Understanding patch management options for student computers
Updated: July 18, 2006
Every fall, higher education institutions host the return of thousands of students to campus. While this return is a challenge on many fronts, in recent years it has become increasingly challenging for IT staff to mitigate the threat posed by unmanaged student machines. For the 2006 back-to-school timeframe, Microsoft has several options for managing the patching and vulnerability assessment process, most of which are no-cost service add-ons to Windows Server 2003.
Options for student-computer patch management
Microsoft offers three flavors of patch management tools, listed below in order of increasing flexibility, features, and capability as well as acquisition and implementation cost.
1. Microsoft Update
This service offers all the features and benefits of Windows Update, plus downloads for other Microsoft applications: Microsoft Office 2003, Office XP, Microsoft Exchange Server, and Microsoft SQL Server.
Microsoft Update is the primary means for patching consumer machines. It can be used alone where the organization prefers to use a low-maintenance approach to patching student machines. Another method of utilizing the ubiquitous nature of Windows Update is to configure the Update Client on the student machine to run in parallel with a richer, enterprise-level tool, such as Systems Management Server. This approach allows for fine-tuned delivery of updates to student machines when they are on the school network, and also ensures that student machines still receive patches when they are removed from the University network for holidays and other extended periods of time.
It is important to understand that the Microsoft Update service will address only the most recent versions of operating system and application software. Although existing updates for older service pack levels will remain available from the update site, new updates will not be available. Where it is necessary to maintain legacy Microsoft software (such as Windows 98 or older versions of Office), or to distribute third-party software updates, another tool will be the more efficient choice.
Microsoft Update is free and is activated by setting the Windows Automatic Update (AU) client to periodically query the Microsoft Update site for changes. The AU client must be configured manually, via Group Policy, or via registry changes.
2. Windows Server Update Services (WSUS) Service Pack 1
WSUS offers enhanced administrative capabilities for Microsoft Update that allow organizations to host and distribute to their internal users a subset of the updates provided by Microsoft Update: critical updates, security updates and service packs.
WSUS is version 2 of Software Update Services. Like Microsoft Update, WSUS is a free product that incorporates the expanded scope of application patching. In addition, WSUS allows for administrative review and approval of security updates before they are distributed, and for local hosting of patches on a central server, if desired. WSUS also utilizes the Windows AU client, and, on the server side, scales to support distribution hierarchies.
3. Systems Management Server (SMS) 2003 R2
Systems Management Server 2003 R2 offers enterprise-level control and administration of the patching process with options for targeting, reporting and customization not found in either of the update solutions. SMS can be used to manage both machines that are members of Active Directory domains and stand-alone machines. SMS is also an appropriate choice where it is necessary to manage Windows 98 and NT 4.0 clients, and may also be used to re-image machines in the context of an emergency triage effort. Using SMS will allow for distribution of updates of any kind from any vendor.
SMS scales to very large distributed infrastructures, and, along with providing a richer set of services, should be expected to require a higher level of administrative expertise. Microsoft's partnership with Quest allows customers to add rich management capabilities to SMS for Linux, Unix and Mac OS X platforms.
Organizations with a Campus Agreement with Student Option already own the "Core CAL" for students and will not incur extra licensing fees for using the SMS client on student computers. However, expect additional costs for licensing of the SMS Server.
The current patching tool for SMS is the Inventory Tool for Microsoft Updates (ITMU), which offers the same scanning engine and framework as WSUS from a security update perspective.
Addressing the unique challenges of managing student machines
Student machines are distinct from university-owned and managed client machines in a number of ways, and they present a unique set of challenges. Staff-owned computers and “nomad”-type employee-owned machines, such as those purchased via grant or other funding vehicles, may also fall into the same management category because they are not officially organization assets. This page will provide guidance and solutions to address what our higher education customers tell us are the primary roadblocks to successful patch management programs.
New Licensing Option for Update Distribution to Student Machines
In response to customer feedback, we've made it easier for education institutions to provide a more secure student computing environment. Microsoft Academic Volume Licensing customers are now allowed to redistribute software updates, such as security patches, to students. Learn more today about this new policy and the acceptable distribution methods.
Providing Coverage for Off-Campus Student Machines
Student machines that use Windows Update will function equally well whether on-campus or off-campus because they depend on globally-available Microsoft services for their security updates. However, where finer control of the management process is desired and the organization has decided to deploy WSUS or SMS for their student machines, it may be necessary to reset the Automatic Update Client on student machines to use Windows Update when they leave and will no longer be connecting to the organizational network.
Where WSUS has been selected as the primary patching mechanism, the AU client on the student machine must be reconfigured to point to Windows Update when the student will no longer participate in the school's management program, either permanently or for long periods of time, such as summer break.
Where a high degree of control of the patching process is required, and SMS has been selected as the appropriate tool, it is necessary to install client software. After it’s installed, the SMS client can be used in conjunction with the Windows Update client to provide patch management during holidays and other long absences from the school network. The SMS client software should be removed from the machine when the student no longer participates in organizational management.
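As an added example (not from the original article), the following PowerShell script performs the AU client reconfiguration described above, and the registry-based configuration mentioned under Microsoft Update, by writing the same WindowsUpdate policy values that Group Policy would set; the WSUS URL and the function names are assumptions.

```powershell
# Added example (not from the original article): switch the Automatic Update (AU)
# client between a campus WSUS server and Windows Update by editing the policy
# registry values that Group Policy would otherwise set. Run as an administrator.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-AutoUpdateTarget {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('WSUS', 'WindowsUpdate')][string]$Mode,
        [string]$WsusUrl = 'http://wsus.campus.example.edu'   # constructed placeholder
    )
    New-Item -Path $AuKey -Force | Out-Null   # creates both keys if missing

    if ($Mode -eq 'WSUS') {
        # On campus: point the client at the intranet WSUS server for updates and status reports.
        Set-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $WsusUrl -Type String
        Set-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $WsusUrl -Type String
        Set-ItemProperty -Path $AuKey     -Name 'UseWUServer'    -Value 1 -Type DWord
    } else {
        # Leaving campus (summer break, graduation): fall back to the public service.
        # UseWUServer=0 alone suffices; removing the URLs avoids a stale pointer later.
        Set-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 0 -Type DWord
        Remove-ItemProperty -Path $PolicyKey -Name 'WUServer','WUStatusServer' -ErrorAction SilentlyContinue
    }

    # Keep automatic updating on in either mode. AUOptions 4 = download and install on
    # the schedule below; 3 would download and then prompt the student to install.
    Set-ItemProperty -Path $AuKey -Name 'NoAutoUpdate'         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'AUOptions'            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallDay'  -Value 0 -Type DWord  # 0 = every day
    Set-ItemProperty -Path $AuKey -Name 'ScheduledInstallTime' -Value 3 -Type DWord  # 03:00

    # Drop the client's cached server authorization and run a detection cycle now.
    & wuauclt.exe /resetauthorization /detectnow
}

function Get-AutoUpdateTarget {
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    if ($au -and $au.UseWUServer -eq 1) {
        'WSUS: ' + (Get-ItemProperty -Path $PolicyKey).WUServer
    } else {
        'Windows Update (public service)'
    }
}

# Before summer break:  Set-AutoUpdateTarget -Mode WindowsUpdate
# Back on campus:       Set-AutoUpdateTarget -Mode WSUS -WsusUrl 'http://wsus.campus.example.edu'
Get-AutoUpdateTarget
```

On a domain-joined machine a Group Policy that sets these values will overwrite them at the next policy refresh, so there the change belongs in the GPO; on stand-alone student machines the script is the whole change.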
Dealing with Unmanaged or Infected Student Machines
The appearance of new student machines on the campus network introduces significant risk—to managed hosts that have not yet received a scheduled security update, and to the well-being of the network itself. It should be assumed that new incoming machines are not patched, and that they may be infected with malicious software. The industry looks forward to the maturity of network access protection technology for the wired and wireless network (such as currently exists in Microsoft’s VPN solution) to provide computer "health" services on the network. Until then, it is a current best practice for campus helpdesks to configure a "triage" WSUS server on an isolated network segment to provide malicious software detection, vulnerability testing, update, antivirus and antispyware services before allowing the machine on the campus network. Instructions for setting up WSUS for this scenario may be found in the WSUS Deployment Guide.
Patching Over Slow Links
Despite high-speed on-campus networks, many students continue to utilize dial-up connections for access. Microsoft’s patching architecture utilizes two new technologies to minimize bandwidth consumption. BITS (Background Intelligent Transfer Service) is used to throttle downloads as well as perform check-point restarts after unexpected disconnections. New patches are also much smaller in size because they take advantage of delta binary compression, a patch development feature that allows the update of changed code bits rather than entire files.
Automation
Campus IT departments are not staffed to manually or frequently touch all student machines to ensure patch levels. Features in WSUS and SMS allow automation of almost all phases of the patch management process—vulnerability assessment, patch identification, patch evaluation and planning, and patch deployment. The Microsoft Solutions for Management provides specific operational guidance and best practices for both SMS and WSUS solutions.
Cost
Most enterprise-level change and configuration or patch management tools are too costly (or too complex) to justify for the campus environment. Windows Server Update Services offers excellent functionality for customers without enterprise-level granularity and targeting requirements. As a free download, it can be installed on existing Windows 2000 Server SP4 or Windows Server 2003 SP1 machines, utilizes a free version of SQL Server, and can realistically support up to 15,000 users on a single machine. For customers already owning a Core CAL for their students, SMS Server is a highly scalable, enterprise-ready package with a modest cost for the educational environment.
Summary
For several years, Microsoft has been advocating proactive patch management as a function of its Trustworthy Computing initiative. With the recent introduction of Microsoft Update, Windows Server Update Services 2.0 and SMS 2003 R2, most of the roadblocks that prevented higher education customers from implementing successful patch management strategies for students have been removed. Be sure to use the tools and references provided here to ensure your campus is adequately protected for the return of students this fall.