RE: MS Software Update Service
From: Kolde, Jennifer E. (jkolde@nosc.mil)
Date: 02/20/03
From: "Kolde, Jennifer E." <jkolde@nosc.mil>
To: "'Starks, Brad'" <BStarks@co.marin.ca.us>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 20 Feb 2003 11:29:07 -0800
Hi Brad,
(once more without signature)
I looked extensively at SUS and it looks like it provides a reasonable
solution for some patching issues, but you need to be aware of its
limitations. I have not tried the Feature Pack; this may address some
of the issues I still have with the product.
Note that MS recently released SUSv1.1 that addresses some of the
problems with the first release.
We all know patch management on Windows is difficult. The Automatic
Update client provides a great option for "hands free" fully automated
patching but a lot of admins aren't comfortable automatically installing
MS patches without testing first. SUS provides a great alternative -
you get the advantages of Automatic Update (patches pushed to client
systems without intervention) with the added bonus that you get to test
and approve the patches before releasing them to your clients.
If you integrate SUS with Active Directory, it gives you even greater
control over who gets the patches and when.
The limitations are:
- only works with Win2K and XP clients (i.e., that can support the
Automatic Update client)
- only distributes patches for Windows OS, IE, IIS and (I believe)
Windows Media Player - in other words, the OS and any apps that come
"bundled" with the OS. Doesn't patch SQL Server, Exchange, Office, etc.
- cannot install Service Packs (though note that Service Packs can be
distributed through Active Directory software installation, so this may
not matter to you)
The original release of SUS had a problem where you had to schedule the
installation for specific dates / times. If the client was consistently
powered off at the scheduled install time, the client never got the
patches.
The latest release has an automatic "reschedule" option that will
attempt to re-install X minutes after the system comes back online after
a missed install time.
There is some logging done by SUS, but it's not optimal. The SUS IIS
server will log the IPs of clients connecting to the server, and the
clients will log in Event Viewer when patches are installed. Of course,
the client logs are distributed throughout your network on all of your
clients, so there are issues with log consolidation, etc.
You do need to monitor the logs because there is no central SUS
management console where you can see if there are clients that are not
getting patched. (Alternately, you could script HFNetChk to
periodically scan your network and double-check patch status.)
Third-party software like the ones you mentioned have the advantages
that:
- they can generally patch more systems / applications (i.e., support
for NT, Office, SQL Server, etc.)
- some can push Service Packs as well
- they allow you to schedule patch installation
- system status can be viewed from a central management station
- include reporting features
- vendors continue to add supported products, including those from
other vendors (PatchLink already supports non-MS products, many other
vendors are rushing to follow suit)
Biggest disadvantage is cost, but if you have the budget, a third-party
product is probably a better solution. SUS isn't bad for "free"
software though.
Regards,
Jennifer
-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Wednesday, February 19, 2003 4:43 PM
To: 'focus-ms@securityfocus.com'
Subject: MS Software Update Service
Hi everyone,
Microsoft's Software Update Service has been out for a while (they've
recently released a service pack for it, too) and I was curious as to what
folks think about it. If you're using this technology, are you happy with
it? How well does it suit your needs? Is it comparable to other solutions
like Update Expert, Hfnetchk Pro, Net Octopus, etc.?
In addition, has anyone used the Feature Pack for SMS that contains the SUS
(as well as all kinds of additional) components? How does that compare to
the standard SUS?
Thanks in advance,
Brad Starks
IST Security Team
County of Marin
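
The log monitoring described in the reply (using the SUS IIS server's record of connecting client IPs to spot machines that are not reaching the server) could be scripted as below. This is an added example, not part of the original thread; the log lines, the URI, the inventory and the function names are constructed, and it assumes IIS W3C extended logging and static client addresses.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format. The URI is a placeholder, and
# the second block omits the date field, so the #Date directive supplies it.
SAMPLE_LOG = """\
#Date: 2003-02-03 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-02-03 09:14:02 10.0.0.12 GET /constructed/path 200
2003-02-03 09:20:45 10.0.0.11 GET /constructed/path 200
#Date: 2003-02-19 07:55:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:56:40 10.0.0.11 GET /constructed/path 200
"""

# Hypothetical inventory (host name -> address); assumes static addressing.
INVENTORY = {"ws-01": "10.0.0.11", "ws-02": "10.0.0.12", "ws-03": "10.0.0.13"}

def last_seen(log_text):
    """Return {client IP: date of most recent request} from W3C log text."""
    fields, header_date, seen = [], None, {}
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "#Fields:":
            fields = parts[1:]          # column layout can change mid-file
        elif parts[0] == "#Date:" and len(parts) > 1:
            header_date = parts[1]
        if parts[0].startswith("#"):
            continue
        row = dict(zip(fields, parts))
        ip, day = row.get("c-ip"), row.get("date", header_date)
        try:
            when = datetime.strptime(day or "", "%Y-%m-%d")
        except ValueError:
            continue                    # no usable date for this entry
        if ip and (ip not in seen or when > seen[ip]):
            seen[ip] = when
    return seen

def stale_clients(inventory, seen, now, max_age_days=7):
    """Map stale inventory hosts to the date they last contacted the server."""
    cutoff = now - timedelta(days=max_age_days)
    report = {}
    for host, ip in inventory.items():
        last = seen.get(ip)
        if last is None or last < cutoff:
            report[host] = last.strftime("%Y-%m-%d") if last else "never"
    return report
```

A client that appears in the server log has only contacted the server; whether a patch installed is recorded in that client's Event Viewer, as the reply notes.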