Manage Security Patches
Take control of the delivery and distribution of security patches within your network.
by Danielle Ruest and Nelson Ruest
Posted November 20, 2003
For This Solution: Windows Server 2003, Windows 2000 Server or Professional, Windows XP Professional, Microsoft Security Update Services, Microsoft Baseline Security Analyzer
Q: The recent flurry of security threats against various Microsoft products has us scrambling to try to keep our servers and workstations up-to-date. Do you have any recommendations on how we can facilitate this process? It seems a bit overwhelming.
—Nancy, Tampa Bay, Fla.
A: Danielle: You're right, Nancy; patch management is a lot of work. In fact, it forces us to rethink our deployment strategies, because when we receive a critical warning of a security flaw and an accompanying patch, we pretty well have to deploy it right away. Just look at the MSBlaster worm. That worm came out a little more than a month after the Microsoft warning and security patch release, so it is easy to understand why people were caught by it. Before the storm of security patches and associated threats we've seen recently, Nelson and I advocated a four-month schedule for service pack and hotfix update deployment within most networks. This gave you a lot of time to collect, test, and aggregate the patches you needed to deploy. Of course, we also provided our customers with an emergency deployment process that could be used when the circumstances were dire enough. But what we're seeing now is that the emergency mode is becoming the norm, whereas the standard schedule is sometimes being dropped altogether.
There is no doubt: Security patches are a fact of life in any computing environment. You can limit their impact if your operating systems are designed properly and your servers run only the required services to support their role, but you still need to be prepared for emergencies. The first thing you need to do is be informed. Microsoft offers e-mail notification for security bulletins (see Resources). You should also subscribe to third-party security newsletters because they sometimes know about vulnerabilities before Microsoft does. Two excellent sources for this type of information are the SANS Institute and the CERT Coordination Center (CERT/CC). Not only will these bulletins help you know when patches are critical, but the third-party bulletins will also cover non-Microsoft technologies.
Now that you're informed, you'll need to do two more things to control patch distribution in your network. Of course, you could acquire one of the many excellent commercial patch-management technologies that are on the market, such as those provided by Altiris, Shavlik Technologies, ManageSoft, or Ecora, to name a few (see Resources). But if you don't want or can't afford a commercial product, you can use two free utilities from Microsoft: the Microsoft Baseline Security Analyzer (MBSA) and Software Update Services (SUS). Both are available from Microsoft's downloads Web site (see Resources). The first one scans systems for security failures and proper security patches, and the second deploys security patches to operating systems. Unfortunately, though MBSA works with a whole variety of products such as the operating system, Internet Explorer, Office, and SQL Server, SUS only works with operating systems. Microsoft is currently working on consolidating its patch-management technologies and delivery process. A new version of the Windows Installer service is in the works (version 3.0) as well as a new structure for all patches, including standardized naming, documentation, testing, and deployment strategies. Meanwhile, you'll still need to work with both SUS and MBSA. I'll let Nelson tell you how.
Nelson: Thanks, Danielle. The first thing you need to do, Nancy, is know your systems. Fortunately, MBSA does a great job of this and it is easy to use. One important note: you'll need MBSA version 1.1.1 or later to scan servers running Windows Server 2003. MBSA is also easy to install because it ships as a Windows Installer file. You'll need administrative rights on the system where you install it. This can be your own workstation, so long as you have network access to all the systems you want to scan. From its main window you can scan a single computer, scan multiple computers (by domain or by IP address range, so it will even cover whole network segments), or review saved scan reports. In addition, MBSA downloads an updated scan database from the Microsoft Web site every time it runs.
To scan a system, do the following:
- Launch MBSA (Start Menu | All Programs | Microsoft Baseline Security Analyzer).
- Select Scan a computer.
- Use either the computer name or its IP address (or address range) and select the options you want to use in the scan. Click Start scan (see Figure 1).
- View the report in the MBSA details pane when the scan is complete. The report is automatically saved, named with the domain name, computer name, and date, in the %UserProfile%\Security Scans folder (that is, under your profile directory in Documents and Settings).
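The same scan can be run unattended across a list of machines, which is what you want right after a critical bulletin. The batch file below is an added example, not part of the original column; it drives MBSA's command-line client (mbsacli.exe, installed alongside the GUI) and assumes the MBSA 1.x switches as recalled here (/c DOMAIN\COMPUTER to pick a host, /n to skip a check, /qp to hide progress output, /l and /e to list reports and errors), so confirm them with mbsacli /? on your installed version.

```batch
@echo off
rem Added example (not from the original column): sweep a list of hosts with
rem mbsacli.exe so the scan described above runs without clicking through the GUI.
rem Switch names are an assumption based on the MBSA 1.x command-line reference;
rem verify with "mbsacli /?" before relying on them.
setlocal

rem Default MBSA 1.x install folder (assumption; adjust to your install path).
set MBSA_DIR=C:\Program Files\Microsoft Baseline Security Analyzer
set MBSACLI="%MBSA_DIR%\mbsacli.exe"

if not exist %MBSACLI% (
    echo mbsacli.exe not found under "%MBSA_DIR%". Install MBSA first.
    exit /b 1
)

rem Constructed sample host list in the DOMAIN\COMPUTER form that /c expects.
rem Replace with your own servers and workstations (one entry per word).
for %%H in (CORP\SRV-FILE01 CORP\SRV-SQL01 CORP\WKS-NANCY) do call :scan %%H

rem Reports land in %UserProfile%\Security Scans just like a GUI scan;
rem list what was saved and surface any hosts the last scan could not reach.
echo.
echo Saved reports:
%MBSACLI% /l
echo.
echo Errors from the latest scan (unreachable hosts, access denied, etc.):
%MBSACLI% /e
endlocal
exit /b 0

:scan
rem One host per call. /n Password skips the weak-password check so the sweep
rem concentrates on missing updates and configuration findings; /qp suppresses
rem the progress indicator, which only clutters a scripted run.
echo Scanning %1 ...
%MBSACLI% /c %1 /n Password /qp
goto :eof
```

Run it from an account with administrative rights on every listed host, then open the individual reports in the MBSA GUI (Pick a security report to view) to read the findings.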