Unreasonable Expectations

The patching process is full of holes

I think I speak for most network administrators when I say that we need help from Microsoft to fix the patching problem. Over the past year, we've been fortunate because advance warnings preceded most exploits, so we knew they were coming. Nevertheless, keeping systems up-to-date takes too darned much time.

Pointing Fingers
I know that many people place the blame for recent virus epidemics on the network administrator's head. Being an overly busy network administrator myself, I'm not one of those laying blame. But I hear what those people are saying, and they have some good points. In their view, the network administrator's job is to keep up with security advisories and make sure that all relevant patches are applied on all systems. I don't disagree with that—when you concentrate on viruses, those expectations seem to make sense.

However, you can't simply ignore administrators' other responsibilities. Some large companies have staff dedicated to keeping up with patches, but many small and midsized organizations don't. In small companies, the network administrator often performs almost every computer-related function from adding users and fielding Help desk questions to adding hard drives. Those administrators don't have enough hours in their day to keep up with patches on all the systems in their network as well as do the things that they need to do to address their company's computer-related needs.

Current Solutions
All the current update processes have their problems. Microsoft's Automatic Updates service certainly isn't the answer. Automatic Updates doesn't let you test patches before you apply them, and it's unpredictable—recently, I've seen some cases in which Automatic Updates crashed the system it was running on, requiring a complete restore. And if you've had Automatic Updates turned on for a while, you've likely been unpleasantly surprised at just how much disk space it can consume.

Microsoft Software Update Services (SUS) is far better in that it can at least let you control the flow of patches to your networked systems. However, you still have to deal with massive numbers of patches and determine which ones your environment needs. Microsoft Systems Management Server (SMS), another option, is too costly and complex for small organizations such as mine.

Changing Course
I think the virus epidemic stems from two sources. First, Microsoft products, especially the OSs, have become feature laden, and every feature of a network OS broadens the potential attack area. Second, over the years, Microsoft has created an unfriendly image that, in combination with the company's dominant market position, has had the effect of painting a big bull's-eye on Microsoft products. The problem isn't with code quality, though—I want to be clear about that. I've seen Microsoft's build process, and I know the code quality is good.

Rather, I think the problem from the administrator's standpoint is in the patching process. Basically, Microsoft produces too many patches for too many products too quickly for the process to be manageable. The Trustworthy Computing initiative notwithstanding, the patching problem is as bad as it's ever been. You have to patch not only multiple versions of different Windows Server products but also multiple versions of client OSs and other server products, such as Microsoft Exchange Server and Microsoft SQL Server, not to mention Microsoft Office.

Microsoft is keenly aware of the patching problem that network administrators face today, and the company is moving to plug some of those gaping holes with its new Windows Update Services (WUS). Windows Update Services is a replacement for SUS. While WUS won't stop the flow of product patches that's coming out of Microsoft, its subscription-based setup promises to make the patching process more manageable.

While WUS promises to revamp the patching process for Microsoft products, one thing that Microsoft absolutely needs to do is make sure that this solution applies to older products such as Windows 2000, Exchange 5.5, and SQL Server 7.0, in addition to newer products such as Windows XP and Windows Server 2003. Fixing the patching process for the existing systems is far more "trustworthy" than using manageability as a carrot to entice users to upgrade products they've already purchased.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.