How simple it would be if our systems could just stay the way they are, or if they would work properly upon release. If there were no upgrades and no security flaws, the life of a systems administrator would be simpler. But, alas, change is inevitable, especially where Microsoft is concerned.
It would be simpler if change came all at once -- or even in big chunks. Unfortunately, that is not the case. Instead, it comes a bit at a time: a hotfix here, a service pack there, dragging out the administrator's headache ad infinitum. The only time changes occur on a large scale is with migrations, moving to new versions of the same software, or even completely different operating systems. But migration is a topic a little beyond the scope of this article. We will confine our subject to a more frequent pest, the hotfix.
So this situation is probably something like the one you are facing: You are an administrator managing about 100 (conservative estimate) servers, desktops, laptops, etc. all with different configurations and you need to find out which of the appropriate hotfixes is needed, then which is needed on which machine, and upload, download or otherwise magically transfer the hotfix to said machine. Sound about right? Oh, by the way, some of these hotfixes could mean the difference between your company's security and your job security. "These issues are critical for planning and decision making, and they can have serious consequences if not handled adequately,"
Gravity Storm Software, maker of Service Pack Manager 2000, estimates that Microsoft had released 257 hotfixes for various Windows OS versions up until August 2001. That includes hotfixes for Exchange, Windows 2000, SQL Server, Outlook and, of course, Internet Information Server. And the best part is you probably don't need them all.
What is an admin to do? Well, as with everything else in life, there are choices, each with its own tradeoffs. When it comes to service packs and hotfixes, the choices are actually pretty simple. You can suck it up and do everything yourself (if your company is larger than 200 machines, this isn't really an option), you can rely on a first-party product like Microsoft's HFNETCHK or the recently released GUIed-up Microsoft Baseline Security Analyzer (MBSA), or you can go the more costly route with a third-party tool.
Do-it-yourself is a viable option for a small company, but it is by no means easy. "Manual tracking of this information is too time consuming and expensive," Timashev said. With all things being equal, having a third-party tool is probably better, but in reality cost usually outweighs necessity. Network administrator Joel Johnson of TechTarget, parent company of SearchSystemsManagement in Needham, Mass., does not believe there is a business need to purchase third-party tools to protect his desktop environment. But desktops are really only part of the issue. Johnson considers servers to be in a different category. "Each time a patch is out you should ask yourself if it affects a mission-critical application or OS before you install it," Johnson said. Installing hotfixes also might involve downtime that the company cannot afford. But without a third-party tool, Johnson confided that he does find keeping up with changes "time-consuming and overwhelming."
Microsoft's free tool HFNETCHK, or hotfix network checker, is one possibility to help you keep up with your changes. HFNETCHK is a command-line tool that scans for the presence or absence of Service Packs and hotfixes. Though it seems to be a useful tool, and a pay version of the tool is available from tool creator Shavlik Technologies, it's received mixed reviews. Leon Havin, founder and CEO of Gravity Storm Software, a competitor of Shavlik Technologies, says HFNETCHK is a step in the right direction, but it is a case of "too little too late" for Microsoft. Johnson concurs with Havin, "We do use the Microsoft hotfix checker when updating desktops, but we do not rely on it. It is mostly inaccurate and does not always provide you with the correct evaluation -- Microsoft knows this."
Suddenly an administrator's options are dwindling. You practically need an extra body to constantly check Microsoft's Web site for security alerts and hotfixes, and the free tool might not be up to snuff. That seems to leave only the option of third-party software. Luckily many companies offer trial versions, and some -- like Gravity Storm -- offer free, lite versions of their software. "I was surprised at the publicity HFNETCHK got when it was released, since our lite version of Service Pack Manager 2000 is similar," Havin said. In fact, Microsoft's recent release of MBSA, a GUI version of HFNETCHK, could have been in response to the free software available from third-party vendors.
Havin and Timashev agree that third-party tools are necessary for keeping track of Service Packs and hotfixes. "You have to research your machines to see if hotfixes are installed and then afterwards you need to verify that they have been installed correctly. The whole thing can become a nightmare very quickly," Havin said.
So far, I have discussed only Windows operating systems because Windows is the most widely used and the most-often attacked operating system. So it isn't that Unix machines don't need patches or that their admins don't have trouble keeping track of them, it's just that with most desktop and laptop machines running Windows, those systems just get more attention from vendors. Most of the Unix OS vendors have their own tools. For instance, Sun has a patch checker as well as a downloadable Patch Manager on its site for Solaris operating systems. Sun also digitally signs its patches to insure security. Red Hat software calls their updates Errata and has a product called Red Hat Network that keeps you up to date on Errata and installs any updates for you. A demo is available on the site's home page.
"The events of 9/11 have raised a tremendous consciousness concerning security," Havin said. Unfortunately 90% of all operating systems are Windows, and to keep up with security, keeping up with hotfixes and service packs becomes a dire necessity. So if you find the constant flux of your systems overwhelming, there are places to turn for help. If you are working in a Unix environment, help usually will come from the OS vendor. If you are in a Windows environment, there are plenty of third-party vendors ready to help, at least until Microsoft gets it right.
About the author: Ben Vigil is the technical editor for TechTarget.
This was first published in June 2002