DALLAS –- Microsoft Corp.'s top security chief this week gave customers an update on the company's patch management overhaul, a move that began last September.
At the annual TechEd conference, Scott Charney, Microsoft's chief security strategist, said that the company has developed a common nomenclature across its product groups and completed a road map toward the goal of making patch delivery and installation easier for customers.
Most immediately, Microsoft will reduce the number of patch installers from eight to two; that change is slated to happen by the end of this year. Additionally, the company plans to have only one installer by 2005, or whenever the Longhorn version of Windows ships.
Charney said that he convenes a patch management working group that meets once a month. The company developed a white paper with guidance for customers; it will be available in about one month, he said. Going forward, any new patch must work with Microsoft Installer (MSI) or update EXE, which registers the patch with the operating system. The company is also working on reducing the size and improving the overall quality of its patches, Charney said.
Last fall, Bill Anderson, product manager in Microsoft's management business group, said that the company would turn its attention to helping customers wade through the confusing mire of patches. At that time, each of the different product groups at Microsoft had its own way of developing and delivering patches. Customers received hotfixes, service packs, service releases, critical updates and patches, but there was no clear way to know what was in each release.
For many customers, there is no bigger problem when it comes to Windows administration. "This is the No. 1 issue [Microsoft] needs to resolve," said Douglas Spindler, Active Directory project coordinator at Berkeley National Laboratory. "They should devote whatever resources it takes to make patch management something you don't think about."
Charney said that Microsoft developers met last week to discuss how to migrate the old installers to the new ones. The company is also discussing how to better deliver patches to customers.
In the past, IT administrators would check Microsoft's Web site periodically to see whether new patches were ready. That method of notification was upgraded to e-mail notification, but the company then decided to release patches only on Wednesdays. Microsoft then became concerned that its Web servers would be overwhelmed by customers downloading patches, so it decided to add more servers and load balancing, Charney said.
The company is now running a pilot project where it hosts a conference call each Thursday with a select group of customers who have downloaded patches the previous Wednesday. Charney also meets twice per year with a chief security officer's council consisting of CSOs from 30 companies.
Today, Microsoft makes several of its own patch management tools, including Software Update Services, which updates Windows, and the Microsoft Baseline Security Analyzer, which identifies misconfigurations and scans for missing hotfixes. Earlier this year, Mike Nash, corporate vice president of Microsoft's security business unit, said that both products would be updated later in 2003.
FOR MORE INFORMATION: