Patching Windows Security
Microsoft is preparing a series of updates that will tighten security on most of its software.
by Danielle Ruest and Nelson Ruest
Posted June 10, 2004
For This Solution: Windows Server 2003, Windows Server 2003 Service Pack 1, Windows XP Home and Professional, Windows XP Service Pack 2, Windows Update Services (Software Update Services 2.0), Windows Update Web site, Windows Installer 3.0
Editor's Note: This article is based on prerelease versions of all of the components discussed here. It is possible that the behavior of final released versions may differ from the descriptions included herein.
When Scott Charney took the chief security strategist position at Microsoft, his first job was talking to enterprise users. "Patch management was their biggest concern," Charney said. "I started looking at it, and I realized patch management is broken. I went to the next step, which is to figure out why it's broken. It's not enough to say it's broken; you need to understand it." According to Charney, Microsoft uses eight different technologies for patching its products.
It surprised no one when, in his keynote address at TechEd 2003, Microsoft's premier conference for system administrators and developers, Charney said, "We need to do better at securing our products."
A bit more than a year later, Microsoft is on the verge of rolling out a series of tools that will go a long way toward fixing its "broken" patch management tools. These include:
- Service Pack 2 (SP2) for Windows XP.
- Service Pack 1 (SP1) for Windows Server 2003.
- Windows Update Services, a new patch management and update technology. (This is actually Software Update Services 2.0.)
- A new edition of the Windows Update Web site.
- Windows Installer 3.0, a core tool that will help make it all work together.
In Microsoft-speak, "service packs" are no-cost, essential collections of bug fixes and improvements to the basic components of the operating system. However, for both new service packs, Microsoft's focus this time is on security almost exclusively.
It will have taken Microsoft more than 18 months to prepare the first service pack for Windows Server 2003—so much for the fence-sitters who wait for a first service pack before deploying the technology. For conservative system administrators, the wait has been interminable.
Meanwhile, other system administrators have deployed Windows Server 2003 without waiting for the service pack because Windows Server 2003 is Microsoft's most secure operating system to date. Whether or not you've deployed Windows Server 2003, the wait will have been worth it.
Windows Server 2003 SP1 includes a new tool called the Security Configuration Wizard, or SCW (see Figure 1). This wizard provides a comprehensive overview of the status of a current system and helps you determine how to lock down your servers further. Though this isn't the first tool to help lock down systems—Microsoft has provided the Security Configuration and Analysis, or secedit, tool since Windows 2000—it does provide unique capabilities. The SCW can be used to capture security settings from a standard system, edit an existing policy, apply captured settings to a local or remote computer, or roll back security settings to their original settings.