THREAT MONITOR

SUS, WSUS, SMS and beyond


Diana Kelley
11.16.2005


With Microsoft discontinuing support next year for Software Update Services (SUS), organizations using the patch management tool have a decision to make. Do they adopt Windows Server Update Services – Microsoft's next-generation replacement for SUS – or Microsoft Systems Management Server, or do they turn to a third-party solution? Let's look at the differences between SUS, WSUS, and SMS, and at when, or if, companies might want to invest in a non-Microsoft patching and update tool.

Sorting through the acronyms

Microsoft Windows Server Update Services (WSUS) started shipping in June of 2005 and is available free of charge. WSUS is an update to its predecessor, SUS, and is the Microsoft-recommended patching and update tool for the SMB market. WSUS runs on Windows Server 2000 and 2003, and interacts with the Microsoft Update agent on Windows 2000 (with SP3) and XP hosts to support patch delivery and installation. While functional, the tool doesn't support some features that large enterprises require, such as complex, flexible scheduling and inventory management.

If your organization is willing to shell out a few dollars, Microsoft offers Systems Management Server 2003. SMS provides more advanced administrator management features than WSUS. Specifically, SMS includes control over installation and rebooting, an inventory component to help with compliance reporting, and a customizable interface.

While SMS provides relatively robust patch and update support, there are some drawbacks. SMS doesn't support non-Windows systems. Enterprises with mixed systems, such as *NIX and MacOS, still need to find a way to manage patching and updates on those systems. Many large organizations invest time and effort into configuring vulnerability management components that are managed and overseen by network or desktop operations teams. For example, a company that gathers and stores asset inventory information using IBM/Tivoli or performs all software update and package delivery using CA/Unicenter may not want to change operational procedures to perform these functions via SMS. In fact, there may be a compelling reason to keep these functions where they are.

Is the third party the charm?

A complete vulnerability management solution comprises more than simply sending patches to Windows devices. Comprehensive vulnerability management includes keeping a current inventory of all systems and applications on the network, using scanning and informational mechanisms to determine current vulnerabilities and exposures, and maintaining correct patch and configuration levels on systems. Robust management and reporting are also of high importance for most enterprises. Before deciding on any solution, be sure to document business requirements for the solution, such as which systems must be covered and how granular reporting capabilities need to be.

For companies that are concerned about vulnerabilities related to Windows-based but non-Microsoft applications, sifting through the alerts and advisory postings can be extremely time-consuming. Third-party vulnerability management vendors keep current lists of vulnerabilities for a variety of systems and applications, and can send alerts and updates to customers.

Many third-party vulnerability management providers also offer coarse-grained prioritization of vulnerabilities and the ability to change classification levels of assets based on importance to the organization. By classifying important assets and ranking vulnerability severity, companies can prioritize their remediation efforts. For larger enterprises that may not be able to send out all patches or updates at once, the ability to first target the most critical and vulnerable systems can mean the difference between dodging a worm and shutting down production servers.
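
The prioritization described above, sketched as an added example that is not from the original article or from any vendor's product: hosts are ranked by asset class times worst missing-update severity, then split into rollout waves of limited size. The scales, weights, host names and update placeholders are constructed assumptions.

```python
from collections import defaultdict

# Coarse scales; the labels and weights are assumptions, not any vendor's scheme.
ASSET_WEIGHT = {"critical": 3, "important": 2, "standard": 1}
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Constructed inventory: host -> (asset class, platform).
INVENTORY = {
    "erp-db01": ("critical", "windows"),
    "web-ext01": ("critical", "linux"),
    "file-srv02": ("important", "windows"),
    "design-mac07": ("standard", "macos"),
    "kiosk-114": ("standard", "windows"),
}

# Constructed scan findings: (host, missing update placeholder, severity).
FINDINGS = [
    ("erp-db01", "UPDATE-A", "important"),
    ("web-ext01", "UPDATE-B", "critical"),
    ("file-srv02", "UPDATE-A", "critical"),
    ("design-mac07", "UPDATE-C", "moderate"),
    ("kiosk-114", "UPDATE-A", "critical"),
    ("lab-pc-unknown", "UPDATE-A", "critical"),  # scanned but never inventoried
]

def score_hosts(inventory, findings):
    """Return ({host: (score, missing_count)}, scanned hosts absent from inventory)."""
    worst, count, unmanaged = defaultdict(int), defaultdict(int), set()
    for host, _update, severity in findings:
        if host not in inventory:
            unmanaged.add(host)  # cannot be ranked without an asset class
            continue
        worst[host] = max(worst[host], SEVERITY_WEIGHT[severity])
        count[host] += 1
    scores = {h: (ASSET_WEIGHT[inventory[h][0]] * worst[h], count[h]) for h in worst}
    return scores, sorted(unmanaged)

def plan_waves(inventory, findings, per_wave):
    """Split hosts into waves of at most per_wave hosts, highest risk first."""
    scores, unmanaged = score_hosts(inventory, findings)
    ordered = sorted(scores, key=lambda h: (-scores[h][0], -scores[h][1], h))
    waves = [ordered[i:i + per_wave] for i in range(0, len(ordered), per_wave)]
    return waves, unmanaged

if __name__ == "__main__":
    waves, unmanaged = plan_waves(INVENTORY, FINDINGS, per_wave=2)
    for n, wave in enumerate(waves, 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("not in inventory, classify before patching:", unmanaged)
```

The low-value kiosk with a critical finding lands behind the critical database server with a lesser one, and the uninventoried host is reported separately rather than silently ranked, which is why the inventory has to be current before prioritization means anything.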

One more option

There's one more Microsoft tool that bears mention -- the Microsoft Baseline Security Analyzer. MBSA is intended for the SMB market and scans Windows systems for current patch and update level and configuration state. It can be used in conjunction with security solutions from third-party vendors Citadel Security, IBM/Tivoli and PatchLink.

Microsoft has a number of offerings for patch and update management, but patching is only part of the vulnerability management story. For some enterprises, SMS 2003 may fit business needs, but for many, the best fit is found in the more robust and feature-rich offerings of third-party vulnerability management vendors.

About the author
Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
