An Introduction to Windows Patch Management - Page 3
Advances in Patch Management and What's Still to Come
These advancements in patch management have simplified the task of keeping a Windows environment secure. Although the release of Longhorn – and with it revolutionary changes in the area of patch management – is still a few years away, recent initiatives from Microsoft have brought meaningful improvements. For example, the number of patches that do not require a reboot has been steadily increasing.
The freely available QCHAIN.EXE program allows the combination of multiple hot fixes in a single batch (for details and caveats, refer to the Microsoft Knowledge Base article 296861). Microsoft's strategy of limiting updates to only individual patches has been abandoned, which resulted in the release of Security Update Rollup 1 for Windows XP in October 2003. This simplifies applying post-Windows XP SP1 patches to newly installed systems.
It is also expected that patches will soon be available in MSI format, which would eliminate the need to create customized packages in environments where Group Policy-based deployment is used. Perhaps one day Windows Update will even be offered as a Web Service, which would help developers create in-house patch deployment solutions based on .NET technology.
In general, patch management solutions use an approach very similar to inventory and deployment, although obviously implementation details vary. Inventory relies on an external database to establish what is considered to be a recommended patch level and provides criteria for validating whether a particular patch has been installed. Products from Microsoft and Shavlik Technologies (on which HFNetChk, MBSA, and SMS 2.0 Feature Pack are based), keep track of published patches on the Microsoft Web site using the same mechanism, based on an XML formatted file called mssecure.xml. This file, available centrally at predefined locations, serves as a template against which the status of updates on target systems is compared. mssecure.xml can be obtained directly or via its compressed, digitally signed version, mssecure.cab. Both files can be downloaded from:
- The Microsoft Web site at:
- The Shavlik.com Web site at:
You can open mssecure.xml in Internet Explorer and examine its content. Starting with version 5, the browser has a built-in XML parser. For older versions, install XML Parser v4, downloadable from http://msdn.microsoft.com/library/default.asp?url=/downloads/list/xmlgeneral.asp. Alternatively, you can use any other tool containing an XML parser (e.g., the freely downloadable XML Notepad).
mssecure.xml contains fairly detailed information about each patch, such as the target operating system version and service pack level, corresponding Microsoft Knowledge Base article and security bulletin reference number, affected product and service pack IDs, registry key to be created, file version, checksum and location, and reboot requirement.
In addition, an overwhelming majority of third-party companies maintain their own mechanisms for verifying whether a patch should be installed (through their own testing procedures) as well as for distributing approved patches. They might also employ custom validation algorithms to determine whether a patch has been successfully installed (Microsoft's and Shavlik Technologies' tools share the same algorithm).
The next article in this series will discuss these features.
Feature adapted from ServerWatch.