In January 2002, Microsoft launched the Trustworthy Computing initiative throughout its organization with the goal that computers, OSs, and applications should be secure by design, secure by default, and secure by deployment. This last point, secure by deployment, is Microsoft’s terminology for systems that are easily audited and patched as needed, thereby helping organizations assess and manage security risks across their networks.
“Easy” is really the key to the success of secure by deployment, because the cost of manually deploying hotfixes throughout an organization tends to grow exponentially as the number of devices within the organization increases. Manual patching is simply no longer a viable option for most organizations; rolling out a patch “by hand” throughout an organization is just too costly because patches are released so frequently. The net result of the problems with manual patching is evident in the fact that systems that are exploited usually could have been protected had patches been applied in time. In fact, a recent Carnegie Mellon University study estimates that 99 percent of all reported intrusions were exploitations of known vulnerabilities or configuration errors for which countermeasures existed.
To address its customers’ need to keep up-to-date on patches and hotfixes, Microsoft several years ago released Software Update Services (SUS), which lets administrators run their own sort of private “Windows Update” server for their organization. Through SUS’s tight integration with the Automatic Updates client on each server and workstation in an organization, deploying new patches for Windows and its related components became as simple as selecting a check box to approve each patch you wanted pushed out. Servers and workstations then dutifully obeyed these approvals and either staged or installed the hotfixes according to the configurations that were set.
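The client-side half of that arrangement is the Automatic Updates policy that points each machine at the internal SUS server and says whether approved patches are staged or installed. The script below is an added example, not from the article or from Microsoft, that writes those policy values (the same registry values Group Policy sets) and reads them back as a compliance check; the server name is a placeholder.

```powershell
# Added example: configure the Automatic Updates client for an internal SUS server.
# Assumption: https://sus.example.internal is a placeholder for your own SUS server.
# Prefer an HTTPS URL where the server supports it, so a client cannot be redirected
# to an impostor update server by tampering with plaintext traffic.
$Server = "https://sus.example.internal"

$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

# Server to download approved updates from, and server to report status to
Set-ItemProperty -Path $wu -Name WUServer       -Value $Server -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $Server -Type String

# Use the internal server instead of the public Windows Update site
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord

# AUOptions: 2 = notify before download, 3 = download, then notify before install,
#            4 = download and install automatically on the schedule below
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord  # 03:00

# Compliance check: confirm the client is really bound to the internal server,
# that automatic updating is on, and that the server URL is not plaintext HTTP.
function Test-AUPolicy {
    $p = Get-ItemProperty -Path $wu
    $a = Get-ItemProperty -Path $au
    $ok = ($a.UseWUServer -eq 1) -and ($a.NoAutoUpdate -eq 0) -and
          ($p.WUServer -like "https://*") -and
          ($a.AUOptions -ge 2) -and ($a.AUOptions -le 4)
    New-Object PSObject -Property @{
        Server    = $p.WUServer
        AUOptions = $a.AUOptions
        Compliant = $ok
    }
}

Test-AUPolicy
```

After changing the policy, `wuauclt /detectnow` makes the client contact the server immediately instead of waiting for its next scheduled detection.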
Administrators who start using SUS often wonder how they ever lived without it! However, there are a few areas where SUS has typically fallen short—namely in grouping systems by classification (i.e., servers versus desktops) to vary patch deployments, in pushing out application patches (not only OS patches), and in reporting.
In the second quarter of 2005, Microsoft plans to release an update to SUS that provides a significant architectural redesign and to rebrand it as Windows Server Update Services (WSUS). This solution will truly bring enterprise-class patch management capabilities to organizations of all sizes, but without the complexity or the cost of most enterprise-class applications. (Just like SUS, WSUS is expected to be released free of charge by Microsoft.) In short, SUS—and soon, WSUS—deserves a place on every Microsoft network.