WSUS 3.0 Whitepaper

I’ve just added a whitepaper on WSUS 3.0 to my website.  I go into the reasons for automated patching, the options, an overview of WSUS 3.0, deploying it and configuring/using it.

Note: the document is based on Beta 1. 

When people think about IT security, they think about firewalls and antivirus. Firewalls are important but only go so far as to protect your network against a direct attack. A firewall will only prevent illegitimate forms of traffic from the internet. It doesn’t stop traffic on legitimate ports or downloads. Firewall defences have been compared to eggs: hard on the outside but soft on the inside. Anti-virus will only protect you against known threats. Many organisations have made the mistake of thinking that firewalls combined with antivirus will give them a complete defence against threats. That’s a nice wish but it’s not true.

Consider the SQL Slammer virus that hit the Internet in early 2003. Within minutes of its release it crippled networks worldwide. How did this work? Surely people had firewalls in place? Yes they did. Was the antivirus up to date? Yes it was. The problem was that it could easily get past the firewall and it was unknown to antivirus vendors. It also took advantage of a known flaw in Microsoft’s products that Microsoft had previously released a patch for. In fact they released the patch several months beforehand and those organisations that had deployed it were protected against the virus. Microsoft had already released a free to use product called SUS that serviced the Windows product range but few had heard of it. In fact, few had any implemented process for regularly testing and deploying Microsoft updates.

In late 2003 a new virus started to cripple networks. Microsoft Blaster took advantage of a flaw in the RPC service. Surely in the time that had passed people had learned their lessons about keeping their machines up to date? It appeared that most had not. Microsoft had previously released an update to protect their products but few had deployed it.

Since this time Microsoft has spent much time campaigning and trying to raise customer awareness about the need to regularly test and deploy updates. A replacement for SUS called WSUS (2.0) was released. WSUS, again a free to use product, services all of the Microsoft product range and makes it easier for administrators or security officers to test and deploy updates on a production network.

My experience working on client sites and speaking with administrators is that both the awareness of this problem/solution and adoption of WSUS have been minimal. Many large organisations and government agencies do not maintain patch updates. This is either because they are not aware the solution exists, despite Microsoft’s efforts, or because they do not sufficiently understand the problem.

With this document I aim to show how you can manage updating your entire Microsoft network with minimal manual effort by using WSUS 3.0.

The document continues …

Update for the SMS 2003 Inventory Tool For Dell Computers

Microsoft has posted an updated version of the SMS 2003 Inventory Tool for Dell Updates.  This is necessary in order to download the latest catalogs from Dell.  This free feature pack will enable administrators to report on, manage and update BIOS, firmware and drivers on their Dell servers.  It works pretty similarly to the SMS software updates engine used to deploy Microsoft security updates.  This is the quote from the Microsoft post:

"SMS 2003 Inventory Tool for Dell Updates is an add-on to SMS 2003 Service Pack 1 (SP1) that enables customers to use the SMS 2003 Software Update Management feature to update their Dell servers. Customers will be able to deploy BIOS, firmware, and driver updates to their Dell servers using the same process that they use for deploying security and other updates with SMS.
SMS 2003 Inventory Tool for Dell Update includes the following components:

  • Setup – Windows Installer based setup that allows SMS administrator to install all required components on the SMS site server.
  • Inventory Tool for Dell update (scan tool) – this tool is being built using SDK components provided by Dell Inc. It scans a Dell server for installed and missing updates, just like MBSA scans the computer for Microsoft security updates.
  • Sync tool for Dell update – this tool downloads a catalog from Dell’s website on a recurring schedule. This catalog describes all published Dell updates.
  • Update to Distribute Software Update Wizard (DSUW) – Setup will install an update to DSUW to show new UI that allows to manually import multiple component updates contained within a single system update.
  • Version 3.0 must be installed to coincide with work with the latest Dell catalog".

VML Vulnerability In All Current Windows Platforms

All current releases of Microsoft Windows are vulnerable to a new security threat in the implementation of Vector Markup Language.  This threat enables attackers to take control of a victim’s computer.  Microsoft is taking this one really seriously.  Not only is there sample exploit code on the Internet but Microsoft is also feeling the heat after a perceived slow response in recent months.  Microsoft is stating that at the very latest, a patch will be released on October 10th (patch Tuesday) but they will attempt to release an update before then.

Microsoft Live Local and Google Maps

Some will be aware of Google Maps but I suspect much fewer people are aware of Microsoft’s Live mapping service, Live Local.  I am a fan of most of what Google has been doing.  Their competitive spirit has forced Microsoft to wake up from the slumber they had fallen into.  One example is how Microsoft has developed their Live service to compete with Google’s web offerings.  As a person who once said to an MS salesman that MS search engines were $h^te, I must admit that Live is pretty good, possibly as good as Google, especially since it often comes up with different but equally good results.

As someone who likes to get out and about in my car on road trips, for photography, work, etc, knowing where I am going is pretty important.  Earlier this year, I navigated around the backroads and cities of Virginia courtesy of Live Local without getting lost or making a wrong turn.  I’ve just found (it might have been like this for a while) that Live Local now has Irish and European maps.  A true test of Live versus Google is now possible.  Irish digital mapping is a joke as anyone who has tried to use a GPS in the Republic outside of the main roads or cities can testify.

I’ve taken screen shots of my town from Live and from Google.  Note that Live shows all of the rural roads.  Google stops at the edge of the town.  Strangely, Google does not show any detail at all for the neighbouring town of Newbridge, one of the major towns in County Kildare and it’s a much bigger town than Kildare town.

Live allows you to cleanly right-click on the map to quickly add pushpins, add way points and search for routes.  Google cannot do this at all.  This is pretty important because Google can’t even search the Irish map.  I tried searching for Leeson Street, Grafton Street and Merrion Square and it failed all three.  Live failed with Grafton Street, came close (next street) to Leeson Street (it’s actually shown as N11) and hit Merrion Square bang on.  Another test was to find my family home which is 4 miles from the nearest town.  Live Local had the road clearly marked whereas Google Maps barely even mentioned the aforementioned town, let alone my home area.  While I give with one hand I take with another.  Live Local does not show the M1 bypassing Dundalk nor the completion of the M50.  But, like I said, digital mapping in Ireland is a joke.  This might not be the fault of Microsoft because my GPS unit doesn’t show them either.

Faced head to head, I give Live Local the edge. 

Screen shots are attached.

Windows Services for UNIX Version 3.5

Yesterday, Microsoft released an updated version of Windows Services for UNIX 3.5.  This suite features a set of tools for integrating a Microsoft network with a UNIX network.

"Windows Services for UNIX 3.5 provides a full range of supported and fully integrated cross-platform network services for enterprise customers to use in integrating Windows into their existing UNIX-based environments".

Intel Duo, MSI Motherboard and WXP64 with 4GB RAM (?)

I recently bought a kit machine with an Intel Duo CPU (64 bit) and an MSI P965 Neo-F motherboard.  I’d put it together with the intention of using it for Photoshop stuff and for running labs in VMware.  I stocked it with 4GB RAM (the motherboard limit) and installed Windows XP x64 Professional.  I went 64bit to limit memory problems and also so I could run 64 bit VM’s for Exchange 2007.

I’d installed the OS, patched it up and then checked it over.  Winver told me I only had 3.2GB of RAM.  Funny, because BIOS told me I had a working 4GB.  I went googling for ages but couldn’t find the correct answer.  It was clear though, that lots of people were having this problem.  Some stuff I found:

  • Add /PAE to the boot.ini string.  No joy there, and I didn’t think there would be on x64.
  • Enable or disable in BIOS – Advanced Chipset the Memory Hole function.  No one was clear on whether it should be enabled or disabled. 
  • Configure in BIOS – Advanced Chipset a function called Memory Mapping.  I didn’t have that setting.

I was beginning to lose hope and starting to believe that 3/4 of a GB of RAM was wasted.  I then found some forum posts saying that the motherboard was dedicating memory to PCI devices.  What!  I knew graphics cards with no native RAM might do this but I’d bought a good card with native RAM.  The articles claimed other devices could take 3/4 of a GB of RAM and nothing could be done about it.

I then went to the source, MSI.  I tried to search their support forum but their search engine is useless.  I tried searching for "MSI P965 x64 RAM 4GB" but was told that was too generic a search.  Rubbish!  I had to manually browse through their forums and eventually found what I wanted.  Someone had raised the same issue I had.  Eventually someone had told them to install v1.5 of the BIOS update (fairly new).  Its readme said it "resolved memory issues" but didn’t go into any detail.  But the person posted back saying the problem was resolved by the update.  Excellent.

I downloaded the update.  Now MSI were sending me back to the Stone Age.  The installer was a DOS program and required a floppy drive and DOS diskettes.  Luckily, I’d bought a floppy drive (I thought I’d need it for SATA drivers – which I didn’t in the end) but I had no diskettes.  A trip to PC World and luckily they had about 5 boxes tucked away in a dusty, dark corner.  MSI might want to consider an online updater like the one HP use.  Most PC’s don’t come with a floppy drive anymore and Microsoft is moving away from DOS towards WinPE.

The instructions were very unclear but I had to copy two files (an exe and a flash image) to one diskette and make a system drive with another.  I booted into DOS and switched diskettes.  I ran the exe.  It then asked me in garbled non-English to type in the name of the image file.  It took me 30 seconds to grasp what it was trying to ask me … some English lessons for the programmers please!

One flash update and a reboot later and I was sorted.  Windows reported 4GB RAM was available.  A by result was that the Realtek audio drivers needed to be reloaded.

Now I’ve got a powerful PC ready to run lots of VM’s!

TechEd Videos

The Microsoft Windows Server Division posted a series of links to high quality videos from this year’s TechEd in the US.  TechEd is a great source of information on cutting-edge Microsoft technology.  I’ve learned more there over the last two years than I did anywhere else.