SMS 2003 R2: Inventory Tool for Custom Updates

I’ve just finished a white paper on the Inventory Tool for Custom Updates feature pack that is included with SMS 2003 R2.  I also describe how to use the Custom Updates Publishing Tool.

Although many organisations may not be aware or choose not to utilise them, we have many
solutions available for updating Microsoft operating systems and products. Solutions include the
free WSUS 2.0 or 3.0 (currently in beta) or the Inventory Tool for Microsoft Updates feature pack
for SMS 2003.

However, what do you use to maintain the same level of updates for 3rd party products or even
your own in-house implementations? Microsoft sees SMS as a solution for medium to large
organisations. These organisations often have large implementations of 3rd party products and
in-house applications. 3rd party products sometimes have their own deployment mechanisms and
sometimes have no mechanism at all. But medium to large organisations usually have at least
one home-bred application. These are the most difficult to manage because they are often
tweaked on a frequent basis by developers who have little understanding (or care) for how the
updates should be deployed and managed. They just build them and expect them to magically
appear on PCs, usually at short notice.

This gap between the developer and the system administrator is something Microsoft has started
to recognise. In fact, it was the subject of their keynote speech at TechEd Europe 2005.
Microsoft has responded by developing the Dynamic Systems Initiative. The aim is to resolve these
problems by changing the way we build, deploy and manage applications starting with design in
Visual Studio to management with Microsoft Operations Manager and SMS.

One of the solutions is the Inventory Tool for Custom Updates (ITCU) feature pack that is
included with SMS 2003. By using ITCU you can deploy non-Microsoft updates to applications
on your SMS clients using the software updates functionality of SMS 2003. Microsoft’s aim with
ITCU is to open up their own catalogue solution that third parties can use with the Inventory Tool
for Microsoft Updates in SMS 2003. By itself, the ITCU is supported by Adobe and by Citrix.
There are also some rumblings that 1E will also adopt the usage of ITCU. But, you can use
another tool that is included with SMS 2003 R2 (and via MSDN) called the Custom Updates
Publishing Tool (CUPT) to create your own updates catalogue and import them into SMS 2003.

The document continues …

New Release: Internet Explorer 7

IE 7 is now available for download.  Early last night, Yahoo quietly sneaked out an OEM/rebadged release of the new browser.  During the night, Microsoft released 3 editions of the browser:
 

You can find out about the features and the system requirements on the Microsoft IE web site.

Personally, I find the phishing filter slows down my browsing experience so I disable it (not just turn it off).  I know when someone is trying to get me to divulge my credit card or banking details.  I really like the addition of tabbed browsing (about time) and RSS (which I use a lot).  You’ll find when you start it up that a number of companies (not just the usual search engines) have produced extensions to make their site the default search engine for your browser and that IE7 presents you with this choice.

I’ve been using IE7 during its beta process and I can recommend it.  Do make sure you test against your applications before widespread deployment.  There’s bound to be junkware out there that doesn’t like it.

Microsoft Desktop Optimization Pack for Software Assurance

Starting in January 2007, Microsoft will start to offer a new package, the Desktop Optimization Pack for Software Assurance, for managing the personal computer environment.  It will be available to customers who have purchased Software Assurance with an Open, Select or Enterprise Agreement.  The cost of the pack will be $10/desktop (US).  Microsoft have published a case study from a deployment of this pack at Expedia.  A new product page with further details is on the Microsoft web site.
 
On the face of it, you’ll think… great more costs.  But hold on.  This one is pretty interesting.  What do you get for your money?
 
  • Microsoft SoftGrid: SoftGrid (from the Softricity acquisition) is a super new way of deploying complex application catalogues to the desktop environment.  Using application virtualisation you can separate the application from the desktop’s OS installation and from other applications.  This reduces complexity, eliminates regression testing, resolves compatibility problems and increases security.  Self service user deployment (with workflow/approval) is possible via a web portal which minimises IT involvement in application deployment.  Also, by using streaming, wasted disk space is eliminated.
  • Microsoft Asset Inventory Services: Every application installed on your desktop network can be identified for auditing purposes.  This goes much further than SMS 2003 on SP2 is going because it can identify applications from a database of 430,000 known applications.  It does not just rely on the contents of add/remove programs because as we know, many vendors do not adhere to well accepted standards.
  • Microsoft Advanced Group Policy Management: To quote Microsoft, it "increases control over Group Policy Objects (GPOs) – the component rules within Windows’ administrative management system – and is intended to allow IT administrators to delegate or assign administrative control of specific tasks based on employees’ titles or roles … provides administrators additional safeguards for GPOs, including detailed logs to track all changes and the ability to quickly undo inappropriate changes. These new tools function as a native extension to Microsoft’s Group Policy Management Console, providing a central management interface for all Group Policy administration".
  • Microsoft Diagnostic and Recovery Toolset: This offers diagnostic tools, the ability to recover data that has been lost and a post crash analysis toolkit.

There is a feature chart available.

Anyone tracking what Microsoft has been doing will have noticed a number of acquisitions of interesting players in this market.  I can see that SoftGrid was purchased from Softricity.  I am wondering if Advanced Group Policy Management is a result of the Desktop Authority acquisition.  The tools in the Diagnostic and Recovery Toolset are a result of the recent Winternals acquisition.

This tool kit will be of great benefit to desktop/laptop administrators.  It will reduce complexity, offer new deployment mechanisms, reduce project times and costs, enhance automation and enable them to spend more time on engineering rather than firefighting or repetitive tasks.  And if things do go wrong, there will be tools to help diagnose those problems.

MOM 2005 Management Pack: Antigen 9.0

Microsoft has belatedly released a MOM 2005 management pack for the version 9.0 Antigen products (the next version, Forefront Security for Exchange 2007, is currently in beta).  Microsoft says:

The new Microsoft Antigen Management Pack for MOM supports the 9.0 versions of Microsoft Antigen for Exchange, Microsoft Antigen for SMTP Gateways, and Microsoft Antigen Spam Manager. The MOM pack supplies critical events and alerts on virus, worm, and spam activity to MOM 2005, and also monitors the health and availability of these products.

Microsoft Updates: October 2006 – Windows 2003 SP2 Beta

You may be aware that Windows 2003 SP2 is available to the public via the Connect website as a beta.  The beta program just released a security update for the Windows 2003 operating system if it is running SP2.  Their email was as follows:
 
Microsoft Security Bulletin MS06-057
Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update Microsoft Connect:
http://connect.microsoft.com in the download section. After you install this update, you may have to restart your computer.
 
The update is available for x86, x64 and Itanium systems in English, German and Japanese.

Microsoft Updates: October 2006

The following updates will be available from Microsoft Update in the following few hours.  As usual, you should test them before deploying onto a production environment.

Critical

  • MS06-057: Vulnerability in Windows Shell Could Allow Remote Code Execution – Windows
  • MS06-058: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution – PowerPoint
  • MS06-059: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution – Excel
  • MS06-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution – Word
  • MS06-061: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution – Windows
  • MS06-062: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution – Office

Important

  • MS06-063: Vulnerability in Server Service Could Allow Denial of Service – Windows

Moderate

  • MS06-056: Vulnerability in ASP.NET Could Allow Information Disclosure – .NET Framework
  • MS06-065: Vulnerability In Windows Object Packager Could Allow Remote Code Execution – Windows

Low

  • MS06-064: Vulnerabilities in TCP/IP Could Allow Denial of Service – Windows

SMS 2003 R2 Scan Tool for Vulnerability Assessment

I’ve just completed a whitepaper on this feature pack that is included in SMS 2003 R2.  It is a pretty simple feature pack and I like the power it adds to an SMS network to do an otherwise nasty task, i.e. scanning the network for insecure configurations.

In the late summer of 2006, Microsoft released Systems Management Server 2003 R2 (Release 2). SMS 2003 R2 consists of 2 CDs: CD 1 is SMS 2003 with Service Pack 2 integrated and CD 2 contains:

  • The Device Management Feature Pack: A previous free release that adds functionality to manage Windows Mobile and Windows CE devices using SMS 2003.
  • The Inventory Tool for Custom Updates Feature Pack: A new feature pack that is available to those who are entitled to install SMS 2003 R2. This feature pack adds functionality to SMS 2003 so that you can deploy updates for third party products (e.g. Citrix and Adobe) and so that you can also deploy your own catalogues of updates for in-house or 3rd party products.
  • Custom Updates Publishing Tool: This administration tool enables you to build catalogues from EXE or MSI installers for use with the Inventory Tool for Custom Updates. This is licensed for SMS 2003 R2 customers and MSDN subscribers.
  • The Scan Tool for Vulnerability Assessment: A new feature pack that adds security auditing and reporting functionality to SMS 2003.

SMS 2003 R2 is a simple release. If you need the functionality described above then upgrading to SMS 2003 R2 is simple. You insert the second CD and install the feature packs as described in the help file on the root of the CD. There is no SMS migration, no SMS upgrade or no server migration. The R2 release is nothing more than 2 new feature packs and a tool that is available to MSDN subscribers. If you do not need the above functionality then I would recommend that you do not bother to upgrade, even if you do have the right to under software insurance. I would wait until the much anticipated release of System Centre Configuration Manager 2007, aka SMS V4.

I do not want to belittle SMS 2003 R2. The added features will be of great benefit to many SMS 2003 customers. This document will describe one of the new feature packs added by SMS 2003 R2, the Scan Tool for Vulnerability Assessment (STVA).

The STVA will be of great benefit to security officers, IT auditors and security conscious administrators. It will automatically scan targeted computers and centrally store compliance information. This can easily be reported on using SMS reports (SMS console or web based). This means that vulnerability information can be made available to non technical people via delegated reports.

The document continues …

Here Comes IE7

The final "release" version of Internet Explorer is going to be available for download this month.  It will initially be available for downloads and will then be available via Automatic Updates.

I really like IE7.  I’ve been using beta releases of it for several months.  There are some nigglies (like not being able to permanently approve actions for specified sites) but on the whole, it’s a major upgrade from IE6.  I make great use of the RSS reader and tabbed browsing is a plus.  The latter was long overdue from the IE team.

IE7 will be made available via automatic updates and via WSUS.  WSUS administrators can choose to not approve the download thus preventing automated deployment of IE7 on their networks.  There is a tool to prevent automated download via Automatic Updates for standalone computers. 

The IE team has posted an entry on their blog about how to prepare for the deployment of IE7.