Thursday, July 10, 2008

SBS 2003 SUS, BSA and Patching (chapter 5 book excerpt)

Howdy there - we continue to delve deep into chapter five of the Windows Small Business Server 2003 Best Practices book (SBS 2003; the purple book), and today the security conversation is about Baseline Security Analyzer, Software Update Service and Patching!
Harry Brelsford ceo at smb nation
Microsoft Baseline Security Analyzer
In the world of biotech, a double-blind test is often run to validate research results. While I’m not going to suggest you go out and get a grant from the Springer Spaniels Limited Medical Research Foundation to accomplish this, I am going to suggest you take another update step to cover your backside as an SBSer.
While I’m a big fan of the Automatic Update capability in SBS 2003, I still sleep better when I also download, install, and run the Microsoft Baseline Security Analyzer (MBSA). This tool is similar to Automatic Update in that you analyze and apply suggested updates. You can download MBSA from (a file titled mbsasetup.msi as of this writing). Note that you might be asked to install Microsoft XML Parser 3.0 Service Pack 2.5, which can be obtained from
Software Update Service
A lot of noise is being made in the infrastructure community about Software Update Service (SUS). As of this writing, many of us in the SBS community have been “playing” with the first release and learning it along the way. I’ve found success in using it to update SBS server machines, but neither Burl (a gentleman who works for me) nor I have found out how to efficiently use SUS to support a wide and diverse range of workstations on a network. This is where the promise of SUS version 2.0 resides (and unfortunately was not available at press time for testing).
Visit for the latest updates for any Microsoft product.
But back up just a second. What is SUS? The SUS experience is shown in Figure 5-7 and described step-wise below.
Figure 5-7
A well-worn Microsoft presentation slide has been recast and is shown in an SBS scenario.
The SUS / SBS process is as follows.
Step #1: Microsoft develops and releases security updates, security rollups, and service packs to its Windows Update site.
Step #2: The SBS 2003 server machine you’ve configured with SUS rings the Windows Update site to receive these updates.
Step #3: You approve selected updates and apply them on your mothership SBS 2003 server machine.
Step #4: Your customers’ sites have SBS server machines configured via Automatic Update to “phone home” to the mothership server and receive the approved updates. Again, as of this writing, this process works well at the server level and should be improved soon at the client computer level. (Note the Windows XP and Windows 2000 releases are reasonably well supported here, but the process comes up short with Windows 9x workstations.)
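As an added example (not from the book, SMB Nation or Microsoft), here is a PowerShell check a consultant could run on a client machine to confirm that Step #4 actually took effect: it reads the standard Automatic Updates policy registry values and reports whether the machine is pointed at the internal SUS server rather than the public Windows Update site. The server name sbs-mothership is an assumption.

```powershell
# Added example: verify a client's Automatic Updates policy points at the internal SUS server.
# The registry locations are the standard Automatic Updates policy keys; the expected URL is assumed.
$expectedServer = 'http://sbs-mothership'   # assumed name of the SUS "mothership" server

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue($key, $name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name } catch { $null }
}

$server    = Get-PolicyValue $wuKey 'WUServer'      # internal update server URL
$useServer = Get-PolicyValue $auKey 'UseWUServer'   # 1 = use WUServer instead of Windows Update
$noAutoUpd = Get-PolicyValue $auKey 'NoAutoUpdate'  # 1 = Automatic Updates disabled

$findings = @()
if ($noAutoUpd -eq 1) { $findings += 'Automatic Updates is disabled by policy' }
if ($useServer -ne 1) {
    $findings += 'UseWUServer is not 1: client will go to the public Windows Update site, bypassing approvals'
} elseif (-not $server) {
    $findings += 'UseWUServer is 1 but WUServer is empty: the client cannot receive updates at all'
} elseif ($server.TrimEnd('/') -ne $expectedServer) {
    $findings += "WUServer is '$server', expected '$expectedServer'"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: ${env:COMPUTERNAME} receives approved updates from $server"
} else {
    Write-Output "CHECK ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

On the Windows 2000/XP clients of the SUS era, which predate PowerShell, the same values can be inspected with reg query against the two keys above.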
BEST PRACTICE: Did you know this piece of SUS trivia? Upon its initial release in the second half of 2002, SUS wouldn’t work with SBS. That’s right! At that time, SUS wouldn’t work on a domain controller and the SBS server machine is a domain controller. But in late 2002, right around Christmas, Microsoft released SUS Service Pack 1 that fixed this shortcoming and allowed SUS to forever more run on an SBS server machine.
A few more comments on SUS and SBS include:
• Erin Bourke-Dunphy and SMB Nation ( Erin, a long-time program manager on the SBS development team, recently joined the team that has ownership of SUS. She graciously spoke at my SMB Nation conference in Indianapolis, Indiana, USA (September 2003). An interesting point in her excellent presentation was the fact that SUS was being positioned to serve the SMB, not enterprise space. And SBS plays, of course, in the SMB space. Enterprise sites would use System Management Server (SMS) with the SUS Feature Pack. Her speech, which covered a lot of ground and will be presented in its entirety in my advanced SBS 2003 book due out in mid-2004, brought out one point I want to share now: support for additional content. SUS version 2 will support updates for Office 2003 and other Microsoft server-based applications, such as Exchange and SQL Server. As of this writing, SUS is really about updating the networking infrastructure.
• Steve Ballmer and the WWPC. I don’t know if it was irony or what, but if you review the transcripts of proceedings for the SBS 2003 launch at WWPC, you’ll see that SUS essentially was the warm-up band to the launch of SBS 2003. That’s right! Ballmer concluded his speech focusing on security topics and after a short question and answer session, followed by a break, SBS 2003 was launched! So SUS and SBS 2003 will always be married in time.

Patching Best Practices
If you’ve been looking for an area in the technology sector that hasn’t fully matured and offers lots of promise for good work, consider patch management. If you run your own SBS network, add “patch management” on your skill set list. Microsoft is giving intense focus on patch management to make its systems more and more secure. This is a welcome trend. One example of this is the “chaining” of updates to reduce reboots, as seen in a slide from a recent Microsoft partner “Go To Market” slide deck (Figure 5-8).
Figure 5-8
In the Windows Server 2003 time frame, which is the underlying network operating system in SBS 2003, SBS server machines experience fewer planned reboots and thus higher reliability because of chaining updates (see upper right).
One leading SBSer in New York City, Michael Klein, looks at patch management as a significant portion of his profitable SBS consulting practice. He can use the remote management capabilities in SBS 2003 to “terminal services” into his customer sites and perform patch management, saving an on-site visit. Another SBSer, a highly rated instructor on the USA SBS 2003 hands-on lab tour in the fall of 2003 named Quinn Guiteras, has a tale to tell about patch management. He likens a lot of technology consultants, including SBSers, to being rejected firemen (we wanted to be firemen, but didn’t have the body). Some of us in the technology field are into the thrills of putting out network fires, even at the SBS level. But Quinn, a forward thinker, believes that yesterday’s frustrated fireman is today’s Smokey the Bear! That is, with the evolution of patch management, prevention is now the paradigm to embrace and should be the focus of network managers everywhere.
I hope this section on patch management has you convinced that preventative medicine is a preferred best practice.
