In a move to better assist system administrators, Microsoft is working on an update to its Windows Update service that will include software patches to fix security holes in its server products.
"We've become increasingly aware that the ease of managing security fixes is a critical issue for administrators in small and medium-sized businesses. In fact, for many of these administrators, manageability is even more critical than configuration control," said Scott Culp, a security program manager at Microsoft's Security Response Center, in an e-mail Tuesday.
Windows Update is an online service that scans systems, suggests updates, and installs them on request. In the past, corporate IT professionals told Microsoft they had no interest in a service that installs patches onto the server, Culp said. As a result, Windows Update was oriented to the home user and didn't include fixes for many server products.
"We're in the process of changing Windows Update so that it will serve both home and corporate users. We've been working with the Windows Update team to ensure that security fixes for IIS and other server products are available on the site," said Culp.
Windows Update won't be pulled back and re-launched. The fixes for server software will be added to the site in the coming weeks and months, added a Microsoft spokeswoman. In the meantime, server administrators are advised to use Windows Update in tandem with Microsoft's TechNet Security Notification Service, a free e-mail alert service.
TechNet is Microsoft's Web site for IT professionals. Microsoft doesn't push the mailing list or the site as much as it does Windows Update, to which every Windows user has a shortcut in the Start menu.
The new Windows Update will be welcomed by at least one Windows 2000 server user, who said he trusted Windows Update to serve up the latest patches until he found himself the victim of a malicious Internet worm. He now feels he was given a false sense of security by Windows Update.
Casey Weaver administers a Windows 2000 server at a small consultancy firm in Austin, Texas. He was convinced that he had fully secured the system, but got hit by the "sadmind/IIS" Internet worm anyway. The worm, which takes advantage of a seven-month-old hole in Microsoft's server software, placed an anti-American rant on Web sites Weaver maintains for his customers.
The sadmind/IIS worm was discovered last week by the Computer Emergency Response Team (CERT) and is said to have compromised thousands of servers. [See "Worm hits thousands of Solaris and IIS servers," May 11.]
"I installed all of the critical updates that the Windows Update utility presented on Sunday May 6. We got hit by the worm on Thursday May 10," Weaver said in an e-mail. "I'm thinking that I might not be alone in my pickle barrel of assumptions that Microsoft's Windows Update would notify me of all critical updates that need to be applied," Weaver said.
Dutch Web site hosting company XS4ALL Internet BV, which runs Windows 2000 servers for customers, said Windows Update can confuse novice server administrators.
"Windows Update is somewhat deceptive; it looks like you get all the updates, but in fact you don't. For server patches you need to go to Microsoft's site for IT professionals," said XS4ALL spokeswoman Sjoera Nas. "After receiving the e-mail you have to manually download the patch and install it."
To help ensure that customers "aren't confused," Microsoft said it would soon add information to the Windows Update site that tells the users where the latest IIS patches can be found.