Everybody in the IT business knows that patching can be a pain. Consumers can take the easy way out: turn on auto updates, set it and forget it. But businesses can’t afford to be quite that cavalier when one bad patch can bring the network – and the user productivity that depends on it – to a grinding halt. Patching server products can be an especially dicey operation. And having to wade through a slew of security bulletins each month that may or may not even apply to the software you’re using just makes it even more of a hassle. Wouldn’t it be nice if admins had something to take all the guesswork out of it?
Microsoft has recognized this problem and on May 28, in keeping with its new emphasis on providing services rather than just selling software, it released a new service targeted at small business admins to help with the patch deployment process. It’s called MyBulletins and, according to the MSRC blog, it was developed in response to customer input. It lets admins customize the list of security bulletins for Microsoft products based on the software versions running on their network.
Using it is pretty simple. You log on at the MyBulletins web site on TechNet with your Microsoft account, and you’ll first be taken to a page for selecting the server and client software that you’re running. After that, when you log on, you’ll see your Security Bulletins Dashboard, as shown in the screenshot.
Now you’ll see only those bulletins that are relevant to your software configurations, and they’re color coded for quick reference so you’ll know at a glance which are critical, important or moderate and which will require a reboot. You can even download the info to an Excel spreadsheet.
It’s a nice idea, and anything that simplifies a busy IT pro’s life is a good thing. I did notice a few things that you might want to be aware of, though. Not all Microsoft products are shown in the list, so you might have to do a search to find some of the programs that are running on your network. Oddly, “Internet Security and Acceleration Server” (ISA Server) was in the list, but to find its successor, TMG, I had to do a search – and it turned up no results when I typed “TMG.” You’ll have to type the full name (Threat Management Gateway) to find it.
Also note that the product list is opt-in: you have to add each piece of software for which you want to see bulletins, rather than flagging those for which you don’t. If you forget to enter one of the programs running on your computers, your dashboard might be missing important information.
The larger caveat is that, provided you’re diligent when you set it up, this service will probably do what it sets out to do – allow you to filter the lists of Microsoft security bulletins and clear out those that don’t matter to you – but that’s as far as it goes. And that might not be far enough.
Currently, there is no provision for receiving notifications via email or other communication channels when patches are released, so you have to log in to the service to get the information. That’s fine for regular Patch Tuesday releases, but what about emergency out-of-band patches? And it’s an additional burden on admins who probably already have multiple consoles for monitoring various aspects of the network. Centralized management is good; keeping up with two or three (or eight or 10) management interfaces, not so much.
Probably the biggest failing of the service is that it addresses only Microsoft software. Much of the threat today comes by way of vulnerabilities in third-party programs. It’s not that I think Microsoft should be responsible for delivering other vendors’ security bulletins to customers; it’s just that there are better solutions out there that are designed for the express purpose of patch management across many different vendors. I think most organizations will find it more efficient and more admin-friendly to have all bulletins and patches in one place instead of having to shift back and forth between multiple sources, sites and consoles.