Automating Windows Patch Management (Part I, II and III)

Submitted by TTF, 2004-05-11, Windows, 7 Comments

Patch management could easily be called the bane of every administrator's existence, the pain in the rear of system management, or that never-ceasing headache that pounds at CIOs everywhere. Here are three articles on the topic, Part 1, 2 and 3.

About The Author: Eugenia Loli. Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

7 Comments

2004-05-11 12:28 pm
SMS really costs a lot, but it's a lot better than SUS. It allows you to deploy your own packages on Windows-based machines, not only security updates, and it gives you a lot more management options. On Linux nothing beats apt for binary packages: simply copy the repository from one of the Debian mirrors and set the source to your internal server for each client (BTW it's the same thing that SUS does; the only advantage SUS has here is that it can use AD group policies to update the SUS repository on every client remotely, but you can do that with Linux too, simply copying the correct sources.lst in /etc/apt). I still think it's easier to write an ebuild than to create a deb.

2004-05-11 7:06 pm
Windows XP already has the ability to automate updates for the OS, but it would be great to take this a few steps further. Windows XP's integrated Windows Update is similar to SuSE Linux YaST Online Update (YOU) in that it updates the OS with security fixes, but it needs to go further. SuSE Linux has a few features included that Microsoft would benefit from looking into, such as automated scanning of installed in-house and 3rd-party programs to check whether there is an available update or security patch. This is a feature of SuSE Watcher and something I'm sure both common Windows users and especially Administrators would enjoy having.

Wouldn't it be nice to have such an automated program watcher included free with Windows that doesn't require an Administrator to set it up? Such a program could keep an eye out for important OS and program updates instead of letting your system get compromised. Also having the ability to update online to new Windows versions (i.e. going from Win2000 to WinXP to Longhorn). This again is a feature found in certain Linux distros such as SuSE Linux and something Microsoft should look into. Providing this for their customers would not only cut down on retail packaging but also provide a quick installation method. When a new version is to be released, subscribers could install their update version via a secure login connection. This would certainly be beneficial to businesses that have yearly maintenance packages, by including the updates as part of their subscription at no added cost. Also having the ability to install updates without the need to reboot. This is something Linux users are very familiar with. Rebooting after each and every patch can take up valuable time for both the Administrator and the home user. Program managers such as YaST install multiple updates and new programs, then reinitialize the programs in what appears to be a virtual boot without requiring a full system reboot or even logging out. This is all done in a matter of seconds. If Linux developers can do this, then why can't Microsoft find a way to do it too? Instead of developers such as Microsoft making feeble attempts to attack the competition, they should look at the advancements made by their competitors. It would be better for developers of Windows, OS X and Linux to look at each other and realize the positive benefits of new technology so mistakes are not repeated. This would then benefit all users no matter what OS you use.

2004-05-11 8:53 pm
I was overwhelmed with the fact that it requires 3 large write-ups to produce an article on patch management.

Granted, it was indeed a good article IMO, but the progression of Windows is taking on a huge unneeded bloat policy. MicroSoft needs to rethink their future operating system strategies. Longhorn will be larger than XP. XP is of course larger (IMO bloated) than any previous operating system created. With the current issues in security being a huge factor with MS, why would they need to continually bloat their code to new heights? Continually needing huge (and I mean huge) updates and patches to fix issues. MicroSoft's next strategy should be to produce a "Light" version of new operating systems for home use. XP Home is not a "Light" version in anyone's calculations. Do you have 56K dialup? A 9600 baud modem? Do you need to patch your Windows operating system? The 2 or 3 hundred MB of patching is insane. Insane for broadband, let alone the millions of dial-up access users. There is no way in the world to patch machines online for home users on dial-up. Thus the web continues to be a more contaminated environment due to the use of the current bloat of modern Windows operating systems. I do not blame home/office users for contaminating the internet, or allowing their machines to be a part of the situation; I blame MicroSoft for lack of research and development and balancing current technology with their new operating systems. Until dialup is not a factor anymore and everyone has a 20MB connection to the internet, I suggest Microsoft go back and re-evaluate their future. The next time you poke on Windows Update, read the patch-for-a-patch scheme they use and make your own decisions. MicroSoft is mis-managed and they need to take a larger look at their future operating system strategy versus modern networking hardware for the average at-home user. It takes me a few commands and less than a few minutes to update my current operating system. But then again, I don't have the luxury of having an animated pet guide my file searches.

2004-05-11 10:39 pm
Let me offer a word of warning to any who might be planning to download MSN 9: beware. I reformatted somebody's computer for them last week and went to the MSN site (via the CD) to get 9, and picked up the Sasser worm there about halfway through the download. So if you happen to be headed that way, get the patch first.

2004-05-12 2:04 pm
Sasser doesn't spread by visiting websites. As long as you are connected to the internet you are at risk. It had nothing to do with MSN. By allowing the computer to be connected to the internet without the proper patches or updated antivirus, you are at fault for this computer becoming infected. http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

2004-05-12 7:44 pm
"Sasser doesn't spread by visiting websites..." Nice try. Sasser doesn't teleport. I didn't even have an internet connection yet, thus the reason I was at MSN. The download site is not just a site that anybody can connect to; you have to be running the CD. Besides, the main point is, a new computer user trying to get online for the first time shouldn't have to deal with such nonsense. How is a new user supposed to get the patch if they can't connect?

2004-05-13 2:00 pm
Let me try again to clarify. If you were connected to MSN, then YES, you had an IP address and were connected to the Internet. Sasser DOES NOT infect you by visiting a particular site. Infected computers on the internet scan for other vulnerable IP addresses on the internet. If it finds one, it attempts to connect and infect that computer. Again, it has ABSOLUTELY NOTHING to do with MSN. I agree that Microsoft should provide a way for users to update new systems with all of the latest patches WITHOUT having to first connect to the internet, thus exposing their still vulnerable system. But the same can be said of any freshly installed Linux or Mac system.