Overview
Operating systems include millions and millions of
lines of code, and it's impossible to predict how the code might be
exploited or fail to work in any given situation. Patching,
patching, patching, and more patching is the key to keeping your
systems running securely with full functionality. Administrators
around the world wake in the middle of the night from patching
nightmares. Up all day coddling users, up all night updating
operating systems and applications to close potential
vulnerabilities — when does an administrator get to sleep? In this
chapter, we review the following:
- Features of Microsoft Update
- Features of Windows Server Update Services
- Installation and configuration of Update Services

At least Microsoft has heard the cries in the night
and acted on them. Granted, the solution is not perfect, but it
sure makes life easier for administrators around the world.
Everyone now gets four to five hours of sleep per night instead of
two or three hours.
Patching is a hassle. Patching is a problem when
you have to get so many systems done and get them done quickly. But
patching is so important to maintaining the integrity of the
individual systems as well as maintaining the integrity of the
entire network. One unpatched system can wreak havoc around the
network and bring critical applications to a complete halt.
A bigger problem than deploying patches, however,
is falsely believing that a system is fully and properly patched.
This is an area where Microsoft has done a much better job in the
last couple of years. Just because the operating system has been
patched does not mean that the system is patched. It is important
to remember that there are other very vulnerable points of attack,
including Office applications and back office applications such as Exchange and SQL.
Patching Windows Server 2003 is not nearly good enough if that same
server is running SQL 2000 and the appropriate patches are not in
place to protect against Slammer or other common and devastating
virus infections. Patching SQL 2000 is not good enough if the
operating system is not fully patched. Patching SQL 2000 and the
operating system is not enough if the latest patch for Internet
Explorer is missed. All patches for all components must be in place
to properly protect the individual workstation or server, and all
workstations and servers need to be properly patched to protect
each other.
Windows Update, Office Update, and Software Update
Services were huge steps forward. Microsoft has taken the next very
large step forward by addressing the concern of all components
being scanned and patched at the same time by adding to these
components and combining their technologies. Windows Update has now
become Microsoft Update (MU), and Software Update Services has
evolved into Windows Server Update Services (WSUS).
There are many different patch management
applications and tools available on the market today. Many of them
are targeted at larger installations. When looking at the overall
market, Microsoft has positioned three products at three different
sizes of organizations:
- Microsoft Update is targeted toward individual users and small organizations.
- Windows Server Update Services is targeted to mid-sized organizations.
- Systems Management Server 2003 is targeted toward enterprise customers.

Microsoft Update hits that sweet spot and fills the
needs of the Small Office/Home Office (SOHO) marketplace as well
as individual users. Understanding Microsoft Update and its
capabilities is important even to large enterprise organizations as
they will often work very closely with smaller companies and
individual contractors who bring unique talents to joint projects.
It is important to know that there are options available to all
sizes of organizations.
The goal of this chapter is to help you understand
the requirements and benefits of installing MU and WSUS.