With Microsoft discontinuing support next year for Software Update Services (SUS), organizations using the patch management tool have a decision to make. Do they adopt Windows Server Update Services -- Microsoft's next generation replacement for SUS -- or Microsoft Systems Management Server, or do they turn to a third-party solution? Let's look at the differences between SUS, WSUS, and SMS and when or if companies might want to invest in a non-Microsoft patching and update tool.
Sorting through the acronyms
Microsoft Windows Server Update Services (WSUS) started shipping in June of 2005 and is available free of charge. WSUS is an update to its predecessor, SUS, and is the Microsoft recommended patching and update tool for the SMB market. WSUS runs on Windows Server 2000 and 2003, and interacts with the Microsoft Update agent on Windows 2000 (with SP3) and XP hosts to support patch delivery and installation. While functional, the tool doesn't support some features that are required by large enterprises such as complex flexible scheduling and inventory management.
If your organization is willing to shell out a few dollars, Microsoft offers Systems Management Server 2003. SMS provides more advanced administrator management features than WSUS. Specifically, SMS includes control over installation and rebooting, an inventory component piece to help with compliance reporting and a customizable interface.
While SMS provides relatively robust patch and update support, there are some drawbacks. SMS doesn't support non-Windows systems. Enterprises with mixed systems, such as *NIX and MacOS still need to find a way to manage patching and updates on those systems. Many large organizations invest time and effort into configuring vulnerability management components that are managed and overseen by network or desktop operations teams. For example, a company that gathers and stores asset inventory information using IBM's Tivoli or performs all software update and package delivery using CA's Unicenter may not want to change operational procedures to perform these functions via SMS. In fact, there may be a compelling reason to keep these functions where they are.
Is the third party the charm?
A complete vulnerability management solution is comprised of more than simply sending patches to Windows devices. Comprehensive vulnerability management includes keeping a current inventory of all systems and applications on the network, using scanning and informational mechanisms to determine current vulnerabilities and exposures, and maintaining correct patch and configuration levels on systems. Robust management and reporting is also of high importance for most enterprises. Before deciding on any solution, be sure to document business requirements for the solution, such as which systems must be covered and how granular reporting capabilities need to be.
For companies that are concerned about vulnerabilities related to Windows-based but non-Microsoft applications, sifting through the alerts and advisory postings can be extremely time consuming. Third-party vulnerability management vendors keep current lists of vulnerabilities for a variety of systems and applications, and can send alerts and updates to customers.
Many third-party vulnerability management providers also offer coarse-grained prioritization of vulnerabilities and the ability to change classification levels of assets based on importance to the organization. By classifying important assets and ranking vulnerability severity, companies can prioritize their remediation efforts. For larger enterprises that may not be able to send out all patches or updates at once, the ability to first target the most critical and vulnerable systems can mean the difference between dodging a worm and shutting down production servers.
One more option
There's one more Microsoft tool that bears mention -- the Microsoft Baseline Security Analyzer. MBSA is intended for the SMB market and scans Windows systems for current patch and update level and configuration state. It can be used in conjunction with security solutions from third-party vendors Citadel Security, IBM's Tivoli and PatchLink.
Microsoft has a number of offerings for patch and update management, but patching is only part of the vulnerability management story. For some enterprises, SMS 2003 may fit business needs, but for many, the best fit is found in the more robust and feature-rich offerings of third-party vulnerability management vendors.
About the author: Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
This was first published in December 2005