Brian Dejno, Systems Security Professional
On June 6, 2005, Microsoft released its second attempt at a centralized patch management solution. After many gripes and gasps, it appears that Microsoft may have gotten it right this time. Relying heavily on feedback from users of SUS, Microsoft’s first entry into the patch management realm, Microsoft has hit a home run with Windows Software Update Services (WSUS). User complaints generally ranged from lack of reporting and client visibility to a limited number of supported patches and high bandwidth requirements. In order to address these issues, Microsoft leveraged technologies already incorporated within Windows clients, such as Background Intelligent Transfer Service (BITS), added enhanced Group Policy control and increased product coverage, and increased the amount of client information stored on the server.
The most common complaint about SUS was the lack of reporting and visibility into the performance of the patch management system. While Microsoft did offer separate solutions for small businesses, such as the Hfnetchk command line utility and the Microsoft Baseline Security Analyzer, there was no effective way to see the Windows clients as a whole and simply no way to see which computers were missing a particular patch. To remedy this problem, WSUS uses a backend system leveraging a SQL database to track which patches have and have not been approved, which patches have been successfully deployed to which systems (and which have failed), and how you would like to group your computers.
To address the problems with bandwidth, Microsoft made two changes. The first change is in what information is downloaded to the WSUS servers.
With SUS, a new server installation required a massive initial synchronization which downloaded all published patches from the Windows Update Site. WSUS can now be configured to download the patch metadata (simple text files that contain specific information about the patch and what types of systems it applies) and only download patches once they are approved for install.
WSUS also introduces the notion of a replica server to help curb bandwidth requirements and ease management. Replica servers act in a parent-child relationship sharing metadata, approved patch files, and group information.
The second change is in how the information is downloaded. WSUS and its managed computers rely on the latest BITS client, which allows for recovery in the case of download interruption and minimizes the impact on bandwidth to download patches in the background.
Increased Patch Coverage and Control
Microsoft’s first attempt at a patch management system was nothing more than a critical update storage center. The SUS system only managed Windows critical updates and did not include any other Microsoft products. WSUS now supports updates for Windows, Office, Exchange Server and SQL Server, with the option to add additional product support over time. In addition to the changes in the supported product base, administrators now have control over which computers receive certain updates.
In the past, with SUS, update deployment was an all or nothing deal; either all computers received the update or none at all. With WSUS, Microsoft has introduced client grouping capabilities allowing administrators to target specific groups of computers for specific updates. Another new feature that Microsoft has incorporated into WSUS is the ability to establish deadlines for the installation of patches. When approving an update, an administrator can set a deadline which will force clients to install the update if it is past the scheduled date.
Microsoft has definitely taken giant steps in the right direction with the release of WSUS. Even with all of the changes that have been made, Microsoft has also left its development open for future customization and capabilities by introducing an Application Programming Interface (API) used to access all of the data contained in the WSUS SQL database.
Is It Right for You?
Even with all of the changes in WSUS, it is not the silver bullet of patch management. So, what is the best patch management solution for your organization? It really comes down to a matter of control. When comparing WSUS with other commercial products such as Shavlik’s HfnetchkPro, PatchLink, and GFI Network Security Scanner, one sees a glaring difference in how the updates are deployed to the network.
Microsoft’s patch management programs, both SUS and WSUS, are considered to work on a “pull” technology, working primarily in a passive manner by simply providing a data warehouse and up-to-date inventory for clients to download/pull an approved update from. The management of updates is very “hands-off” and generally works behind the scenes. Once the system is set up (i.e. software and group policies configured) the administrator only has to approve updates to have them distributed throughout the organization. Each client computer will periodically check in with the update server to determine if it is missing any updates. If the client computer is missing updates, it will download the updates from the server and eventually install the updates. The schedule of the installation is controlled via a group policy and can be configured to install immediately, schedule an install, or notify an administrative user that updates are ready to be installed.
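The pull model described above is driven entirely by the policy the client receives; everything the administrator controls (which server to pull from, which group the machine belongs to, and whether installs happen immediately, on a schedule, or after notifying a user) ends up as values under the Windows Update policy registry keys. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads those keys on a client and prints what the client will actually do, so a defender can verify that a machine is really pointed at the internal server and that the install behaviour matches what was intended. The registry paths and value names are the standard ones written by the "Configure Automatic Updates" and "Specify intranet Microsoft update service location" policies; the plain-http warning at the end is this example's own check, not something the article discusses.

```powershell
# Added example (not from the article): audit the Windows Update policy keys that
# Group Policy writes on a WSUS-managed client and describe them in plain language.
# Run in an elevated PowerShell session on the client being checked.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

if (-not $policy -or -not $au) {
    Write-Output 'No WSUS policy found: this client is not pointed at an internal update server.'
    return
}

# Meaning of the AUOptions values set by the "Configure Automatic Updates" policy
$auOptionNames = @{
    2 = 'Notify before download (nothing is installed automatically)'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow the local administrator to choose the setting'
}
# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
$dayNames = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

$report = [pscustomobject]@{
    UpdateServer       = $policy.WUServer
    StatusServer       = $policy.WUStatusServer          # where the client reports results
    UsesInternalServer = ($au.UseWUServer -eq 1)
    InstallBehaviour   = $auOptionNames[[int]$au.AUOptions]
    ScheduledDay       = if ($au.AUOptions -eq 4) { $dayNames[[int]$au.ScheduledInstallDay] } else { 'n/a' }
    ScheduledHour      = if ($au.AUOptions -eq 4) { $au.ScheduledInstallTime } else { 'n/a' }
    TargetGroup        = if ($policy.TargetGroupEnabled -eq 1) { $policy.TargetGroup } else { '(server-side targeting)' }
    DetectionHours     = if ($au.DetectionFrequencyEnabled -eq 1) { $au.DetectionFrequency } else { '22 (default, randomized)' }
    AutoUpdateDisabled = ($au.NoAutoUpdate -eq 1)
}
$report | Format-List

# Defender's checks: a disabled client or one left to the local admin will silently
# drift out of the patch cycle, and a plain-http server URL leaves the metadata and
# status reports unprotected in transit (the update files themselves are signed).
if ($report.AutoUpdateDisabled -or $au.AUOptions -eq 5) {
    Write-Warning 'Automatic Updates is disabled or left to the local administrator; this client may never pull approved updates.'
}
if ($report.UsesInternalServer -and $report.UpdateServer -notmatch '^https://') {
    Write-Warning "Update server $($report.UpdateServer) is reached over plain http; consider enabling SSL on the WSUS server."
}
```

Running this on a few representative clients after the Group Policy is deployed is the quickest way to confirm that the "hands-off" pull model is actually configured the way the administrator believes it is.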
Most other commercial products work with a “push” technology and implementation, which allows for more control and instant feedback on patch distribution. By working with a push model, an administrator is able to say, “I want to install these patches, to these systems, right now.” This is a comment that you would never hear from a WSUS administrator’s mouth. Commercial products will also vary in their requirements for additional software to be loaded on the workstations. Products that require agents to be installed on the workstation will increase setup time, but give you better client management and reporting in the long run.
The last advantage that will be covered here is a more robust reporting capability. While WSUS has increased the amount of reporting possible, it in no way compares to the reports that can be generated by commercial products right out of the box. Also, commercial reporting is generally more instantaneous than WSUS because they usually poll constantly during the process and immediately following the installation. WSUS servers wait for the clients to report back to them, which doesn’t always occur in a timely manner. As you can see, these commercial products offer a great deal more in the categories of control and visibility into the patch management system.
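The reporting weakness described here, and the API mentioned earlier, are two sides of the same data: the WSUS database only knows what each client last reported, so a report of "missing updates" is only as fresh as the client's last check-in. The following PowerShell script is an added example, not code from the article or from Microsoft, showing how the WSUS administration API can be used to list, per computer, how many approved updates are still not installed or have failed, alongside when that computer last reported, so that stale clients are visible instead of hidden inside an optimistic number. It assumes the WSUS console (which carries the Microsoft.UpdateServices.Administration assembly) is installed where it runs and that the account is a WSUS administrator; the server name, port, and the seven-day staleness threshold are assumptions chosen for the example, and the method and enum names are used as I understand the API rather than taken from the article.

```powershell
# Added example (not from the article): report, per WSUS client, the number of
# approved updates still missing or failed, and flag clients whose last status
# report is too old for that number to be trusted.
param(
    [string]$WsusServer    = 'localhost',   # assumed server name
    [int]   $Port          = 8530,          # default non-SSL WSUS port
    [int]   $StaleAfterDays = 7             # assumed threshold, not a Microsoft value
)

# The administration API ships with the WSUS console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)

# Only count updates an administrator has actually approved, in the states that
# mean "the client should have this but does not".
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$scope.IncludedInstallationStates =
    [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled -bor
    [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::Failed

$staleBefore = (Get-Date).AddDays(-$StaleAfterDays)

$rows = foreach ($computer in $wsus.GetComputerTargets()) {
    # The server only knows what the client last told it: if this timestamp is
    # old, the "missing" count below is the client's old picture, not today's.
    $stale   = $computer.LastReportedStatusTime -lt $staleBefore
    $missing = @($computer.GetUpdateInstallationInfoPerUpdate($scope))

    [pscustomobject]@{
        Computer     = $computer.FullDomainName
        LastReported = $computer.LastReportedStatusTime
        StaleReport  = $stale
        Missing      = @($missing | Where-Object { $_.UpdateInstallationState -eq 'NotInstalled' }).Count
        Failed       = @($missing | Where-Object { $_.UpdateInstallationState -eq 'Failed' }).Count
    }
}

# Stale clients first, then the clients with the most outstanding work.
$rows | Sort-Object -Property @{Expression='StaleReport'; Descending=$true}, @{Expression='Missing'; Descending=$true} |
    Format-Table -AutoSize

$staleCount = @($rows | Where-Object { $_.StaleReport }).Count
if ($staleCount -gt 0) {
    Write-Warning "$staleCount client(s) have not reported in $StaleAfterDays days; their counts cannot be trusted."
}
```

The point of the StaleReport column is exactly the caveat in the paragraph above: a push-based product polls the client during and after the install, whereas WSUS waits to be told, so any WSUS report should carry the age of the data it is built from.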
So which one is right for you? Unfortunately, only you can answer that one, but hopefully this article has shed some light on the differences in how “the Microsoft Way” and “the other way” patch management products out on the market function and distribute patches.
- Microsoft Windows Software Update Services – http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
- Shavlik HfnetchkPro – http://www.shavlik.com/hfnetchk-windows.aspx
- Patchlink Update – http://www.patchlink.com/products_services/patchlink_update.html
- GFiLANguard – http://www.gfi.com/lannetscan/