Fortify your servers and workstations with SMS patch management
Staying one step ahead of new exploits of known vulnerabilities takes time and effort. At a minimum, such preparedness requires that Microsoft has patched the vulnerability and that you've protected your systems with the most current updates. In "Patching Windows with SUS," March 2003, http://www.winnetmag.com, InstantDoc ID 37938, I wrote about Microsoft Software Update Services (SUS) and IntelliMirror, two mechanisms that can help you automatically deploy critical Windows updates and service packs in small to midsized environments.
Microsoft offers a third service that provides more robust update management, typically for larger environments. The SMS Software Update Services Feature Pack, which runs on top of Microsoft Systems Management Server (SMS) 2.0, provides update-inventory scanning of both Windows and Microsoft Office platforms, as well as detailed and customizable Web reports that provide the status of updates and patches. Although SMS is generally regarded as a complex enterprise product for large organizations, your small to midsized business can benefit from the Feature Pack's enhanced inventory and reporting capabilities, even if you use it in conjunction with the lighter-weight in-house version of Windows Update (aka SUS). With the capabilities of the Feature Pack, everybody wins.
Built On Top of SMS
The Feature Pack, which you can download at http://www.microsoft.com/smserver/downloads/20/featurepacks/suspack/default.asp, is a set of add-on modules that you install into an SMS site. These modules provide Windows Security Update scanning, Office Update scanning, Web reports, and an update-deployment wizard to help you create SMS packages to deploy your updates.
The SMS platform, a powerful enterprise tool with which you can centrally manage your client machines, includes features such as hardware and software inventory, software distribution, software metering, and remote control services. To assess and install updates for Windows Security and Office products, the Feature Pack leverages SMS's inventory and software-distribution mechanisms. To provide a flexible query and reporting engine for presenting a variety of highly customizable update summary reports, the Feature Pack also includes an enhanced version of the SMS Web Reports.
To take advantage of these features and enhancements, you must first conquer the relatively steep learning curve of successfully deploying and managing SMS 2.0. Fortunately, many resources are available to help answer questions you might have about this multifaceted product. For a primer about the base SMS installation, see "The SMS 2.0 SUS Feature Pack," January 2003, http://www.winnetmag.com, InstantDoc ID 27373. For SMS 2.0 planning, deployment, and administration tutorials, check out http://www.microsoft.com/smserver/default.asp.
Installing the Feature Pack
Compared with the base SMS installation, setup and configuration of the Feature Pack modules are quick and straightforward. Although the modules are interdependent, you install and configure them separately. This modular approach greatly increases the Feature Pack's flexibility to incorporate future scanning tools and might permit some of the modules to plug into the future SMS 2003. To inventory a client's updates, the Feature Pack relies on two update-scanning modules: SMS-tweaked versions of the Office Update tool and the Microsoft Baseline Security Analyzer (MBSA). Using existing tools in these modules not only leverages systems administrators' familiarity with the tools but also lets Microsoft release this Feature Pack quickly.
The inventory modules' installation wizards configure the scanners to work within your SMS framework and create SMS objects to conduct weekly Office and Security Update scans on specified SMS clients. SMS collects the results of these scans during the next scheduled SMS client hardware inventory, so be sure that you have hardware inventory turned on within your site. (Navigate to Site Database, Site Hierarchy, Site Name, Site Settings, and click Client Agents. In the right pane of the resulting Microsoft Management Console—MMC—window, double-click the names of the agents you want to install. Enable Hardware Inventory Client Agent. Additionally, to deploy updates, enable Software Inventory Client Agent and Advertised Programs Client Agent.) In addition to the weekly client-inventory scans, SMS configures the Office Update tool and MBSA to synchronize their update database with Microsoft on a weekly basis.
To create SMS packages that contain the client-update binary files, install the Distribute Software Updates Wizard module. Install the Web Reports module to view the update-inventory scan results for installed or applicable Office or Security updates. Setup wizards walk you through the relatively clean process of installing and configuring the modules.
After you fully configure the Feature Pack, recurring tasks such as running the scanning tools, downloading the update catalog, and installing the update executables on client machines are automated. However, unlike the more transparent, behind-the-scenes approach of the Windows Update-powered SUS, the Feature Pack requires you to follow several manual steps for creating a package of updates that you want to deploy. A wizard guides you through the necessary steps.
Easier Package Building
Many consider the creation of SMS software-distribution packages to be something of an art, requiring much testing and tweaking to arrive at a successful program deployment. Testing remains important, but the Distribute Software Updates Wizard streamlines the creation of Office and Security update packages.
Run the wizard from within the SMS Administrator Console by navigating to a package node, right-clicking All Tasks, and selecting Distribute Software Updates. Follow the wizard's step-by-step approach to identify applicable updates, download update binaries, and target the update for SMS distribution. The wizard compares the list of applicable updates that it finds with the list of approved updates that SUS displays, as Figure 1 shows. The Distribute Software Updates Wizard lists only applicable updates that a previous update scan has identified.
You must choose to include either the Office or Security update type (not both) in a given package. You can include multiple updates of one type within the package, however. This freedom is convenient because fewer packages are ultimately easier to manage. Also, you can leverage Microsoft's update-chaining tool, Qchain, which monitors which files change during sequential update applications and suppresses reboots between multiple updates until the last chained update has been installed. (For more information about Qchain, see Inside Out, "Roll Out Secure Servers," June 2002, http://www.winnetmag.com, InstantDoc ID 24892.)
The wizard also automatically downloads update binaries; however, you might need to manually provide binaries if the automatic download fails. For each update, you must also specify command-line parameters to suppress the UI and system restarts. Unfortunately, these parameters differ depending on whether you're installing Microsoft Internet Explorer (IE), the Windows OS, or other Microsoft updates. (Disparate or competing update-installation technologies have created problems for Microsoft in the past, and the Feature Pack inherits some of this confusion.) These parameters, however, are well documented, and you'll find yourself reusing the same basic parameters for most of your updates. Table 1 lists parameters for popular updates. (You can find these parameters in the Microsoft article "Summary of Command-Line Syntax for Software Updates," http://support.microsoft.com/?kbid=810232.)
For example, suppose that after running an update-inventory scan, you view the reports and find that several of your machines don't have the Windows 2000 update Q123456, a patch that covers a Win2K Server vulnerability. In the Distribute Software Updates Wizard, you add update Q123456 to a new or existing package. In the update details, you specify the parameters /z, /m, and /q. For Win2K updates, /z suppresses the reboot after installation, /m specifies an unattended-mode installation, and /q complements unattended mode by specifying a quiet installation that doesn't require user interaction. Perhaps Microsoft will one day use a single patch-installation engine, but until then you need to juggle these parameters.
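To show how the /z, /m, and /q parameters and Qchain fit together, here is an added batch-file example (not from the article or from Microsoft's documentation) that chains two Win2K updates outside the wizard. The UNC path, log file name, and hotfix file names are placeholders you would replace with your own.

```batch
@echo off
setlocal
rem Constructed example: install two Win2K security updates back to back
rem with the reboot suppressed, then run Qchain.exe so that one reboot
rem finishes both. Paths and Qnnnnnn file names are placeholders.
set PATHTOFIXES=\\servername\updates\w2k
set LOGFILE=%SystemRoot%\update-chain.log

rem /m = unattended, /q = quiet, /z = do not reboot when this update finishes
"%PATHTOFIXES%\Q123456_W2K_SP3_x86_EN.exe" /z /m /q
if errorlevel 1 echo Q123456 returned %ERRORLEVEL% >> "%LOGFILE%"

"%PATHTOFIXES%\Q234567_W2K_SP3_x86_EN.exe" /z /m /q
if errorlevel 1 echo Q234567 returned %ERRORLEVEL% >> "%LOGFILE%"

rem Qchain reconciles the file replacements the updates above queued for
rem the next reboot, so the newest version of each file is the one kept.
rem The optional argument is the file Qchain writes its log to.
"%PATHTOFIXES%\qchain.exe" "%LOGFILE%"
endlocal
```

The switches are the same ones you enter in the wizard's update details; the script only makes visible the order in which the chained installers and Qchain run and where a failed installer's exit code ends up.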
For each vulnerability, Microsoft typically creates multiple updates—one for each target OS. If you add multiple updates that address the same vulnerability to one package, the Feature Pack will install only the update that's appropriate to the version of software that you're running. For example, suppose you haven't yet patched for "MS02-006: An Unchecked Buffer in the SNMP Service May Allow Code to Run" (http://support.microsoft.com/?kbid=314147) and you're running both Windows XP and Win2K in your environment. Your list of applicable updates would include two patches for this update: one for XP and one for Win2K Server Service Pack 2 (SP2). As the first step toward deploying an update package, the Feature Pack scans the client computer to determine which applicable updates need to be installed. To create the actual list of updates that are installed on that client, the Feature Pack compares the list of applicable updates with a list of updates contained in the deployment package. Then, the software installs only the applicable updates that are in the deployment package. Although the Security updates require that you add UI and reboot parameters, the wizard walks you through the steps to do so.
The wizard is helpful for identifying and creating packages, programs, and advertisements for Office and Security updates. Creating and deploying an update in the Feature Pack isn't as easy as simply approving an update, as you would do with SUS, but overall, the Feature Pack gives you more flexibility than SUS in determining how and where you distribute these updates.
Client Update Control
The Feature Pack gives you good control over how your users interact with the updates, as Figure 2 shows. You can specify whether updates are optional and whether users can postpone installation until a more convenient time, and you can apply updates in the background or require user intervention. The Feature Pack also lets you send the user a custom message (in Rich Text Format—RTF) that describes the update.
The Feature Pack leverages SMS collections to provide robust client-targeting options. Collections are logical groupings of computers based on specific traits, such as brand or model, remaining disk space, processor speed, and installed RAM. The ability to target any update to a collection simplifies phased rollouts and testing to a subset of computers.
The Feature Pack provides several useful update-status reports across all SMS clients. The Web Reports module comes with more than 15 predefined reports concerned with software updates. Figure 3, page 115, shows a sample Web report that displays all applicable updates for a specific machine. Additionally, the Web reports create several Feature Pack-related views in the SMS Microsoft SQL Server database and a query interface that lets you create custom reports, assuming you have a working knowledge of SQL Server.
In its attempt to handle Office updates, the Feature Pack stumbles a bit. The Feature Pack deploys the updates, but configuring it to do so without user intervention might require additional manual setup. The reason for this hiccup is that the Office updates are packaged differently from the Windows security updates and might require access to the Office CD-ROM or network-installation binary files. If those files are unavailable to the SMS software distribution account, the need for them can trip up an unattended installation.
Typically, your client computers will use the registry to remember the path to the installation files. However, the Distribute Software Updates Wizard configures the Office update installation program to run under an SMS local machine account (i.e., clientmachine\SMSCliToknAcct&), and this account might not have access to the installation files share. In this case, an installation will fail unless you make your source binaries available to the distribution point.
An alternative is to manually inform the update application where to find the source binaries, then configure the program to run under a domain client software installation account that has access to these source binaries. (Network shares mapped to drive letters might also cause problems for the Distribute Software Updates Wizard.) For example, rather than use W:\Visio 2002 Professional, you might inform the update application that the source binaries reside in \\servername\applications\Visio 2002 Professional.
Also, the self-installing Office updates don't provide an optimal means for suppressing the UI. Microsoft offers a slightly cumbersome workaround to this problem: You can manually extract the update files to the package source folders, then edit the ohotfix.ini file (which is included with the Office update files) to turn off the UI. This workaround burdens the Office update-deployment process and might require that you manually test and tweak the deployment packages.
On the Right Path
Kudos to Microsoft for the broad patch-management approach that characterizes the release of these update-management tools. Whether you prefer SUS's hands-off approach or relish the more powerful SMS 2.0 SUS Feature Pack's flexibility, chances are you'll find one of these solutions helpful in keeping up with the rising tide of updates, patches, and hotfixes. And remember: We're seeing only the first releases of these tools. Based on experience, we can expect Microsoft to improve the tools in future releases.