Understanding Patch and Update Management: Microsoft’s Software Update Strategy

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: October 1, 2003 | Updated: June 7, 2004

On This Page

Introduction
Protecting the IT Infrastructure
Microsoft Technologies for Security and Software Update Management
Futures: Streamlining the Patch and Update Management Process
Related Links

Introduction

With more devices and mobile users accessing corporate networks, a consistent stream of security updates from software and hardware vendors, expanding footprints for systems and applications, almost daily identification of new security threats, and a much more sophisticated hacking community, IT professionals face immense challenges in implementing an effective software update management strategy.

This white paper reviews recent security trends that exemplify the need for strong patch and update management methodologies. It also examines various initiatives within Microsoft that promote software security through stronger development processes as well as streamlined patch and update communications and delivery mechanisms. Finally, it discusses patch and update management tools, including future releases meant to simplify the overall patch and update management process.

According to industry analysts at Forrester Research [1], there will be 35 million remote users by 2005 and 14 billion devices on the Internet by 2010. These interconnection paths are potentially susceptible to access by unauthorized individuals. According to the Computer Security Institute (CSI), the results of the 2002 CSI/FBI Computer Crime and Security Survey [2] indicate that “the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting.”

Ninety percent of the CSI/FBI survey’s respondents detected computer security breaches in 2002. Of those security breaches, 95 percent occurred because of poor system configuration. About 85 percent of the survey’s participants detected viruses even though most had deployed firewalls (98 percent) and anti-virus technology (99 percent). These attacks on IT infrastructures take many forms, including theft of proprietary information, financial fraud, worms, viruses, and net abuse by employees.

According to the CERT Coordination Center, a center of Internet security expertise located at Carnegie Mellon University, “most intrusions result from exploitation of known vulnerabilities, configuration errors, or virus attacks where countermeasures were available, including most major Internet worm/virus events. Countermeasures are available for most exploited vulnerabilities, but are they deployed? For systems and networks impacted by these events, the answer is generally ‘no’ or ‘not consistently.’” [3]

Forrester Research recently observed that for nine recent security exploits affecting Microsoft environments, on average, software patches were available weeks or months in advance of the worm/virus event.

CERT calculates the financial damage from these security intrusions worldwide at around $15 billion annually. Of the 90 percent of CSI/FBI survey respondents detecting computer security breaches within the last year, 80 percent acknowledged financial losses. Forty-four percent—those companies which could quantify the loss—reported $456 million in losses. With so much at stake, security requires a commitment of resources—financial, human, and technological—to an enterprise-wide program.

Additionally, the time between the release of a security update and the public availability of an exploit for the vulnerability it addresses has decreased dramatically, while exploits have become increasingly sophisticated.

Consequently, ensuring that the latest software updates, particularly security updates, are applied quickly and consistently across the enterprise—small, medium, or large—has become an increasingly important part of that enterprise-wide system management and security program.

Protecting the IT Infrastructure

Security management refers to what an organization or IT department can do operationally to manage and mitigate risk across the computing environment. Increasingly, improving security means improving systems management. Consistent, repeatable processes, reliable auditing and reporting against policy, and effective change control can drastically reduce the level of uncertainty and risk throughout the IT infrastructure. And, as the security trends discussed previously indicate, an effective security management strategy must ensure that software remains up-to-date and as fully protected as possible from worms, viruses, and other information security breaches.

By implementing an effective security management strategy, organizations reap the following business benefits:

  • Reduced downtime and costs associated with non-availability of systems and applications.

  • Reduced labor costs associated with inefficient security update deployment.

  • Reduced data loss due to destructive viruses or information security breaches.

  • Increased protection of intellectual property.

Microsoft—through a variety of security initiatives—offers products, resources, prescriptive guidance, training, and partners, designed to help customers keep their IT infrastructures healthy and to enjoy the benefits and peace of mind a secure computing environment brings. The remaining sections of this white paper describe Microsoft’s efforts to significantly improve the security update management process and provide prescriptive guidance for effectively using currently available resources.

Trustworthy Computing Frames the Microsoft Security and Update Management Initiatives

The Microsoft Trustworthy Computing initiative, announced by Bill Gates in January 2002 as a long-term initiative for the company, focuses on four key tenets: security, privacy, reliability, and business integrity.

The security effort is driving towards the following:

  • Improve and simplify the patching experience to help customers keep all of their systems protected and up-to-date.

  • Provide security guidance to help customers deploy and operate Microsoft products as securely as possible.

  • Innovate on safety technologies that will make Microsoft Windows–based computers more resilient to attack, even when security updates are not installed.

  • Improve the quality of our software through the Trustworthy Computing development process, to reduce vulnerabilities before the software ships.

Driving major improvements in the area of patch and update management is a key aspect of the Trustworthy Computing initiative. In 2002, Microsoft formed an internal task force to identify opportunities for improving the software update and security update management process and technologies, and to drive those improvements. This cross-divisional team, the Patch Management Task Force, solicited feedback from all sizes of organizations across the world. Based on this extensive customer engagement, the Patch Management Task Force distilled the input into four key areas of focus:

  • Provide clear and timely communications and guidance.

  • Provide consistency in standards and behavior.

  • Provide high-quality security updates that reduce recalls, update sizes, and system restarts.

  • Provide consolidated and cost-conscious tools.

Clear Communications

Keeping IT professionals informed about software updates and security updates represents a crucial component to helping customers take the necessary and appropriate actions as they manage operational risks. However, Microsoft readily admits that communicating clearly has proven to be a daunting challenge at times. For example, customers searched four different Web sites for security update management content and complained that the security rating levels were unclear and that terminology and naming conventions were inconsistent.

The Security Bulletin Notification Service enables customers to receive timely and accurate information directly from Microsoft about worms, viruses, and other security events. It represents one of the first steps taken to help customers determine if an event is relevant to their environments, how and when to download and deploy the security updates, and how the software updates or security updates affect their overall IT infrastructures. Customers can sign up to be notified via e-mail when the latest Security Bulletins are posted with versions for business IT professionals and end users.

In the past year, based on customer feedback, Microsoft made the following improvements to the Security Bulletin Notification Service:

  • The Microsoft Security Response Center standardized its distribution processes and now sends bulletins monthly on the second calendar Tuesday (except in situations where a known exploit exists, in which case the bulletin is issued immediately).

  • Many customers found the Security Bulletins too technical or too detailed for their needs. Microsoft kept the original bulletin format for IT professionals, but now it also sends more general and less technical Consumer Bulletins.

  • Microsoft created a Security Bulletin Web search tool, consolidating the number of locations customers needed to search for information about security updates. Customers can view all Security Bulletins available for a given product and service pack (SP) level.

  • To increase clarity around its security rating levels, Microsoft revised the definitions. (See Table 1: Severity Rating Definitions.) Related to this effort, Microsoft has also created more consistent software update and security update naming terminology.

    Table 1: Severity Rating Definitions

    Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm/virus without user action.

    Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.

    Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

    Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Other tools and resources used to communicate with customers include the following:

  • Security Guidance Kit. A free CD that offers a collection of tools, templates, roadmaps, and how-to guides in addition to prescriptive security guidance. The kit is designed to help implement measures such as automating security update installation and blocking unsafe email attachments to help organizations stay protected. To order a copy, please see https://www.microsoft.com/technet/security/default.mspx.

  • Virus Information Alliance. Includes industry partners Computer Associates, McAfee, Sybari, Symantec, and Trend Micro to provide customers with the latest virus alert information.

  • Solution Accelerators Provide Prescriptive Guidance. To help customers and partners design effective security processes using the Microsoft tools and resources available to them, Microsoft offers prescriptive guidance for the use of these tools and resources. The Solution Accelerators for security update management guidance use a well-defined four-step process designed to ensure best practices in security update management, with additional guidance for critical 24-hour update deployment. Two Solution Accelerators for security and software update management are available, one for use with Microsoft Software Update Services (SUS) and the other for use with Microsoft Systems Management Server. For more information, see https://www.microsoft.com/windowsserversystem/overview/benefits/manageability/patch.mspx.

Consistency and Quality

Each Microsoft product grew over the years with innovation and development focused primarily on helping customers meet their deployment objectives in a variety of situations. This independence enabled individual product teams to meet the business and technical needs of their customers in creative ways. However, this independence also meant that software updates and security updates developed in silos.

With no common nomenclature or taxonomy, product teams developed numerous installer technologies that provided different user interfaces and different functionality. Specifically, the stability of security update code, package size, consistency, and system restart requirements needed further refinement.

Security update quality also remains an ongoing challenge, with customer feedback indicating too many recalls, unnecessary system restarts, and large sizes. When Microsoft releases a product, it uses a comprehensive regression, compatibility, functionality, and security testing plan to ensure a quality release. However, security updates typically need to be tested and released as quickly as possible.

To address these consistency and quality issues, Microsoft has made—and plans to continue making—several changes as follows.

Consistency
  • Microsoft plans to harmonize terminology and naming conventions and to develop and enforce guidelines across all product groups. For a comprehensive list of the new implemented standards, see https://www.microsoft.com/technet/security/guidance/patchmanagement/stdpatex.mspx.

  • By the end of 2004, all Microsoft software designed for deployment in organizations (that is, business or corporate applications) is expected to use one of two standard installers: Update.exe for operating system components, and Microsoft Installer (MSI) 3.0 for applications. Both installers will support uninstalling updates and will use the standardized installation switches.

Quality
  • Microsoft now uses a five-week test cycle with exit criteria for each step of the cycle, increased depth testing for all security update components, added daily workstation stress testing, self-hosting, consistent security update release criteria, and management-level sign off for updates prior to their release. To address patch size, package contents are more closely inspected for unnecessary or duplicated files.

  • A customer patch validation program has been implemented to uncover testing issues in the customer environment.

  • The Microsoft Security Response Center (MSRC) and the Secure Windows Initiative Team are conducting a formal post-mortem review of any security update issued in conjunction with a Security Bulletin.

  • The established frequency with which new updates are released was reduced from once per week to once per month on the second Tuesday of the month. In emergency situations—that is, when information about how to exploit a vulnerability is determined to be available or imminently available publicly—Microsoft will release the necessary updates outside the established release cycle.

  • The proportion of security updates delivered by Windows Update that require a system to be restarted has been reduced by 10 percent.

  • HotPatching (in-memory patching) technology initially scheduled for delivery with Microsoft Windows Server™ 2003 Service Pack 1 (SP1) will reduce by 30 percent the number of Windows Server 2003 security updates that require computer restarts. This percentage is expected to increase over time.

  • Microsoft’s engineering teams are also developing smarter installers with better detection and dynamic analysis to determine whether a system restart is required and what operating system improvements allow file replacement without restarting.

The Right Tools

Microsoft continues to develop tools and technologies for update management. These tools are designed and customized to the unique needs of Microsoft’s customers—from the individual home user to the largest enterprise. To effectively address this varied set of customer needs, Microsoft maintains a broad update management technology strategy. The table below lists Microsoft’s key update management offerings.

Table 2: Microsoft Update Management Offerings

Type of Technology / Microsoft Offering

Update Analysis

  • Microsoft Baseline Security Analyzer (MBSA) 1.2

  • Office Update Inventory Tool 2.0

Online Update Service

  • Windows Update

  • Office Update

Automated Update Management

  • Automatic Updates feature in Windows

  • Software Update Services (SUS) 1.0

  • SMS 2003

Individuals and IT administrators can use MBSA 1.2 to get a report of installed and missing security updates on their systems. MBSA detects missing security updates for a broad range of the Windows operating systems and other Microsoft software. MBSA also includes functionality to report on common security misconfigurations. MBSA 1.2 delivers several enhancements to the update scanning and security misconfiguration detection functionality available in MBSA 1.1.1. These enhancements are outlined in the section on MBSA below.

With the release of version 1.2, MBSA includes the Office Update Inventory Tool 2.0 functionality to scan for missing Microsoft Office updates on local systems. The Office Update Inventory Tool is therefore not needed when MBSA scans are triggered by SMS or another method that runs MBSA locally on the systems to be scanned.

Microsoft hosts two online update services, Windows Update and Office Update, which allow individual systems to be updated over the Internet. As the names of these services imply, Windows Update updates various versions of the Windows operating system, and Office Update updates various versions of the Microsoft Office family of products on systems accessing these Web sites.

Individuals or organizations without an IT administrator-controlled update management process can also automatically stay up-to-date with the latest security updates issued by Microsoft for Windows XP, Windows 2000 SP3 or above, and Windows Server 2003, by using the Automatic Updates feature in Windows. Automatic Updates automatically checks for and downloads the latest security and critical updates directly from Windows Update at regular intervals. Individuals or IT administrators can choose whether the computer user should be prompted to install new updates or whether the updates should be installed automatically.

During the early part of the Trustworthy Computing initiative, many organizations told Microsoft that their policies for patch management included the requirement to test and approve patches in their unique operational environments before approving wide deployment. To help facilitate this process, Microsoft released SUS 1.0, an IT administrator-controlled solution for simple update management. SUS is a downloadable component of Windows Server and is available from the Microsoft Download Center at no extra charge to Windows Server licensees. Microsoft plans to significantly enhance the capabilities in SUS in the next version, which has been renamed Windows Update Services, and is scheduled for release towards the end of 2004.

Further customer feedback indicated that many customers did not want to use a separate tool to address update management but were looking for the higher value of an integrated system management solution that included patch management capabilities. SMS 2003, released in October 2003, addresses this need by enabling advanced patch management within an integrated systems management solution that also includes asset management, software deployment, software metering, and other sophisticated systems management capabilities.

Microsoft recommends that customers review the capabilities and limitations of these automated update management offerings and choose one or more of these options to best meet their individual needs. The table below summarizes the options that best suit different types of customers.

Table 3: Choosing Automated Update Management Offerings

Type of Customer / Appropriate Options

Medium or Large Organization

  • SMS 2003

  • SUS 1.0

Small Organization

  • SUS 1.0

  • Automatic Updates feature in Windows

Individual User

  • Automatic Updates feature in Windows

Microsoft Technologies for Security and Software Update Management

Update Analysis

Microsoft Baseline Security Analyzer 1.2

MBSA 1.2 is a standalone tool available as a free Web download from the Microsoft Download Center. MBSA can be installed on Windows XP, Windows 2000, and Windows Server 2003 and enables users to scan one or more Windows–based computers for missing security updates and common security misconfigurations. MBSA 1.2 was released in January, 2004.

MBSA 1.2 supports scanning of Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 systems. It scans for common misconfigurations in the operating system, Internet Information Services (IIS), Microsoft SQL Server™, Microsoft Internet Explorer, and Microsoft Office, and scans for missing security updates for a broad range of Microsoft software, including Windows, Microsoft Office, IIS, SQL Server, and Microsoft Exchange Server.

Note: MBSA 1.2 incorporates the functionality provided in the Office Update Inventory Tool 2.0 (for local scans only). See the section on the Office Update Inventory Tool 2.0 below for additional information. The full list of software scanned by MBSA 1.2 is available at http://www.microsoft.com/mbsa/ and in Microsoft Knowledge Base article 306460.

MBSA 1.2 supports performing the security updates portion of a scan against a list of administrator-approved updates on a local SUS server. Users can specify this option in the MBSA graphical user interface (GUI) or in the MBSA command-line interface. This support enables administrators to generate a report of missing security updates only for the administrator-approved updates rather than for the complete list of available security updates listed in the Mssecure.xml file downloaded by the tool at run time.

Note: MBSA 1.2 is not compatible with the upcoming Windows Update Services release when scanning based on the list of administrator-approved updates. This limitation will be corrected in the next major release of MBSA.

As noted previously, MBSA offers a GUI as well as command-line operations for scanning one or more Windows–based computers. Individual users can quickly launch a system scan from the GUI by selecting Scan a Computer from the MBSA Web Interface Welcome page. The scan defaults to the local computer and includes a security check for common misconfigurations as well as missing security updates. For an individual user, running the scan provides a comprehensive report that scores a computer’s security readiness, provides an explanation of each result, and details recommended procedures for correctly addressing any issues.

In addition to scanning a single computer, MBSA scans can target a group of computers through domain membership or a range of IP addresses. By combining MBSA’s command-line interface with available scheduling tools such as Task Scheduler, organizations can script MBSA operations to occur on predetermined schedules with a defined set of options, on a defined set of targets. For example, a scan could include an entire domain with all available checks during a low resource utilization time. Conversely, a more advanced usage may be creating an MBSA script that ties into Group Policy and is executed as part of a user logon process. By using the scripting samples available from the TechNet Web site (https://www.microsoft.com/technet), it is possible to combine individual computer compliance reports into a centralized compliance rollup for updates or configuration checks. The samples also demonstrate how to scan an unlimited number of computers, as well as how to query the compliance of a specific vulnerability.
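The centralized compliance rollup described above, as an added Python example that is not one of the TechNet scripting samples and not MBSA's own code. It reads MBSA-style XML reports (the sample reports are constructed and follow a simplified version of the SecScan/Check/UpdateData layout that MBSA 1.2 writes; only the Machine, Domain, BulletinID, KBID, Severity and IsInstalled attributes are read), maps each missing bulletin to the machines that lack it, answers the compliance question for a single bulletin, and orders machines for remediation by the number of missing Critical updates:

```python
"""Central compliance rollup for MBSA scan reports (added example; constructed data)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample reports for three machines. The layout imitates MBSA 1.2
# output in simplified form: a <SecScan> root, one <Check> per scan area and one
# <UpdateData> per security update, with IsInstalled="false" marking a gap.
SAMPLE_REPORTS = [
    """<SecScan Machine="WKS01" Domain="CORP">
  <Check ID="500" Grade="2" Name="Windows Security Updates"><Detail>
    <UpdateData BulletinID="MS04-011" KBID="835732" Severity="Critical" IsInstalled="false"/>
    <UpdateData BulletinID="MS04-012" KBID="828741" Severity="Critical" IsInstalled="true"/>
    <UpdateData BulletinID="MS04-014" KBID="837001" Severity="Important" IsInstalled="false"/>
  </Detail></Check>
</SecScan>""",
    """<SecScan Machine="WKS02" Domain="CORP">
  <Check ID="500" Grade="5" Name="Windows Security Updates"><Detail>
    <UpdateData BulletinID="MS04-011" KBID="835732" Severity="Critical" IsInstalled="true"/>
    <UpdateData BulletinID="MS04-012" KBID="828741" Severity="Critical" IsInstalled="true"/>
    <UpdateData BulletinID="MS04-014" KBID="837001" Severity="Important" IsInstalled="true"/>
  </Detail></Check>
</SecScan>""",
    """<SecScan Machine="SRV01" Domain="CORP">
  <Check ID="500" Grade="2" Name="Windows Security Updates"><Detail>
    <UpdateData BulletinID="MS04-011" KBID="835732" Severity="Critical" IsInstalled="false"/>
    <UpdateData BulletinID="MS04-012" KBID="828741" Severity="Critical" IsInstalled="false"/>
  </Detail></Check>
  <Check ID="501" Grade="5" Name="SQL Server Security Updates"><Detail/></Check>
</SecScan>""",
]


def parse_report(xml_text):
    """Extract the machine name and every update the report marks as not installed."""
    root = ET.fromstring(xml_text)
    missing = []
    for upd in root.iter("UpdateData"):
        if upd.get("IsInstalled", "").lower() == "false":
            missing.append({
                "bulletin": upd.get("BulletinID"),
                "kb": upd.get("KBID"),
                "severity": upd.get("Severity", "Unknown"),
            })
    return {"machine": root.get("Machine"), "domain": root.get("Domain"), "missing": missing}


def load_reports(xml_texts):
    """Parse a batch of report files (here: the constructed sample strings)."""
    return [parse_report(t) for t in xml_texts]


def rollup(reports):
    """Map each bulletin that is missing anywhere to the sorted list of machines lacking it."""
    by_bulletin = defaultdict(set)
    for r in reports:
        for upd in r["missing"]:
            by_bulletin[upd["bulletin"]].add(r["machine"])
    return {b: sorted(m) for b, m in sorted(by_bulletin.items())}


def compliance(reports, bulletin):
    """Split machines into (compliant, noncompliant) for one bulletin.

    A machine counts as compliant when its report does not list the bulletin as
    missing, which also covers machines where the bulletin does not apply."""
    non = sorted(r["machine"] for r in reports
                 if any(u["bulletin"] == bulletin for u in r["missing"]))
    ok = sorted(r["machine"] for r in reports if r["machine"] not in non)
    return ok, non


def worst_first(reports):
    """Remediation order: most missing Critical updates first, then most missing overall."""
    def key(r):
        critical = sum(1 for u in r["missing"] if u["severity"] == "Critical")
        return (-critical, -len(r["missing"]), r["machine"])
    return [r["machine"] for r in sorted(reports, key=key)]


if __name__ == "__main__":
    reports = load_reports(SAMPLE_REPORTS)
    for bulletin, machines in rollup(reports).items():
        print(f"{bulletin}: missing on {len(machines)} of {len(reports)} machines: {', '.join(machines)}")
    print("remediation order:", ", ".join(worst_first(reports)))
```

In practice the reports come from scheduled command-line scans written to a share, and load_reports would read those files. A machine that produced no report is invisible to this view, so compare the number of reports against the inventory before trusting the totals; the reports themselves contain the machine names and installed-update details of every scanned host, which is why the share holding them should be readable only by the people doing the rollup.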

The key enhancements delivered in MBSA 1.2 include:

  • Support for German, Japanese, and French

  • Configuration checks for Internet Connection Firewall, Automatic Updates, and Internet Explorer zones.

  • Scanning for missing updates for additional Microsoft software including Microsoft Office, Exchange Server 2003, and several other products.

  • Additional MBSA command-line switches.

  • Support for alternative file versions.

For more information about MBSA, see http://www.microsoft.com/mbsa/ and Microsoft Knowledge Base article 306460.

Office Update Inventory Tool 2.0

Office Update Inventory Tool 2.0 enables administrators to check one or more computers in their organization for the status of Microsoft Office 2000, Microsoft Office XP, and Microsoft Office 2003 updates. From a central location, administrators can run the tool to report on which updates have been applied, which updates are available to be applied, and which updates can be applied only to an administrative image.

Based upon customer feedback, version 2.0 of the detection engine has been significantly improved to include the following:

  • A feature to determine whether the inventory tool executable files or detection data are outdated and to download the latest versions.

  • Information in detection output regarding expired updates—that is, those updates that have been superseded by newer versions.

  • Additional details in the inventory reports, such as an identifier to simplify the task of finding update information in the XML, a path to the client update page, and baseline requirements.

Note: As indicated earlier, Office Update Inventory Tool 2.0 capabilities have been integrated into MBSA 1.2, so MBSA 1.2 should be used instead of this tool unless there is a need to perform remote scans of systems for missing Microsoft Office updates.

Online Hosted Services

Windows Update

Windows Update is the online extension of Windows that helps keep computers up-to-date. Windows Update currently supports Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, and Windows Server 2003. Customers can use Windows Update to choose updates for a computer’s operating system software and hardware drivers. New content is added to Windows Update as soon as new updates for Windows are available from Microsoft, making this tool the authoritative source of the latest updates for the Windows operating systems listed above.

Using Windows Update is a simple three-step process:

  1. Go to Windows Update and click Scan for Updates.

  2. Browse through the available updates in each category, and then click Add to select an update and add it to the collection of updates to install. If necessary, read a full description of each item by clicking the Read More link.

  3. When all required updates are selected, click Review and Install Updates, and then click Install Now.

The Windows Update Catalog (WUC) extends the basic operations of Windows Update by enabling users or administrators to solicit updates for individual categories—operating systems or hardware drivers—and download them to a fixed location for later deployment. WUC pre-packages the updates in a subdirectory structure and offers a download history, displaying the updates that have been downloaded, where they reside, and a brief description of each.

WUC is available through the Windows Update site; a link appears at the bottom of the table of contents. If the link is not visible, the settings under Personalize Windows Update can be changed to make the link to WUC appear.

Office Update

Office Update is similar in concept to Windows Update; however, it is restricted to updates for the Microsoft Office product suite. For a list of supported products, please see “Which Office products does the Office Update site support?” on the About Office Update page.

Users visit the Office Update site and select Check for Updates to trigger a scan of a computer’s Microsoft Office installation for missing software updates or service packs. A detailed list of the missing updates needed to bring the system up-to-date is displayed, and the selected updates are then installed on the computer.

Administrator-Initiated Updating of Office

For organizations, individual machine updates may not be entirely practical. There are two main ways to apply software updates and maintain Microsoft Office products in a managed environment:

  • Patch the administrative image.

  • Apply software updates—either binary patches or FullFile patches—directly to the client.

The Office Admin Update Center provides information on which maintenance method is suitable for an organization.

Microsoft provides two additional tools to assist in the process of updating Microsoft Office installations in organizations:

  • Microsoft Baseline Security Analyzer (MBSA) 1.2 and Office Update Inventory Tool 2.0 enable scanning of the Office family of products for missing updates. For details about these tools, see the Update Analysis section earlier in this document.

  • Ohotfix.exe is a utility designed to help administrators deploy update files within their organizations. OHotFix works by reading a series of deployment instructions contained in an .ini file, and then using those instructions to apply an update to the computer. When an Office update file is available on the system, OHotFix can also check Office applications on the computer to determine which applications need the update and can order a group of update files so that an installation is optimized.

    For more information, see https://www.microsoft.com/office/ork/xp/journ/Ohotfix.htm.

Note: For the latest information and more detailed documentation about updating Microsoft Office in a managed IT environment, please see the Office Admin Update Center at https://www.microsoft.com/office/ork/updates/default.htm.

Automated Update Management Offerings

Automatic Updates

Automatic Updates is a feature in Windows 2000 SP3 and later, Windows XP, and Windows Server 2003 that allows individual systems to be configured to automatically check for and download new security and critical updates available from Windows Update. The Automatic Updates component includes analysis capabilities to detect missing updates. It downloads only the updates missing for the version of the operating system running on a computer and can be configured either to prompt the user or to install the updates automatically.

IT administrators can configure the various Automatic Updates settings centrally by using Group Policy or scripts that set the associated registry values.

Software Update Services 1.0

SUS is a version of Windows Update designed for organizations that want to approve each software update before installing it. SUS allows administrators to quickly and easily deploy Windows-related security updates and critical updates to computers running Windows 2000, Windows XP Professional, or Windows Server 2003. SUS includes the following capabilities:

  • Software updates can be approved on each SUS server, enabling testing in a separate environment as well as phased deployments across an enterprise.

  • SUS clients, which use the same Automatic Updates component described earlier, can be configured to download software updates from the SUS server (saving bandwidth on shared Internet connections) or directly from Windows Update.

  • Software updates can also be copied onto a CD-ROM from a SUS server connected to the Internet and then transferred to a SUS server on a protected network with no Internet access.

SUS servers require Windows 2000 Server or Windows Server 2003, IIS, and port 80 communications with SUS clients. SUS servers can be configured to synchronize software update packages and approvals either manually or automatically from a parent SUS server (or from Windows Update), enabling flexibility in how the environment is maintained.

Deployment of SUS servers is driven by an organization’s requirements for system updates. In theory, a single SUS server can accommodate the security update management needs of an organization; however, in practice, it is recommended that multiple SUS servers be deployed.

For example, a SUS server can be deployed in a test environment for pre-deployment testing to determine the impact of any security update on an organization. This SUS server communicates directly with the Windows Update site to determine update availability. After particular updates are tested, they are approved on a production SUS server. This production SUS server obtains security update availability from the Windows Update site and can be configured to download updates locally or modify a local SUS metafile with update information. After the “root” SUS server has the appropriate updates, localized or referenced, tiered SUS servers—which might be deployed closer to an organization’s desktops—can be configured to synchronize with the “root” SUS server for available and approved updates. The synchronization process can be manual or scheduled.

SUS clients connect to an associated SUS server according to a preconfigured daily or weekly schedule. As indicated in the section on Automatic Updates, a client can be centrally configured by using Group Policy settings or administrative scripts that set the appropriate registry setting values. Administrator-defined configuration options driven by Group Policy always take precedence over user-defined options. In addition, Automatic Updates Control Panel options are disabled on a client computer when administrative policies have been set.
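The Group Policy settings described above (for Automatic Updates alone, and for pointing clients at an SUS server) are stored as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is why a script that writes those values has the same effect as the policy. The following script is an added example and not code from the paper: it generates a .reg file (or, on Windows, writes the values directly) that enables Automatic Updates, schedules installation, and directs detection, download and status reporting to an internal SUS server. The server name sus01.corp.example, the helper names and the chosen schedule are assumptions; the registry value names are the ones the Automatic Updates policy template writes.

```python
"""Generate (or apply) Automatic Updates policy values for SUS clients.

Added example, not from the original paper. The server URL, file name and
helper names are assumptions; the registry value names are the ones the
Automatic Updates Group Policy template writes.
"""
import sys

SUS_SERVER = "http://sus01.corp.example"  # assumed internal SUS server (HTTP, port 80)

BASE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = BASE_KEY + r"\AU"

# AUOptions values understood by the SUS-era Automatic Updates client.
AU_OPTIONS = {
    "notify-download": 2,       # notify before download and again before install
    "auto-download-notify": 3,  # download automatically, notify before install
    "scheduled-install": 4,     # download automatically, install on the schedule
}


def build_au_policy(mode, install_day=0, install_hour=3, sus_server=None,
                    no_reboot_with_users=True):
    """Return {registry key: {value name: int (REG_DWORD) | str (REG_SZ)}}.

    install_day: 0 = every day, 1..7 = Sunday..Saturday (ScheduledInstallDay).
    install_hour: 0..23 local time (ScheduledInstallTime).
    sus_server: URL of the SUS server; None means update from Windows Update.
    """
    if mode not in AU_OPTIONS:
        raise ValueError(f"unknown mode {mode!r}")
    if not 0 <= install_day <= 7:
        raise ValueError("install_day must be 0 (daily) or 1..7 (Sun..Sat)")
    if not 0 <= install_hour <= 23:
        raise ValueError("install_hour must be 0..23")

    au = {
        "NoAutoUpdate": 0,               # 0 enables Automatic Updates
        "AUOptions": AU_OPTIONS[mode],
        "ScheduledInstallDay": install_day,
        "ScheduledInstallTime": install_hour,
        "UseWUServer": 0,                # overridden below when a SUS server is given
    }
    base = {}
    if sus_server:
        if not sus_server.lower().startswith(("http://", "https://")):
            raise ValueError("sus_server must be an absolute http(s) URL")
        base["WUServer"] = sus_server        # where clients detect/download updates
        base["WUStatusServer"] = sus_server  # where clients send status reports
        au["UseWUServer"] = 1
    if no_reboot_with_users:
        au["NoAutoRebootWithLoggedOnUsers"] = 1  # do not reboot under a logged-on user
    return {BASE_KEY: base, AU_KEY: au}


def render_reg_file(policy):
    """Render the policy as a regedit 5.00 file (CRLF line endings)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            if isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            else:
                escaped = value.replace("\\", "\\\\").replace('"', '\\"')
                lines.append(f'"{name}"="{escaped}"')
        lines.append("")
    return "\r\n".join(lines)


def apply_policy(policy):
    """Write the values directly with winreg (Windows only, needs admin rights)."""
    import winreg  # imported here so the module loads on non-Windows hosts
    for key, values in policy.items():
        subkey = key.split("\\", 1)[1]  # strip the HKEY_LOCAL_MACHINE prefix
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                winreg.KEY_SET_VALUE) as handle:
            for name, value in values.items():
                kind = winreg.REG_DWORD if isinstance(value, int) else winreg.REG_SZ
                winreg.SetValueEx(handle, name, 0, kind, value)


if __name__ == "__main__":
    policy = build_au_policy("scheduled-install", install_day=0, install_hour=3,
                             sus_server=SUS_SERVER)
    if "--apply" in sys.argv and sys.platform == "win32":
        apply_policy(policy)
    else:
        sys.stdout.write(render_reg_file(policy))
```

Import the generated file with regedit /s from a startup script, or let Group Policy deliver the same values; either way the Automatic Updates Control Panel options are disabled on the client because the policy keys are present, as described above. Because WUServer and WUStatusServer are consumed over plain HTTP on port 80, the name they contain should resolve only to a server you control; a client that can be pointed at an arbitrary host has been handed its update source.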

Administrators can also use a Web server to log statistical information from Automatic Updates about updates that have been downloaded along with their installation status. These statistics are sent using the HTTP protocol so that the Web server can collect this information in its logs. The statistics server must be a computer running IIS 5.0 or later with logging enabled.
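Because the status reports arrive as ordinary HTTP requests, the IIS log on the statistics server is the raw material for a compliance report. The script below is an added example and not part of the paper: it parses a W3C extended log, keeps only the status-report requests, tallies download and install outcomes per update, and lists the clients whose installs failed, counting rather than guessing at reports that lack the expected fields. The sample log lines are constructed, and the request path /wutrack.bin and the single-letter query fields (U, A, I, S, E) are assumed for illustration; verify them against the SUS client documentation and your own logs before relying on the mapping.

```python
"""Summarize Automatic Updates status reports from the statistics server's IIS log.

Added example, not from the original paper. The log lines are constructed, and
the /wutrack.bin path plus the single-letter query fields are ASSUMED for
illustration; confirm them against the SUS client documentation and real logs.
"""
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Assumed meaning of the status-report query fields.
ACTIVITY = {"d": "download", "i": "install"}
STATUS = {"s": "success", "f": "failure"}
REQUIRED = {"U", "A", "I", "S"}  # client id, activity, update id, status

# Constructed W3C extended log excerpt (IIS 6.0 style). Update ids are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-07 03:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-07 03:00:12 10.1.2.10 GET /wutrack.bin V=1&U=client-aaaa&C=au&A=d&I=update-A&S=s&E=0 200
2004-06-07 03:00:15 10.1.2.10 GET /wutrack.bin V=1&U=client-aaaa&C=au&A=i&I=update-A&S=s&E=0 200
2004-06-07 03:01:40 10.1.2.11 GET /wutrack.bin V=1&U=client-bbbb&C=au&A=i&I=update-A&S=f&E=8007064c 200
2004-06-07 03:02:01 10.1.2.12 GET /content/cabs/update-B.cab - 200
2004-06-07 03:02:05 10.1.2.12 GET /wutrack.bin V=1&U=client-cccc&C=au&A=i&I=update-B&S=s&E=0 200
2004-06-07 03:03:00 10.1.2.13 GET /wutrack.bin garbage 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the most recent #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no requests
        if fields is None:
            continue  # request line before any #Fields header: cannot map columns
        parts = line.split(" ")  # W3C format encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue  # truncated or corrupted line
        yield dict(zip(fields, parts))


def summarize_reports(text):
    """Tally download/install outcomes per update and list failed installs."""
    per_update = defaultdict(Counter)
    failures = []   # (client id, source ip, update id, error code)
    malformed = 0
    for rec in parse_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().endswith("/wutrack.bin"):
            continue  # content downloads and other requests are not status reports
        query = {k: v[0] for k, v in
                 parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True).items()}
        if not REQUIRED.issubset(query):
            malformed += 1  # report without the fields we need: count it, do not guess
            continue
        activity = ACTIVITY.get(query["A"], "other")
        status = STATUS.get(query["S"], "other")
        per_update[query["I"]][f"{activity}_{status}"] += 1
        if activity == "install" and status == "failure":
            failures.append((query["U"], rec.get("c-ip", "-"), query["I"],
                             query.get("E", "-")))
    return {
        "per_update": {k: dict(v) for k, v in per_update.items()},
        "failures": failures,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = summarize_reports(SAMPLE_LOG)
    for update_id, counts in sorted(report["per_update"].items()):
        print(update_id, counts)
    for client, ip, update_id, err in report["failures"]:
        print(f"FAILED install: client={client} ip={ip} update={update_id} error={err}")
    print("malformed reports:", report["malformed"])
```

Run it against the real log directory by reading each file into summarize_reports; the per-update counters give the installation status the paper refers to, and the failures list is the queue for follow-up. Note that the reports are sent by the client over unauthenticated HTTP, so the log reflects what clients claimed, not an independently verified state; confirm anything that matters with an MBSA or SMS scan.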

For more information, see https://www.microsoft.com/sus/default.mspx.

Systems Management Server 2003

With the advanced update management capabilities delivered in SMS 2003, administrators can easily manage security and other updates throughout the enterprise. SMS has always been able to distribute any type of software, but the new update management functionality streamlines the security update management process.

SMS includes comprehensive inventory, vulnerability, and software update assessment capabilities; Web-based reports to show compliance and installation results; and wizards that simplify security update management. SMS 2003 assesses and deploys security updates for Windows, Microsoft Office, and other products scanned by MBSA. It includes the following tools.

Security Update Inventory Installer

Security Update Inventory Installer is used to create an inventory of applicable and installed security updates for client computers. It consists of three main components:

  • Security Update Inventory Installer runs on the SMS site server and automatically builds the package, collection, and advertisement needed to deploy the other tool components within the SMS system.

  • Security Update Inventory Tool uses the existing MBSA 1.2 technology in addition to the Security Patch Bulletin Catalog (Mssecure.xml) and the Microsoft XML parser (MSXML) to carry out automated, ongoing scans of client computers for installed or applicable security updates. It then converts the data gathered by those tools into SMS inventory data.

  • Security Update Sync Tool is deployed by the installer and runs on a single computer that has an Internet connection. It periodically checks the Microsoft downloads Web site to download the latest security update bulletin catalog. It then uses SMS distribution points within the SMS infrastructure to send the latest versions of these items to client computers.

Distribute Software Updates Wizard Installer

Distribute Software Updates Wizard Installer is used to perform software update distribution tasks. It consists of three main components:

  • Distribute Software Updates Wizard Installer runs on the SMS site server and installs the Distribute Software Updates Wizard component.

  • Distribute Software Updates Wizard performs the following software update distribution tasks from the SMS site server:

    • Uses inventory information to analyze applicable update status for clients.

    • Provides a method for reviewing and authorizing suggested updates.

    • Downloads authorized updates and installation information.

    • Builds packages and advertisements tailored to each update or set of updates.

    • Distributes the update advertisements to client computers in an enterprise by using SMS software distribution features.

    • Deploys the Software Updates Installation Agent to client computers.

  • Software Updates Installation Agent is used to evaluate advertised software updates against missing and previously installed updates on client computers. It facilitates the installation process for necessary updates and prevents the installation of redundant or unnecessary updates, reducing system overhead.

Web Reports Add-In for Software Updates

Web Reports Add-In for Software Updates provides added functionality to the SMS Web Reporting Tool features and allows users to view a set of reports that was created from information gathered by software update inventory tools. In addition to the preconfigured reports available from the Web Reports Add-In, custom inventory reports using SQL Server views and the inventory schema are also supported.

Organizations looking for advanced update management capabilities or an integrated systems management solution that includes update management should investigate SMS 2003.

Futures: Streamlining the Patch and Update Management Process

Microsoft strives to constantly improve the toolset available to customers for security and software update management. As noted previously, customer feedback indicates the need for tool consolidation and integration. Accordingly, Microsoft has defined a roadmap designed to consolidate and integrate the various update management technologies.

According to this roadmap, Microsoft will deliver the core update management infrastructure and a solution for simple update management in Windows. Windows Update Services, the next version of Software Update Services, will be the first step in delivering this infrastructure and update management solution in Windows. Windows Update Services will initially be available as a Web download at no additional charge to Windows 2000 Server or Windows Server 2003 licensees and will be built into future releases of Windows.

Windows Update Services will also include the authoritative, built-in analysis engine from Microsoft for detecting missing updates for all software supported by Windows Update Services and other management or security tools, such as MBSA and SMS. In addition, products from other software vendors will be able to invoke the WUS analysis engine to get a report of missing Microsoft software updates. Because the analysis engine is built into the Windows Update Services client that is included in Windows—the same component that will enable Automatic Update—these products will not need to rely on the deployment of a Windows Update Services server to use the analysis engine.

Over time, SMS and its successor product (Microsoft System Center) increasingly will take advantage of the Windows Update Services infrastructure to deliver advanced update management capabilities.

Update management technology releases planned for the near term include Microsoft Update, Windows Update Services, SMS 2003 SP1, and MBSA 2.0.  

Microsoft Update

Similar to Windows Update in function, Microsoft Update will be a new online update service hosted by Microsoft that supports delivery of updates for various versions of the Windows operating systems as well as additional Microsoft software. Microsoft Update will also deliver critical driver updates. Microsoft Update is scheduled for release toward the end of 2004.

When initially released, Microsoft Update will deliver updates for Windows 2000, Windows XP, Windows Server 2003, Microsoft Office 2003, Microsoft Office XP, Microsoft SQL Server 2000, MSDE 2000, and Microsoft Exchange Server 2003. Delivery of updates for additional Microsoft software will be provided over time on an ongoing basis.

Windows Update will continue to be maintained and updated along with Microsoft Update for legacy reasons.

Windows Update Services

Building upon the capabilities provided in SUS 1.0, Windows Update Services, the next version of Software Update Services, will increase administrative flexibility while simplifying overall security and software update management. Windows Update Services is scheduled for release toward the end of 2004, in conjunction with the release of Microsoft Update.

Because Windows Update Services will synchronize with Microsoft Update to download updated content, the initial release of Windows Update Services will support updating the same set of software listed earlier for Microsoft Update and will automatically support additional Microsoft software on an ongoing basis as that content becomes available on Microsoft Update.

In addition to the ability to update additional Microsoft software, the key enhancements to be delivered in Windows Update Services include:

  • New update management infrastructure for Windows, including the authoritative, built-in analysis engine from Microsoft for detecting missing updates for all software supported by Windows Update Services; a new data model for update management; and client and server APIs to enable integration with non–Microsoft management or security software as well as development of administrative scripts.

  • Expanded administrative capabilities to control update targeting, uninstallations, client detection frequency, installation deadlines, end-user experience, and so on.

  • Enhanced bandwidth optimization, including improved binary delta compression, to dramatically reduce the size of update downloads.

  • Status reporting, including predefined reports to show missing updates, download status, and installation status.

For information about Windows Update Services, see https://www.microsoft.com/wus.

Systems Management Server 2003 SP1

Since the release of SMS 2003, Microsoft has updated its analysis technologies to use the enhanced MBSA 1.2, which was released in January 2004. SMS 2003 SP1 will be available in the third quarter of 2004 and will improve the existing update management features in SMS 2003 by making it even easier to get updates more quickly from Microsoft and then deliver them to an enterprise. SMS 2003 SP1 will also extend SMS 2003 to provide updates from key hardware manufacturers, such as Dell Corporation, in the same integrated way that customers manage their Microsoft updates in SMS 2003 today.

SMS 2003 will also be updated to use the analysis engine in the Windows Update Services client shortly after this client releases. The use of this engine will increase the consistency of update scanning across all Microsoft platforms and products. Additional enhancements are being planned for the next version of SMS but have not been finalized at the time of this writing.

For more information about SMS 2003, see https://www.microsoft.com/smserver.

Microsoft Baseline Security Analyzer 2.0

Slated for release the first half of 2005, MBSA 2.0 represents a significant step forward in the ability to detect, analyze, and correct security issues for organizations of all sizes. MBSA will continue to report common security misconfigurations and missing security updates, but it will use the analysis engine in Windows Update Services for all software supported by Windows Update Services. However, until Windows Update Services supports all Microsoft software designed for use in organizations, MBSA will continue to use its own analysis engine for the software not supported by Windows Update Services.

For more information about MBSA, see https://www.microsoft.com/mbsa.

See the following resources for further information:

1 Forrester Research, 2003
2 Computer Security Issues and Trends, Vol. VIII. No. 1, Spring 2002
3 CERT, 2003