Windows Server 2003 : Designing a Security Infrastructure - Planning a Security Update Infrastructure

5/23/2011 6:17:31 PM
Securing a network is not simply a matter of designing a protected environment and implementing it. You must also maintain that environment, because the threats to your network are constantly changing and you must continually compensate for those threats. Microsoft regularly releases updates and patches for its operating systems, but obtaining and deploying these releases on a large network installation is more complicated than updating a single computer. To keep your network protected, you must create a plan for obtaining the latest security update releases on a timely basis and deploying them on your network in a controlled manner.

Understanding Software Update Practices

Virtually all software products have to be updated, some more frequently than others. Operating systems are usually updated on a regular basis, and Microsoft releases its primary updates in the form of service packs. A service pack is a collection of patches and updates that have been tested as a single unit. Service packs are a distinct improvement over the previous system, in which operating system updates were released as a series of individual patches, each addressing a separate issue. For support personnel, the large number of patches available and the uncertainty surrounding which patches had been installed on a particular computer made the task of troubleshooting software problems extremely difficult. Service packs install all the available patches at one time, enabling the support staff to know which updates are present on the computer.

See Also

Microsoft uses service packs to update all its major applications, as well as its operating systems. Other software manufacturers also use the same basic method for updating their products, although their releases often have different names.

Service packs are not the only updates that Microsoft releases, however. Because service packs require a great deal of testing, Microsoft releases them relatively infrequently. In between service pack releases, Microsoft releases individual patches called hotfixes. A hotfix is a small patch designed to address a specific issue. While Microsoft recommends that all users install the service pack releases, hotfixes are often intended only for computers experiencing a particular problem.

Update releases might include bug fixes, new features, or drivers, but for network administrators, security updates are often the most important releases. In many cases, Microsoft releases hotfixes to address specific security issues that cannot wait until the next service pack release. Security updates are released relatively frequently, and in some cases must be installed as quickly as possible to close the vulnerability before it is exploited.

Using Windows Update

Windows Update is a World Wide Web site that Microsoft maintains, which enables a computer running the Microsoft Windows operating system to locate and download the latest operating system and driver updates and patches. When a computer connects to the Windows Update site, it downloads a control that examines the computer's current configuration and compiles a list of the updates and patches the system needs (see Figure 1). The user can then download and install the selected updates at once, simplifying the maintenance process.

Figure 1. The Windows Update Web site interface

For a single user running a home computer, Windows Update is a great way to keep a computer current, but it is generally not suitable for use on networks, for the following reasons:

  • Bandwidth Each time a computer receives an update release using Windows Update, it downloads the software from a Microsoft server on the Internet. On a large network, this would mean that hundreds or thousands of computers are downloading the same files. For small updates, this might not be a problem, but Windows service packs are usually more than 100 megabytes (MB), and downloading the same file for every computer could monopolize an enormous amount of the network’s Internet bandwidth.

  • Testing Although Microsoft tests its updates carefully before releasing them, the company cannot possibly test every combination of configuration settings and software products. Therefore, it is possible for a particular update to cause problems with some or all of the computers on your network. Here again, for a single computer, this might not be a major issue, but if an update causes a problem on all of a network's computers, the loss of productivity and the added burden on technical support personnel could be catastrophic.

Updating a Network

In a network environment, deciding which updates to install and when to install them should not be left up to the individual user. Administrators must be responsible for obtaining updates when they are released and deploying them on the network in a timely manner. However, network administrators should not immediately install every update that appears. It is important to test the update releases first. This is one of the reasons that a network installation should have a security update infrastructure.

A network security update infrastructure is a set of policies and tools designed to help the network administrator perform the following tasks:

  • Determine which computers need to be updated— In some cases, a new security update might apply only to computers performing a specific function or using a specific application or feature. Network administrators must understand each release’s specific function and determine which computers require the update.

  • Test update releases on multiple system configurations— A security update that causes a malfunction might be just an annoyance on a single computer, but on a large network, it could be a catastrophe. Network administrators must perform their own tests of all security updates before deploying them on the entire network.

  • Determine when updates are released— Microsoft frequently releases security updates that might or might not be applicable to the systems on your network. Network administrators must be aware of new releases when they occur and must understand the specific issues each release addresses.

  • Deploy update releases on large fleets— Manually installing security updates on hundreds or thousands of computers requires enormous amounts of time, effort, and expense. To deploy updates on a large network efficiently, the process must be automated.
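
The first of these tasks, determining which computers need a given update, comes down to matching an inventory against a catalog of releases. The following PowerShell script is an added example, not part of the original article, that shows the matching logic: each update is checked for applicability (product level and, where relevant, a required role such as IIS), then for presence, then for supersedence, so that a machine lacking both an old fix and the newer fix that replaces it is told to install only the newer one. The host names, KB numbers, products, and roles are constructed for illustration and do not refer to real Microsoft bulletins.

```powershell
# Added example, not from the original article: decide which computers in an
# inventory are missing which security updates, honouring supersedence.
# All host names, KB numbers, products and roles below are constructed.

# Constructed catalog: Products = OS/service-pack levels the update applies to;
# RequiresRole = component that must be present (here IIS); SupersededBy =
# later update that replaces this one.
$Catalog = @(
    @{ KB = 'KB000001'; Products = @('Windows Server 2003 SP0', 'Windows Server 2003 SP1'); RequiresRole = $null; SupersededBy = 'KB000003' }
    @{ KB = 'KB000002'; Products = @('Windows XP SP1', 'Windows XP SP2');                   RequiresRole = $null; SupersededBy = $null }
    @{ KB = 'KB000003'; Products = @('Windows Server 2003 SP0', 'Windows Server 2003 SP1'); RequiresRole = $null; SupersededBy = $null }
    @{ KB = 'KB000004'; Products = @('Windows Server 2003 SP1');                            RequiresRole = 'IIS'; SupersededBy = $null }
)

# Constructed inventory, as an administrator might assemble it from MBSA
# reports or Get-HotFix output: product level, roles, hotfixes present.
$Inventory = @(
    @{ Name = 'WEB01'; Product = 'Windows Server 2003 SP1'; Roles = @('IIS'); Installed = @('KB000001') }
    @{ Name = 'DC01';  Product = 'Windows Server 2003 SP1'; Roles = @();      Installed = @('KB000003') }
    @{ Name = 'FS02';  Product = 'Windows Server 2003 SP0'; Roles = @();      Installed = @() }
    @{ Name = 'WKS07'; Product = 'Windows XP SP2';          Roles = @();      Installed = @() }
)

function Test-Applicable {
    # True when the update targets this computer's product level and, if the
    # update is role-specific, the computer runs that role.
    param([hashtable] $Computer, [hashtable] $Update)
    if ($Update.Products -notcontains $Computer.Product) { return $false }
    if ($Update.RequiresRole -and ($Computer.Roles -notcontains $Update.RequiresRole)) { return $false }
    return $true
}

function Get-MissingUpdates {
    param([hashtable] $Computer, [hashtable[]] $Catalog)
    $missing = @()
    foreach ($update in $Catalog) {
        if (-not (Test-Applicable $Computer $update)) { continue }
        if ($Computer.Installed -contains $update.KB) { continue }
        if ($update.SupersededBy) {
            # Already covered by the newer fix that replaces this one.
            if ($Computer.Installed -contains $update.SupersededBy) { continue }
            # Newer fix applies here too and is also missing: report it instead.
            $newer = $Catalog | Where-Object { $_.KB -eq $update.SupersededBy }
            if ($newer -and (Test-Applicable $Computer $newer)) { continue }
        }
        $missing += $update.KB
    }
    return $missing
}

foreach ($c in $Inventory) {
    $needed = @(Get-MissingUpdates -Computer $c -Catalog $Catalog)
    if ($needed.Count -eq 0) { "$($c.Name) ($($c.Product)): up to date" }
    else { "$($c.Name) ($($c.Product)): missing $($needed -join ', ')" }
}
```

With the constructed data, DC01 is reported as up to date even though it never installed KB000001, because KB000003 supersedes it; FS02 is told to install only KB000003, not both; and KB000004 is reported only for WEB01, the one machine running IIS. On a real network the Installed list would come from MBSA reports or from Get-HotFix (Win32_QuickFixEngineering), and the catalog, above all its supersedence data, is exactly what MBSA and SUS download from Microsoft rather than expecting administrators to maintain by hand.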

Microsoft has made tools available that help the administrator accomplish these tasks, such as those discussed in the following sections.

Using Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a graphical tool (see Figure 2) that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system. These lapses are typically due to incorrect or incomplete configuration of security features and failure to install security updates. The security faults that MBSA can detect are as follows:

Figure 2. The Microsoft Baseline Security Analyzer interface

  • Missing security updates Using a list of current update releases obtained from a Microsoft Internet server or from a local Microsoft Software Update Services (SUS) server, MBSA determines whether all the required service packs and security updates have been installed on the computer, and if not, compiles a list of the updates that need to be installed.


    MBSA replaces an earlier Microsoft update checking utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates. MBSA includes all the functionality of Hfnetchk.exe, including the command line interface, which you can activate by running Mbsacli.exe with the /hf parameter.

  • Account vulnerabilities MBSA checks to see if the Guest account is activated on the computer; whether there are more than two accounts with Administrator privileges; whether anonymous users have too much access to the computer; and whether the computer is configured to use the Autologon feature.

  • Improper passwords MBSA checks the passwords on all the computer’s accounts, to see if they are configured to expire, are blank, or are too simple.

  • File system vulnerabilities MBSA checks to see whether all the disk drives on the computer are using the NTFS file system.

  • IIS and SQL vulnerabilities If the computer is running Microsoft Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.

In addition, MBSA displays other information about security on the computer, such as a list of shares, the Windows operating system version number, and whether auditing is enabled.

See Also

MBSA is not included with Windows Server 2003, but it is available without charge from the Microsoft Web site at http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi.

MBSA is an informational tool that can display security information about a computer, but it cannot do anything to remedy the vulnerabilities that it finds. You can use MBSA to determine which security updates to install on specific computers, but to develop an effective security update infrastructure, you must implement a system to keep track of which security updates have been installed on every computer in the enterprise.

Testing Security Updates

Before you deploy security updates on a network, you must test them to make sure they are compatible with all your system configurations. The amount and type of testing depends on the nature of the updates and the complexity of your network. For a major update like a service pack, testing should be extensive. You might want to test the release in a lab environment first, and then do a pilot deployment on a part of your network before proceeding with the general deployment. For smaller, minor updates, a pilot deployment might be sufficient, followed by a general deployment if no problems occur.

Using Microsoft Software Update Services

Deploying any software on a large network is a complicated task, and security updates are no exception. What might be a simple task on a single computer turns into a major project when you have hundreds or thousands of computers. Microsoft Software Update Services (SUS) is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network (see Figure 3).

Figure 3. The Microsoft Software Update Services interface

See Also

Microsoft Software Update Services Server with Service Pack 1 (SP1) is available for downloading from Microsoft’s Web site at http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en.

SUS is essentially an intranet version of the Windows Update Web site that eliminates the need for each computer to download software updates from the Internet and eliminates the need to manually deploy the updates on multiple computers. Administrators can control which updates are applied to the network computers and when, automating the process so that users do not need to know or do anything.

SUS consists of the following components:

  • Synchronization server One computer, running SUS, functions as a synchronization server, downloading all software updates from the Windows Update Web site as they are released. The administrator can allow the downloads to occur as needed; schedule them to occur at specific times (such as off-peak traffic hours); or trigger them manually. Once SUS downloads the updates, it stores them on the server. This eliminates the need for the administrator to continually check the Windows Update Web site for new releases.

  • Intranet Windows Update server Once the SUS server has downloaded the updates, the administrator must decide whether the server deploys them immediately to the network or saves them for testing and later deployment. When updates are ready for deployment, SUS functions as the Windows Update server for the computers on the network, except that this server is on the intranet and does not require the clients to access the Internet.

  • Automatic updates Automatic Updates is a Windows operating system feature that enables computers to download and install software updates with no user intervention. You can configure this feature on your client computers so that they get the updates from an SUS server on the local network rather than from the Windows Update Web site, restricting the updates to those approved by the network administrator.


The SUS server runs only on Windows Server 2003 and Microsoft Windows 2000 Server with Service Pack 2 or later. SUS clients must be running Windows Server 2003, Windows 2000, or Microsoft Windows XP.

To configure the computers on a network to retrieve and install updates from an SUS server, you can use group policies to avoid having to configure each system individually. The Computer Configuration\Administrative Templates\Windows Components\Windows Update container (see Figure 4) contains four policies that enable you to configure the Automatic Update behavior for all your network computers.

Figure 4. Windows Update group policies
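
The policies in that container are written to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and that is where Automatic Updates reads them. The following PowerShell script is an added example, not part of the original article, that reads those documented policy values from a client and checks them against the approved configuration: the client must use the intranet server, that server must be the one the administrator approved, and the client must actually download or install rather than merely notify. The approved server URL and the sample client settings are constructed for illustration.

```powershell
# Added example, not from the original article: check that a client's Automatic
# Updates policy sends it to the approved intranet (SUS) server. The registry
# paths and value names are the documented Automatic Updates policy settings;
# the approved server URL and the sample client settings are constructed.

function Get-AutomaticUpdatesPolicy {
    # Reads the policy values from the local computer. Values that are not set
    # come back as $null so the checker can report them as unset.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    return @{
        WUServer             = $wu.WUServer               # intranet update server URL
        WUStatusServer       = $wu.WUStatusServer         # intranet statistics server URL
        UseWUServer          = $au.UseWUServer            # 1 = use WUServer, not the public site
        NoAutoUpdate         = $au.NoAutoUpdate           # 1 = Automatic Updates disabled
        AUOptions            = $au.AUOptions              # 2 notify, 3 download and notify, 4 scheduled install
        ScheduledInstallDay  = $au.ScheduledInstallDay    # 0 = every day, 1-7 = Sunday-Saturday
        ScheduledInstallTime = $au.ScheduledInstallTime   # hour of day, 0-23
    }
}

function Test-AutomaticUpdatesPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [string]    $ApprovedServer
    )
    $findings = @()
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate=1: Automatic Updates is disabled; approved updates will never be installed.'
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client downloads from the public Windows Update site, bypassing administrator approval and using Internet bandwidth.'
    }
    if (-not $Policy.WUServer) {
        $findings += 'WUServer is unset: the client has no intranet server to contact.'
    } elseif ($Policy.WUServer.TrimEnd('/') -ne $ApprovedServer.TrimEnd('/')) {
        # Whoever controls the server named here decides which updates the client installs.
        $findings += "WUServer is '$($Policy.WUServer)', not the approved server '$ApprovedServer'."
    }
    if (@(3, 4) -notcontains $Policy.AUOptions) {
        $findings += "AUOptions is '$($Policy.AUOptions)': use 3 (download, then notify) or 4 (scheduled install) so approved updates arrive without user action."
    }
    return $findings
}

# Constructed sample: a client configured by hand that points at the wrong
# server and only notifies the user instead of downloading.
$sample = @{
    WUServer = 'http://updates.example.internal'; WUStatusServer = 'http://updates.example.internal'
    UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 2; ScheduledInstallDay = 0; ScheduledInstallTime = 3
}
$findings = @(Test-AutomaticUpdatesPolicy -Policy $sample -ApprovedServer 'http://sus01.example.internal')
if ($findings.Count -eq 0) { 'Policy matches the approved configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }

# On a Windows client, audit the live policy the same way:
# Test-AutomaticUpdatesPolicy -Policy (Get-AutomaticUpdatesPolicy) -ApprovedServer 'http://sus01.example.internal'
```

The sample produces two findings: the wrong WUServer and AUOptions set to notify only. The WUServer check is the one that matters most for security, because the client takes its list of approved updates from whichever server that value names; this is why the setting belongs in Group Policy, where it is reapplied on every refresh, rather than being set by hand on each computer, and why clients should be audited for drift as part of the update infrastructure.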


Be sure to understand the differences between the functions of Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
