Microsoft has confirmed that there are no security updates this "Patch Tuesday". A number of hotfixes have been made available over the last few days. And something called Windows 2003 Service Pack 2 was released yesterday.
Windows 2003 Service Pack 2 RTM
Microsoft has just released Service Pack 2 for Windows Server 2003. Note that this also upgrades Windows XP x64 to Service Pack 2. As usual, it’s a cumulative update, i.e. if you build Windows 2003 with no service pack then you can bring it up to date by applying this service pack and any post-SP2 updates.
There are a whole bunch of releases:
- X86 Installer
- X86 Checked Build
- X86 ISO Image
- Itanium Installer
- Itanium Checked Build
- X64 Installer
- X64 Checked Build
- X64 ISO Image
There are also some deployment preparation tools available:
- KB Analyser Tool for Windows Server 2003 Service Pack 2 Deployment: After you install Microsoft Windows Server 2003 Service Pack 2 (SP2), the system does not trust binaries that are installed by out-of-band updates. (An out-of-band update is an update that Microsoft makes available outside the regular product shipment cycle.) The Oobmig.exe tool restores trust to these out-of-band updates. There is also an Itanium version.
- Hotfix Scan Tool for Windows Server 2003 Service Pack 2: You can use this tool to scan for hotfixes that will potentially regress after you install Microsoft Windows Server 2003 Service Pack 2.
- System Preparation Tool for Windows Server 2003 Service Pack 2: This is an updated version of Sysprep. There is an x86 and x64 version.
The Support Tools have also been updated.
Have a read of the document that I wrote on Windows 2003/Windows XP x64 SP2 while it was still in beta if you want to know what is included and how to deploy it.
More Microsoft Deployment Documents
Learn how Microsoft deployed the following on their own networks:
- System Center Operations Manager 2007 (Podcast) (RTMs soon)
- Office 2007
Symantec Buys 4FrontSecurity
The Register is reporting that Symantec is buying a firm called 4FrontSecurity. I’m sure they’re a great company with a great product but I’m not interested in this with regards to this story.
As you may or may not know, Microsoft started branding their security products under the "Forefront" banner last year, e.g. Forefront Client Security. We all know that Symantec are ticked off with Microsoft for entering the corporate anti-malware market.
Call me paranoid (some do … but I’ve always been right, eh Baz?) but you wouldn’t think that maybe Symantec bought a firm called 4FrontSecurity so that they could stake a claim to any naming of security products called 4Front or Forefront? I’m not saying that’s their motivation or that it has even crossed their minds. I don’t know what 4FrontSecurity does … maybe they do have fantastic products and people that are worthy of an acquisition. But it does make me wonder.
Credit: The Register.
March Microsoft Updates Advanced Notification
It looks like there will be no new security updates included in the March Patch Tuesday release. There will be a number of fix updates available via Windows Update.
Quest Software Announces First License for Microsoft Protocol Technology
Quest Software announced that they have signed onto Microsoft’s program for server protocol interoperability, a program that was founded after a decision by the European Union. This program allows competitors and partners to access Microsoft’s protocol specifications so that they can interoperate with Microsoft server technology.
Readers of my blog (I know there are a few of you!) will have read a recent post where I talked about MOM and SMS and how you can use 3rd party software to manage heterogeneous platforms, not just the obvious Microsoft products. The 3rd party I kept mentioning was Quest. They’ve got a range of products, some resulting from the Vintela acquisition, for integrating UNIX and Linux into the Windows network and Microsoft management products.
This is sure to develop in really advantageous ways for customers of Linux/UNIX and Microsoft server technology. As much of a Microsoft-phile as I am, I know that UNIX and Linux do have a deserved place on the network. I would just love to see them being integrated into what I believe are best of breed products, i.e. Active Directory, SMS and MOM.
Already, you can integrate these platforms into Microsoft management technologies, e.g. Active Directory for single sign-on by leveraging Kerberos and schema extensions. I can’t wait to see what else Quest will come up with now that they have full access to how Microsoft’s server protocols work.
Disclaimer: I’ve not personally seen or implemented Quest or Vintela products … but their reputation is superb.
Infrastructure Management at Microsoft
Microsoft has released a 12-page document that describes, at a high level, how Microsoft manages their own internal infrastructure.
This is just the latest in a series of these "How Microsoft do …" documents to be released. I can’t recommend enough that you read them if you are carrying out similar projects. You’ve possibly heard how Microsoft "eats their own dog food". MS IT will deploy MS products long before they reach the public. By doing this they can test the products, but they also learn the best ways to deploy and use them and share this information via whitepapers, TechNet, best practices documents, seminars and MS Press. Reading these documents gives you a different perspective, telling you what the driving factors behind their design decisions were. Plus you get a handle on how the product scales.
Implementing System Center Operations Manager 2007 at Microsoft
Microsoft has released a document that describes how they deployed SCOM 2007 to manage their infrastructure. OM 2007 is the successor to MOM 2005. It allows:
- Hardware monitoring
- Application monitoring
- Product expertise in the form of modular management packs to be built into the network
- Audit Collection Services for centralised security logging
- End-to-end service monitoring using the ITIL/MOF concept of a service
- Detailed reporting
OM 2007 is currently available as a release candidate. It’s expected to be RTM soon, probably at MMS 2007 in Las Vegas. One sign of the imminent release is the launch of the official website.
Riverbed Adds SSL to Steelhead
The Register is reporting that Riverbed has added support to its Steelhead appliance for SSL acceleration in an upgrade of the operating system, RiOS 4.0. Riverbed believes that 15% of enterprise WAN traffic is SSL and that this is growing by 50% each year.
What is a Steelhead and what can it do for you? The Steelhead appliance is a Wide Area Data Network solution. You may have heard of Wide Area File Networks (WADN). These promise to accelerate file serving across the WAN, thus allowing you to centralise your file servers. Great, but what about your other servers: Oracle, SQL, Notes, Exchange, 3rd party applications? They don’t use CIFS or file sharing as their primary client/server protocol. How do you accelerate that?
The Steelhead implements a WADN by placing an appliance at each office, the central offices and the branch offices. All servers hosting TCP based services can be centralised. The Steelheads break up TCP based traffic into uniquely identified blocks and locally cache those blocks. Repeated blocks are served locally rather than copied across the WAN. This is similar to the bandwidth saving you get with Cross File Replication in Windows 2003 R2 DFS Replication on an Enterprise server. Because it works at the TCP level you get support for nearly all TCP based protocols: file sharing/CIFS, SQL, Notes, Exchange, Oracle, the list goes on and on. Difficulties arise with signed or encrypted traffic because the Riverbed Steelhead is a silent "man in the middle", the very thing that security solutions such as encryption and signing are designed to defeat: a block the appliance cannot read is never a repeat of anything it has cached. The Steelhead can be configured to let those protocols pass unaffected, or you can configure CIFS not to require signing, which gives up the protection that signing provides against exactly this kind of interception. Riverbed are working on solutions such as the newly added support for SSL.
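To make the block-caching idea concrete, here is an added example (not Riverbed code, and not from the original post) that models a pair of appliances sharing a block cache over a WAN link. Blocks are identified by their SHA-256 digest; a block the far side already holds is replaced on the wire by its digest, anything else is sent in full and cached at both ends. The block size, the "CAD drawing" payload and the stand-in stream cipher are all constructed for the example. It shows the three cases the paragraph describes: a first copy, a repeat copy, an edited copy where only the changed block crosses the WAN, and then the failure mode: encrypted traffic, which never repeats, so the cache never hits.

```python
import hashlib
import os

BLOCK_SIZE = 512    # constructed toy block size; fixed-size blocks are a simplification
REF_SIZE = 32       # a SHA-256 digest stands in for the on-wire block reference


def blocks(data, size=BLOCK_SIZE):
    """Split a byte stream into fixed-size blocks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class DedupLink:
    """Two appliances, one at each end of a WAN link, sharing a block cache.

    The cache is keyed by digest and is held identically at both ends, so the
    sending side knows which blocks the receiving side can reproduce locally.
    """

    def __init__(self):
        self.cache = {}          # digest -> block contents
        self.wire_bytes = 0      # running total of bytes that crossed the WAN

    def transfer(self, payload):
        """Send payload across the link.

        Returns (bytes_on_wire, reassembled_payload); the second value lets the
        caller confirm the far side rebuilt exactly what was sent.
        """
        sent = 0
        rebuilt = []
        for blk in blocks(payload):
            digest = hashlib.sha256(blk).digest()
            if digest in self.cache:
                sent += REF_SIZE                 # cache hit: only the reference travels
            else:
                sent += REF_SIZE + len(blk)      # cache miss: reference plus contents
                self.cache[digest] = blk
            rebuilt.append(self.cache[digest])
        self.wire_bytes += sent
        return sent, b"".join(rebuilt)


def stream_encrypt(plaintext):
    """Stand-in for a per-session stream cipher (constructed, NOT a real cipher).

    A fresh random keystream on every call means identical plaintext produces
    unrelated ciphertext, which is the property that defeats a passive cache.
    """
    keystream = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def constructed_drawing():
    """16 KiB of deterministic, non-repeating bytes standing in for a CAD file."""
    return b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(512))


def demo():
    """Run the four transfers and return the bytes each one put on the WAN."""
    drawing = constructed_drawing()
    link = DedupLink()
    first, _ = link.transfer(drawing)               # cold cache: everything travels
    repeat, rebuilt = link.transfer(drawing)        # warm cache: references only
    assert rebuilt == drawing
    # Edit one block in the middle; only that block should travel in full.
    start = 10 * BLOCK_SIZE
    edited = drawing[:start] + b"X" * BLOCK_SIZE + drawing[start + BLOCK_SIZE:]
    changed, rebuilt = link.transfer(edited)
    assert rebuilt == edited
    # Encrypted sessions: the same drawing twice, yet nothing ever matches.
    enc_link = DedupLink()
    enc_first, _ = enc_link.transfer(stream_encrypt(drawing))
    enc_repeat, _ = enc_link.transfer(stream_encrypt(drawing))
    return {"first": first, "repeat": repeat, "edited": changed,
            "enc_first": enc_first, "enc_repeat": enc_repeat}


if __name__ == "__main__":
    for name, size in demo().items():
        print(f"{name:>10}: {size:6d} bytes on the wire")
```

With 32 blocks of 512 bytes, the repeat copy costs 32 references instead of 32 blocks, and the edited copy costs 31 references plus one block. The two encrypted transfers cost the same as a cold-cache copy each time, which is why an appliance that wants to accelerate SSL has to be trusted with the session rather than sit silently in the path.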
The bandwidth savings are impressive to see in person. The device gives you some great reporting to see how successful it is. I’ve installed some low end appliances in a couple of sites. One had huge CAD drawings being copied across the WAN, a basic DSL line. As time goes by, the performance improves as the Steelheads cache more and more blocks. The first copy of a diagram could have taken 2 minutes. After that, any cross-WAN transfer by anyone in the branch was almost instantaneous. A similar diagram would have similar results … only those blocks of the file that were different would have to be copied across the WAN. Saving changes would be accelerated too … only the blocks that changed would transfer. My past employer used to do a "try and buy". The result of this particular demo was predictable within 30 minutes of the installation. The client ended up buying the devices for this new branch and was asking questions about how to implement them across their existing branches to centralise their servers. Oh … installation is a breeze! Install the appliance between your network and the router, configure addresses of the 3 interfaces, configure partner devices and acceleration rules. Your network and your servers don’t need to know a thing about the appliances.
If you’re interested then I would recommend that you contact Riverbed to be put in touch with a local partner so you can have a closer look at this technology in action.
Credit: The Register.
How Microsoft Patches Servers
Microsoft has released a document that describes how they deploy and manage security updates for their servers. As you can imagine on a 55,000-71,000 user network (size varies depending on what you read), MS has a lot of servers around the world. Even though they have applied centralisation and consolidation practices, there is always a need to run operating systems and machines in various locations.
In my travels over the years since automated patch management solutions became commonplace, I’ve come across three types of sites/administrators:
- Complete Automation: I say complete but there’s always a couple of machines that are manually managed for some reason. But the idea is that they automatically manage not only the desktops but also the servers. I’ve been in this category as an admin. It worked beautifully. You can maintain your security levels with confidence using different installation and reboot schedules for servers from those you use for desktops. Reports can indicate your success levels. Using something like MOM 2005 you can monitor the health of your network afterwards. In the two years that I managed a network with SUS/WSUS 2.0, I never had a bad patch. Despite some misconceptions, MS patches are quite healthy (the reason they take their time releasing them is so they can hammer them in testing) and you can be in complete control over what you deploy.
- Automation of desktop patching: They don’t trust the patch deployment solution to patch their servers or they don’t trust the patches. OK … so you won’t deploy patches to 100 servers that are in easy reach of you and that you have backups of, but you will patch 10,000 PCs automatically? That makes sense … NOT! If there’s something I want to get updates onto ASAP it’s my servers. That’s where my data is and where my applications are hosted. I want those resources secured, and quickly. I hear loads of comments like "we patch them every X months" or "we patch them when there’s a real threat" but honestly, I often never see a single update on these servers. And these are the people who get hammered by the Nimdas and Blasters of the world. Usually these are also the admins who don’t keep up to date with security alerts or IT news, so even if their latter excuse were truthful, they’d probably only update after an infection has hit them.
- No updates of any kind: "We don’t trust patching", "We’ve got a firewall", "We’ve got anti-malware". Hah! I hope you’ve got insurance or you’re not attached to the idea of bringing in a paycheck on a regular basis. Since I started working with automated patching in 2003, I’ve not had a single MS update break a PC, server or application that was under my control. I personally don’t know anyone who has either. The arguments about firewalls … that makes me laugh. They’ve no understanding of what a firewall is. Does your firewall block email attachments? How about web downloads? Nope, because if they did then you’d break basic functionality of these tools. How about an application filter to strip malformed traffic, e.g. ISA? Even then, you sometimes hear of threats that use legitimate traffic but exploit buffer overflows (a much less common threat in MS products since a code review in 2003). The anti-malware solution … that’s OK if you’re talking about a known virus. But that didn’t stop Nimda or Blaster or SQL Slammer, which hammered the Internet in a matter of minutes. And what about other attacks such as DoS or hacking? Anti-malware doesn’t stop those … don’t forget that it is estimated that 75% of all security threats are from employees, not malcontent teenagers in their parents’ basements or big-bad spies from competing countries/companies.
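The first category above relies on two things: a tighter schedule for servers than for desktops, and reports that tell you whether the schedule is actually being met. As an added example (not from the post, Microsoft’s document or WSUS itself), here is a small compliance check over a constructed inventory in the shape a WSUS-style report gives you: hostname, role, date of the last successful install, and the number of approved updates still missing. The per-role limits and the sample hosts are constructed; the point is that "we patch them every X months" and "never reported an install" both surface as findings, and that the percentage per role is what you would watch over time.

```python
from datetime import date

# Per-role policy: how old the last successful install may be before a machine
# is flagged.  Servers get the tighter window, as the post argues they should.
# The numbers are constructed for the example, not a recommendation.
MAX_AGE_DAYS = {"server": 14, "desktop": 30}

# Constructed reporting date; the post is from March 2007.
TODAY = date(2007, 3, 14)

# Constructed inventory rows, in the shape of a WSUS-style report:
# (hostname, role, last successful install date or None, approved updates not yet installed)
INVENTORY = [
    ("srv-dc01",  "server",  date(2007, 3, 10), 0),
    ("srv-sql01", "server",  date(2006, 11, 2), 9),   # "we patch them every X months"
    ("srv-ex01",  "server",  None,              23),  # never reported a single install
    ("pc-1042",   "desktop", date(2007, 3, 12), 0),
    ("pc-1043",   "desktop", date(2007, 1, 20), 3),
    ("pc-1044",   "desktop", date(2007, 3, 13), 2),   # recent install, but approvals still pending
]


def non_compliant(inventory, today=TODAY, policy=MAX_AGE_DAYS):
    """Return a list of (hostname, reason) for every machine outside policy.

    Checks are ordered so the most serious reason wins: never patched, then
    overdue against the role's limit, then approved updates not yet applied.
    """
    findings = []
    for host, role, last_install, missing in inventory:
        limit = policy[role]
        if last_install is None:
            findings.append((host, "no update ever installed"))
        elif (today - last_install).days > limit:
            age = (today - last_install).days
            findings.append((host, f"last install {age} days ago, limit {limit}"))
        elif missing:
            findings.append((host, f"{missing} approved update(s) not installed"))
    return findings


def compliance_by_role(inventory, today=TODAY, policy=MAX_AGE_DAYS):
    """Percentage of machines per role that are within policy (rounded)."""
    flagged = {host for host, _ in non_compliant(inventory, today, policy)}
    result = {}
    for role in policy:
        hosts = [row[0] for row in inventory if row[1] == role]
        ok = sum(1 for h in hosts if h not in flagged)
        result[role] = round(100 * ok / len(hosts)) if hosts else 100
    return result


if __name__ == "__main__":
    for host, reason in non_compliant(INVENTORY):
        print(f"{host:<10} {reason}")
    print(compliance_by_role(INVENTORY))
```

Against the constructed inventory this flags four of six machines and reports 33% compliance for both roles, which is the kind of number that makes the "we patch them when there’s a real threat" conversation a short one.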
I would urge anyone to take a read of Microsoft’s document. It’s evidence of their "eat our own dog food" approach. I’d also urge you to have a read of my WSUS 3.0 beta guide.