If you work with Microsoft OSs, you know that managing security hotfixes and bug fixes is an ongoing nightmare, complete with catalog errors, file-version problems, multiple installers, and inconsistent registry modifications. The challenge of incorporating updates into new builds and distributing timely updates across an enterprise further complicates matters.
Last October, Brian Valentine, senior vice president of Microsoft's Windows Division, previewed the company's Strategic Technology Protection Program (STPP), a new six-pronged initiative that Microsoft hopes will simplify and expedite the arduous security update process. In February 2002, Valentine reaffirmed that the STPP initiative is alive and well but, predictably, behind schedule. Here's a progress report on each component of the STPP vision and a brief description of how each initiative will help keep systems current and secure.
The Security Toolkit
The Security Toolkit, the first offering in the STPP program, contains audit and update tools, Windows Installer (MSI) and Microsoft Systems Management Server (SMS) distribution techniques and packages, updates such as Windows 2000 Service Pack 2 (SP2) and Internet Explorer (IE) 5.5 SP2, the Microsoft IIS lockdown utility, and selected critical hotfixes. Microsoft released the toolkit in October 2001 but hasn't updated the product for 6 months, so its utility is limited to customers with older systems.
Free Virus Support
Microsoft has committed to providing free telephone-based virus support for all Microsoft customers, from home users to enterprise users. The Microsoft Web site indicates that US customers can call 1-866-PC SAFETY (1-866-727-2338) to receive assistance from Product Support Services (PSS). Last year, Valentine said that Microsoft would expand this service and publish phone numbers for other countries, but, not surprisingly, I couldn't locate any such numbers at the Microsoft Web site.
Cumulative Security Updates
Microsoft said that it will release bimonthly cumulative security rollup packages for Win2K. The first rollup, Win2K Security Rollup Package 1 (SRP1), which Microsoft had slated for December 2001, didn't appear until February 2002. If the program stays on track, we’ll see SRP2 in April.
Hotfix Auditing and Distribution
Microsoft has promised a utility to audit and identify missing updates and a companion tool to expedite delivery of updates via MSI and SMS. The HFNetChk utility, which performs comprehensive audits of Win2K, IE, IIS, Microsoft SQL Server, and other components on local and remote systems, minimally fulfills the audit promise. The tool falls short because the free version contains no features that help you download and distribute the hotfixes and updates it reports as missing. Microsoft took a stab at a distribution tool with the Security Toolkit—it contains MSI and SMS packages that distribute service packs and hotfixes across an enterprise, but these packages are specific to the updates on the Security Toolkit CD-ROM. To be truly viable, Microsoft must provide a solution that integrates the audit and update tasks and lets you select a distribution method.
Win2K SP3 and the Critical Update Client
Another STPP component is a secure Win2K SP3. Microsoft had planned to release SP3 in February 2002. I suspect that two factors have contributed to the delay. First, according to Valentine, Microsoft wants to release a service pack that won't require a security hotfix in the first few days or weeks, so the company is looking long and hard at all known and potential security vulnerabilities in Win2K SP3 and any vulnerabilities that SP3 changes might uncover.
The second likely cause of the delay relates to the inclusion of the critical update client. According to the Security Toolkit, which contains the precursor to this client, the planned update client lets Win2K systems search for, download, and install updates from the Windows Update site. The installation procedure prompts you to configure the update client: You can select an automatic download-and-install mode with a fixed daily or weekly schedule, or you can ask the client to prompt you when new releases become available.
I'm opposed to automatically installing the update client for security and bandwidth reasons. If Microsoft includes this client in SP3, we can only hope that the setup program won't install the client by default. Can you imagine the chaos as your 10,000 Windows XP and Win2K SP3 machines attempt to download updates from Windows Update on a day when your Internet router is broken or the Update servers are down?
The Federated Corporate Windows Update Program
The final STPP component is a corporate version of the Windows Update facility that lets each site create and host a local update server. When the update process is driven internally, administrators can download, screen, eliminate, and test updates prior to distribution. With local control, administrators can delay a rollout by a week or two to ensure that patches don't introduce additional and potentially severe problems. When a local server is available, the update client can safely contact it and receive only approved and necessary updates, which should reduce the number of fixes that each client requires. I heard that this program was in beta during February, but the beta signup has since disappeared from Microsoft’s security home page. Microsoft planned to make this program available in February 2002, so stay tuned.
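As an added example that is not part of this column (and written in PowerShell, which postdates it), here is how an administrator can check whether update clients are set to pull unscreened updates straight from the Internet on a schedule, and instead point them at an internal approved-update server with a prompt-before-install mode. It assumes the policy registry values the Automatic Updates client honours for an internal update server (WUServer, WUStatusServer, UseWUServer, AUOptions); whether the 2002 critical update client read these same values is not stated in the column, and the server URL is a placeholder.

```powershell
# Added example, not Microsoft's code: audit and set the update client policy so that
# clients receive only approved updates from a local server and never silently install
# updates pulled directly from Windows Update.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

# AUOptions policy values honoured by the Automatic Updates client (assumption: same
# values the column's critical update client exposes as "prompt" and "scheduled" modes).
$AuOptionNames = @{ 2 = 'Notify before download'
                    3 = 'Auto download, notify before install'
                    4 = 'Auto download and scheduled install' }

function Get-UpdateClientPolicy {
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    $mode = 'Not set (client defaults apply)'
    if ($au.AUOptions) { $mode = $AuOptionNames[[int]$au.AUOptions] }
    [pscustomobject]@{
        InternalServer     = $wu.WUServer
        UsesInternalServer = ($au.UseWUServer -eq 1 -and -not [string]::IsNullOrEmpty($wu.WUServer))
        Mode               = $mode
        ScheduledInstall   = ([int]$au.AUOptions -eq 4)
    }
}

function Test-UpdateClientPolicy {
    # Flags the scenario the column warns about: every machine auto-installing on a
    # schedule directly from the Internet, with no local server screening the updates.
    $p = Get-UpdateClientPolicy
    if ($p.ScheduledInstall -and -not $p.UsesInternalServer) {
        Write-Warning 'Clients auto-install directly from Windows Update; no internal update server is configured.'
        return $false
    }
    return $true
}

function Set-UpdateClientPolicy {
    param(
        [Parameter(Mandatory)][string]$ServerUrl,   # placeholder, e.g. http://updates.example.internal
        [ValidateSet(2, 3, 4)][int]$AuOptions = 3   # default: download, but prompt before install
    )
    foreach ($path in $WuPolicy, $AuPolicy) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Value $ServerUrl
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Value $ServerUrl
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Value 1          -Type DWord
    Set-ItemProperty -Path $AuPolicy -Name AUOptions      -Value $AuOptions -Type DWord
}
```

Run `Test-UpdateClientPolicy` from an elevated prompt to audit a machine, then `Set-UpdateClientPolicy -ServerUrl 'http://updates.example.internal'` to redirect it to the local server; the client picks up the policy on its next detection cycle.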