Two weeks ago in Windows & .NET Magazine UPDATE, I discussed the Microsoft patch-management nightmare ( http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39383 ); now I'm happy to report that the company will be fixing this problem much sooner than I'd previously thought. In a recent briefing with Microsoft, I learned how the software company will consolidate its patch-management infrastructure and tools and provide customers a more workable solution by mid-2004. Here's what's happening.
Today, we have a variety of patch-management tools, but many of them draw on different back-end data sources, which can cause confusion. For example, you might run the Microsoft Baseline Security Analyzer (MBSA) against a Windows XP installation and receive a report listing several updates you need to install, but when you run Windows Update against that same machine, it says you're up-to-date. The two tools disagree not because one is broken but because each is checking a different catalog of what "patched" means.
The number of patch-management tools available to enterprises is bewildering. Microsoft offers Windows Update and Auto Update to individuals and very small businesses; Microsoft Software Update Services (SUS) to small- and mid-sized businesses; Microsoft Systems Management Server (SMS) SUS Feature Pack for enterprises; and other tools, such as MBSA and the IIS Lockdown Tool to address specific problems. The company also offers an Office Update Web site, similar to Windows Update, for its Microsoft Office products.
Another concern is patch quality. Microsoft walks a fine line between releasing security patches quickly and releasing patches that correct the problem without introducing new problems. Many of Microsoft's critics complain that the company doesn't deliver high-quality patches quickly enough. To release a high-quality patch, the software giant must perform a certain level of testing. So I ask, "Do you want the patch now or do you want it right?"
Microsoft tells me it will address all these concerns. On the back end, Microsoft is creating a new centralized patch-management infrastructure that it will use for all its products. New versions of existing patch-management tools will build off this infrastructure, and the long-sought version of Windows Update that will work with all the software giant's products is on the drawing board as well. I think of this product as "Microsoft Update," but the company tells me it hasn't settled on a name yet. When these new products appear in the first half of 2004, you'll no longer see different results when you run MBSA and Windows Update, for example. For more information about these plans, please see my WinInfo Daily Update article, "Exclusive: Microsoft's Plan to End the Patch Management Nightmare" ( http://www.wininformant.com/articles/index.cfm?articleid=39451 ).
Microsoft has plans for other products and initiatives that will intersect with its patch-management plans. In December 2003, the company plans to release Windows Server 2003 Service Pack 1 (SP1), which will include a tool called the Microsoft Security Configuration Wizard. This excellent role-based wizard will finally answer what might be the number-one question I receive: "How do I know which services I can turn off in my Windows installation?" To date, this question has been virtually impossible to answer, even for a base Windows install, and the answer gets even more complicated as you add features and other products to the mix. Currently, your best bet is to review a list of services and what they do. But even these lists don't capture the complexity of the situation, because many services on a Windows system depend on other services: stopping one that looks unneeded can silently take down one you do need.
To solve this problem, Microsoft is creating an extensible XML-based database covering Windows 2003 and every Microsoft server product that can run on that platform. When you run the wizard, it will query your system and compare the results with the database. You'll be able to choose which roles your server should perform--email server, Web server, domain controller (DC)--and the wizard will shut down all unneeded services and ports. For the curious, the wizard will even provide a list of those services so that you can see what it's doing. And because the tool is extensible, third parties can add their products to the database, and administrators and developers can add their custom-built in-house applications. I look forward to evaluating this tool, and I'll report back as soon as possible. I hope this functionality will also be made available for other Windows versions, such as XP and Windows 2000.
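To make the dependency problem concrete, here is an added PowerShell example (not code from the article and not the Security Configuration Wizard itself) that does the core of what the wizard's role logic does: start from the services a role needs, walk their dependency chains so nothing a required service relies on is ever flagged, then report every running service that falls outside that set. The role service list is an illustrative assumption, not a Microsoft-published role definition, and the script is report-only unless you pass -Stop.

```powershell
# Added example, not part of the original article or of the Security Configuration Wizard.
# Given the services a server role needs, compute the closure of everything they depend on,
# then report (and optionally stop) running services outside that closure.
# The default role list below is an assumption for illustration (a rough IIS web-server role).

param(
    # Short service names as reported by Get-Service, not display names.
    [string[]]$RoleServices = @('W3SVC', 'WAS', 'Dnscache', 'EventLog', 'LanmanServer'),
    # Report-only by default; pass -Stop to actually stop the unneeded services.
    [switch]$Stop
)

function Get-RequiredClosure {
    param([string[]]$Names)
    # Breadth-first walk over ServicesDependedOn (a property of the
    # System.ServiceProcess.ServiceController objects Get-Service returns).
    # Case-insensitive set, because dependency names do not always match the case you typed.
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($n in $Names) { $queue.Enqueue($n) }
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }          # already visited
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "Role service '$name' is not installed"; continue }
        foreach ($dep in $svc.ServicesDependedOn) { $queue.Enqueue($dep.Name) }
    }
    return $seen
}

$required = Get-RequiredClosure -Names $RoleServices

# Anything running that is not in the closure is a candidate to stop. By construction,
# no required service depends on a candidate, so stopping candidates cannot break the role.
$candidates = Get-Service | Where-Object {
    $_.Status -eq 'Running' -and -not $required.Contains($_.Name)
}

# Like the wizard's "show me what you're doing" list: each candidate plus the running
# services that depend on it (those would be taken down with it).
foreach ($svc in $candidates) {
    $dependents = $svc.DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Service           = $svc.Name
        DisplayName       = $svc.DisplayName
        RunningDependents = ($dependents -join ',')
    }
}

if ($Stop) {
    # -Force stops dependents too; by the closure argument above none of them is required.
    $candidates | Stop-Service -Force -ErrorAction Continue
}
```

Run it first without -Stop and read the list; on a stock install it will include core plumbing such as RPC and the Workstation service that your role list simply forgot to name, which is exactly why a curated, extensible database like the one the wizard will ship matters more than a script. Two caveats: Stop-Service changes only the running state, so anything you stop returns at the next reboot unless you also change its startup type, and this handles services only, not the listening ports the wizard is also meant to close.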
Another upcoming product that will have dramatic ramifications for patch management is Longhorn, the next major Windows client release (Longhorn is currently due in late 2005). Microsoft will build Longhorn in a modular fashion, much as XP Embedded is built today, which will let administrators and PC makers deploy systems more easily. Because 85 to 90 percent of Longhorn code will consist of a language-independent core code module, creating Longhorn versions such as home, professional, Tablet PC, or Media Center Edition will simply mean adding the appropriate code modules to the core module. For example, a PC maker wishing to supply Longhorn Media Center Edition to the US market would assemble the Longhorn core module with the US English language module, the Longhorn professional module, and the Longhorn Media Center Edition module (Media Center Edition builds on professional). The end result will be a more stable system for which patch management will be far simpler. Because most of Longhorn's code will reside in the core module, Microsoft will be able to release most bug fixes against that one code base, removing the need for language- and version-specific fixes. This approach will result in faster and more stable patch delivery.
Of course, Longhorn is still 2 years away. In the meantime, Microsoft is working to, well, patch its current products with more elegant patch management. But looking ahead, it's exciting to think that a long-term dream of centralized patch management is finally happening.