An Introduction to Windows Patch Management - Page 2
First Up: Windows Update
Microsoft's most basic and most widely used patch management tool is Windows Update, whose client component shipped with Windows 2000 and continued in Windows XP and Windows Server 2003. It is built around an agent running on each target system that pulls new patches from predefined locations (by default, a set of Microsoft-managed Windows Update servers). Because it is easy to configure and manage (especially after the Group Policy settings added with Windows XP), it serves home users and smaller businesses well.
Unfortunately, it is a poor fit for more rigidly structured corporate environments, where changes must be tightly and centrally controlled and an administrator must be able to decide which patches are installed, and when. In addition, Windows Update is limited to newer operating systems; it does not cover Windows NT 4.0, which still runs on a large share of desktops and servers.
To allow more selectivity in patch deployment and to address the legacy-system gap, Microsoft turned its attention to products available from third-party developers. The Code Red (July 2001) and Nimda (September 2001) outbreaks most likely triggered that decision. Microsoft addressed the immediate need with the IIS Lockdown tool, which automates secure configuration of Internet Information Server; however, it was clear that a more generic solution was needed to close other vulnerabilities in Windows operating systems, and that meant getting missing patches onto systems.
Initially, the void in this area was filled by third-party vendors, such as Patchlink (Update Patch Management), GravityStorm (Service Pack Manager 2000), St. Bernard Software (UpdateEXPERT), and Shavlik Technologies (HFNetChkPro). Microsoft also contracted Shavlik Technologies to develop HFNetChk, a command line-based, feature-limited version of its tool that provided only reporting functionality.
HFNetChk could not fully compete with the more comprehensive GUI-based products, which also handled patch deployment, but it was free and could inventory missing patches not only on Windows NT 4.0 and later systems but also for a number of Microsoft applications, including IIS, SQL Server, Exchange Server, Windows Media Player, and Internet Explorer. Its scanning engine was subsequently reused in the Microsoft Baseline Security Analyzer (MBSA), again developed for Microsoft by Shavlik Technologies (version 1.0 was released in March 2002). Like its predecessor, MBSA is limited to reporting, but it offers enhanced scanning functionality and both a command line and a graphical, IE-based interface.
Software Update Services
To give customers a cost-effective patch deployment solution that also leaves them central control over which patches get installed, Microsoft released Software Update Services (SUS) 1.0 in June 2002. At the time of writing, SUS 1.0 with Service Pack 1 is the current release, and version 2.0 is expected in the first quarter of 2004.
Available as a free download, SUS builds on the Automatic Updates client (which limits it to Windows 2000 and later operating systems) and replaces the public Windows Update servers with intranet-based, corporate update servers from which internal client computers pull only the updates an administrator has approved. Client update parameters are set through Group Policy, while server settings are configured through an intuitive, IE-based web interface. Since SUS provides no inventory reporting, it must be combined with MBSA or a comparable utility to verify that approved updates actually reached the clients.
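The client side of that arrangement is just a handful of policy values under HKLM, written by the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" Group Policy settings. The script below is an added example, not code from the original article or from Microsoft: it reads those values on a client and reports whether the machine will actually pull from the intranet SUS server rather than the public Windows Update servers. The server URL, the host name and the function name are assumptions for illustration.

```powershell
# Added example (not part of the original article): audit a client's
# Automatic Updates policy for SUS. Run in an elevated PowerShell session.

# Hypothetical intranet SUS server; substitute your own.
$ExpectedServer = 'https://sus01.corp.example'

function Test-SusClientPolicy {
    param([string]$Expected = $ExpectedServer)

    # Policy keys written by Group Policy (or by hand on unmanaged machines)
    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $AuKey     = "$PolicyKey\AU"

    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue

    $findings = @()

    # UseWUServer=1 is what actually redirects the client to WUServer;
    # without it, WUServer is ignored and the public servers are used.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: client will use the public Windows Update servers.'
    }

    if (-not $wu -or [string]::IsNullOrEmpty($wu.WUServer)) {
        $findings += 'WUServer is not set: no intranet update server configured.'
    } else {
        if ($wu.WUServer.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "WUServer is '$($wu.WUServer)', expected '$Expected'."
        }
        if ($wu.WUServer -notmatch '^https://') {
            $findings += 'WUServer uses plain HTTP: the connection to the update server is not protected in transit.'
        }
        # Clients report status to WUStatusServer; it normally equals WUServer.
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $findings += 'WUStatusServer differs from WUServer: status reports go elsewhere.'
        }
    }

    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy.'
    }

    # AUOptions: 2 = notify before download, 3 = download and notify before
    # install, 4 = download and install on the scheduled day/time.
    if ($au -and (@(2, 3, 4) -notcontains $au.AUOptions)) {
        $findings += "AUOptions is '$($au.AUOptions)': expected 2, 3 or 4."
    }

    # Return a small result object so the check can be collected from many hosts.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = if ($wu) { $wu.WUServer } else { $null }
        UseWUServer  = if ($au) { $au.UseWUServer } else { $null }
        AUOptions    = if ($au) { $au.AUOptions } else { $null }
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

$result = Test-SusClientPolicy
if ($result.Compliant) {
    Write-Output "OK: $($result.ComputerName) pulls approved updates from $($result.WUServer)"
} else {
    Write-Output "NOT COMPLIANT: $($result.ComputerName)"
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Two points worth keeping in mind when reading the output. First, the check only tells you what the client is configured to do, not which patches it has; that is exactly the gap MBSA fills. Second, whoever can write to that HKLM policy key can silently point every client at a different update source, so the key (and the GPO that populates it) deserves the same change control as the SUS server itself.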
Microsoft also built a more comprehensive patch management solution into the Software Update Services Feature Pack, an add-on for Systems Management Server (SMS) 2.0. The Feature Pack itself is free, but it obviously requires that SMS 2.0 be purchased and deployed. It combines inventory (its scanning process uses the Microsoft Baseline Security Analyzer engine) with deployment, which is what SUS alone lacks. Further patch management improvements are built into the recently released SMS 2003. Future articles in this series will cover both of these, as well as a variety of similar third-party products.