,微软IT的补丁管理,内容概要,微软环境 安全补丁面临的挑战 Microsoft IT 为什么采用SMS？ 补丁处理流程 补丁管理流程定义 最佳经验 不断演化改进的服务,Microsoft IT 环境,Dublin,Singapore,Redmond,3,000,000+ internal e-mail messages per day 99.99% availability,106,000 end users 98 countries/regions 441 buildings,300,000+ PCs and devices,1.9-terabyte database single instance SAP,42,000,000+ remote connections/month,116,000+ e-mail server accounts,Microsoft IT 环境,All computers 300,000,VPN,Domain SecureNet joined clients 230,000,Managed through SMS 220,000,11,000 servers,Remote access clients/dial-up,Labs,Workgroups,Internet Protocol security boundary,Microsoft IT 环境,多层次 桌面机合作管理模式 9种语言支持 完全集中化的管理,Need to determine and maintain a known level of software updates for operating systems and application software,解决方案概述,业务需求,解决方案,收益,Systems Management Server 2003,Promotion of security Higher systems availability Improved auditing,SMS Server 2003 帮助Microsoft有效管理和实施补丁策略.,产品和技术,Systems Management Server 2003,业务挑战,多种类软件更新 多种补丁部署解决方案 需要提供用户良好的使用体验 不同的补丁应用场景,Business Challenge,为什么Microsoft IT 采用 SMS,Scalability Flexible targeting and configuration Compliance reporting Forced installation and reboots User notification and reminders Source path management User of existing technical resources and skills Future enhancements,补丁流程 多选择的补丁实施手段,较高 客户端影响,较低 客户端影响,E-mail and intranet Web site notification; users can use Microsoft Update or similar (all optional),SMS patch management (voluntary to start, and then forced),Custom scanning (forced),Remediation,补丁部署流程 核心构成,SMS packages include: Scanning Staging Sustainer EST and others as needed Packages are set to recur every two days Non-security updates and service packs are deployed as needed,补丁部署流程 核心构成,策略 Policies 安全补丁是首要关注焦点 通常不会授权通过例外申请 用户可在强制日期前提前部署补丁 人员安排 Staff 一个项目经理 三个管理员,补丁部署流程 每月行动事项,补丁部署流程 角色和义务,Corporate Security monitors vulnerability information,Corporate Security finds and analyzes vulnerability,Critical vulnerability?,Corporate Security determines enforcement schedule,Patch Mgmt Service analyzes update,six hours,Two weeks later normally, 24 hours if accelerated, or immediate if emergency,Patch Mgmt Service prepares update,Patch Mgmt Service distributes update,Patch Mgmt Service enforces update,yes,Wait for service pack,no,补丁部署流程 时间安排,补丁部署流程 维护时间窗口 Maintenance Windows,Thursday,Friday,Saturday,Sunday,Hour 1 Patch Tuesday 8 P.M. Pacific Time (UTC-8),Thursday,Hour 2,Friday,Hour 3,Saturday,Hour 4,Sunday,Critical deployment (21 days),Accelerated deployment (48 hours),补丁部署流程 每周二的补丁动作,Scan catalogs and articles downloaded Assess updates Apply specifics for MBSA-based updates Authorize updates Conduct final quality control check Copy update packages to the other hierarchies Monitor update deployment Coordinate with internal suppliers Announce results to interested parties,补丁部署流程 测试,Testing is appropriate for needs at Microsoft Monitor computers as patches are released Monitor status messages carefully in early stages First users serve as voluntary test cases Application owners perform tests upon release of patches A prerelease quality control check is performed on about 15,000 internal clients, plus some external labs Microsoft IT trusts Microsoft patches,补丁部署流程 报表生成,Update reporting focuses on compliance, errors, and SMS involvement Completeness reporting is useful Traditional software distribution reporting can verify success of scanning and installation,补丁部署流程 报表样本,补丁管理是一项服务 概要,了解服务的客户和合作伙伴 完善服务等级协议（SLA） 正规化、书面化所有流程 信息集中管理 设定考核指标并分析结果 收集用户反馈 完善应急计划 尽可能实现自动化, 特别是信息报告,补丁管理是一项服务 关系,经验,过程,人员,技术,经验,评估补丁实施的环境,1. Assess,2. Identify,4. Deploy,3. Evaluate and Plan,确定新的软件更新,部署软件更新,评价和计划软件更新部署,Microsoft Operations Framework,经验,把安全视为第一优先考略因素 获得决策领导支持 正确的定义服务并不断总结 管理好SMS 设定清晰的期望值; 让业务服务器主人准确理解沟通信息 对基于MBSA分析的补丁更新操作在update 命令行使用 /ER 选项,经验,Keep to single restart on clients Use change control windows efficiently Ensure software installations restart when needed so that updates install At very large sites, spread workload on servers over time Subscribe to community resources,Microsoft IT补丁管理服务的下一步计划,Quarantine (Network Access Protection) Hot updatesin memory as soon as installed Windows Vista Restart Manager New clients 64 bit, Windows Vista, devices, possibly other operating systems Internet-facing update servers User-oriented improvements Other aspects of security,总结,补丁管理并非易事，特别在一个大型机构内部 技术、过程和人员都会遇到挑战 补丁管理是一种不断进化的科学,更多信息,Systems Management Server http:/www.microsoft.com/sms Microsoft Solutions for Management http:/www.microsoft.com/msm Microsoft Operations Framework http:/www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx Microsoft community sites http:/www.microsoft.com/technet/community,更多信息,Additional content on Microsoft IT deployments and best practices can be found on http:/www.microsoft.com Microsoft IT Showcase Webcasts http:/www.microsoft.com/howmicrosoftdoesitwebcasts Microsoft TechNet http:/www.microsoft.com/technet/itshowcase,This document is provided for informational purposes only. MICROSOFT M