Automating Windows Patch Mngt: Part III
by Jonathan Hassell
In the previous two installments [part 1, part 2] of this article series, as well as in my book Hardening Windows, I've covered the current version of Microsoft's Software Update Services product. I've received a lot of positive feedback on the features; thanks to all who have written in. In this final installment of the series, you'll find a mixture of useful information: first, a discussion of two alternative, relatively low-cost tools for managing the application of patches on Windows systems. Additionally, I'll cover some details of the upcoming revision to Software Update Services from Microsoft, due out later this year. I'll also talk a bit about the company's new monthly security update process and how it might affect your organization, and then conclude the series.

Flarepath Windows Update Analyzer

The Flarepath Windows Update Analyzer (FWUA) is a utility that looks at the history of Windows Update operations on a single computer or on multiple machines that belong to an Active Directory domain. It provides a full, easy-to-understand analysis of a set of machines in a "dashboard" format, which lets you grasp the "big picture" of your current update level across your network or see a detailed report of update activity for a single computer, all from within the same program. The program doesn't rely on registry checking, which is sometimes inaccurate: it can report a patch as installed when the associated registry keys were added but the patch itself never fully installed. Instead, FWUA examines the activity log of the Windows Update service, looking for confirmation that updates were successfully committed.
Glen Conway, the architect of the program, has included some beneficial features that make the product more compelling, including the ability to e-mail notifications about failed update processes, threaded scanning of machines as a background task, Active Directory support for an up-to-date list of machines to scan, and integration with SUS server machines to see which updates were approved, when, and by whom. You begin using FWUA by creating a database that contains information on machines and their update levels. The program uses the free Microsoft Desktop Engine (MSDE) or a full-blown Microsoft SQL Server database to store its data. After you've set up the database, you point FWUA at the Active Directory domains you'd like to scan and let it discover the computers within them -- there's no need to enter them manually. You can then scan each computer to retrieve its Windows Update history and assimilate it into the database, configure notifications about failed updates, pending reboots, or even normal computer scans, and then view the reports from within the utility. FlarePath Windows Update Analyzer requires Windows 2000 Professional or Server, Windows XP Professional, or Windows Server 2003; Microsoft SQL Server or MSDE; Active Directory; Microsoft Data Access Components 2.6; and the .NET Framework, which is included in the package. The program is commercial, but it's relatively inexpensive, and a license to scan five computers is free. You can find FWUA information on their website. Some of the advantages of FWUA are: it doesn't require SUS; it can read regular Windows Update history; it's inexpensive; it doesn't rely on registry checking for patch installation verification. The only real disadvantage is that it requires Active Directory.

Shavlik HFNetChk Pro

If you have used Microsoft's Baseline Security Analyzer before, you have already used the Shavlik Technologies product HFNetChk: Microsoft licensed the technology from the company.
However, the company offers an enhanced version, HFNetChk Pro, with a full graphical user interface that lets you deploy patches and updates rapidly across multiple machines. The product includes both a GUI and a command line client and operates independently of any client software, which is a big plus in large or fragile environments with custom disk images. Shavlik uses direct access to the Microsoft security patch database, so the product knows about new updates as soon as Microsoft releases them. You can push patches out to thousands of computers and ensure they're actually fully installed using file verification technology. You can also group updates into specific categories, such as criticality, size, revision, applicability, and other criteria, and deploy only certain updates to certain systems depending on their requirements. To use HFNetChk Pro, you first determine which machines you'd like to scan -- a single machine, a workgroup, a custom group of machines, or an Active Directory container of machines -- and select either a quick or a full scan. You can also define custom scan types to look for particular circumstances, such as a misinstalled patch or an infected machine, and then direct patch installation that way. Shavlik HFNetChk Pro requires Windows 2000 Professional, Server, or Advanced Server, Windows XP Professional, or Windows Server 2003; MDAC 2.7 or later; and the Microsoft .NET Framework. It supports scanning all current professional versions of Windows, Windows XP Home (for a local scan only), and Tablet PC Edition. It does NOT support any version of DOS, Windows 3.x or 9x, Windows NT 3.x, 64-bit versions of Windows, or certain types of scans on machines with multiple processors. The product is commercial and more expensive than FWUA, but contains more features. You can find details on HFNetChk Pro on their website.
Some of the advantages of HFNetChk Pro are: it does not require Active Directory; it pushes updates automatically on demand; it supports machine and patch grouping; it scans a wide variety of clients; it accesses the Microsoft patch database directly for instant updates on new releases. The disadvantage is that this tool is somewhat expensive.

The next version of SUS

Changing the pace of this feature a bit, let's turn to the future: Microsoft has formally announced plans for the next version of Software Update Services (SUS). What used to be called SUS 2.0 is now Windows Update Services (WUS), and the product will offer a broader set of update services and product support than was possible with SUS 1.0. The broader update support will include various versions of Windows, Office, Exchange, SQL Server and MSDE, although the latter three will not be available in the beta version. Microsoft plans to increase support for other software it produces as time goes on, ensuring that the refreshes will be free from headaches. Windows Update Services will also support driver updates, non-critical generalized updates and other fixes and add-ons, as a sort of "one-stop shopping" for updating your Windows-based infrastructure. Microsoft wants the use of WUS to be seamless, and any updates will not require redeploying or upgrading current WUS systems. As you'll remember from parts I and II of this series, one of the key weaknesses of SUS was the lack of reporting capabilities. Microsoft has heard the constant complaints from end-users everywhere and decided that WUS will have reports on the following information:
There will also be a utility to add and update this information inside Microsoft SQL Server or MSDE for analysis with other utilities that can use the SQL query language. Perhaps the most useful improvement in Windows Update Services is the enhanced distribution capability, which allows you to target updates to certain Active Directory containers, such as organizational units or domains, or to groups that you specify on the WUS server. This way, you can update the most critical machines in service first, hold off on updates for certain groups of machines, or specify different update policies among these divisions. WUS will also contain an improved bandwidth management function -- still using BITS -- that suppresses patch delivery during peak business hours, so your production network isn't crippled when updates begin. You can deploy WUS servers in a hierarchical fashion to mimic your Active Directory structure or the geographical layout of your corporate campuses. When you deploy the WUS servers in this fashion, settings and approvals can be inherited from parent servers, or individual child servers can be configured and administered independently of any other servers in the "tree," whichever makes the most sense for your organization. The WUS client is also self-updating, which is a benefit for everyone and makes future rollouts a lot smoother and more efficient. WUS can also be set to a specific port for its transmissions, so you only have to poke one hole in your firewall to use WUS effectively. WUS is scheduled to be available this fall, with beta versions available during the summer months. Check back on SecurityFocus for more information and a detailed walkthrough once WUS is publicly available.
About monthly updates

I've received a lot of mail from readers of the first two installments of this patch management series commenting on Microsoft's recent push to release all security updates and bug fixes once a month in a "cycle." On the surface, it might seem easier for IT departments to schedule updates when administrators know those fixes will appear on the second Tuesday of every month at 11 AM Pacific time. But think about the ramifications for those people who automate Windows Update services and set their clients to update at that time -- there would be, as reader Rafael Cappas writes, a "Denial of Service of Windows Update from their own customers. How many people are setting their updates for this timeframe?" It appears that many are. A bit of personal experience: last month I was installing a batch of new computers and happened to proceed to Windows Update on that fateful day that the April patches were released, and the service crawled. Perhaps Microsoft underestimated the load that would be placed on the site with this once-a-month release cycle. But that load is ever increasing: we're in the first months of this cyclical update style, and as more small businesses and large organizations latch on to the automation bandwagon, the load on those services will skyrocket. Will Microsoft be able to add servers fast enough to compensate? Only time will tell. This is not to mention the other problems associated with a monthly release cycle. It doesn't take 30 days for machines to get infected. Virus writers and worm developers don't exploit holes on one specific day each month. People don't leave their computers unlocked for only one day a month. It's really beyond me why Microsoft wouldn't attempt to fix problems as soon as they occur, rather than batching them up for one big shot in the arm every 30 days or so. That's not smart strategy, in my opinion.
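One way to keep a fleet from piling onto Windows Update at the second-Tuesday release hour is to give each client an Automatic Updates install slot on one of the following days, with the hour spread out as well. This is an added example for this article, not code from the page or from Microsoft; it assumes the Automatic Updates policy values ScheduledInstallDay (1=Sunday .. 7=Saturday) and ScheduledInstallTime (hour, 0-23) under the WindowsUpdate\AU policy key, and the host names and off-peak hours are constructed sample values.

```python
"""Stagger Automatic Updates install slots so a fleet does not all hit
Windows Update at the second-Tuesday release hour.  Added example for this
article (not the page's or Microsoft's code); assumes the AU policy values
ScheduledInstallDay (1=Sunday..7=Saturday) and ScheduledInstallTime (0-23)
under the AU policy key below; host names are constructed samples.
"""
import hashlib
from datetime import date, timedelta

AU_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
PATCH_TUESDAY_AU_DAY = 3                 # AU numbering: Tuesday
SPREAD_DAYS = [4, 5, 6]                  # Wednesday, Thursday, Friday
SPREAD_HOURS = [1, 2, 3, 4, 5]           # off-peak local hours (constructed)


def second_tuesday(year: int, month: int) -> date:
    """Date of the second Tuesday of a month (the monthly release day)."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0
    return first + timedelta(days=days_to_tuesday + 7)


def assign_slot(hostname: str) -> dict:
    """Map a host to a deterministic day/hour slot after Patch Tuesday.
    Hashing the name spreads hosts evenly and keeps a host's slot stable
    across policy regenerations; case is folded so WS01 and ws01 agree."""
    digest = hashlib.sha256(hostname.strip().lower().encode()).digest()
    n = int.from_bytes(digest[:4], "big")
    day = SPREAD_DAYS[n % len(SPREAD_DAYS)]
    hour = SPREAD_HOURS[(n // len(SPREAD_DAYS)) % len(SPREAD_HOURS)]
    return {"ScheduledInstallDay": day, "ScheduledInstallTime": hour}


def reg_commands(hostname: str) -> list:
    """reg.exe lines that apply the host's slot (run via your remote admin tool)."""
    slot = assign_slot(hostname)
    assert slot["ScheduledInstallDay"] != PATCH_TUESDAY_AU_DAY
    return [f'reg add "{AU_KEY}" /v {name} /t REG_DWORD /d {value} /f'
            for name, value in slot.items()]


def day_histogram(hosts) -> dict:
    """How many hosts land on each AU day; use it to eyeball the spread."""
    counts = {d: 0 for d in SPREAD_DAYS}
    for h in hosts:
        counts[assign_slot(h)["ScheduledInstallDay"]] += 1
    return counts
```

The AU client still detects and downloads on its normal detection cycle; only the install (and the reboot that often follows) moves off the release day, which is where the download storm and the failed-download problem described above bite.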
How many other problems involving systems critical to your infrastructure are fixed only one day a month? Imagine the uproar if your local natural gas company decided it would only repair gas leaks on the first Thursday of each month, or if the monitoring station for your home security system decreed that it would only fix system faults on the last Wednesday of each month. Would you put up with that? Security and convenience are almost inevitably at odds, and security update application is no exception. It's a tedious job, period. But alas, we can only complain to Microsoft about that policy, and please do. What you really can do now is be a good Internet citizen, and beware of setting your computers to automatically update on the second Tuesday of every month. Otherwise, you're in for failed downloads, and you become part of the overcrowding. Consider spreading your schedule out over the following two or three days in that week: exploit code usually doesn't hit the street that quickly, and you'll have a much higher rate of success.

Wrap-up

On the SecurityFocus mailing lists, in training discussions and in my public seminars, patch management is always a big topic. In this day and age, it's impossible to completely secure a medium- or large-sized network without some sort of automated patch management system to save you from the sneakernet procedure. The entire patch management process can be extremely time-consuming, tedious, and repetitive -- all the marks of a desirable activity, no doubt. However, ensuring an up-to-date network is the best way to avoid lost productivity and revenue, and I hope this article series has helped you come up with a strategy to do just that. Please feel free to contact me with comments or questions, and I'll do my best to get back to you as soon as I can.
About the author

Jonathan Hassell is an author and consultant specializing in Windows administration and security. He is the author of Managing Windows Server 2003 and RADIUS, both published by O'Reilly & Associates, and Hardening Windows, published by Apress. He also holds periodic public seminars; see www.hardeningwin.com for details. He has written for Windows & .NET Magazine and WindowsITSecurity.COM and is a contributor to PC Pro, a leading computer magazine in the United Kingdom. View more articles by Jonathan Hassell on SecurityFocus.
Comments and/or reprint requests can be sent to the editor.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.