New Microsoft program: 'You patch, we pay'

Microsoft Patch Assurance Security Service offers free security audits

Microsoft's sales organization follows up on the recommendations with the customer. In addition, Microsoft's partner companies often land contract work stemming from the assessments they perform, Noelle said.

When patch management technology is needed, Blackstone & Cullen recommend Microsoft's SMS change and configuration management technology, Sie said.

"Naturally, Microsoft is recommending the use of their SMS, but its up to the customer to decide," he said.

That limited product focus could be a problem for Microsoft customers, said John Pescatore, vice president at Gartner Inc. "The problem is that SMS is not a strong product...When people ask us about (patch management), we talk about SMS but we don't consider it a leader," he said. Products from Novadigm Inc., Altiris Inc. and others outperform SMS and an independent assessment would mention such products in its findings, Pescatore said.

Microsoft is not the only company hoping to cash in on the recommendations that follow the assessments.

ISS is planning on Monday to formally announce a range of security assessment, remediation and management services for Microsoft customers.

ISS will offer a program to perform "deep assessments" of Microsoft customer networks with the goal of improving software patching processes and systems, said Kerry Armistead , product manager for professional security services and education at ISS.

The ISS program will offer its customers three levels of assessment, "basic," "gold" and "platinum," that couple vulnerability assessments with patch management plans. The company will add services such as system policy design and best practices recommendations for customers that select the higher level offerings, Armistead said.

"The goal is to leave you with a system in place to keep up with patches -- give you change and release management processes so that as new patches roll out, you have a well-oiled machine to distribute them before malicious code is released," he said.

At CareGroup Healthcare System in Boston, consultants from Microsoft's Services group did a free security assessment at Beth Israel Deaconess Medical Center (BIDMC) in late 2003, said John Halamka, CareGroup's chief information officer.

That followed a series of critical security alerts and Internet worms concerning Microsoft products at that time, he said. "When Microsoft had all those security issues, we decided that we needed an enterprise view of things. It was getting too hard to deal with the daily patch routine," Halamka said.

Following the assessment, CareGroup launched a "hardening project" with Microsoft Services consultants to move the nonprofit health care organization to the latest generation of Redmond's products including Microsoft Exchange 2003 and the latest versions of Windows XP and Microsoft Office. CareGroup will use SMS 2003 to apply patches and remotely manage 4500 Windows desktops, he said.

That project will be done by the end of 2004 and is going "very well," he said. However, not all customers have been receptive to the free offer, Noelle said. "We get all kinds of responses, some do it. Some just don't like Microsoft. There's all kinds of feedback," he said.