February 26, 2004

Automating Windows Patch Management

One of my favorite things about Debian GNU/Linux is its powerful package tool, apt. If I want to update my system with the latest patches I just type:

apt-get update; apt-get upgrade

It will check for new updates, find and satisfy dependencies, download, and then install what is needed. I can even automate this in cron if I choose to. And of course, if I need to add a new package that's in my apt sources, I just type:

apt-get install new_package

I can even use my own local repository if I like, mirroring it instead of going out to the Net.
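The "automate this in cron" part is where most people get burned: an unattended apt-get upgrade must not stop at a debconf prompt or a config-file conflict, and you want to know after the fact what it changed and whether a kernel image went in. The wrapper below is an added example written for this post, not code from the original; it dry-runs the upgrade with apt-get -s, parses the Inst lines, applies the upgrade non-interactively, and flags kernel-image upgrades. The sample apt output is constructed so the parsing runs offline, and the script path in the cron comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-safe wrapper around
# "apt-get update; apt-get upgrade". Dry-run first, log what would change,
# then upgrade non-interactively and flag kernel-image upgrades.
# SAMPLE_OUTPUT is constructed; the cron path below is an assumption.
set -eu

# Constructed sample of "apt-get -s upgrade" output (Debian sarge era).
# Upgrades: Inst <pkg> [<old>] (<new> <archive>); fresh installs omit [<old>].
SAMPLE_OUTPUT='Reading Package Lists...
Building Dependency Tree...
Inst libssl0.9.7 [0.9.7c-5] (0.9.7d-1 Debian:3.1/testing)
Inst kernel-image-2.4.24-1-686 (2.4.24-3 Debian:3.1/testing)
Conf libssl0.9.7 (0.9.7d-1 Debian:3.1/testing)
Conf kernel-image-2.4.24-1-686 (2.4.24-3 Debian:3.1/testing)'

# Read apt-get -s output on stdin; print "<pkg> <old> -> <new>" per Inst line.
parse_pending() {
    awk '$1 == "Inst" {
        pkg = $2
        if (substr($3, 1, 1) == "[") {          # upgrade: [old] (new ...
            old = substr($3, 2, length($3) - 2)
            new = substr($4, 2)
        } else {                                  # fresh install: (new ...
            old = "-"
            new = substr($3, 2)
        }
        print pkg " " old " -> " new
    }'
}

# Read parse_pending output on stdin; exit 0 if a kernel image is among the
# packages (the one upgrade apt cannot make live without a reboot), else 1.
needs_reboot() {
    awk '$1 ~ /^(kernel|linux)-image-/ { found = 1 } END { exit found ? 0 : 1 }'
}

# The real run, meant for cron, e.g.:
#   0 4 * * * /usr/local/sbin/apt-cron.sh --run 2>&1
apply_upgrades() {
    export DEBIAN_FRONTEND=noninteractive   # no debconf prompts under cron
    apt-get -qq update
    tmp=$(mktemp)
    apt-get -s upgrade > "$tmp"             # dry run; a failure here stops us
    pending=$(parse_pending < "$tmp")
    rm -f "$tmp"
    if [ -z "$pending" ]; then
        echo "no pending upgrades"
        return 0
    fi
    echo "applying upgrades:"
    echo "$pending"
    # --force-confold keeps locally edited config files instead of prompting.
    apt-get -qq -y -o Dpkg::Options::=--force-confold upgrade
    if echo "$pending" | needs_reboot; then
        echo "NOTE: kernel image upgraded; schedule a reboot"
    fi
}

if [ "${1:-}" = "--run" ]; then
    apply_upgrades
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_pending
fi
```

Run it with no arguments to see the parser on the sample; with --run it performs the actual update and upgrade. Cron mails the dry-run list and the reboot note, which is the audit trail you otherwise lose when apt runs unattended.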

One of the things I get bugged about a lot by the Linux crew I sometimes hang with is that there is no "clean" patch management system for Windows. In an almost condescending tone they like to comment on how good tools like apt, emerge and Red Carpet are and how bad Windows Update is.

Well, today I decided I would point out a couple of great SecurityFocus articles on using Microsoft's Software Update Services (SUS) to do just that.

Part 1: Automating Windows Patch Management
Part 2: Automating Windows Patch Management

This is something I have been looking into recently, as I really want to get a handle on how to create MSI files that can be added to SUS to distribute and maintain our products in an automated manner. These articles were a good introduction.

If you stay tuned, the author plans a third installment in the series discussing tools (commercial and free) that can be used in conjunction with SUS. Should be an interesting read.

Enjoy.

Posted by SilverStr at February 26, 2004 08:27 AM
Comments

We also bug you that even a "clean" update via Windows Update generally needs a reboot, whereas with apt or portage (the Gentoo version of apt) or in fact pretty much any UNIX, you only reboot for hardware changes, kernel updates, and odd screwy crashes (yes, it does crash, as I am a fine example of).

Posted by: Arcterex at February 26, 2004 08:55 AM

You are debating semantics here. Most new Windows packages do NOT require a reboot. Stuff that does is because it is part of the core system. And this is no different than adding a new component into the Linux kernel. And it's getting better. As an example, the new driver framework allows things like filter drivers to be loaded and unloaded on the fly without a reboot. (Yes, I know insmod is your bitch.)

Very few things require a reboot... but sometimes lazy users (and lazy coders) don't keep up to date with such things. When was the last time you installed a new Office component that required a reboot?

Yes, it sucks that things like IE and Media Player are in the core system... but a core component requires a reboot. No different than if you had a core component in the kernel that is built in.

However, very RARELY does a new Windows machine that is rebooted die on restart. With the last kernel rebuild you did, you hosed two separate systems that required someone to reboot the boxes for you ;-) Yes, little stupid things like fscking... but that's not the point. The point is every OS has its quirks.

You just have bad hardware and software karma. Seems everything you touch lately chokes... guess you need to sacrifice more sheep. :P

I have no such problems on my systems. Although Outlook 2003 is a piece of crap (I still think it's a conspiracy to try to get me to drop S/IMAP), I don't "crash"; everything just "works". Not sure what you keep doing to hose your system.

Posted by: SilverStr at February 26, 2004 09:50 AM

Considering that the majority of patches from Windows Update involve Internet Explorer, it is a bit strange to claim "very few things require a reboot." There is at least one new Windows patch every month. How often do you install new Office components?

Posted by: Martey at February 26, 2004 09:18 PM

Martey,

What I was saying is that the days when common components required a reboot are gone. You only have to reboot when core components are changed. I don't like the fact that IE is in the core. And yes, it requires a reboot once a month with the new patches. That sucks. But it's reality. And it's part of security best practices when it comes to keeping machines up to date.

But how is this any different than having to reboot the Linux kernel when a change is made? In the last quarter you have been rebooting once a month for it as well.
Posted by: SilverStr at February 27, 2004 12:22 PM

If I want to know the dependencies of an IE patch, how should I find out?

Posted by: yadagiri Rao at June 2, 2004 02:58 AM

If I want to know the dependencies of an IE patch, how should I find out?
Where are these patch IDs stored?
How should one come to know that IE has a patch?
How should one come to know that a machine has a patch?

Posted by: yadagiri Rao at June 2, 2004 03:28 AM