
Automating security patches


Sun City, 27 Aug 2003

Microsoft explained its much-publicised service for managing security patches at this week's Tech-Ed at Sun City, saying that a choice of three methods is available to replace current patching practices, which are reactive and inadequate.

These are Software Update Services (SUS), currently at version 1.0 with service pack (SP) 1; Windows Update (WU); and Systems Management Server (SMS) 2.0 with the SUS Feature Pack.

Jacob Miemic, Microsoft account technologist, told delegates that the first two manage only Windows updates, whereas SMS is an end-to-end software update system that also covers security updates.

"If you are currently using SMS, then SUS is probably not for you," Miemic said. Microsoft's literature on the three technologies sets out the other salient differences between SUS, SMS and WU, and the pros and cons of each. Miemic noted that SUS is probably at home in small to medium-sized companies, whereas SMS is primarily used by larger enterprises.

Patchy patch management

"Accenture has revealed that up to 70% of companies' resources are devoted to maintaining their existing environments, and only 30% to moving the business forward," said Miemic. "Current systems are reactive, and that's understandable, but there is a better way."

SUS delivers only those updates that administrators have approved, but it cannot target an update at specific machines or groups the way SMS can. Nor does it offer the central, customisable inventory of the infrastructure that SMS maintains. SUS, furthermore, covers security patches only, not all software, and only in the Windows environment.

This Windows-centricity is also a hallmark of WU, but since the great majority of the vulnerabilities Microsoft patches are in Windows itself, both remain reasonable security patch automation technologies.

SMS requires licence fees, while SUS and WU do not. SUS covers only Windows 2000 SP2 and later and Windows XP, while SMS covers all major versions, including Windows 95. The SUS architecture and installation are considered much easier than those of SMS. SUS is not suitable for service pack updates.

In short

SUS consists of two components: Microsoft Software Update Services and Automatic Updates. The first is a server-side component that runs on a machine running Windows 2000 Server; it synchronises with the Windows Update site and then delivers critical updates to Windows 2000 and XP clients.

Synchronisation can be manual or automated. Once downloaded, new updates are tested and explicitly approved by the administrator before they are distributed to clients; an update the SUS server has downloaded but not yet approved is never offered to them.

The second component is Automatic Updates, which sits on each client device or server that receives updates from the SUS server. An administrator can specify which SUS server a given client or server connects to, and how downloads and installations are scheduled, either centrally through Group Policy in Active Directory or by setting the same policy values manually on each machine.
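As an added example (not code from the article, from Microsoft or from the speaker), the following PowerShell writes the same client-side policy values that the Windows Update Group Policy template sets, so that an Automatic Updates client is pointed at an internal SUS server rather than the public Windows Update site, and then reads them back as a check. The server name sus01.corp.example, the function names and the schedule defaults are placeholders chosen for the illustration.

```powershell
# Added example, not from the article or from Microsoft. It writes the
# policy values that the "Windows Update" Group Policy template sets, so a
# Windows 2000 SP2+/XP Automatic Updates client fetches approved updates from
# an internal SUS server instead of the public Windows Update site.
# The host name sus01.corp.example is a placeholder.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-SusClientPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $SusServer,  # e.g. http://sus01.corp.example
        [ValidateSet(2, 3, 4)] [int] $AUOptions = 4,   # 2 notify, 3 download and notify, 4 install on schedule
        [ValidateRange(0, 7)]  [int] $InstallDay = 0,  # 0 every day, 1 Sunday ... 7 Saturday
        [ValidateRange(0, 23)] [int] $InstallHour = 3
    )
    if ($SusServer -notmatch '^https?://') {
        throw "SusServer must be a URL, e.g. http://sus01.corp.example"
    }
    foreach ($key in @($PolicyKey, $AuKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Download source and status-reporting server both point at the SUS server.
    New-ItemProperty -Path $PolicyKey -Name WUServer       -Value $SusServer -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $SusServer -PropertyType String -Force | Out-Null
    # UseWUServer = 1 is the value that actually redirects the client away from Windows Update.
    New-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1            -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0            -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name AUOptions            -Value $AUOptions   -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -PropertyType DWord -Force | Out-Null
}

function Test-SusClientPolicy {
    # Reads the policy back and reports whether the client really uses the internal server.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $usesSus = ($au.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($wu.WUServer)
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
        UsesSusServer  = $usesSus
    }
}

# Usage (run as an administrator on the client being configured):
Set-SusClientPolicy -SusServer 'http://sus01.corp.example' -AUOptions 4 -InstallDay 0 -InstallHour 3
Test-SusClientPolicy
```

In a domain, the same values are better set once in a Group Policy object than per machine, so that every client receives an identical configuration and only a domain administrator can change it; the script above is for standalone hosts or for checking what a client has actually been given. Note that the client will download and install whatever the server named in WUServer offers, so that value should be set centrally and the SUS server itself protected like any other software-distribution host.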

For a series of frequently asked questions, visit Microsoft's resource site on SUS.
