Managing Patches


Microsoft is taking a proactive approach in maintaining reliability and availability with Windows Server 2003 by establishing measures to help you keep up to date with the latest service packs and updates.

Anyone who has administered a Windows system is aware of the importance of keeping up to date with the latest bug fixes, performance improvements, and security updates. Service packs and updates are intended to ensure optimal performance, reliability, and stability. Updates are individual patches, whereas a service pack bundles many of these updates into a single, tested upgrade. Service packs don't contain new features; only core enhancements and bug fixes are included, which makes a service pack more robust and less likely to cost you reliability or availability.

Service packs also contain the following benefits:

  • They detect the encryption level already installed on the system (such as 56-bit or 128-bit) and preserve it rather than downgrading it.

  • They usually don't have to be reapplied after you install a system component or service.

Updates (also called hotfixes) are Microsoft's answer to quick, reliable fixes. They are convenient because you don't have to wait for the next service pack to get a problem fixed. An update usually addresses a single problem. Update packages now contain built-in version checks so that installing one never replaces a file on the system with an older version of that file.

You can install an update unattended from a command line. Older hotfixes shipped with the hotfix.exe installer; Windows Server 2003 update packages are self-extracting executables built around update.exe, which accepts switches such as /quiet (no user interaction), /passive (progress bar only), /norestart, and /uninstall. Update.exe returns exit code 0 on success and 3010 when the update is installed but a reboot is still required, which is what a deployment script should check before deciding whether to restart the server.
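The following script is an added example, not code from the book: it installs every update package found in a staging folder unattended using the update.exe switches above, refuses packages whose Authenticode signature does not verify, distinguishes exit code 3010 (reboot pending) from a real failure, and then lists what the system reports as installed. The staging folder path is an assumption; run it from an elevated PowerShell prompt on the target server.

```powershell
# Added example (not from the book): unattended installation of Windows
# Server 2003 update packages with update.exe switches, followed by a
# verification pass. C:\Patches is a hypothetical staging folder.
$StagingFolder = 'C:\Patches'   # assumption: tested packages are copied here
$RebootNeeded  = $false

foreach ($pkg in Get-ChildItem -Path $StagingFolder -Filter *.exe) {
    # Refuse to run anything that is not signed and verifiable; genuine
    # Microsoft update packages carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $pkg.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping $($pkg.Name): signature status is $($sig.Status)"
        continue
    }

    # /quiet     - no UI, no prompts
    # /norestart - never reboot from inside the installer; we decide later
    $proc = Start-Process -FilePath $pkg.FullName `
                          -ArgumentList '/quiet', '/norestart' `
                          -Wait -PassThru

    switch ($proc.ExitCode) {
        0    { Write-Host "$($pkg.Name): installed" }
        3010 { Write-Host "$($pkg.Name): installed, reboot required"; $RebootNeeded = $true }
        default { Write-Warning "$($pkg.Name): failed with exit code $($proc.ExitCode)" }
    }
}

# Verification: Get-HotFix reads Win32_QuickFixEngineering, the same
# data Add or Remove Programs shows with "Show updates" checked.
Get-HotFix | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize

if ($RebootNeeded) {
    Write-Host 'One or more updates need a reboot to finish installing.'
}
```

Installing from a staging folder rather than straight from the download means the packages you run are exactly the ones you tested; the signature check is cheap insurance against a tampered or corrupted copy landing in that folder.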

Automating Patch Management

Various patch automation solutions exist for the Windows Server 2003 network environment. All of them strive to keep you up to date with the latest service packs and updates without large administrative overhead.

Two of these solutions are provided by Microsoft. The first is Windows Update with the Automatic Updates service, and the other is Software Update Services (described next).

Windows Update is a Web-based service that uses ActiveX controls to scan a system and determine whether any patches, critical updates, or product updates are available and should be installed. It presents a convenient and easy way to keep a single system up to date. The downside is that someone still has to visit the Windows Update Web site (http://windowsupdate.microsoft.com/) on each system and select which components to download and install, and the process gives you little control over which updates are applied to your clients and servers, or when.

Windows Automatic Update

As you can probably already tell, Windows Update with the Automatic Updates service can benefit a Windows network environment, but it's not true patch automation. Each system still fetches its updates directly from Microsoft and decides on its own, so users or administrators still need to tend to each machine. This method has a few other limitations as well: it doesn't allow you to save an update to disk to install later, there is no mechanism to distribute an update to other systems, and there is no administrative control over which updates are applied to the Windows systems across the organization's network.

Windows Software Update Services (SUS) is a logical extension of Windows Update that solves the automation problem while giving the organization's IT personnel a greater level of control. It is a tool designed specifically for managing and distributing Windows service packs and updates to Windows 2000 and later systems. Clients are normally configured through Group Policy in an AD environment, but the same Automatic Updates settings can be applied through the registry on systems that are not domain members.

Software Update Services consists of a server (Windows 2000 Server SP2 or later, or Windows Server 2003, running IIS) and the Automatic Updates client on each managed system. The book suggests placing the server in a DMZ so that it, rather than an internal server, is the machine talking to the Internet; keep in mind that every managed client must then reach it over HTTP from the internal network, which requires the corresponding firewall rules, and that an intranet placement is often simpler. The update server synchronizes with Microsoft's public Windows Update Web site at scheduled intervals and saves the packages to disk. Administrators can then test the service packs and updates before approving them for distribution. What happens next depends on how the SUS server and its clients are configured. Automatic Updates is a pull mechanism: the client, typically configured through a Group Policy Object (GPO), polls the SUS server on its schedule and downloads and installs only the updates that have been approved; nothing is pushed from the server. Alternatively, administrators can retrieve approved packages from the intranet server and apply them by hand, or additional SUS servers can synchronize from the first one and serve the clients in their own part of the network. The last option is especially useful to larger companies and organizations because it distributes the workload so that a single server isn't serving every system.
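The registry values below are what the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" Group Policy settings write on a client; the script is an added example, not code from the book, and applies them directly so that a lab machine outside Active Directory can be pointed at a SUS server, reads them back to confirm, and then asks the client to detect immediately instead of waiting for its next scheduled poll. The server URL is an assumption; on domain members, set the same options in a GPO rather than editing the registry by hand.

```powershell
# Added example (not from the book): point the Automatic Updates client at an
# internal SUS server by writing the policy values a GPO would set, then
# verify them. The SUS server URL is hypothetical.
$SusServer = 'http://sus01.corp.example'   # assumption: internal SUS server
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU   = "$Base\AU"

foreach ($key in $Base, $AU) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where approved updates are fetched from, and where install status is reported
Set-ItemProperty -Path $Base -Name WUServer       -Value $SusServer -Type String
Set-ItemProperty -Path $Base -Name WUStatusServer -Value $SusServer -Type String

# Use the intranet server instead of windowsupdate.microsoft.com
Set-ItemProperty -Path $AU -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $AU -Name NoAutoUpdate -Value 0 -Type DWord
# AUOptions: 2 = notify before download, 3 = download and notify before
# install, 4 = download and install on the schedule below
Set-ItemProperty -Path $AU -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $AU -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day, 1 = Sunday ... 7 = Saturday
Set-ItemProperty -Path $AU -Name ScheduledInstallTime -Value 3 -Type DWord  # 03:00 local time

# Read the values back and fail loudly if the client is not really redirected;
# a machine that silently falls back to Microsoft bypasses your approval step.
$cfg = Get-ItemProperty -Path $Base
$au  = Get-ItemProperty -Path $AU
if ($au.UseWUServer -ne 1 -or $cfg.WUServer -ne $SusServer) {
    throw 'Automatic Updates is not pointed at the SUS server'
}
if ($cfg.WUServer -notmatch '^https://') {
    Write-Warning ('Client-to-server traffic is plain HTTP. The update binaries are ' +
                   'Authenticode-signed and checked by the client, but the rest of the ' +
                   'exchange is unencrypted; consider enabling SSL on the SUS site.')
}

# Trigger detection now instead of waiting for the next scheduled check
# (roughly every 22 hours by default).
wuauclt.exe /detectnow
```

The read-back check matters more than it looks: UseWUServer is the value that actually redirects the client, and a policy that sets WUServer without it leaves the machine pulling whatever Microsoft publishes, approved or not.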

Other benefits to using Software Update Services stem from the following management capabilities:

  • Software Update Services can be managed from a Web-based interface using Internet Explorer 5.5 or higher.

  • Synchronization and the content approval process are audited and logged, so you can see who approved which update and when.

  • Statistics about update downloads and installations are kept.

Tip

For even more granular control and manageability over patch management automation, such as enhanced reporting functionality, evaluate Systems Management Server or a third-party product.


Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499