Everyone remembers the Code Red worm that invaded the Internet last summer. The worm exploited a hole in Microsoft Index Server, a component of most Microsoft IIS installations. Although this worm and its offspring (Code Red v2 and Code Red II) carried a relatively benign payload, they caused tremendous damage in terms of system downtime as administrators scurried to isolate networks and patch systems. This worm's extremely rapid infection rate of more than 350,000 hosts in less than 14 hours was eye-opening.
Ironically, Microsoft patched the vulnerability exploited by this worm a full month before the outbreak. Two months later, the Nimda virus broke out with similar fury, and containment response was much more effective. But once again, well before the outbreak, Microsoft had already released an update that fixed a hole through which this worm burrowed.
No similar large-scale outbreaks occurred for a long time in the aftermath of these wake-up calls (excepting email-based viruses such as Klez and Bugbear). Administrators seemed to increasingly understand the need to regularly patch their systems against known security vulnerabilities. Then, on January 25, 2003, the Slammer worm tore through the Internet, exploiting a Microsoft SQL Server 2000 vulnerability that had been patched 6 months earlier, in July 2002. Again, we were lucky that the payload didn't damage infected servers. However, the Slammer worm created an extremely effective denial of service (DoS) attack that in some regions brought the Internet to its knees with cripplingly slow Web site response times and even caused some ATM machines to fail.
Microsoft has expended considerable energy to launch and publicize its Get Secure, Stay Secure campaign, providing first a security toolkit and more recently a security resource page (http://www.microsoft.com/security/articles/security_resources.asp) that contains up-to-date versions of patch-detection and security-assessment tools. Microsoft also maintains a popular HotFix and Security Bulletin Service Web site (http://www.microsoft.com/technet/security/current.asp) from which administrators and end users can obtain up-to-date warnings and threat assessments.
Thanks to new patch-management systems from Microsoft, patching holes consistently across many machines has become much easier. In particular, small to midsized companies will appreciate the quick and relatively transparent capabilities of Microsoft Software Update Services (SUS). SUS regularly and automatically distributes critical OS updates from Microsoft and provides one point from which Windows 2000 Service Pack 2 (SP2) or later clients can fetch applicable updates. (SUS doesn't update service packs, but you can use the built-in Win2K Group Policy software distribution to do so.) Best of all, Microsoft provides SUS as a free download.
Prudent Patching
Effective patch deployment requires that you keep a few key questions in mind. Does the patch apply to your system? Is your system vulnerable to the problem that the patch addresses? Will the patch work with your service pack or application version?
Today's patch-management tools address many of these questions. However, you need to remember that patching a system effectively changes the way your OS or application works. Therefore, you should always test deployment of any new update in a nonproduction test environment before applying it to your production machines. Set up test and production SUS servers to permit a phased rollout of patches to subsets of machines so that you can perform such testing.
To triage new updates and help balance deployment schedules with adequate testing, consider adopting a patch-applicability review board. Decisions that this board makes should help you decide whether to apply a given patch today or during the next regularly scheduled update window.
What's SUS?
SUS provides a centralized method for deploying critical Microsoft updates to Windows XP and Win2K SP2 client computers. SUS leverages the client-update technology from XP's built-in Windows Update and adds improvements (such as centralized configuration, an update-approval process, and in-house deployment capability) that are beneficial to corporate deployments. When you use in-house deployment, your company downloads an update once from Microsoft, then your clients download the update from an in-house location. This feature requires sufficient storage space for all approved critical updates but reduces network load.
SUS is a client/server application. The SUS server component runs on Win2K SP2 or later and requires IIS. You must install Automatic Updates 2.2 or later client software on SUS clients. An SUS-enhanced version of Automatic Updates comes with XP SP1 and Win2K SP3. Alternatively, you can use a standalone installation program (available from Microsoft at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp) to install this version separately on a Win2K SP2 or later machine. Consider using Active Directory's (AD's) IntelliMirror features, or a deployment application such as Microsoft Systems Management Server (SMS), to deploy the service pack or Automatic Updates client.