UpdateEXPERT® Premium v7.
St. Bernard Software, Inc. Information in this document is subject to change without notice. This document may be distributed freely only in whole, however no alterations are allowed without the expressed written consent of the author, St. Bernard Software, Inc. © 20012005 St. Bernard Software, Inc. All rights reserved. UpdateEXPERT is a registered trademark of St. Bernard Software, Inc. St. Bernard Software and the St. Bernard Software logo are trademarks of St. Bernard Software, Inc.
St. Bernard Software, Inc. Protecting Your Network Investment Table of Contents Note: TOC items are hyperlinks, use MouseRollover, then click. Also, any reference to UpdateEXPERT in this manual implies UpdateEXPERT Premium. Table of Contents............................................................................................................1 Purpose...........................................................................................................................
St. Bernard Software, Inc. Protecting Your Network Investment SecurityEXPERT Overview ...........................................................................................25 Configure SecurityEXPERT Web Proxy ........................................................................26 Download SecurityEXPERT Templates.........................................................................27 Creating a SecurityEXPERT Policy .............................................................................
St. Bernard Software, Inc. Protecting Your Network Investment Purpose The Evaluation Guide exists to assist in the initial installation, basic usage, and evaluation of UpdateEXPERT Premium. This is specifically intended to help evaluators make an informed decision towards the acquisition of a suitable patch and security settings management product.
St. Bernard Software, Inc. Protecting Your Network Investment Install UpdateEXPERT Premium This Eval Guide example illustrates a new installation of UpdateEXPERT Premium. Login with Administrator privileges. Download the UpdateEXPERT Trial Software. When prompted, click SAVE to download the compressed file (~120MB) to your local disk. When prompted again click RUN to launch the selfextraction dialogue (screen shot).
St. Bernard Software, Inc. Protecting Your Network Investment Click Next Enter the Trial Serial Number from the email called “UpdateEXPERT Dowload Request.” You may also request a trial serial number using the button shown below to launch a web form. June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment Typical will install all components, i.e., Console Application, Patch Management Server and Settings Management Server. Custom may be used to install to an existing Local SQL instance, exclude “Settings Management”, or install the Console and AgentInstaller Applications only. For example screen shots and notes, see “Appendix A – Custom Install Options.” Click Install June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment You will see a “Performing Initialization Check … Please Wait” message. In 12 minutes status messages and the status bar will become active. UpdateEXPERT and MSDE files are loaded ... File Loading results in 3 UpdateEXPERT directories… 1. C:\Program Files\St. Bernard Software\UpdateEXPERT 2. C\Program Files\Common Files\UpdateEXPERT 3. %Systemroot%\UEAgent Note: %Systemroot% will be C:\WINNT or C:\WINDOWS.
St. Bernard Software, Inc. Protecting Your Network Investment Launch UpdateEXPERT ... click Finish Doubleclick the ‘agents connected’ message on the status bar to see connected agents (1 at this point). Below, two connected MasterAgents are shown as an example of multiple connections. Note: If you didn’t login with Administrative rights, you may be prompted for credentials. The display areas include Network Pane (upperleft), Updates Pane (upperright), and Browser Pane (bottom).
St. Bernard Software, Inc. Protecting Your Network Investment Note: When you deploy additional MasterAgents (using File > Agent > Install Wizard) you can connect to them using File > Agent >Connect/Configure. Additional MasterAgents are typically deployed for delegation or scaling reasons. The Network Pane (upperleft) is where you “discover” machines, simply by expanding the Window Network or Active Directory objects. These views are identical to viewing your network from “Network Neighborhood”.
St. Bernard Software, Inc. Protecting Your Network Investment Identify the Web Proxy (if applicable) If your organization uses a Web Proxy Server you need to identify it so that UpdateEXPERT can successfully submit URL requests to St. Bernard and Microsoft web sites for database updates, and patch downloads. Navigate to "File > Agent > Settings > Internet" and identify your web proxy server. It is best to enter the information for the "Global Agent".
St. Bernard Software, Inc. Protecting Your Network Investment Download the Latest UpdateEXPERT Database Do “Help > Update Database Now” and wait at least a minute for a dialogue box to come up asking if you want to update your database. Click Yes to update (actually replace) the existing database files with new database files immediately, or simply wait for the countdown timer to expire After this initial database update, UpdateEXPERT will automatically check for a new database every 6 hours by default.
St. Bernard Software, Inc. Protecting Your Network Investment Query your UpdateEXPERT Machine Begin by querying a machine you have Administrative rights on, i.e., your UpdateEXPERT MasterAgent machine, as a means of testing and learning. Select (highlight) your UpdateEXPERT machine, rightclick, do 1) “Set credentials...” and enter valid credentials. Then do 2) Manage Selected (decrements license count). The machine name will bold and means the machine is eligible for querying and patch deployment.
St. Bernard Software, Inc. Protecting Your Network Investment Agentless Query Requirements These requirements are the result of default installations for NT4/W2K/XP. You would have to disable these services and shares, and restrict access, to fall short of the requirements. In order to install OS updates remotely you must have the access rights to remotely access and modify the registry and system files on the target systems.
St. Bernard Software, Inc. Protecting Your Network Investment Download Patches Note: Patches which are not downloaded already, are automatically downloaded by the Patch Install Wizard. Here we do it manually primarily as a learning exercise. Select (highlight) one or more uninstalled patches, rightclick and “Download”. Diskette Icons will turn blue with a red arrow while downloading, and will turn solid blue (shown below) when successfully downloaded. Grey means not downloaded.
St. Bernard Software, Inc. Protecting Your Network Investment Install Patches Suggestion: For the moment, install patches on your UpdateEXPERT machine. Later, you can deploy to other machines. Select (highlight) one or more uninstalled patches, rightclick and “Install”. This will launch the Patch Install Wizard, which integrates with the database for grouping patches, presenting patch options (see below), displaying diagnostic patch deployment messages, and controlling reboots.
St. Bernard Software, Inc. Protecting Your Network Investment Named Policies (“Install Required” command) To get started, select your UpdateEXPERT machine and open the Policy Editor for the Default policy as follows; Policy > Open > Default > Open. You may now check one or more patches as required (example below). At this point, you should be in the Policy Editor for “Default”, as shown below.
St. Bernard Software, Inc. Protecting Your Network Investment Conformance Reporting Conformance Reporting tells you whether Required Updates have, or have not, been installed on specific machines. You can, for example, deploy a required update, requery the machines, and run a Conformance report to see if any machines were missed (these could have been offline for example, or unreachable because of hardening).
St. Bernard Software, Inc. Protecting Your Network Investment Select only your machine, rightclick and Install Required to deploy required updates to all selected machines (yourself at this point). This will launch the Patch Install Wizard again. Click through the dialogue to install the required updates on your machine. Rerun the conformance report, your machine should NOT show up under “Does Not Conform”.
St. Bernard Software, Inc. Protecting Your Network Investment Installing Master or LeafAgents The AgentInstaller GUI makes it easy to deploy additional MasterAgents, or LeafAgents to another machine. Do File > Agent > Install Wizard. 3 screens prompt for the needed information. st The 1 screen specifies a remote install (push the agent across the network) to a machine called “MYTARGETHOST”.
St. Bernard Software, Inc. Protecting Your Network Investment rd The 3 screen lets you use existing “Credentials” to perform the remote installation, or lets you specify credentials as needed. Also note that the specified credentials can be saved for the session only if your policy prohibits storing credential information. When you click “Finish”, the LeafAgent will be pushed, and status information displayed. At the end of the dialogue you will be notified of success.
St. Bernard Software, Inc. Protecting Your Network Investment You have now been exposed to setting credentials for Managing, Querying and Agent Installation. For a very complete discussion of how credentials are stored and managed, see: Credentials Management in UpdateEXPERT Premium Lastly, it is highly recommended you review the LeafAgent Deployment Guide. This document reviews Master and LeafAgent Architecture.
St. Bernard Software, Inc. Protecting Your Network Investment What’s Next? Congratulations! You’ve used important core UpdateEXPERT features. See Help > Contents (User Manual) for information on creating Groups and Profiles. Profiling in particular is a great way to group machines by OS, ServicePack, Applications, and even individual patch. See “What’s New in UpdateEXPERT Premium” to see a menu of features that were introduced in UpdateEXPERT Premium. You may also want to deploy a CustomFix ...
St. Bernard Software, Inc. Protecting Your Network Investment Validating Patches Validation is supported by the UpdateEXPERT database. Validation examines file version, size, or checksum values in the database against individual component files of each installed patch on the target machine. If a mismatch on even one component file fails, Validation for that patch fails.
St. Bernard Software, Inc. Protecting Your Network Investment Scheduling Queries Background Enumeration (to discover newly installed machines), Querying, and even Validation (Note: query time increases substantially), can be scheduled, such as during “off hours”, for each deployed MasterAgent and LeafAgent. To apply a schedule to many Agents, it is best to select the Global Agents object. However, you can select any individual Agent, uncheck the “Use Global Agent ...
St. Bernard Software, Inc. Protecting Your Network Investment SecurityEXPERT Overview Settings Management (Services, Registry, File, and Security Policy settings) is provided by downloading one or more security templates from the UpdateEXPERT Security Templates Tab, and using the settings management information to: · Create Policies, i.e., research and select security points of interest · Test Compliance, i.e., assess the status of machines · Enforce Policy, i.e.
St. Bernard Software, Inc. Protecting Your Network Investment Configure SecurityEXPERT Web Proxy Before attempting to download security templates, set Web Proxy settings if needed. Settings Management is performed with a .NET interface accessed from UpdateEXPERT. This screen saves Web Proxy information to .NET configuration files.
St. Bernard Software, Inc. Protecting Your Network Investment Download SecurityEXPERT Templates New security templates are shown in the Security Templates tab (shown below) for queried machines. Templates may be seen in Machine (shown below) or Research View. Templates are available for Windows 2000 Professional and Server, XP Professional, and 2003 Server. Go to the Security Templates tab for a queried machine, right-click the template, and “Download.
St. Bernard Software, Inc. Protecting Your Network Investment Creating a SecurityEXPERT Policy For purposes of this evaluation, let’s create a very simple Windows XP policy so that assessment reports are easy to interpret. You may easily emulate this example for other platforms. You may create policies using two menu commands: · SecurityEXPERT > Policies ... · RightClick on a Template (shown here) > SecurityEXPERT > Create/Manage Policies Launch the Policy Manager as described above.
St. Bernard Software, Inc. Protecting Your Network Investment Enter a name for the policy (above). The selected template is highlighted on the right. To generate a list of security points to work with, check one or more experts, and check a machine configuration. This will determine the number of security points displayed. Click Next. June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment The policy initialization screen displays the chosen experts, configuration, resulting number of security points, and number of security point conflicts (one expert disagrees with another). Also shown is general warning and expert disclaimer information. Review this screen then click Next. By default, ALL security points are listed under the All tab.
St. Bernard Software, Inc. Protecting Your Network Investment For our example, we want to assess FTP and Telnet services only. On the ALL tab, uncheck all defined items by checking “Include All”, then unchecking “Include All.” The result will be that all items are unchecked. Note: An even easier way to start with no selected security points is to un select all Experts and Categories on the “Policy Setup” screen. This allows start with 0 security points defined.
St. Bernard Software, Inc. Protecting Your Network Investment Clicking the Complete link (above) will display the assessment results (below). Clearly FTP and Telnet are out of compliance. Note that nothing has been changed on the machines since we have not enforced the policy yet. June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment Modifying the SecurityEXPERT Policy We now want to modify the policy for enforcement. Go to SecurityEXPERT > Create/Manage Policies, select your policy, and click “View/Edit Policy.” Modify your security points, setting Status: to “Stopped” and checking the Enforcement Options: “Enforce Startup Type” and “Enforce Status.” See the screen shot below.
St. Bernard Software, Inc. Protecting Your Network Investment When you click OK, the settings will be applied. The Job Manager is launched and you will have an “In Process” job. Make sure AutoRefresh is checked so you see the Status change. Clicking the Complete link will display the enforcement results (below). The machine is in compliance when no security points are listed. June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment Using Profiles with SecurityEXPERT Templates are distributed per operating system platform. It may be helpful to create UpdateEXPERT profiles that group machines by Windows 2000 Professional, Windows 2000 Server, Windows XP Pro and Windows Server 2003 for policy assignment, assessment, and enforcement. Rightclick the Profiles object in the network pane, and “Add profile” to launch the profile wizard. June 19th, 2006 UpdateEXPERT Premium v7.
St. Bernard Software, Inc. Protecting Your Network Investment Click Next, enter a profile name (XP for example), click Next, expand the profile wizard window (shown below) with a corner pull (highlighted below), find the OS to group, Select it (Windows XP English in this case), click Next, Select one or more ServicePack levels, click Next, ignore the individual patches displayed, and click Next again (possibly twice) to complete your profile. Your named object will show up under Profiles.
St. Bernard Software, Inc. Protecting Your Network Investment Glossary · · · · · · · · · · · · · · · · · · · Browser Pane: The bottom pane within the Console that displays the UpdateEXPERT User Web page, detailed information about updates from Microsoft’s web site, and results from the UpdateEXPERT reports. Console: The Console is the GUI front of UpdateEXPERT.
St. Bernard Software, Inc. Protecting Your Network Investment Appendix A – Custom Install Options Doing a “Custom” (instead of “Typical”) install allows you to specifically select which components you wish to install. Click here to return to Typical Install example. Install the Console Application and AgentInstaller components. Useful for delegating patch management, or remotely connecting to one or more Master Agents. Note: The AgentInstaller is used for deploying LeafAgents and MasterAgents.
St. Bernard Software, Inc. Protecting Your Network Investment Appendix A – Custom Install Options Continued… “Custom” (instead of “Typical”) also allows you to specify an existing locally installed SQL instance for use, instead of MSDE. The UEDataStore and optionally SEDataStore databases will be created in MSSQL$SBSDB folder for MSDE, or in MSSQL$LocalInstanceName folder for SQL. “Create SBSDB” means use MSDE. The result will be a folder called MSSQL$SBSDB.
