Obtaining and Applying Current Security Patches

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You should always evaluate and apply the latest security updates to keep your Web sites and applications secure. These security updates are published as service packs or hotfixes. As new security vulnerabilities are discovered, Microsoft publishes updates that mitigate the risks they pose. Apply these security updates so that your Web server is protected against the most current threats.

Stay current with security updates by completing the following steps:

  1. Obtain the current security updates by using any combination of the following:

    • Subscribe to the Microsoft Security Notification Service newsletter. This is a free subscription-based service that sends e-mail notifications about available security updates to administrators.

      To subscribe to the Microsoft Security Notification Service newsletter, see the Microsoft.com Profile Center.

    • Run Windows Update on a regular basis. Windows Update is a service that runs on Windows-based computers. Windows Update scans the local computer and identifies any updates that are applicable for the software installed on the computer. Windows Update is installed on Windows Server 2003 by default. You must manually start Windows Update on the Web server from Help and Support Center for Microsoft® Windows® Server 2003.

      For more information about running Windows Update, see "Windows Update" in Help and Support Center for Windows Server 2003.

    • Deploy Microsoft Software Update Services (SUS). SUS is a service that acts as an intermediary between the Windows Update server on Microsoft.com and the Windows-based computers in your organization running Windows Update. By using SUS, you can download the latest updates to a server on your intranet, test the updates on test servers, select the updates that you want to deploy, and then deploy the updates to computers within your organization.

      For more information about deploying SUS, see Software Update Services Deployment White Paper in Designing a Managed Environment in the Windows Server 2003 Deployment Kit.

    Table 3.11 lists the options for obtaining security updates, and describes the advantages and disadvantages of each option.

    Table 3.11   Options to Obtain Security Updates

    Option: Microsoft Security Notification Service Newsletter

      Advantages:

      • Does not require Web servers to be directly connected to the Internet.
      • Does not require a dedicated server.
      • Is free.
      • Is not specific to a particular technology, such as IIS.
      • Is not specific to a particular operating system version.

      Disadvantages:

      • Requires administrators to manually review newsletters for recommended updates, and then obtain and deploy the updates themselves.

    Option: Windows Update

      Advantages:

      • Provides automatic notification of available updates.
      • Is free.

      Disadvantages:

      • Requires the Web server to have Internet access.

    Option: SUS

      Advantages:

      • Provides automatic notification of available updates.

      Disadvantages:

      • Requires a dedicated server to run properly.
      • Requires the SUS server to be able to access the Internet.
      • Requires SUS to be obtained and installed separately.

  2. Test the security updates on a Web server in a test environment.

    Before deploying the security updates on your production Web server, deploy them, by using one of the options listed in Table 3.12, to a test Web server that is configured identically to your production Web server, and confirm that the updates install cleanly there. Table 3.12 lists the options for deploying the security updates on a Web server in a test environment.

    Table 3.12   Options for Deploying Security Updates

    Option: Microsoft Security Notification Service Newsletter

      Deployment: Manually download the updates, and then deploy them manually or automatically by using a software distribution program, such as Microsoft Systems Management Server.

    Option: Windows Update

      Deployment: Configure Windows Update to do one of the following:

      • Inform an administrator who is logged on to the Web server that updates are available, and then allow the administrator to install the updates.
      • Install updates automatically.

    Option: SUS

      Deployment: Configure SUS to provide updates to the Web server through Automatic Updates, an updated version of the Windows Update client that obtains updates from the intranet SUS server instead of directly from Microsoft.

    You can configure Windows Update and Automatic Updates in SUS to install updates automatically, with or without confirmation, based on the security rating of the update. Table 3.13 lists the security ratings used by Windows Update and Automatic Updates, and provides a description of each rating.

    Table 3.13   Security Ratings Used by Windows Update and Automatic Updates

    Rating      Description

    Critical    A vulnerability that, if exploited, might allow the propagation of an Internet worm without user action.

    Important   A vulnerability that, if exploited, might result in a compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.

    Moderate    A vulnerability whose risk is mitigated by factors such as default configuration, auditing, or difficulty of exploitation.

    Low         A vulnerability that is extremely difficult to exploit, or that has minimal impact.

  3. Deploy the security updates to your production Web server by using the same option that you tested on the test Web server.
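The following PowerShell script is an added example; it is not part of the original page and is not a Microsoft tool. It carries Steps 2 and 3 through in code: the first function writes the policy registry values that the Automatic Updates client reads when it is pointed at an intranet SUS server (the Table 3.12 SUS option), with the notify-before-install behavior for the test server and the scheduled-install behavior for production, and the second pair of functions checks, over WMI, that the production server ends up with exactly the hotfixes that were tested. The SUS URL http://sus01, the computer names web-test and web-prod, and all function names are assumptions. Windows PowerShell is a separate download for Windows Server 2003, and the script needs administrative rights.

```powershell
# Added example, not part of the original page or of any Microsoft tool.
# Points a Windows Server 2003 Web server's Automatic Updates client at an
# intranet SUS server (Step 2, Table 3.12) and checks that the production
# server ends up with the same hotfixes as the test server (Step 3).
# Assumptions: the SUS URL, computer names and function names are illustrative;
# run with administrative rights on a machine with Windows PowerShell installed.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

# Creates the policy key if needed and writes (or overwrites) one value.
function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# AUOptions: 2 = notify before download, 3 = download and notify before install,
# 4 = download and install on the schedule below. A test server typically uses 3
# so an administrator approves each install; production uses 4 once the updates
# have been tested.
function Set-AutomaticUpdatesPolicy {
    param(
        [string]$SusServerUrl,   # hypothetical intranet SUS server, e.g. http://sus01
        [int]$AuOptions,
        [int]$InstallDay = 0,    # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour = 3    # 0-23, local time
    )
    if ($SusServerUrl -notmatch '^https?://') { throw "SusServerUrl must be an http(s) URL" }
    if ($AuOptions -lt 2 -or $AuOptions -gt 4) { throw "AuOptions must be 2, 3 or 4" }
    if ($InstallDay -lt 0 -or $InstallDay -gt 7) { throw "InstallDay must be 0-7" }
    if ($InstallHour -lt 0 -or $InstallHour -gt 23) { throw "InstallHour must be 0-23" }

    Set-PolicyValue $WuPolicyKey 'WUServer'       $SusServerUrl 'String'  # where updates come from
    Set-PolicyValue $WuPolicyKey 'WUStatusServer' $SusServerUrl 'String'  # where client status is reported
    Set-PolicyValue $AuPolicyKey 'UseWUServer'    1            'DWord'   # 0 would go straight to Microsoft
    Set-PolicyValue $AuPolicyKey 'NoAutoUpdate'   0            'DWord'   # 1 would disable Automatic Updates
    Set-PolicyValue $AuPolicyKey 'AUOptions'      $AuOptions   'DWord'
    Set-PolicyValue $AuPolicyKey 'ScheduledInstallDay'  $InstallDay  'DWord'
    Set-PolicyValue $AuPolicyKey 'ScheduledInstallTime' $InstallHour 'DWord'

    # Ask the Automatic Updates client to re-read policy and check in with the SUS server now.
    wuauclt.exe /detectnow
}

# Lists the KB/Q identifiers of installed hotfixes on a server via WMI
# (works remotely with Administrators rights; no agent is needed on Windows Server 2003).
function Get-InstalledHotfixIds([string]$ComputerName) {
    # The regex drops the 'File N' filler rows this class can emit on Windows Server 2003.
    Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID } |
        Where-Object { $_ -match '^(KB|Q)\d+$' } |
        Sort-Object -Unique
}

# Compares the hotfix sets of the test and production servers. Anything present only
# on production was never tested; anything present only on test has not been deployed.
function Compare-InstalledHotfixes([string]$TestServer, [string]$ProductionServer) {
    $onTest = @{}
    foreach ($id in @(Get-InstalledHotfixIds $TestServer))       { $onTest[$id] = $true }
    $onProd = @{}
    foreach ($id in @(Get-InstalledHotfixIds $ProductionServer)) { $onProd[$id] = $true }

    $result = @{
        NotYetDeployed = @($onTest.Keys | Where-Object { -not $onProd.ContainsKey($_) } | Sort-Object)
        Untested       = @($onProd.Keys | Where-Object { -not $onTest.ContainsKey($_) } | Sort-Object)
    }
    $result.Identical = ($result.NotYetDeployed.Count -eq 0 -and $result.Untested.Count -eq 0)
    return $result
}

# Example usage (adjust the hypothetical names first):
#   On web-test:  Set-AutomaticUpdatesPolicy -SusServerUrl 'http://sus01' -AuOptions 3
#   On web-prod:  Set-AutomaticUpdatesPolicy -SusServerUrl 'http://sus01' -AuOptions 4 -InstallDay 1 -InstallHour 3
#   $r = Compare-InstalledHotfixes -TestServer 'web-test' -ProductionServer 'web-prod'
#   if (-not $r.Identical) { $r.NotYetDeployed; $r.Untested }
```

The same policy values can be pushed with Group Policy instead of a script; the registry path above is the one the Automatic Updates policy template writes to, so either method gives the client the same view. The comparison is deliberately two-sided: a hotfix that appears only on production is as much a process failure as one that never reached production, because it was installed without going through the test server.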