As of this post, the SMS 2003 R2 update is in beta. This update is an enhancement that lets SMS administrators publish software updates for non-Microsoft software that may be running in their environment, and scan their environment for vulnerabilities associated with system configuration. Let's take some time to review both of these additions.

Custom Updates Tool
-------------------
The Custom Update Tool is a welcome extension to the patch management capability that has been building over time in SMS. Historically, patching through SMS has been limited to patches that are vendor specific - such as Microsoft, Dell and IBM. The custom update tool adds the ability for any vendor to manage software patching through SMS - including any custom applications that may be running in the environment.
The custom update tool is supported on Windows XP SP2 or greater and Windows 2k3 SP1 or greater clients. It is driven by a new MMC snap-in that allows administrators to import updates from vendors or create updates specific to the environment, and then publish them all to the SMS server and ultimately to the SMS clients, for use in scanning and ultimately advertisement targeting. The nuts and bolts of the custom update tool are in many ways very familiar to SMS administrators who are experienced with existing patching - the main difference is the way the patches are imported and/or built in the environment.

Vulnerability Assessment Tool
-----------------------------
SMS has had the ability to detect and deploy missing software updates for some time now. But some vulnerabilities that expose organizations to security risks are beyond the scope of what has historically been addressed through software updates. These vulnerabilities fall into the category of systems that may be configured in a way that makes them more subject to a security breach. The vulnerability assessment tool was designed to detect such machines. It is based on MBSA technology but is not designed to use any of the patch detection features of MBSA. Instead, MBSA is used to detect common system vulnerabilities that may arise from a system configuration that is not optimal for security. The analysis focuses on several areas:

- Windows administrative vulnerability
- Weak passwords check
- IIS administrative vulnerability
- SQL Server administrative vulnerability

SMS administrators familiar with our scanning technologies will be able to use the vulnerability assessment tool very easily. Install is similar to our other scan tools in that the collections, packages and advertisements can be created for you automatically for immediate use. There are two packages created:

- Vulnerability Assessment
- MBSA 2.0

The Vulnerability Assessment package runs the vulnerability assessment tool, which scans the target computers and reports back vulnerability status. This is the only package for which an advertisement is created at install. The MBSA 2.0 package is created to allow administrators to distribute MBSA to those computers that don't currently have MBSA installed. Administrators will need to create their own advertisement for the MBSA tool if needed for their environment.
When the vulnerability assessment tool runs, it will report back the detected vulnerabilities as hardware inventory - again, just like our other scan tools.