Mar 18 2008

Patch Patrol

Active Directory and Group Policy can aid your efforts to manage security and update patches — on a small or large scale.

It’s no secret: Operating systems and applications are not perfect. They have flaws. Some are security-related, and some are purely functional issues that need resolving.

If it’s your job to ensure that Windows systems on the agency network are secure and operational, then you know this task is not so easy. Sure, users typically have Microsoft Windows Update at their disposal, but effective patch management within a large organization requires granular control.

If you’re not using Active Directory and Group Policy Objects to get a handle on your network’s patches, you should be. AD/GPO enables detailed user administration, workstation and server configuration management, security settings, functional mapping and even application installation from a central console. You can configure separate policies to customize settings by system type, user type, function or almost any other criteria.

Although it is possible to perform patch management without an Active Directory configuration, having one in place will make patching much easier to implement. It removes the need for repetitive analysis and configuration routines every time you need to make an update and lets you establish sets of patch strategies based on the affected systems.

On the Right Path

To keep users, and even systems and network administrators, from updating directly from Microsoft’s Web site, the company offers a free alternative: Windows Server Update Services. To implement WSUS, it’s best to have at least one separate system as a dedicated WSUS server and a full Microsoft SQL Server back end (rather than the free, lightweight database runtime that comes with WSUS), along with a hefty amount of disk space to store patches and hot fixes.

One of the first tasks you must perform for WSUS is to identify what software and operating systems are in your environment and the languages you need to support. This initial customization step reduces the download size of the first synchronization and streamlines future updates.

Although you will generally perform WSUS administrative work from Internet Explorer, Microsoft has also provided a command-line tool — wsusutil.exe — that can aid in troubleshooting WSUS problems. You can configure the synchronization schedule with WSUS to suit your network bandwidth requirements (for example, synchronize only during off hours), and for large WSUS deployments, you can tell a downstream WSUS server to synchronize from your primary internal master instead of going back out to Microsoft’s update servers.

Marching Orders

At minimum, establishing a repository of WSUS patches will require 6GB of hard-disk space, but depending on the size of your agency, you could need 30GB or more.

Once you have identified the software and OS components, you need to configure deployment strategies. You can configure all your AD-managed systems to talk to your internal WSUS server with a simple GPO configuration. For non-AD environments, you must script registry edits to accomplish the same task. WSUS lets you target updates to groups of client computers so you can ensure that specific computers always get the right updates at the most convenient times.

If all the computers in one part of your organization have a unique configuration, you can create groups (or map your AD configurations) for that section and decide which updates are needed, along with the installation schedules. You can assign systems to computer groups through server-side targeting or client-side targeting. With server-side targeting, you manually move one or more client computers to one computer group at a time. With client-side targeting, you use Group Policy or edit the registry settings on client computers to enable those computers to automatically add themselves to previously created computer groups. This is extremely handy when you have clients or servers in highly regulated environments and must follow strict guidelines for applying updates. Intelligent grouping and scheduling policies will help facilitate proper management practices for these systems.
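The registry edits mentioned above for non-AD systems, and the client-side targeting just described, come down to a handful of values under the Windows Update policy key. The following PowerShell script is an added example, not code from the original article, and it writes the same values that the "Specify intranet Microsoft update service location", "Enable client-side targeting" and "Configure Automatic Updates" Group Policy settings would write. The server URL, port, computer group name and schedule are assumptions for illustration.

```powershell
# Added example, not code from the original article: point a Windows client that
# is outside Active Directory at an internal WSUS server and have it place itself
# in a WSUS computer group (client-side targeting) by writing the policy registry
# values that the Windows Update GPO settings would otherwise write.
# Server URL, port, group name and schedule are assumptions for illustration.
# Run from an elevated PowerShell prompt on the client.

param(
    [string]$WsusUrl     = 'https://wsus.agency.local:8531',  # assumed; 8531 is the WSUS SSL port
    [string]$TargetGroup = 'Regulated-Servers',              # assumed; the group must already exist in WSUS
    [ValidateRange(0, 7)]  [int]$InstallDay  = 1,  # 0 = every day, 1 = Sunday ... 7 = Saturday
    [ValidateRange(0, 23)] [int]$InstallHour = 3   # local hour for the scheduled install
)

# Refuse a plain-HTTP server URL: the client trusts the server named in WUServer
# for update metadata and approvals, so the link needs TLS with a certificate the
# client already trusts, not an unauthenticated HTTP connection.
if ($WsusUrl -notmatch '^https://') {
    throw "WUServer must be an https:// URL; got '$WsusUrl'"
}

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the Automatic Updates client fetches updates and where it reports status.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusUrl -Type String

# Client-side targeting: the client adds itself to this computer group when it
# checks in, instead of an administrator moving it on the server.
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $TargetGroup -Type String

# Use the internal server instead of Microsoft's, keep Automatic Updates on, and
# schedule installs: AUOptions 4 = download automatically, install on the schedule.
Set-ItemProperty -Path $auKey -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord

# Show what was written, then make the client drop its cached target-group
# assignment and check in with the WSUS server now rather than waiting for the
# next detection cycle.
Get-ItemProperty -Path $wuKey | Format-List WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path $auKey | Format-List UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
& "$env:windir\System32\wuauclt.exe" /resetauthorization /detectnow
```

On a domain-joined machine these values live under the Policies key and are owned by Group Policy, which will overwrite anything set by hand at the next refresh; there, set the equivalent options in a GPO under Computer Configuration, Administrative Templates, Windows Components, Windows Update and let the client pick them up.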

Even with patching under the IT team’s internal control, it’s easy in a large organization to miss updates, to have occasional patching errors occur, and to leave some systems exposing the agency’s infrastructure to vulnerabilities. You can use WSUS reporting facilities to review all update activity on your network and identify which systems are having issues. More important, you can determine the currency of your environment at a glance. That’s beneficial when a major vulnerability arises in the wild, because to mitigate risk to your network you will need to focus on only those systems most in need of repair.
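The at-a-glance currency view described above can also be pulled straight from the WSUS administration API, which is handy when a vulnerability is in the wild and the console reports are too slow to comb through. The script below is an added example, not code from the original article; it runs on the WSUS server (or any machine with the WSUS administration console, which supplies the Microsoft.UpdateServices.Administration assembly). The server name, port and the 14-day staleness threshold are assumptions for illustration.

```powershell
# Added example, not code from the original article: build an at-a-glance patch
# currency report from the WSUS administration API, listing computers with failed
# or missing updates and computers that have stopped reporting. Server name, port
# and the staleness threshold are assumptions for illustration.

param(
    [string]$WsusServer = 'wsus.agency.local',  # assumed
    [int]$Port          = 8531,                 # assumed; 8531 = SSL, 8530 = plain HTTP
    [bool]$UseSsl       = $true,
    [int]$StaleDays     = 14                    # no status report in this long = state unknown
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

# Include computers that report through downstream (replica) servers as well,
# so a multi-tier deployment is summarized from the master in one pass.
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$scope.IncludeDownstreamComputerTargets = $true

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($target in $wsus.GetComputerTargets($scope)) {
    # Per-state update counts as of the client's last status report.
    $summary = $target.GetUpdateInstallationSummary()
    [pscustomobject]@{
        Computer      = $target.FullDomainName
        LastReport    = $target.LastReportedStatusTime
        Failed        = $summary.FailedCount
        Needed        = $summary.NotInstalledCount + $summary.DownloadedCount
        PendingReboot = $summary.InstalledPendingRebootCount
        Unknown       = $summary.UnknownCount
        Stale         = ($target.LastReportedStatusTime -lt $cutoff)
    }
}

# The systems most in need of repair first: failed installs, then missing
# updates, plus anything that has gone quiet, since silence is not currency.
$report |
    Where-Object { $_.Failed -gt 0 -or $_.Needed -gt 0 -or $_.Stale } |
    Sort-Object -Property Failed, Needed -Descending |
    Format-Table -AutoSize

# One-line currency figure for the environment.
$reporting = @($report | Where-Object { -not $_.Stale })
$current   = @($reporting | Where-Object { $_.Failed -eq 0 -and $_.Needed -eq 0 -and $_.PendingReboot -eq 0 })
$stale     = @($report | Where-Object { $_.Stale })
'{0} of {1} reporting computers are fully current; {2} have not reported in {3} days' -f `
    $current.Count, $reporting.Count, $stale.Count, $StaleDays
```

Treat stale computers as a separate problem from failed ones: a machine that has not checked in may have been retired, may have lost its WSUS configuration, or may be sitting on an isolated segment, and until it reports again its patch state is unknown rather than good.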