Finally, the company overhauled the TechNet security site by adding more content, making it easier to search for specific security information, and adding a Microsoft Guide to Security Patch Management (Version 1, July 2003). The 2.5-MB download is a 2-part, 11-chapter PDF file designed for both IT management and in-the-trenches staff.
Proposed patch management remedies
Consumers have always been able to use the Web to apply updates -- Windows Update for operating systems and Office Update for its flagship product. But this has never been a good solution for IT departments, because you don't want users adding patches before they've been tested (you probably lock down their workstations to keep them from doing so). What solutions are available for IT staff?
To help with patch and update testing, Microsoft makes available Software Update Services (SUS). After network administrators approve a patch, SUS helps them deploy the update to Windows 2000 servers, and Windows XP Professional and 2000 Professional desktops. Microsoft's Systems Management Server Feature Pack adds SUS capabilities to the Systems Management Server (SMS). The drawback to this technology is that SUS only downloads critical updates. Other patches have to be applied manually, and they lack a standardised interface, patching method, and even standardised command line switches.
In response to this problem, Charney stated at TechEd that IT customers could expect the following improvements in the near future (these promises are repeated in the white paper):
- An automatic, online update service for security patches and other critical updates that covers more products
- An SUS 2.0 release, which will include the ability to update more Microsoft products
- Systems Management Server 2003, to be released this year, which will add the ability to automatically install patches during downtime
- A standardised look, feel, and behavior of all patch installers; for example, all patches will register with the system (and be recognised as a patch by other patches) the same way, and all patches will use consistent command line flags (no more "/quiet" flag on one package and "/silent" flag on another)
- The ability to uninstall or roll back the patch
It's a lot for the Patch Management Task Force to take on, but Charney said he'd have all of it done in six months, a timeline that is, frankly, unrealistic. Nevertheless, he said, "by the end of the year, instead of eight installer technologies, we will have two: one for operating systems and one for applications." In addition to consistent, better designed patches, Charney said the new releases will be more stable and will have been tested more than in the past.
What's next?
So this is Microsoft's plan, spearheaded by Charney, and it is certainly an ambitious and credible one. How long it will take, and whether Microsoft will be able to follow through on all these customer concerns, remains to be seen. In the meantime, make use of the new security notification system, look for the SUS and SMS updates, check Microsoft's Web sites periodically for signs of progress, and keep your fingers crossed.







Talkback
When you install XP on a new PC, you have not only got to keep to its very strict rules regarding copyright, only one copy per computer, you then, after installing XP, install Service Pack one and its updates, and that's a lot of time, and a system that's patched to hell is no good. Microsoft should allow you to go back to your supplier and get a new copy of the software, so it installs with not a lot of fuss, it's clear of patches. An installer not only has to install XP, but anti-virus and motherboard stuff, soundcards and ATI stuff in my case, regarding graphic cards. Also, Microsoft should let you install XP on more than one computer, and make it easy for you to do this, even paying a small fee extra. I have 4 PCs, and I have bought 2 copies of XP, COSTING SOME £260 QUID.