What's all the fuss about WSUS?

By Bill Brenner, News Writer 13 Jun 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Tom Kroll and Jeffrey Jarzabek are two IT managers with a different take on the newly-released Windows Server Update Services [WSUS]. Kroll thinks it'll be an improvement over Software Update Services (SUS) and is eager to use it. Jarzabek thinks SUS is good enough and sees no reason to switch now.

Their views capture the wider discussion that has unfolded since WSUS came out last week. Some IT shops want to deploy it now, enticed by extra features that allow greater control over the patch management process. Others are taking the wait-and-see approach that followed last summer's SP2 release. They want to make sure it actually works before diving in.

"I want to get on WSUS right away," said Kroll, network systems and security administrator for Chicago-based law firm Hinshaw & Culbertson. "There's no reporting in SUS. But from what I've seen and heard, WSUS reports which machines are patched and which ones are not. And with SUS, if I approve something it's out there. What do you do when you approve SP2 and you have a remote office of 25 machines with a partial T1? You'll kill the bandwidth. With WSUS, you can approve SP2 for one office and not another."

It is like buying last year's model off the lot while next year's models are being delivered. Jeffrey Jarzabek IT Director, Matocha Associates

That's better than the all-or-nothing approach he sees as the hallmark of SUS. "With all or nothing, sometimes it's better going with nothing," he said.

"The release of WSUS to manufacturing won't change anything here," said Jarzabek, IT director for Matocha Associates, an Oakbrook Terrace, Ill., firm specializing in architecture, engineering, general contracting and construction management. "We are using SUS and some other applications/processes and have patch management taken care of."

It's not that he thinks WSUS is a waste of computer space. Jarzabek just thinks it's better suited for companies that never used SUS and are now looking for a patching solution. While Microsoft plans for WSUS to ultimately replace SUS, he's content to keep using the latter as long as it keeps functioning.

"It is like buying last year's model off the lot while next year's models are being delivered," he said by e-mail. "If you don't need the latest car and yours gets you from point A to point B just fine, there is no need to get a new car. Had we not already had a great solution in place, we would be installing WSUS."

Microsoft's patch management overhaul
Microsoft said WSUS is just one piece of its plan to make the patching process less painful. CEO Steve Ballmer used last week's TechEd confab to announce the availability of WSUS and Windows Update, plus the summer release of additional products like Baseline Security Analyzer 2.0 and the Systems Management Server (SMS) 2003 Inventory Tool.

On its Web site, the software giant describes WSUS as the successor to SUS, saying it'll let IT administrators deploy the latest Microsoft updates to Windows Server 2000 and 2003, and Windows XP operating systems. Microsoft said it builds on the features of SUS by providing:

• A larger menu of updates;
• The ability to automatically download updates from Microsoft Update by product and type;
• Additional language support for customers worldwide;
• Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0;
• The ability to target updates to specific computers and computer groups;
• The ability to verify that updates are suitable for each computer before installation;
More flexible deployment options, reporting capabilities and database options;
• Data migration and import/export capabilities; and
• Extensibility through the application programming interface (API).<.li>

Ready for a test spin
Lee Benjamin, chairman of the ExchangeServerBoston user group and owner of ExchangeGuy Consulting Services, said he sees WSUS, Microsoft Update and Windows Update as a major step toward getting all update resources into one technology with different distribution methods for scalability.

"A year ago MS [Microsoft] had six different ways to get patches and updates," he said by e-mail. "Now you can go to one place or an internal server to get updates for desktop OS [operating systems], Office applications, server OS, and server applications. That's nice and efficient."

Related news on WSUS Software patching remains a laborous process It's not all about patching

Dick Davis, information systems director for Vista, Calif.-based Jif-Pak Manufacturing, said WSUS isn't the right fit for his operation at the moment. His is a Small Business Server 2003 environment. Of the company's 150 employees, only 42 need to use the computer network. But he plans to give it a try soon and start preparing for a possible future deployment.

"Right now it makes more sense for me to install patches on individual desktops," he said. "Given the size of the operation it only takes me about three days each month and it gives me a chance to see how each machine is working and if users are downloading things that aren't allowed."

But he anticipates the possibility that his company will grow and eventually need a more centralized, automated patching process. So he's interested in using WSUS to get familiar with it and be ready for the day he might need it.

Proceeding with caution
Cheryl Goehler, senior IT auditor for Metro, St. Louis' public transportation system, said her organization takes a skeptical approach to Microsoft patches in general. After talking to Metro's network analyst, she found that patching is only done on an as-needed basis. Will the release of WSUS change that? Goehler's not so sure.

"Metro doesn't trust the reliability of Microsoft patches and would not automatically install them," she said. "When Metro network analysts determine that a released patch is needed, it is first thoroughly tested. After it's tested and ready for installation, installation is postponed until users make a request for a problem correction or enhancement."

Even those who are ready to try it are moving cautiously. Davis said he'll monitor other IT shops' experiences and let them work out the kinks first.

"I'm going to let someone else test it," he said. "I don't have the luxury of a testing environment, so I'll watch to see how others fare by talking to other admins and keeping an eye on the message boards. I need to know it works before I deploy it."

Tags: Security Patch Management,  Configuration Management Planning,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Configuration Management Planning Integrated change management reduces security risks EMC adds configuration management with Configuresoft acquisition McAfee to acquire Solidcore Systems for whitelisting Product Review: Shavlik's NetChk Compliance Security services: Fiberlink's MaaS360 Mobility Platform CISSP Essentials training: Domain 10, Operations Security 5 Steps for Developing Strong Change Management Program Best Practices Misconfiguration issues could have contributed to Hannaford breach Misconfigured networks create huge security risks Private sector should learn from government insecurity Configuration Management Planning Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary