Update, January 2004
Associated article: Client Patching at Microsoft

Critical Patch Process (Illustration)

[Illustration: Critical Patch Process]

Microsoft’s Corporate Security (CorpSecIT) and Global Client Software (GCS) groups work together to keep Microsoft’s client PCs up to date on critical patches. CorpSecIT monitors external sources (such as antivirus vendor sites) and Microsoft’s own sources for security alerts and information about software vulnerabilities, and it also monitors Microsoft’s Windows Update site for the availability of patches. CorpSecIT determines the threat level of each vulnerability and, for threats deemed critical, sets enforcement guidelines for patching clients (for example, the time clients are given to install the patch voluntarily) and notifies the GCS group.

When notified of a critical threat, the GCS group allows about 72 hours to test the corresponding patch, alert clients to the threat, and distribute the patch to them, using SMS 2003 to reach managed clients and e-mail to notify unmanaged clients (such as PCs administered within product development lab domains). Following patch distribution, GCS monitors patch-installation compliance against the guidelines set by the CorpSecIT team. The compliance deadline is between zero and 14 days, depending on the nature of the threat. Once the deadline for voluntary patch installation has passed, GCS and CorpSecIT forcibly install the patch on managed client machines and remove noncompliant unmanaged clients from the corporate network.
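The enforcement timeline described above (72-hour distribution window, a 0 to 14 day voluntary period, then forced installation for SMS-managed clients and network removal for unmanaged ones) expressed as a small compliance model. This is an added example, not Microsoft’s own tooling; the client records, dates and action names are constructed.

```python
"""Compliance model for the critical-patch enforcement timeline.

Constructed example (not Microsoft's code): hostnames and dates are made up.
Timeline: CorpSecIT notification -> ~72 h GCS test/alert/distribute window ->
voluntary compliance window of 0..14 days -> enforcement.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DISTRIBUTION_WINDOW = timedelta(hours=72)  # GCS budget to test and distribute


@dataclass(frozen=True)
class Client:
    name: str
    managed: bool   # True if reachable through SMS 2003, False if lab/unmanaged
    patched: bool   # current state reported by inventory


def compliance_deadline(notified: datetime, grace_days: int) -> datetime:
    """Voluntary-install deadline: distribution window plus 0..14 grace days."""
    if not 0 <= grace_days <= 14:
        raise ValueError("grace period must be between 0 and 14 days")
    return notified + DISTRIBUTION_WINDOW + timedelta(days=grace_days)


def enforcement_action(client: Client, now: datetime, deadline: datetime) -> str:
    """What GCS/CorpSecIT do with one client at time `now`."""
    if client.patched:
        return "compliant"
    if now < deadline:
        return "remind"  # still inside the voluntary window
    # Deadline passed: managed clients get the patch pushed, unmanaged ones
    # lose corporate network access until they comply.
    return "force-install" if client.managed else "remove-from-network"


def compliance_report(clients, notified, grace_days, now):
    """Map each client name to the action due at `now`."""
    deadline = compliance_deadline(notified, grace_days)
    return {c.name: enforcement_action(c, now, deadline) for c in clients}


# Constructed sample inventory and notification time (not real hosts).
SAMPLE_CLIENTS = [
    Client("desk-001", managed=True, patched=True),
    Client("desk-002", managed=True, patched=False),
    Client("lab-017", managed=False, patched=False),
]
NOTIFIED = datetime(2004, 1, 12, 9, 0)

if __name__ == "__main__":
    for when in (NOTIFIED + timedelta(days=2), NOTIFIED + timedelta(days=20)):
        print(when.date(), compliance_report(SAMPLE_CLIENTS, NOTIFIED, 7, when))
```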

The CorpSecIT group also serves as a quality-assurance gate for the public release of patches: it verifies the efficacy of patches and tests their stability before they are released to the public by the Microsoft Security Resource Center (MSRC), the group responsible for the Windows Update site and other external security resources for customers. However, beyond providing this testing function, CorpSecIT receives no special treatment from the company’s development arms, nor does it trigger Microsoft’s corporate patching process on the basis of this early information. Only when vulnerabilities and patches are made publicly known does the group initiate Microsoft’s internal patching process.