org folder.
42. Select Projects and click Create.
43. Once complete, you'll see the following success screen; click OK.
44. Now click File > Publish Project > Publish Project.
45. Select Only SD7 and click Next.
46. Ensure the changes you made to the variables are in place; if not, retype them, then click Next.
47. Before the publishing begins, review your changes for correctness and then click Next.
48. You will see the publishing screen; once that is complete you'll see the following screen.
49. Once publishing is successful, click Finish, then save and close your project.

Exercise 5: Checking for Policies and Applied Patches
1. Switch to the Win7 virtual machine.
2. Right-click the Symantec Management Agent in the system tray, and select Symantec Management Agent Settings. The Symantec Management Agent Settings interface is displayed.
3. Click Update and verify that both the Requested and Changed timestamps update. This indicates that the agent received the new Software Update Policy.
Note: The configuration update would have occurred automatically at the next scheduled time, and thus this step is not required. Manually updating the configuration, however, allows us to move quickly through the lab.
4. Close the Symantec Management Agent Settings interface.
5. Right-click the Symantec Management Agent in the system tray, and select Software Updates. The Symantec Management Agent interface is displayed.
6. Select the Software Updates tab. You should see a list of pending updates. The status of each update will eventually change to Update Scheduled as soon as the relevant files finish downloading to the machine. Since this is a lab without Internet access, the files will never download.
7. After a few minutes, a message will appear saying New software updates ready to apply. Click Install now to begin the update cycle.
Note: This message only appears for 60 seconds before automatically proceeding.
8. The updates will eventually change from Update Scheduled to Installed with a green checkmark to indicate that they were successfully installed.
Note: If any updates require a reboot, a reboot interface will be displayed as soon as the last update installs. The user will be able to delay the notification for 5 minutes, and a reboot will be forced after 20 minutes.
9. After the updates are installed, you can double-click the Symantec Management Agent icon in the task bar. Once the agent window appears, select the Software Delivery tab, click the Windows System Assessment Scan policy, and then click the Windows System Assessment task in the left-hand pane of the window. This manually runs the assessment scan, which will update the compliance information for the machine. As the scan is running, there will be a white bubble with a blue I in it under the Status column indicating that it's running.
Note: This scan is scheduled to run every 4 hours by default and would have run on its own. We are simply speeding things up for the convenience of the lab.
10. Once the process is complete, return to the Compliance by Computer report and you will see that the Win7 virtual machine is now 100% in compliance.

EXERCISE 6: Checking Your Workflow (Informational)
1. Switch to the NS71 virtual machine.
2. First start the Symantec Management Console.
3. Click on Manage > Policies.
4. Drill down to Software > Patch Management > Software Update Policies.
5. Note that an MS12-069 policy should have been created.
6. If this policy has not been created, then we should check our workflow. Click on Start > All Programs > Symantec > Workflow Designer > Tools and then start Log Viewer.
7. Click on Current Running Processes and locate the Patch Workflow; it should be running.
8. When you see it, click on it once and then select Configure Logging on the right.
9. Click OK to log All.
10. Select the Log Viewer, select Refresh at the bottom of the page, and watch the results.
11. Further problem solving can be done by opening the project again and selecting to run the project in debug mode.

This concludes this lab today. We hope that you have discovered some new features and methods for accomplishing your patch process within your organization.