Staying one step ahead of new exploits of known vulnerabilities takes time and effort. At a minimum, such preparedness requires that Microsoft has patched the vulnerability and that you've protected your systems with the most current updates. In "Patching Windows with SUS," March 2003, http://www.winnetmag.com, InstantDoc ID 37938, I wrote about Microsoft Software Update Services (SUS) and IntelliMirror, two mechanisms that can help you automatically deploy critical Windows updates and service packs in small to midsized environments.
Microsoft offers a third service that provides more robust update management, typically for larger environments. The SMS Software Update Services Feature Pack, which runs on top of Microsoft Systems Management Server (SMS) 2.0, provides update-inventory scanning of both Windows and Microsoft Office platforms, as well as detailed and customizable Web reports that provide the status of updates and patches. Although SMS is generally regarded as a complex enterprise product for large organizations, your small to midsized business can benefit from the Feature Pack's enhanced inventory and reporting capabilities, even if you use it in conjunction with the lighter-weight in-house version of Windows Update (aka SUS). With the capabilities of the Feature Pack, everybody wins.
Built On Top of SMS
The Feature Pack, which you can download at http://www.microsoft.com/smserver/downloads/20/featurepacks/suspack/default.asp, is a set of add-on modules that you install into an SMS site. These modules provide Windows Security Update scanning, Office Update scanning, Web reports, and an update-deployment wizard to help you create SMS packages to deploy your updates.
The SMS platform, a powerful enterprise tool with which you can centrally manage your client machines, includes features such as hardware and software inventory, software distribution, software metering, and remote control services. To assess and install updates for Windows Security and Office products, the Feature Pack leverages SMS's inventory and software-distribution mechanisms. To provide a flexible query and reporting engine for presenting a variety of highly customizable update summary reports, the Feature Pack also includes an enhanced version of the SMS Web Reports.
To take advantage of these features and enhancements, you must first conquer the relatively steep learning curve of successfully deploying and managing SMS 2.0. Fortunately, many resources are available to help answer questions you might have about this multifaceted product. For a primer about the base SMS installation, see "The SMS 2.0 SUS Feature Pack," January 2003, http://www.winnetmag.com, InstantDoc ID 27373. For SMS 2.0 planning, deployment, and administration tutorials, check out http://www.microsoft.com/smserver/default.asp.
Installing the Feature Pack
Compared with the base SMS installation, setup and configuration of the Feature Pack modules are quick and straightforward. Although the modules are interdependent, you install and configure them separately. This modular approach greatly increases the Feature Pack's flexibility to incorporate future scanning tools and might permit some of the modules to plug into the future SMS 2003. To inventory a client's updates, the Feature Pack relies on two update-scanning modules: SMS-tweaked versions of the Office Update tool and the Microsoft Baseline Security Analyzer (MBSA). Using existing tools in these modules not only leverages systems administrators' familiarity with the tools but also lets Microsoft release this Feature Pack quickly.
The inventory modules' installation wizards configure the scanners to work within your SMS framework and create SMS objects to conduct weekly Office and Security Update scans on specified SMS clients. SMS collects the results of these scans during the next scheduled SMS client hardware inventory, so be sure that you have hardware inventory turned on within your site. (Navigate to Site Database, Site Hierarchy, Site Name, Site Settings, and click Client Agents. In the right pane of the resulting Microsoft Management Console—MMC—window, double-click the names of the agents you want to install. Enable Hardware Inventory Client Agent. Additionally, to deploy updates, enable Software Inventory Client Agent and Advertised Programs Client Agent.) In addition to the weekly client-inventory scans, SMS configures the Office Update tool and MBSA to synchronize their update database with Microsoft on a weekly basis.
To create SMS packages that contain the client-update binary files, install the Distribute Software Updates Wizard module. Install the Web Reports module to view the update-inventory scan results for installed or applicable Office or Security updates. Setup wizards walk you through the relatively clean process of installing and configuring the modules.
After you fully configure the Feature Pack, recurring tasks such as running the scanning tools, downloading the update catalog, and installing the update executables on client machines are automated. However, unlike the more transparent, behind-the-scenes approach of the Windows Updatepowered SUS, the Feature Pack requires you to follow several manual steps for creating a package of updates that you want to deploy. A wizard guides you through the necessary steps.
Previous
Register
