It May Be Winter, but LANDESK is Heating Up by Joining Forces with HEAT Software

In case you haven’t heard, Clearlake Capital has signed a definitive agreement to acquire LANDESK from Thoma Bravo. As part of the transaction, Clearlake will contribute its portfolio company HEAT Software to the new platform investment in LANDESK.

Read the official press release here.

In this video, LANDESK CEO Steve Daly explains the recent news, including all of the reasons it’s a great idea to join forces.

  • Both companies have been pursuing a strategy that secures, manages, and modernizes end-user environments. By bringing the two companies together, we’ll have many more resources to bear in reaching these goals.
  • The HEAT Software group has spent several years and millions of dollars developing a very robust SaaS platform. We’re excited to bring many of our LANDESK technologies onto this cloud model.
  • Bringing the two companies together is a way for us to gain a lot more scale. For our customers and partners, this means more of everything, including:
    • More resources
    • More reach and investment

As we go through this transition, we will not lose our customer focus and our ability to reach out and provide you with a partnership that you can’t get from any other vendor.

What’s in a Name: Why We’re Changing Our Name (and More) in 2017

In the timeless classic Romeo and Juliet, Shakespeare wrote, “What’s in a name?”

This famous line implies that names are simply labels that don’t really matter. After all, Juliet posits, “A rose by any other name would smell as sweet.”

It’s a nice sentiment, but perhaps (like Juliet) a bit naïve.

If a rose were called skunk weed, you would expect a very different experience when you smelled it. And as Romeo and Juliet’s tragic tale demonstrates, names can unite or divide us.

Names matter.

So what does this have to do with LANDESK?

We’re changing our name in 2017.

LANDESK is a strong, stable and well-respected company in the IT industry. Our technologies are known for just working. This means being reliable, easy to integrate and use alongside other IT systems, and giving IT the ability to get the job done—whatever that job is—particularly when it comes to operational IT and remote enterprise systems management.

Add to that the fact that our staff is known for being friendly, willing to listen, and quick to act to make our customers’ lives easier, and we’ve got ourselves a great name and an equally great brand reputation.

So if the name is so great, why would we want to mess with it?

We wouldn’t, except that…

The name LANDESK is so strongly associated with systems management that it is becoming increasingly difficult to remind the IT industry that we do much, much more.

In recent years, we’ve continued to organically develop and enhance our technology, extending and integrating it in the directions of unified endpoint management (the management of traditional and mobile devices from a single platform) and endpoint security configuration management.

In addition, we’ve acquired several companies that have significantly expanded our focus to include IT disciplines such as:

  • IT service management (TouchPaper)
  • IT asset management (Managed Planet)
  • Patch management (Shavlik)
  • Enterprise-class, ruggedized mobile device management and application streaming (Wavelink and Naurtech)
  • Mobile email security (LetMobile)
  • Business value dashboards and reporting for IT (Xtraction)
  • User environment management for physical and virtual devices, as well as application management and privilege management (AppSense)

They’ll all change too. All these companies will have only one name in 2017.

These changes come in conjunction with a rapidly expanding partner program, and in advance of other anticipated acquisitions as we further execute on our company vision and strategy. All of which makes LANDESK—a brand that is still almost exclusively known for systems management—simply not big enough to convey all we offer and our vision for the future.

Over the next several months, you will start to notice changes in LANDESK and the brands we’ve acquired. We are evolving. Refining our focus. Transforming in ways we never have before. And we want to bring our customers with us, continuing to help you along your organization’s journey to IT maturity.

We will still be the great company you’ve come to know and trust. We will continue to develop and maintain the world-class IT solutions relied upon by organizations across the globe. But we will be coming together in new ways, under a new company name, and with a new focus.

These are exciting times for LANDESK and our brands. Stay tuned!

Also, be sure to check out our blog post where we show a time lapse video of our booth getting tagged by a graffiti artist at Gartner ITxpo! (The opportunity to signal to 15,000 CIOs and other industry insiders that a change is coming was too good to resist.)

September 2016 Patch Tuesday

Here is the analysis for this month’s Patch Tuesday from Chris Goettl of our Shavlik team:

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Microsoft has announced a change to the servicing model for all pre-Windows 10 operating systems starting in October. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post. This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year, we are averaging about three CVEs per bulletin. Given the explanation in Microsoft’s blog post, I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen under the new model, and the average changes to around 12 CVEs per bulletin.

The bottom line here is that exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, the vendors whose products conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will get a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for the Edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves five vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe is a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for Exchange Server that resolves three vulnerabilities. In reality, this update addresses more, as it includes the Oracle Outside In libraries, which received an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user-targeted vulnerability. An attacker could send a link with a specially crafted URL that would redirect an authenticated Exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a Priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system: Flash Player itself and the plug-ins for IE, Chrome, and Firefox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.

Originally published at http://blog.shavlik.com/september-patch-tuesday-2016/

August Patch Tuesday 2016

Here is this month’s analysis from Chris Goettl, of our Shavlik Product Management team:

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user-targeted vulnerabilities, and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit, as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to ransomware. Plugging as many user-targeted vulnerabilities on the endpoints as possible is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

Originally published at http://blog.shavlik.com/august-patch-tuesday-2016/

It’s Official: New MEGABYTE Act Becomes Law and It’s Going to Save Money

On July 29, 2016, the MEGABYTE Act of 2016 was signed into law.

Last Friday, Public Law No. 114-210, also known as the Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 or the MEGABYTE Act of 2016, was officially signed into law.

This new legislation directly affects all U.S. government agencies and follows on earlier legislation that has gone into effect over the past two to three years.

Why the MEGABYTE Act Is Different

Although complementary, the MEGABYTE Act differs from previous legislations such as The Federal Information Technology Acquisition Reform Act (FITARA), the National Defense Authorization Act for Fiscal Year 2015 (NDAA FY 2015), and the Office of Management and Budget (OMB) Guidelines.

While FITARA and NDAA FY 2015 focus on IT issues related to staffing, coordinated purchasing, IT hardware inventory, and other areas, the MEGABYTE Act lays out what agencies are expected to document and report.

This documentation and reporting deals specifically with IT software license savings that can be achieved with better visibility and efficiencies.

The full MEGABYTE Act of 2016 text can be found here.

Sponsored by the Committee on Oversight and Government Reform and the U.S. Senate Committee on Homeland Security & Governmental Affairs, the MEGABYTE law requires that government CIOs “of each executive agency must report to the OMB, beginning in the first fiscal year after this Act’s enactment and in each of the following five fiscal years, on the savings from improved software license management.”

The specific requirements that are laid out for agency CIOs are great steps to getting a handle on what software is installed within the agency.

MEGABYTE Act Cost Savings

In my 21 years’ experience as a Gartner Research Director advising the public and private sectors on IT and software asset management (SAM) programs, I’ve found that an organization without any best practices in place could yield savings of up to 30 percent in cost avoidance and savings in the first year.

Savings will decline in subsequent years as the environment is tightly managed, but the increased visibility will continue to reap savings in other IT domains.

However, OMB and GAO already have best practices in place. They have centrally negotiated contracts and pricing—not to mention a culture that adheres to policies—which will be a huge advantage as agencies begin to move into compliance with this law.

In my professional opinion, I would expect the government could save anywhere from three to five percent by monitoring the installation and usage of software, and up to 20 percent by implementing a complete ITAM/SAM program.

When you consider that OMB reported that government agencies spent $9 billion in 2015 on new software licenses, the savings from software usage monitoring and reallocation of software could be significantly more than $450 million in the first year of this five-year legislation.

LANDESK is no stranger to the importance of ITAM/SAM solutions. Learn why LANDESK was named ITAM Champion by Info-Tech this year!

Senator Orrin Hatch Visits LANDESK

As a major proponent of the tech industry, Senator Orrin Hatch carved time out of his busy schedule to meet with LANDESK yesterday.

Employees anxiously awaited his arrival. The positive impact Senator Hatch has had on the tech industry over the years has been significant.

“He is probably the most influential and the most educated on the tech industry,” said LANDESK CEO Steve Daly. “He’s done a lot of good to help the tech industry grow around the country as well as here in Utah.”

As head of the High-Tech Task Force for the Republican Senate, Senator Hatch first ran for public office in 1977 and is now serving his seventh term as Utah’s senator. His many years in the political arena have given him the opportunity to rub shoulders with world leaders and other prominent figures in society.

He has undoubtedly had a front-row seat to some of the most life-changing events in human history.

Senator Orrin Hatch and LANDESK CEO Steve Daly

After taking a tour of the building—where he met and shook hands with dozens of employees from different departments—Senator Hatch personally addressed the LANDESK group and then opened the floor to questions.

Employees didn’t hold back, asking the senator everything from how he plans to fix the VA problem to who to vote for in the upcoming election.

His answers were refreshingly candid and the discussion was both respectful and enlightening—even in a room full of differing perspectives.

Of course, a meet-up of this caliber would not be complete without a few selfies, and the senator was gracious enough to take photos with anyone who wanted one.

We welcome the senator back any time and appreciate his staunch advocacy for the tech industry and all of his continued efforts on our behalf!

Windows 10 Branch Upgrade Solution Architecture Part 2

In part 1 of this discussion, I set out the key elements of a Windows 10 branch upgrade solution architecture. Upgrade education, end user communication, and solution preparation were discussed in that first article. Let’s complete this discussion by diving into the upgrade rollout model and issue management.

Upgrade Rollout Model

In the article on Windows 10 Branch Upgrade Strategy, I outlined different models and timelines for how to roll out your upgrades. Create a similar rollout model for your organization, making sure you have nailed down these key elements:

  • Rollout Groups: Hopefully you have already structured your organization into groups for patching, software rollouts, and previous operating system migrations. If you haven’t, now is the time to do so. At minimum, have a pilot or test group and a production group. It is very likely you will have more than one of each. Here is one example to get you thinking:
    • Pilot Group 1 – IT: Start here as you should have the most communication with these individuals and they should be technical enough to provide detailed feedback if issues are encountered.
    • Pilot Group 2 – Power Users and Application Owners: Find the tech heads of different departments who will, again, provide detailed feedback if issues are encountered. Also, find the business application owners who aren’t in IT. If you don’t know who these people are, start networking internally. They will surface if you ask.
    • Production 1 – Non-Critical Systems and Users: This is a loaded term, but figure out which systems and users won’t cripple the business if the upgrade has issues. Different departments may be more critical at different times of the year or quarter (sales, finance, etc.). This difference in time of year and quarter could merit breaking this group into two or timing it very strategically. Every organization is different, so make sure you understand yours before assigning anyone to a group.
    • Production 2 – Critical Users: This is the phase to address those critical users like sales, finance, or service delivery. This phase may need to be paused depending on the time of the year or quarter.
    • Production 3 – Critical Systems: This probably includes any system that has a material impact on the business in terms of generating revenue or delivering a service or product to a customer. It could include systems that control medical devices, for example. Again, timing may affect criticality here, but understanding your business is paramount.
  • Timing: Each rollout group should have a set time in which the upgrade occurs. Remember the 80/20 rule: you will likely get 80% of the group upgraded quickly and will have to work hard for the other 20%. Also, the upgrade itself is not the end goal; the goal is to maintain business continuity with optimal service levels. If you have 3 months for pilot group 1, try to get the upgrades completed in month 1 so the remaining 2 months can be used to assess impact.
  • Acceptance Criteria: Before moving to the next phase, know what you consider success. Is it 100% desktop usability (or 95%)? Is it based on a review of all critical incidents related to users who were upgraded? Who makes the approval decision? Answer these questions before moving on to the next phase.
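As an added example (not code from the original article), here is a PowerShell phase gate that applies the acceptance criteria above to one rollout group and lists the stragglers the 80/20 rule predicts. The inventory rows, the thresholds (95% upgraded, no open critical incidents) and the approver name are constructed for illustration.

```powershell
# Constructed sample inventory (not real data): one row per computer in the rollout.
# In practice this would be exported from your endpoint management and ITSM tools.
$Inventory = @(
    [pscustomobject]@{ Computer = 'IT-001';  Group = 'Pilot 1 - IT';            Upgraded = $true;  OpenCriticalIncidents = 0 }
    [pscustomobject]@{ Computer = 'IT-002';  Group = 'Pilot 1 - IT';            Upgraded = $true;  OpenCriticalIncidents = 0 }
    [pscustomobject]@{ Computer = 'IT-003';  Group = 'Pilot 1 - IT';            Upgraded = $true;  OpenCriticalIncidents = 1 }
    [pscustomobject]@{ Computer = 'IT-004';  Group = 'Pilot 1 - IT';            Upgraded = $false; OpenCriticalIncidents = 0 }
    [pscustomobject]@{ Computer = 'FIN-010'; Group = 'Production 2 - Critical'; Upgraded = $false; OpenCriticalIncidents = 0 }
)

function Test-RolloutPhase {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [string]   $Group,
        # Acceptance criteria, agreed before the phase starts
        [ValidateRange(0, 100)] [int]     $MinUpgradedPercent = 95,
        [int]                             $MaxOpenCriticalIncidents = 0,
        # Named approver who owns the go/no-go decision
        [Parameter(Mandatory)] [string]   $Approver
    )

    $members = @($Inventory | Where-Object { $_.Group -eq $Group })
    if ($members.Count -eq 0) { throw "No systems are assigned to rollout group '$Group'." }

    $upgradedCount = @($members | Where-Object { $_.Upgraded }).Count
    $percent       = [math]::Round(100 * $upgradedCount / $members.Count, 1)
    $openCritical  = ($members | Measure-Object -Property OpenCriticalIncidents -Sum).Sum

    # The 80/20 rule: list the long tail still to be upgraded so it gets worked explicitly
    $stragglers = @($members | Where-Object { -not $_.Upgraded } | ForEach-Object Computer)

    $reasons = @()
    if ($percent -lt $MinUpgradedPercent)            { $reasons += "Upgraded $percent% is below the $MinUpgradedPercent% required" }
    if ($openCritical -gt $MaxOpenCriticalIncidents) { $reasons += "$openCritical open critical incident(s) exceed the $MaxOpenCriticalIncidents allowed" }
    $decision = if ($reasons.Count -eq 0) { 'ADVANCE' } else { 'HOLD' }

    [pscustomobject]@{
        Group                 = $Group
        Systems               = $members.Count
        UpgradedPercent       = $percent
        OpenCriticalIncidents = $openCritical
        Stragglers            = $stragglers
        Decision              = $decision
        HoldReasons           = $reasons
        Approver              = $Approver
        Evaluated             = (Get-Date).ToString('s')
    }
}

# Evaluate the first pilot group: 3 of 4 upgraded (75%) with one open critical incident, so the gate holds
Test-RolloutPhase -Inventory $Inventory -Group 'Pilot 1 - IT' -Approver 'Desktop Engineering Lead' | Format-List
```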

Issue Management

One can expect a certain percentage of systems to have issues during the upgrade process. Part of the solution architecture should take into account how to address issues so as to not slow down the overall rollout and to ensure that systems are upgraded before patch support is discontinued.

There are likely many areas to plan for, but I will throw out two that you can prepare for:

  • Hardware: Two examples: Do drivers impact the upgrade? Are storage limitations an issue?
  • Application compatibility: This is likely the number one issue you will run into. Which business and third-party application teams or vendors do you need to call on when issues are encountered? If a compatibility issue becomes an upgrade blocker, what is the plan?

Key Takeaways

As the challenge is big, so is the solution. Here are the key points to share around an upgrade solution architecture:

  • Upgrade education: prepare your users for the changes
  • End user communication: remember to communicate expectations before, during, and after the upgrade
  • Solution Preparation: the solution architecture needs to be robust and automated
  • Upgrade Rollout Model: break your enterprise into groups and upgrade methodically
  • Issue Management: Windows 10 forces tight timelines so prepare for issues in advance

With the solution architecture set up, I will next explore how LANDESK can help with Windows 10 branch upgrades.

July Patch Tuesday 2016

Here is this month’s analysis from Chris Goettl:

Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat/Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th. Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning, if a user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010. The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.” The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative JScript/VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow Remote Code Execution and Elevation of Privilege attacks if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or to set up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper privilege management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. On SharePoint, according to the documentation provided by Microsoft, the vulnerabilities appear to allow only Information Disclosure, and the rating drops to important for the SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins. For more detail, join us tomorrow for our regular Patch Tuesday webinar.

Originally published at http://blog.shavlik.com/july-patch-tuesday-2016/

Windows 10 Branch Upgrade Solution Architecture Part 1

In previous articles, I’ve covered a lot of information on Windows 10 branches. As you have seen, there are a lot of new concepts and challenges with Windows 10 branch upgrades that did not exist in previous versions of Windows. With all of that as background, this article is the first of two parts around a Windows 10 branch upgrade solution architecture.

Solution Architecture

In order to build an effective solution, the following elements should be in place:

  • Upgrade Education
  • End User Communication
  • Solution Preparation
  • Upgrade Rollout Model
  • Issue Management

Upgrade Education

Before doing an upgrade, consider the changes to the user experience. Branch upgrades are not as drastic as a new version of Windows, but instead introduce new features and usability gradually. Depending on your organization, you may simply inform them that a new version of Windows 10 will roll out and to expect changes. For change sensitive people, you may need to consider some deliberate training in preparation. Use experience from previous operating system migrations to determine what is best here.

Upgrade Communication

Do not underestimate the importance of communication as you develop your solution. As noted in the Windows 10 Current Branch article, upgrades will be disruptive and take around 30 minutes. With these challenges in mind, communications should be multi-phase:

  • Pre-Upgrade Application Owners: Application owners should be notified of the upgrade plan and schedule so they can test their applications to ensure business continuity. Constant communication about the upgrade process should be delivered to the application owners.
  • Pre-Upgrade End Users: Users should be prepared to understand that the upgrade experience is unlike anything they have experienced in the past. It will take time and prevent them from doing work. Show them screenshots of what they can expect, and remember that users will ignore your emails. Per the upgrade education section, make sure to educate them on changes before the upgrade.
  • Upgrade Launch: Per my previous point, users will ignore any emails you send them. Before the upgrade launches, they should see an on-screen notification that summarizes what will happen and points them to a web portal with detailed explanations.
  • Post-Upgrade: Branch upgrades introduce new features, and we all know that despite all the testing you may do, there is the potential for issues. Make sure that post-migration there is a method to gather feedback and measure upgrade issues.

Solution Preparation

  • Upgrade Readiness: An operating system migration requires many considerations (CPU, RAM, etc.). In the case of the branch upgrade, the one element that should be constantly monitored is free disk space. It isn’t clear how much space is required for a branch upgrade, but remember the upgrade file is 3 GB for x86 and 6 GB for x64 plus space for temporary files. As a safe bet, keep to the Windows 10 specifications for free disk space of 16 GB for x86 and 20 GB for x64.
  • Targeting: As mentioned in the Branch Upgrade Strategy, enterprises need to plan on having systems on multiple branches. This will require that users and computers are assigned to groups identifying them with their branch. Once done, you need to plan on targeting migrations appropriately (for example, Current Branch to Current Branch).
  • Distribution: As upgrade packages are large, enterprises will need a plan for how the package will be distributed and cached. The existing software delivery architecture needs to be ready for 4 GB files, as that is the size of the 1511 x64 package.
  • Off-Network Systems: In many enterprises a significant minority, if not a majority, of clients will be laptops, many of which spend little time on the corporate network. For these systems, there must either be an option to upgrade them remotely or a planned upgrade for when they are on the network.
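As an added example (not from the original article), the following PowerShell check evaluates one endpoint against the free-disk-space figures quoted above and reports the installed Windows 10 release so the output can feed the branch-based target groups described under Targeting. The function name and reporting fields are my own; the ReleaseId registry value is a real Windows 10 value but is not mentioned in the article.

```powershell
# Added example: checks one endpoint against the free-disk-space figures quoted above
# (16 GB for x86, 20 GB for x64) and reports the current Windows 10 release so the
# result can be used for branch-based targeting. Function and field names are my own.
function Test-BranchUpgradeReadiness {
    [CmdletBinding()]
    param(
        # System drive in Win32_LogicalDisk DeviceID form, e.g. "C:".
        [string]$SystemDrive = $env:SystemDrive,
        # Minimum free space per architecture; defaults follow the article's figures.
        [hashtable]$MinimumFreeGB = @{ 'x86' = 16; 'x64' = 20 }
    )

    # Architecture of the installed OS, not of the PowerShell host process.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

    # Free space on the system drive, rounded to one decimal place in GB.
    $disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # ReleaseId (e.g. 1511) identifies the installed feature release; it is
    # $null on releases that predate the value.
    $ntVersion = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $requiredGB = $MinimumFreeGB[$arch]
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ReleaseId    = $ntVersion.ReleaseId
        Architecture = $arch
        FreeGB       = $freeGB
        RequiredGB   = $requiredGB
        ShortfallGB  = [math]::Max(0, $requiredGB - $freeGB)
        Ready        = ($freeGB -ge $requiredGB)
    }
}

# Run locally; pipe to Export-Csv or your management tool's inventory import
# to build the per-branch target groups described under "Targeting".
Test-BranchUpgradeReadiness | Format-List
```

Systems reporting Ready = False with a non-zero ShortfallGB are the ones to hold back from the rollout until space is reclaimed, which is why the article recommends monitoring free disk space continuously rather than once.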

Looking Ahead

There is a lot of information to cover for a Windows 10 branch upgrade solution architecture. In part 2, I will dive into the upgrade roll out model and issue management.

June Patch Tuesday 2016


Here is the latest analysis on Patch Tuesday from Chris Goettl:

I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. Adobe is urging companies that distribute Flash Player to get a proper enterprise agreement in place for distributing it. Most of you, however, are only concerned with updating Flash Player instances already in place, rather than distributing it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below: user-targeted vulnerabilities, and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attached image or PDF. The exploit would be embedded in this specially crafted content, allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly a 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one or both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for three vulnerabilities in JScript and VBScript. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and SharePoint that includes fixes for four vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note, each of which includes a vulnerability that has been publicly disclosed.

They are MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). All three are rated as important, but due to the public disclosures, they warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Originally published at http://blog.shavlik.com/june-patch-tuesday/