ORLANDO, Fla. -- Are the darkest days of patch management and security woes in the past? IT professionals at Microsoft's TechEd conference don't think so, and while there are many new products to ease the burden, managing the software patching process is still a tough job.
From finding adequate time to test critical patches to making sure those critical patches are deployed before an exploit hits, patch management is still time-consuming.
"Our biggest challenges are serving various platforms," said Jason Hayes, network administrator for Winter Haven Hospital in Winter Haven, Fla. Hayes patches systems from Windows 95 to Windows XP with Service Pack 2.
First priority is on critical patches
What else causes patch stress? "Ensuring that we have the most critical, high vulnerability patches out to lower the threat and scheduling server downtime," he said.
To help administrators keep up to date on security patches, on Monday Microsoft announced the availability of its Windows Server Update Services (WSUS) and Microsoft Update. Additional products, the Microsoft Baseline Security Analyzer 2.0 and the Systems Management Server (SMS) 2003 Inventory Tool for Microsoft, are due this summer, CEO Steve Ballmer told attendees in his keynote address.
Tim Strawn, senior systems engineer with Orlando-based Harcourt Education, used the beta of WSUS to patch more than 320 servers. He found it to be a marked improvement over its predecessor, Software Update Services (SUS). "SUS didn't work right," Strawn said. "It was not hitting servers when it should [have]. [With WSUS] things just worked."
WSUS better than SUS, but no panacea
WSUS, however, isn't the silver bullet of patch management, and IT doesn't see the job going the way of the dinosaur any time soon.
"I think there's always room for improvement," said Lane McMullen, systems administrator with Noel-Levitz Inc., an Iowa City, Iowa, consulting firm. "I think it's an ever-going battle, but over the long haul, these tools do make your job easier." His firm is piloting WSUS after evaluating both SUS and SMS 2003.
Julie Hayes, a senior network analyst with Publix Super Markets Inc., in Lakeland, Fla., said she hopes to see better reporting tools in future Microsoft patching tools. "Any kind of tool that you've got out there is just not perfect," she said. However, being able to create reports on the patch status of her machines -- something she can't do with SMS 2.0 -- would make her job easier, she said.
Striving for client uniformity
Eric Cox, a lead engineer at the Department of Defense, said the agency uses SMS to patch its desktops. Keeping them up to date with the latest patches isn't his biggest problem. "That would be getting all of the clients to become uniform," he said. "You might get better tools, but you're still going to have to do it."
Jenn Davis, senior systems engineer with Science Applications International Corp., in Washington, D.C., agreed. "I don't expect Microsoft to get to the point where they're going to stop delivering patches," Davis said. "That's just not realistic."