New IT Showcase article: Securing the Microsoft Environment Using Desktop Patch Management

IT Showcase just released a new article about how Microsoft IT uses System Center Configuration Manager (SCCM) to manage desktop updates. Some highlights:

Architecture

Microsoft IT implemented System Center Configuration Manager in a Windows Server® 2008 environment with Microsoft SQL Server® 2008 based on the following configuration:

  • One central site server. The central site server is a high-capacity, high-throughput server with eight processors and 16 gigabytes (GB) of RAM.
  • A dedicated SQL Server computer. SQL Server 2008 is used to maintain the System Center Configuration Manager database. The SQL Server computer has 16 processors and 32 GB of RAM.
  • Five primary site servers. Each primary site server has eight processors and 4 GB of RAM. In the data center at headquarters, there is one cluster balanced through Network Load Balancing (NLB).
  • 20 dedicated distribution point servers. The distribution point servers contain two processors and 4 GB of RAM.
  • 26 shared secondary site servers. System Center Configuration Manager runs on approximately 26 secondary site servers that provide the Distribution Point role alongside other services, such as file and print services.
  • 120 shared distribution point servers. These shared distribution point servers also contain two processors and 4 GB of RAM.

Based on its examination of the software-updating requirements at Microsoft, Microsoft IT determined that a best practice would be to create two separate System Center Configuration Manager infrastructures: one used only to update servers, the other used only to update client computers. The decision was based on the following factors:

  • In the Microsoft environment, security updates are more critical for servers than for client computers, because a server affects the security and workflow of large groups of workers.
  • Microsoft IT can more easily meet the short time frame for updating servers if it does not have to share that infrastructure with client computers. A dedicated server infrastructure also allows for flexible scheduling and longer patch windows than are realized for client desktops.
  • The software platform baseline for servers at Microsoft is uniform and centrally enforced, whereas client computers run a wide variety of software versions and service pack levels.

Advantages

The deployment of System Center Configuration Manager as a patch-management solution within Microsoft provided immediate benefits in the following areas:

  • High compliance rates. Using System Center Configuration Manager as one of several distribution methods, Microsoft IT now achieves a 95 percent compliance rate across its organization within nine business days of the publication of a critical security update. The remainder consists of assets that are not connected to the Microsoft network during deployment as well as computers in test labs.
  • Efficiency in deployments of software updates. Elimination of custom scripting has shortened the time required to package updates from 5–10 business days to no more than 4 business days. Most updates are ready to deploy within one day. By eliminating custom scripting, Microsoft IT saves money and human resources for scripting, testing, and deploying software.
  • Reduction of unplanned downtime. Users can choose the best time to install a software update within a specifically configured grace period.
  • Improved inventory capability. System Center Configuration Manager's robust inventory capability allows Microsoft IT to take a proactive approach to security by knowing the systems that exist on the network and their patch levels.
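The compliance figure above only means something if it is computed the same way every month: a fixed business-day window from the publication date, and the non-compliant remainder broken out into machines that never checked in during the deployment, lab machines outside the SLA, and machines that were online but still missed the deadline. The following added example (not code from the IT Showcase article or from Configuration Manager's own reporting) does that roll-up over a constructed inventory snapshot; the asset records, hostnames and the 2009-06-09 publication date are all made up for illustration, and the business-day calculation ignores holidays.

```python
"""Patch-compliance roll-up over a constructed inventory snapshot (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    installed_on: Optional[date]  # date the client reported the update installed; None = not installed
    last_seen: date               # last inventory contact with the management point
    is_lab: bool = False          # test-lab machine, outside the production SLA


def add_business_days(start: date, n: int) -> date:
    """Return the date n Monday-to-Friday days after start (holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def compliance_report(assets: Iterable[Asset], published: date, window_days: int = 9) -> dict:
    """Classify each asset against a deadline of window_days business days after publication.

    compliant: update installed on or before the deadline
    lab:       not installed, but a lab machine (reported separately, not counted as overdue)
    offline:   not installed and no inventory contact since publication, so it never saw the deployment
    overdue:   online during the deployment and still not installed by the deadline
    """
    deadline = add_business_days(published, window_days)
    buckets = {"compliant": [], "lab": [], "offline": [], "overdue": []}
    for a in assets:
        if a.installed_on is not None and a.installed_on <= deadline:
            buckets["compliant"].append(a.name)
        elif a.is_lab:
            buckets["lab"].append(a.name)
        elif a.last_seen < published:
            buckets["offline"].append(a.name)
        else:
            buckets["overdue"].append(a.name)
    total = sum(len(v) for v in buckets.values())
    rate = round(100.0 * len(buckets["compliant"]) / total, 1) if total else 0.0
    return {"deadline": deadline, "total": total, "rate": rate, **buckets}


# Constructed data: a hypothetical critical update published on Tuesday 2009-06-09.
PUBLISHED = date(2009, 6, 9)


def sample_inventory() -> list:
    """Twenty made-up assets: 17 patched in time, one lab box, one laptop that was away, one laggard."""
    assets = [
        Asset(f"ws{i:02d}", PUBLISHED + timedelta(days=i % 7 + 1), PUBLISHED + timedelta(days=14))
        for i in range(17)
    ]
    assets.append(Asset("lab01", None, PUBLISHED + timedelta(days=14), is_lab=True))
    assets.append(Asset("laptop01", None, PUBLISHED - timedelta(days=3)))      # last seen before release
    assets.append(Asset("ws-late", PUBLISHED + timedelta(days=16), PUBLISHED + timedelta(days=16)))
    return assets


if __name__ == "__main__":
    report = compliance_report(sample_inventory(), PUBLISHED)
    print(f"deadline {report['deadline']}: {report['rate']}% of {report['total']} compliant")
    for bucket in ("lab", "offline", "overdue"):
        print(f"  {bucket}: {', '.join(report[bucket]) or '-'}")
```

The distinction between "offline" and "overdue" is the one worth keeping in a real report: a machine that last inventoried before the update was published could not have received the deployment and belongs in the reconnect-and-retry queue, whereas a machine that was online throughout and still missed the deadline is the one that needs a client-health or deployment investigation.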