
Implementing, Managing, And Troubleshooting Patch Management Infrastructure

By Author: Alyssa

Topics include planning the deployment of service packs and hotfixes, verifying with MBSA, and SUS deployment and administration. This is certainly a hot topic for many of us:
patch management. Unless you're an administrator who has been hiding in a server closet for the past 24 months, you've no doubt had your challenges with patch management, which is a
nightmare if not done correctly. Patch management is one of the key aspects of securing a network.

In the exam world, which can be completely different from the real world, patch management of Windows computers must be done with Microsoft's free tools: the Microsoft
Baseline Security Analyzer and Software Update Services. MBSA is a network-based scanning tool that runs on Windows 2000, XP, and 2003 operating systems; it looks for missing
patches and security updates on all flavors of Windows down to Windows NT 4.0. It also supports scanning of IIS, SQL, and Exchange servers. MBSA comes in both a GUI wizard
version and a command line version called mbsacli.exe.

Windows Update is a client-side scanning tool that can check for installed and missing patches and service updates against
the Windows Update web site or a locally installed SUS server. And along with Automatic Updates, Windows computers can be configured to download and install patches and service
packs at scheduled intervals. Server and client computers can be configured to connect to and scan for available updates from SUS servers using Group Policy, SMS (Systems
Management Server) with the SUS Feature Pack, or logon scripts if Active Directory has not been deployed. If users aren't granted local administrator level access to their
desktop, Automatic Updates can be configured for a scheduled date and time to install the updates and restart the computer automatically.
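To check that a client really is pointed at the SUS server and set for scheduled installs, you can audit its Automatic Updates policy values. The following is an added example, not part of the original article: it parses a `reg export` of the policy key and reports what is wrong. The server name `http://sus01` and the sample export are constructed for illustration.

```python
import re

# Constructed sample: text of a `reg export` of the Automatic Updates policy key.
# "http://sus01" is a placeholder server name, not taken from the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE"

def parse_reg(text):
    """Return {KEY_PATH: {value_name: str or int}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword else string
    return keys

def audit_au(text, expected_server):
    """List reasons this client would not install updates from SUS on schedule."""
    keys = parse_reg(text)
    wu, au = keys.get(BASE, {}), keys.get(BASE + r"\AU", {})
    findings = []
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client scans Windows Update, not SUS")
    for name in ("WUServer", "WUStatusServer"):
        if str(wu.get(name, "")).rstrip("/").lower() != expected_server.lower():
            findings.append(f"{name} does not point at {expected_server}")
    if au.get("NoAutoUpdate", 0) == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    if au.get("AUOptions") != 4:  # 4 = download automatically and install on schedule
        findings.append("AUOptions is not 4: no scheduled install")
    elif not (0 <= au.get("ScheduledInstallDay", -1) <= 7 and 0 <= au.get("ScheduledInstallTime", -1) <= 23):
        findings.append("scheduled install day/time missing or out of range")
    return findings
```

An empty list from `audit_au(SAMPLE_REG, "http://sus01")` means the client is set to pull from the SUS server and install at 03:00 every day.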

SUS servers deployed within a network allow administrators to collect, approve and distribute critical updates for server and client computers. SUS parent servers can be
configured to synchronize with the Microsoft Windows Update Web site and pass updates to child SUS servers, which, in turn, distribute the updates to the server and client
computers on the network.

Tip: For failed deployments of patches or service packs with SUS, you must cancel approval of the update on the SUS server to prevent further installations.

Implementing, Managing, and Troubleshooting Security for Network Communications
Most of the topics here center on IPSec for securing network data. You'll also find a sprinkle of data security as it relates to wireless, SSL and remote access networks. My
exam seemed to include many questions regarding IPSec authentication headers!
I'll briefly cover each of the network data security protocols and methods.

IPSec is a rule-based security protocol that protects data traffic. It uses on-demand authentication and encryption between two end points. IPSec packets are signed with
certificates, verified, encrypted and decrypted at the OSI network layer, making the process transparent to upper layer protocols. L2TP and IPSec can be used to create VPNs.
IPSec can be used in two modes: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH packets can be routed without loss or change to the header signature. ESP
packets can use either DES (Data Encryption Standard) or 3DES in the Transport or Tunnel modes. In Transport mode, ESP encrypts the entire data packet with the exception of the
header. In Tunnel mode, ESP encrypts the entire packet for VPN connections. Using AH and ESP together provides the most secure data transmission.

AH can be implemented using Kerberos, certificates, or preshared keys! IPSec is a wide-ranging protocol and includes many small details. Be sure to study it and IPSec policies
thoroughly prior to the exam.

Tip: IPSec traffic cannot pass through older NAT servers.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) both use public key and symmetric key encryption for TCP-based communications. They provide session encryption and
integrity, and server authentication. This prevents eavesdropping, tampering, and message forging. Both SSL and TLS require digital certificates! SSL and TLS can be used to
secure web, email, news, and FTP traffic.

PPTP over TCP/IP can be used to secure upper layer protocol traffic between clients and servers for such things as VPNs. It uses either PAP (Password Authentication Protocol) or
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) for the exchange process of credentials. PPTP traffic can pass through all NAT servers, but PPTP does not provide
for data integrity.

SMB (Server Message Block) signing can be used to secure client-to-server file sharing traffic on a Windows network. SMB signing can be enabled using GPOs and uses a method of
digital signing and a keyed hash to protect the integrity of each SMB packet.

WEP (Wired Equivalent Privacy) is used to secure wireless data traffic between wireless clients and access points connected to a wired network.

Remote client traffic can be secured using various methods and protocols. PPTP and IPSec/L2TP VPN connections are becoming the most widely used.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is the most secure remote access method and protocol. Because of its support for two-factor
authentication with the use of smart cards or USB keys, and certificates, it meets all the requirements of message and data CIA (Confidentiality, Integrity, Authentication).

Tip: If the network includes smart cards and certificate services is present to issue both user and computer certificates, use EAP-TLS for the most security.

For the exam, you'll also need to be familiar with CMAK
(Connection Manager Administration Kit), a tool for managing remote connections and remote access policies. CMAK allows administrators to pre-configure remote access clients,
add custom behavior and appearance, and provide an updateable phonebook that users can turn to and find the most convenient dial-up access numbers. When gaining that
all-important hands-on experience for this exam, be sure to load up CMAK and create a profile or two.

Familiarity with Microsoft's Internet Security and Acceleration server is also a must for this exam. ISA server provides perimeter firewall services, proxy caching services,
policy-based access control, secure web publishing, and intrusion detection services.

Tip: Client computers may need to install the ISA server firewall client to access the internal or external network.

Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
This objective includes topics such as authentication, authorization, security groups, and certificate services. Know your group types (distribution and security), scopes
(universal, domain local, global, local), and the recommended group strategy, A-G-DL-P: Accounts get placed into Global groups, which get placed into Domain Local groups, which are
assigned Permissions.
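The A-G-DL-P chain is easy to check mechanically. The following added example (not from the original article) expands nested groups to each account's effective permissions and flags places where the strict chain, as stated above, is skipped. The directory snapshot, group names, share path and permission names are all hypothetical.

```python
# Constructed directory snapshot; every name below is hypothetical.
GROUPS = {  # group name -> (scope, members)
    "G_Sales":     ("global",       ["alice", "bob"]),
    "G_Interns":   ("global",       ["carol"]),
    "DL_Sales_RW": ("domain_local", ["G_Sales"]),
    "DL_Sales_RO": ("domain_local", ["G_Interns", "dave"]),  # account placed directly in a DL group
}
ACL = {  # resource -> [(trustee, permission)]
    r"\\fs01\sales": [("DL_Sales_RW", "Modify"), ("DL_Sales_RO", "Read"),
                      ("G_Interns", "Write")],  # permission on a global group skips the DL step
}

def accounts_in(name, seen=None):
    """Expand a trustee to its member accounts, following nesting (cycle-safe)."""
    seen = set() if seen is None else seen
    if name not in GROUPS:
        return {name}  # not a known group, so treat it as an account
    if name in seen:
        return set()
    seen.add(name)
    out = set()
    for member in GROUPS[name][1]:
        out |= accounts_in(member, seen)
    return out

def effective_permissions(resource):
    """Return {account: set of permissions} for one resource."""
    eff = {}
    for trustee, perm in ACL[resource]:
        for acct in accounts_in(trustee):
            eff.setdefault(acct, set()).add(perm)
    return eff

def agdlp_violations():
    """Report memberships and ACL entries that break the strict A-G-DL-P chain."""
    found = []
    for group, (scope, members) in GROUPS.items():
        for m in members:
            m_scope = GROUPS[m][0] if m in GROUPS else "account"
            if scope == "global" and m_scope != "account":
                found.append(f"{group}: global group should hold accounts, found {m_scope} {m}")
            if scope == "domain_local" and m_scope != "global":
                found.append(f"{group}: domain local group should hold global groups, found {m_scope} {m}")
    for resource, entries in ACL.items():
        for trustee, perm in entries:
            if GROUPS.get(trustee, ("account",))[0] != "domain_local":
                found.append(f"{resource}: {perm} assigned to {trustee}, not a domain local group")
    return found
```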
