Operating systems include millions and millions of lines of code, and it's impossible to predict how the code might be exploited or fail to work in any given situation. Patching, patching, patching, and more patching is the key to keeping your systems running securely with full functionality. Administrators around the world wake in the middle of the night from patching nightmares. Up all day coddling users, up all night updating operating systems and applications to close potential vulnerabilities — when does an administrator get to sleep? In this chapter, we review the following:
Features of Microsoft Update
Features of Windows Server Update Services
Installation and configuration of Update Services
At least Microsoft has heard the cries in the night and acted on them. Granted, the solution is not perfect, but it sure makes life easier for administrators around the world. Everyone now gets four to five hours of sleep per night instead of two or three hours.
Patching is a hassle. It becomes a real problem when you have many systems to patch and have to get them done quickly. But patching is essential to maintaining the integrity of the individual systems as well as the integrity of the entire network. One unpatched system can wreak havoc around the network and bring critical applications to a complete halt.
A bigger problem than deploying patches, however, is falsely believing that a system is fully and properly patched. This is an area where Microsoft has done a much better job in the last couple of years. Just because the operating system has been patched does not mean that the system is patched. It is important to remember that there are other very vulnerable points of attack including Office applications and back office applications such as Exchange and SQL. Patching Windows Server 2003 is not nearly good enough if that same server is running SQL 2000 and the appropriate patches are not in place to protect against Slammer or other common and devastating virus infections. Patching SQL 2000 is not good enough if the operating system is not fully patched. Patching SQL 2000 and the operating system is not enough if the latest patch for Internet Explorer is missed. All patches for all components must be in place to properly protect the individual workstation or server, and all workstations and servers need to be properly patched to protect each other.
Windows Update, Office Update, and Software Update Services were huge steps forward. Microsoft has taken the next very large step forward by adding to these components and combining their technologies, which addresses the concern of having all components scanned and patched at the same time. Windows Update has now become Microsoft Update (MU), and Software Update Services has evolved into Windows Server Update Services (WSUS).
There are many different patch management applications and tools available on the market today. Many of them are targeted at larger installations. Looking at the overall market, Microsoft has positioned three products for three different sizes of organization:
Microsoft Update is targeted toward individual users and small organizations.
Windows Server Update Services is targeted to mid-sized organizations.
Systems Management Server 2003 is targeted toward enterprise customers.
Microsoft Update hits that sweet spot and fills the needs of the Small Office/Home Office (SOHO) marketplace as well as individual users. Understanding Microsoft Update and its capabilities is important even to large enterprise organizations, as they will often work very closely with smaller companies and individual contractors that bring unique talents to joint projects. It is important to know that there are options available to all sizes of organizations.
The goal of this chapter is to help you understand the requirements and benefits of installing MU and WSUS.