Microsoft delivers stronger security and simpler patching

Redmond adds "advanced security" to its firewall and unfurls WSUS 3.0 Beta 2

Microsoft's been up to several things in the past week or so. Not the least surprising was the company's invite to Mozilla developers to come up to Redmond and make sure that Firefox and Thunderbird run correctly on Vista. Microsoft also took Small Business Server 2003 R2 out of circulation with a sudden recall. But the company tossed a few new things out there for IT managers, too, just to balance the scales. Unfortunately, they both require some upgrade time.

First there's an updated version of the Windows Firewall available. Fittingly, it's called Windows Firewall with Advanced Security -- no wisecracks, please. The straight Windows Firewall was decent enough as an incoming traffic filter, but Advanced Security adds a few new bells and whistles.

For one, you get an MMC (Microsoft Management Console) snap-in instead of the Control Panel configuration screen. This adds some good tools for admins rolling it out to several users because it allows them to use AD Group Policy to set configuration policies and perform software distribution.

On the security front, the new firewall integrates IPSec functions, which means an easier time with VPN and authentication rollouts. You also get much more granular security rules, including the ability to filter on things such as port number, group policies, specific IP addresses, and more. Worth a download for at least some testing time.

But while the new firewall is an optional bit of downloading fun, this next bit isn't. Microsoft has announced that it's going to be phasing out patch support on the original SUS (Software Update Services) service by this December. That means if you haven't upgraded to the new WSUS (Windows Server Update Services), you should. Microsoft released this in 2005, adding a number of improvements including support for low-bandwidth connections. There's even a service pack for the thing that gives optimized support for SQL Server and (supposedly) full compatibility with Windows Vista.

But if you are going to take the trouble to install WSUS with SP1, you should also take the time to look at WSUS 3.0 Beta 2. We've had it running for a week or so now, and it's stable enough for low-priority stuff. Just be sure the server you're using has IIS 6, the BITS 2.0 update, MMC 3.0, and the Microsoft Report Viewer installed before configuring WSUS 3.0. Oh, and stick with 32-bit Windows Server 2003 because other platforms are still too shaky.

Once installed, WSUS 3.0 gives you a bunch of new features. For one, there's a new MMC UI with more intuitive management tools and a richer display. Part of that includes advanced filtering: stuff such as individual client update statuses and patch approval management. There are also custom views for larger shops that allow admins to see patch information based on client groups, software package, OS platform, and more. Rollouts should become easier, too, with new support for nested target groups.

Overall, the new WSUS finally adds a little support for patch testing. Not directly, mind you, that'd be too much to hope for. But by allowing all these granular views on patches and updates that are approved or unapproved for specific platforms and users, you've got a much easier time organizing the testing process. Combine that with an up-to-date library of your departmental images using Virtual PC or Virtual Server, and Microsoft can finally say it's given its administrators at least a rudimentary set of patch testing tools.
