April 2004

Unreasonable Expectations

The patching process is full of holes

I think I speak for most network administrators when I say that we need help from Microsoft to fix the patching problem. Over the past year, we've been fortunate because advance warnings preceded most exploits, so we knew they were coming. Nevertheless, keeping systems up-to-date takes too darned much time.

Pointing Fingers
I know that many people place the blame for recent virus epidemics on the network administrator's head. Being an overly busy network administrator myself, I'm not one of those laying blame. But I hear what those people are saying, and they have some good points. In their view, the network administrator's job is to keep up with security advisories and make sure that all relevant patches are applied on all systems. I don't disagree with that—when you concentrate on viruses, those expectations seem to make sense.

However, you can't simply ignore administrators' other responsibilities. Some large companies have staff dedicated to keeping up with patches, but many small and midsized organizations don't. In small companies, the network administrator often performs almost every computer-related function, from adding users and fielding Help desk questions to adding hard drives. Those administrators don't have enough hours in the day to keep up with patches on every system in the network and still meet the rest of their company's computing needs.

Current Solutions
All the current update processes have their problems. Microsoft's Automatic Updates service certainly isn't the answer. Automatic Updates doesn't let you test patches before you apply them, and it's unpredictable—recently, I've seen some cases in which Automatic Updates crashed the system it was running on, requiring a complete restore. And if you've had Automatic Updates turned on for a while, you've likely been unpleasantly surprised at just how much disk space it can consume.

Microsoft Software Update Services (SUS) is far better in that it can at least let you control the flow of patches to your networked systems. However, you still have to deal with massive numbers of patches and determine which ones your environment needs. Microsoft Systems Management Server (SMS), another option, is too costly and complex for small organizations such as mine.
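Whatever distribution mechanism you settle on, the question the paragraph above leaves open is "which of the patches we decided we need are actually on each box?" The script below is an added example, not code from the article or from Microsoft; it assumes a current Windows PowerShell with administrative rights on the target machines, and the KB numbers and host names in it are placeholders to be replaced with your own. It reads the same Win32_QuickFixEngineering data that Get-HotFix exposes and reports, per computer, the required updates that are missing.

```powershell
# Added example (not from the article): report which required hotfixes are
# missing from a list of computers. KB IDs and host names are placeholders.

function Get-MissingHotFix {
    <#
    .SYNOPSIS
    Returns the required hotfix IDs that are not installed on one computer.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $RequiredId,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Get-HotFix queries Win32_QuickFixEngineering (remotely over WMI/CIM when
    # -ComputerName is given), so the caller needs admin rights on the target.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    # -notcontains compares case-insensitively; QFE reports IDs as "KB######".
    $RequiredId | Where-Object { $installed -notcontains $_ }
}

function Get-PatchComplianceReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $RequiredId
    )
    foreach ($name in $ComputerName) {
        try {
            $missing = @(Get-MissingHotFix -RequiredId $RequiredId -ComputerName $name)
            [pscustomobject]@{
                Computer  = $name
                Reachable = $true
                Missing   = ($missing -join ',')
                Compliant = ($missing.Count -eq 0)
            }
        } catch {
            # A host you cannot inventory is reported as non-compliant rather
            # than silently skipped; "no data" must never read as "patched".
            [pscustomobject]@{
                Computer  = $name
                Reachable = $false
                Missing   = $_.Exception.Message
                Compliant = $false
            }
        }
    }
}

# Placeholder inputs (assumptions): substitute the KB numbers from the
# bulletins that apply to your builds and your own list of hosts.
$required = 'KB0000001', 'KB0000002'
$targets  = 'localhost', 'ws-branch-01'

Get-PatchComplianceReport -ComputerName $targets -RequiredId $required |
    Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: Win32_QuickFixEngineering records only operating-system hotfixes. Updates delivered through Windows Installer, which is how products such as Office, Exchange, and SQL Server are typically patched, do not appear in it, so this check tells you about the OS and nothing about the layered products that make up the rest of the patch load.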

Changing Course
I think the virus epidemic stems from two sources. First, Microsoft products, especially the OSs, have become feature laden, and every feature of a network OS broadens the potential attack surface. Second, over the years, Microsoft has created an unfriendly image that, combined with the company's dominant market position, has painted a big bull's-eye on Microsoft products. The problem isn't with code quality, though—I want to be clear about that. I've seen Microsoft's build process, and I know the code quality is good.

Rather, I think the problem from the administrator's standpoint is in the patching process. Basically, Microsoft produces too many patches for too many products too quickly for the process to be manageable. The Trustworthy Computing initiative notwithstanding, the patching problem is as bad as it's ever been. You have to patch not only multiple versions of different Windows Server products but also multiple versions of client OSs and other server products, such as Microsoft Exchange Server and Microsoft SQL Server, not to mention Microsoft Office.

Microsoft is keenly aware of the patching problem that network administrators face today, and the company is moving to plug some of those gaping holes with its new Windows Update Services (WUS). Windows Update Services is a replacement for SUS. While WUS won't stop the flow of product patches that's coming out of Microsoft, its subscription-based setup promises to make the patching process more manageable.

While WUS promises to revamp the patching process for Microsoft products, one thing that Microsoft absolutely needs to do is make sure that this solution applies to older products such as Windows 2000, Exchange 5.5, and SQL Server 7.0, in addition to newer products such as Windows XP and Windows Server 2003. Fixing the patching process for the existing systems is far more "trustworthy" than using manageability as a carrot to entice users to upgrade products they've already purchased.

Reader Comments
Great article. You certainly speak for this administrator. I have too much to do to upgrade an entire branch to worry about patching. And SUS has been a big letdown for me. After reading all the MS documentation and white papers covering installation and implementation, there's still something I'm missing, as I have not been able to get it to work. So we're still at manually patching, touching each and every workstation. I guess it can only get better from here; it certainly can't get any worse! :-)

pameladg March 31, 2004


Just a quick note: I found the article interesting, but I want to point out that you did not mention the Baseline Security Analyzer, which already does SQL, Exchange, and others. Also, if you read into MS patching, you'll see that they are combining all the technologies into two pieces, update.exe and MSI. Once the conversion is done and we move to WUS, we should have a better solution. I am not quite sure if it will be all we may need or expect, but I do believe that at least WUS will combine SUS and MBSA. At least this way we can do all the OSs and most layered products....

Daniel Gagnon April 06, 2004


At this point I'd be happy with 2 immediate changes. First, why don't they make all patches respond to the same command line switches? Second, why don't they rebundle the security rollup every time a critical patch is issued and make it work like the SP1 express-update so that it applies only the patches needed on that system? That way we could slipstream (or run via command line) one patch and know that in the running of this cumulative security update, we are covering all the bases.

Mike April 07, 2004


There are several good points in this article. However, we can broaden the scope of the problem by mentioning the fact that many systems are running 3rd-party software built for Microsoft products. These products often use code that compiles correctly but uses less than desirable techniques. Microsoft's patches very often break major functions in these products. Other products are written well, but MS patches introduce severe regression problems. Most of these systems are integrated with other systems, which can create cascades of problems. Sometimes they are Microsoft's fault and other times the 3rd party's. Unless the small-to-medium company has a comprehensively complex lab, these will never be discovered until two days after the patches are rolled out, and there is no return.

Any patch can cost you your job, but no patch will enhance it. It is a classic lose-lose (Patch-If-You-Do, Patch-If-You-Don't) proposition. This is essentially the same old problem (DLL hell) in a different guise. What is needed is a completely different philosophy.

On the one hand, Microsoft cannot predict the future any better than the rest of us. On the other hand, Win2K did not make my life any better, and based on the white papers, neither will 2003 or Longhorn. While Microsoft understands my current pain, they don't understand what I want in a future OS. They are busy pushing an agenda which increasingly diverges from my vision. I don't hate Microsoft, but in spite of the great Office XP ads now running, I think they are increasingly irrelevant in getting actual work done.

mjones April 07, 2004


More details about how SUS crashed a system would have been good when making a claim like that. Such a blanket statement without details does not give those that use SUS the kind of info needed to avoid such a scenario.

Bill Weiss April 07, 2004


The flood of patches had me looking at alternatives too. I looked at a few of the alternatives but couldn't beat the free SUS product for this task. What I'd like to see is a tighter connection between MBSA and SUS. Maybe a merger of these two products would be nice - but wait, isn't that what Shavlik is all about? :)

Ken Richmond April 19, 2004

