"Lawrence Garvin [MVP]" <lawrence@news.postalias> wrote in message
news:ePzo6uM1JHA.1380@TK2MSFTNGP05.phx.gbl...
> "WSUS Admin 411" <WSUSAdmin411@discussions.microsoft.com> wrote in message
> news:14C07207-9202-42E8-8FCA-B5CB59A5D694@microsoft.com...
>> Lawrence and PA Bear,
>>
>> I appreciate your confirmation that KB894199 is the authoritative source
>> for updates released via WSUS.
>>
>> However, if one were to follow this Silverlight update related KB article
>> (http://support.microsoft.com/kb/960353), one would find that it was
>> released in February 2009 (this is Microsoft's release date, not mine).
And, I'll concede this point, KB960353 is not listed in KB894199.
>The *CURRENT* Silverlight package is published under KB960353, but that's
>the only update published in 2009.
This is what happens when one (-=me=-) writes a reply under time pressure,
rather than waiting to research/write until I have more than 2 minutes to
finish the work.
> In the 'audit-fearin' world I now find myself in, this is a very big
> omission.
Okay.. so... your concern is that KB960353 is not listed in KB894199 (or,
more generally, that KB894199 appears to be not as comprehensive as you
expected). I can appreciate that concern; however...
> So, I'm hoping someone (maybe from MS?) can give me a website (or KB or
> Technet page, etc...) that will list every patch released through WSUS for
> a given month.
That's the challenge here.. KB894199 is intended to be an informational
article. It's actually authored/maintained by the WSUS documentation team,
but that documentation group isn't the gatekeeper of the content that gets
published, so there is a potential for errors. To that point, while I stated
the KB article was "authoritative" for updates released via WSUS -- I
probably misused the word "authoritative", if that word is interpreted to
mean the "official/always correct - must be in this list to get published"
list.
I used the word to mean that it was the only Microsoft published list, and
to the extent that any such list exists - this is the most trustworthy one
that exists.
To be perfectly honest with you -- the BEST source for updates published via
WSUS are the updates that actually arrive on your machine. In fact, not all
published updates are actually published to WSUS. For example, there are
some Windows Home Server updates -- not in WSUS. Internet Explorer v8 -- not
in WSUS (yet, but will be in July). You wanta send a SOX auditor in a
tizzy-spin.. point out to them that not even your WSUS Server is guaranteed
to contain all of the updates you need to apply to your systems.
To the question of auditors --- and, again, accept that I'm not particularly
fond of auditors -- particularly SOX auditors -- most of whom don't have a
clue about the realities of Technology Management -- it's virtually
*impossible* to keep up with, or maintain, anything resembling a
comprehensive list of every update released by Microsoft. Any auditor who
thinks that can be done, simply stated, proves my point that most "don't
have a clue". I'd go one step farther -- if an auditor tells you something
has to be done -- and you know it's not practical -- ask them to provide an
example of how another client of theirs complies with that requirement --
and then ask for a second example (and I bet you get two different examples,
neither of which achieve the stated objective to 100% certainty).
Although, if you wanted to do that, you could make a list by KB article and
start accounting for each and every KB article (oh .. yeah... make note that
about half the KB article numbers in a sequence never actually appear on a
publication list). There is, btw, a BLOG that lists each and every KB
article released for publication -- although, again, it's not guaranteed to
be perfect and it's not impossible that a KB article could get published and
not actually make it on the list.
At the end of the day -- SOX Auditors are merely supposed to be ensuring
that an organization complies with THEIR OWN organizational policies -- not
to be imposing new policies on organizations -- which seems to be the
self-appointed role of many SOX auditors (generally, again, those that don't
have a clue). That is to say -- it's up to you (and your bosses) to
determine the WHAT and HOW of Patch Management that's appropriate for the
needs of your organization. All that the auditor should be interested in is
that you can document that you're actually in compliance with *your* stated
policies and procedures. So, rather than stating that "All Updates Published
By Microsoft" will be evaluated/approved, etc.; try a variation that says
"All Updates Available on our WSUS Server" will be evaluated/approved, etc.
Furthermore, any given organization is probably concerned about less than a
quarter of the products in Microsoft's catalog, so of those several thousand
per year non-security related updates that are published... you'd have to
expend a lot of effort filtering out the thousand or so you might actually
need to be concerned with -- just to make sure they're on the WSUS Server?
(It would be more reliable to install a second "control" WSUS Server,
synchronizing all products and classifications, with no assigned clients --
just so you have a second database to reconcile the production server
against.)
In the end, the best you can do from the standpoint of inventorying
published updates is keep up with a comprehensive list of SECURITY updates,
which can be tracked by MSRC number, which generally count in the under 100
per year range, as opposed to KB articles, which number in the several
thousand per year range, when all products are considered.
And for the non-security updates, the best you can do is monitor KB894199
(and its successors), and make sure *those* updates are accounted for, and
properly configured -- and accept that it's not going to be a perfect or
comprehensive document -- I doubt that any such suggestion or guarantee has
ever been made. And, perhaps, maintain a supplemental log that documents
"Updates on my WSUS Server not listed on KB894199" and the actions taken
with respect to those updates.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)
MS WSUS Website:
http://www.microsoft.com/wsus
My Websites:
http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile:
http://mvp.support.microsoft.com/pro...awrence.Garvin
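The supplemental log Lawrence suggests ("Updates on my WSUS Server not listed on KB894199") can be generated from the WSUS server itself rather than by hand. The following is an added example, not code from the thread or from Microsoft; it assumes the WSUS Administration API (Microsoft.UpdateServices.Administration) is installed on the machine running it, that the KB numbers from KB894199 have been exported by hand to a text file (one per line), and the server name and file paths are placeholders.

```powershell
# Added example: list every update on a WSUS server whose KB article(s) do not appear in
# a hand-maintained export of KB894199, and write them to a CSV for the audit log.
# Assumptions (placeholders): server wsus01.example.local, files under C:\Audit\.
param(
    [string]$WsusServer    = "wsus01.example.local",
    [int]$Port             = 8530,
    [bool]$UseSsl          = $false,
    [string]$KnownListPath = "C:\Audit\kb894199.txt",             # one KB number per line
    [string]$OutPath       = "C:\Audit\wsus-not-in-kb894199.csv"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

# Normalise the reference list to bare KB numbers ("KB960353" -> "960353"), dropping blank/odd lines.
$known = Get-Content $KnownListPath |
    ForEach-Object { ($_ -replace '^\s*KB', '').Trim() } |
    Where-Object { $_ -match '^\d+$' }

$all  = $wsus.GetUpdates()
$rows = foreach ($u in $all) {
    # An update may cite several KB articles; flag it only if none of them is on the list
    # (an update with no KB reference at all is flagged too, since it cannot be reconciled).
    $kbs     = @($u.KnowledgebaseArticles)
    $missing = @($kbs | Where-Object { $known -notcontains $_ })
    if ($kbs.Count -eq 0 -or $missing.Count -eq $kbs.Count) {
        [pscustomobject]@{
            Title          = $u.Title
            KB             = ($kbs -join ';')
            Classification = $u.UpdateClassificationTitle
            Bulletin       = (@($u.SecurityBulletins) -join ';')   # MSRC bulletin, if a security update
            Arrived        = $u.ArrivalDate                         # when it synchronised to this server
            Superseded     = $u.IsSuperseded
        }
    }
}

$rows | Sort-Object Arrived | Export-Csv -Path $OutPath -NoTypeInformation
"{0} of {1} updates on {2} are not listed in KB894199; written to {3}" -f `
    @($rows).Count, $all.Count, $WsusServer, $OutPath
```

Running the same script against a second "control" WSUS server (all products and classifications synchronised, no clients) and diffing the two CSVs gives the production-versus-control reconciliation described earlier in the post.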