April 2004

Unreasonable Expectations

The patching process is full of holes

I think I speak for most network administrators when I say that we need help from Microsoft to fix the patching problem. Over the past year, we've been fortunate because advance warnings preceded most exploits, so we knew they were coming. Nevertheless, keeping systems up to date takes too darned much time.

Pointing Fingers
I know that many people place the blame for recent virus epidemics on the network administrator's head. Being an overly busy network administrator myself, I'm not one of those laying blame. But I hear what those people are saying, and they have some good points. In their view, the network administrator's job is to keep up with security advisories and make sure that all relevant patches are applied on all systems. I don't disagree with that—when you concentrate on viruses, those expectations seem to make sense.

However, you can't simply ignore administrators' other responsibilities. Some large companies have staff dedicated to keeping up with patches, but many small and midsized organizations don't. In small companies, the network administrator often performs almost every computer-related function from adding users and fielding Help desk questions to adding hard drives. Those administrators don't have enough hours in their day to keep up with patches on all the systems in their network as well as do the things that they need to do to address their company's computer-related needs.

Current Solutions
All the current update processes have their problems. Microsoft's Automatic Updates service certainly isn't the answer. Automatic Updates doesn't let you test patches before you apply them, and it's unpredictable—recently, I've seen some cases in which Automatic Updates crashed the system it was running on, requiring a complete restore. And if you've had Automatic Updates turned on for a while, you've likely been unpleasantly surprised at just how much disk space it can consume.

Microsoft Software Update Services (SUS) is far better in that it can at least let you control the flow of patches to your networked systems. However, you still have to deal with massive numbers of patches and determine which ones your environment needs. Microsoft Systems Management Server (SMS), another option, is too costly and complex for small organizations such as mine.

Changing Course
I think the virus epidemic stems from two sources. First, Microsoft products, especially the OSs, have become feature laden, and every feature of a network OS broadens the potential attack area. Second, over the years, Microsoft has created an unfriendly image that, in combination with the company's dominant market position, has had the effect of painting a big bull's-eye on Microsoft products. The problem isn't with code quality, though—I want to be clear about that. I've seen Microsoft's build process, and I know the code quality is good.

Rather, I think the problem from the administrator's standpoint is in the patching process. Basically, Microsoft produces too many patches for too many products too quickly for the process to be manageable. The Trustworthy Computing initiative notwithstanding, the patching problem is as bad as it's ever been. You have to patch not only multiple versions of different Windows Server products but also multiple versions of client OSs and other server products, such as Microsoft Exchange Server and Microsoft SQL Server, not to mention Microsoft Office.

Microsoft is keenly aware of the patching problem that network administrators face today, and the company is moving to plug some of those gaping holes with its new Windows Update Services (WUS). Windows Update Services is a replacement for SUS. While WUS won't stop the flow of product patches that's coming out of Microsoft, its subscription-based setup promises to make the patching process more manageable.

While WUS promises to revamp the patching process for Microsoft products, one thing that Microsoft absolutely needs to do is make sure that this solution applies to older products such as Windows 2000, Exchange 5.5, and SQL Server 7.0, in addition to newer products such as Windows XP and Windows Server 2003. Fixing the patching process for the existing systems is far more "trustworthy" than using manageability as a carrot to entice users to upgrade products they've already purchased.

Reader Comments
Great article. You certainly speak for this administrator. I have too much to do to upgrade an entire branch to worry about patching. And SUS has been a big letdown for me. After reading all the MS documentation and white papers covering installation and implementation, there's still something I'm missing, as I have not been able to get it to work. So we're still at manually patching, touching each and every workstation. I guess it can only get better from here; it certainly can't get any worse! :-)

pameladg March 31, 2004


Just a quick note: I found the article interesting, but I seem to want to point out that you did not mention the Baseline Security Analyzer, which already does SQL, Exchange, and others. Also, if you read into MS patching, you'll see that they are combining all the technologies into two pieces, update.exe and MSI. Once the conversion is done and we move to WUS, we should have a better solution. I am not quite sure if it will be as we may need or expect, but I do believe that at least WUS will combine SUS and MBSA. At least this way we can do all the OSs and most layered products....

Daniel Gagnon April 06, 2004


At this point I'd be happy with two immediate changes. First, why don't they make all patches respond to the same command-line switches? Second, why don't they rebundle the security rollup every time a critical patch is issued and make it work like the SP1 express update, so that it applies only the patches needed on that system? That way we could slipstream (or run via command line) one patch and know that in the running of this cumulative security update, we are covering all the bases.

Mike April 07, 2004


There are several good points in this article. However, we can broaden the scope of the problem by mentioning the fact that many systems are running 3rd-party software built for Microsoft products. These products often use code that compiles correctly but uses less than desirable techniques. Microsoft's patches very often break major functions in these products. Other products are written well, but MS patches introduce severe regression problems. Most of these systems are integrated with other systems, which can create cascades of problems. Sometimes they are Microsoft's fault and other times the 3rd party's. Unless the small-to-medium company has a comprehensively complex lab, these will never be discovered until two days after the patches are rolled out, and there is no return.

Any patch can cost you your job, but no patch will enhance it. It is a classic lose-lose (Patch-If-You-Do, Patch-If-You-Don't) proposition. This is essentially the same old problem (DLL hell) in a different guise. What is needed is a completely different philosophy.

On the one hand, Microsoft cannot predict the future any better than the rest of us. On the other hand, Win2k did not make my life any better, and based on the whitepapers, neither will 2003 or Longhorn. While Microsoft understands my current pain, they don't understand what I want in a future OS. They are busy pushing an agenda that increasingly diverges from my vision. I don't hate Microsoft, but in spite of the great Office XP ads now running, I think they are increasingly irrelevant in getting actual work done.

mjones April 07, 2004


More details about how SUS crashed a system would have been good when making a claim like that. Such a blanket statement without details does not give those that use SUS the kind of info needed to avoid such a scenario.

Bill Weiss April 07, 2004


The flood of patches had me looking at alternatives too. I looked at a few of the alternatives but couldn't beat the free SUS product for this task. What I'd like to see is a tighter connection between MBSA and SUS. Maybe a merger of these two products would be nice - but wait, isn't that what Shavlik is all about? :)

Ken Richmond April 19, 2004


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.