How Microsoft Patches Servers

Microsoft has released a document that describes how they deploy and manage security updates for their servers.  As you can imagine, on a 55,000-71,000 user network (the size varies depending on what you read), MS has a lot of servers around the world.  Even though they have applied centralisation and consolidation practices, there is always a need to run operating systems and machines in various locations.

In my travels over the years since automated patch management solutions became commonplace, I’ve come across three types of sites/administrators:

  • Complete Automation:  I say complete, but there are always a couple of machines that are manually managed for some reason.  The idea is that they automatically manage not only the desktops but also the servers.  I’ve been in this category as an admin.  It worked beautifully.  You can maintain your security levels with confidence by using different installation and reboot schedules for servers from those you use for desktops.  Reports can indicate your success levels.  Using something like MOM 2005 you can monitor the health of your network afterwards.  In the two years that I managed a network with SUS/WSUS 2.0, I never had a bad patch.  Despite some misconceptions, MS patches are quite healthy (the reason they take their time releasing them is so they can hammer them in testing) and you can be in complete control over what you deploy.
  • Automation of desktop patching:  They don’t trust the patch deployment solution to patch their servers, or they don’t trust the patches.  OK … so you won’t deploy patches to 100 servers that are within easy reach of you and that you have backups of, but you will patch 10,000 PCs automatically?  That makes sense … NOT!  If there’s something I want to get updates onto ASAP, it’s my servers.  That’s where my data is and where my applications are hosted.  I want those resources secured, and quickly.  I hear loads of comments like "we patch them every X months" or "we patch them when there’s a real threat", but honestly, I often never see a single update on these servers.  And these are the people who get hammered by the Nimdas and Blasters of the world.  Usually these are also the admins who don’t keep up to date with security alerts or IT news, so even if their latter excuse were truthful, they’d probably only update after an infection has hit them.
  • No updates of any kind: "We don’t trust patching", "We’ve got a firewall", "We’ve got anti-malware".  Hah!  I hope you’ve got insurance, or you’re not attached to the idea of bringing in a pay cheque on a regular basis.  Since I started working with automated patching in 2003, I’ve not had a single MS update break a PC, server or application that was under my control.  I personally don’t know anyone who has either.  The arguments about firewalls … those make me laugh.  They’ve no understanding of what a firewall is.  Does your firewall block email attachments?  How about web downloads?  Nope, because if it did then you’d break the basic functionality of these tools.  How about an application filter to strip malformed traffic, e.g. ISA?  Even then, you sometimes hear of threats that use legitimate traffic but exploit buffer overflows (a much less common threat in MS products since a code review in 2003).  The anti-malware solution … that’s OK if you’re talking about a known virus.  But that didn’t stop Nimda or Blaster or SQL Slammer, which hammered the Internet in a matter of minutes.  And what about other attacks such as DoS or hacking?  Anti-malware doesn’t stop those … don’t forget that it is estimated that 75% of all security threats come from employees, not malcontent teenagers in their parents’ basements or big bad spies from competing countries/companies.
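The "we patch them every X months" claim is easy to check rather than take on trust.  The following is an added example (not from the original post or from Microsoft’s document): a PowerShell audit that asks each server when it last recorded a hotfix and flags any that are older than a threshold.  The server names and the 45-day threshold are assumptions; substitute your own.

```powershell
# Added example: audit days since the last recorded hotfix on a list of servers.
# Server names below are hypothetical placeholders.
$servers    = @('SRV-FILE01', 'SRV-SQL01', 'SRV-WEB01')
$maxAgeDays = 45   # assumed threshold: one missed monthly cycle plus some slack

$report = foreach ($s in $servers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote host.
        # InstalledOn can be blank for some entries, so drop those before picking the newest.
        $latest = Get-HotFix -ComputerName $s -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1

        $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

        [pscustomobject]@{
            Server      = $s
            LastHotFix  = if ($latest) { $latest.HotFixID } else { 'none recorded' }
            InstalledOn = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { '' }
            DaysSince   = $age
            # No recorded hotfix at all is treated as stale, not as "nothing to do"
            Status      = if ($null -eq $age -or $age -gt $maxAgeDays) { 'STALE' } else { 'OK' }
        }
    }
    catch {
        # Unreachable or access denied: surface it instead of silently skipping the server
        [pscustomobject]@{ Server = $s; LastHotFix = 'query failed'; InstalledOn = ''; DaysSince = $null; Status = 'ERROR' }
    }
}

$report | Sort-Object Status, DaysSince -Descending | Format-Table -AutoSize
```

Get-HotFix only reports updates that Windows records in Win32_QuickFixEngineering, so treat a STALE result as a prompt to check the WSUS/MOM reports, which remain the authoritative view of what was approved and installed.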

I would urge anyone to take a read of Microsoft’s document.  It’s evidence of their "eat our own dog food" approach.  I’d also urge you to have a read of my WSUS 3.0 beta guide.
