
Tools for Auditing Software Updates

One of the most important concepts in security is "Trust, but audit." Auditing provides a critical layer of protection against human error and omission. In the case of software update management, auditing enables you to verify that updates are distributed correctly and are not removed after distribution.

Microsoft provides the following tools for auditing software updates and the software update process:

  • WSUS: WSUS enables you to view which updates have been distributed to which computers. To detect updates that are removed after distribution and new computers that do not have the proper updates installed, use WSUS reporting in conjunction with one of the other tools in this list.
  • Configuration Manager 2007 R2: Configuration Manager 2007 R2 monitors installed updates and can generate reports showing whether updates are successful.
  • MBSA: The Microsoft Baseline Security Analyzer (MBSA) actively connects to computers on your network and, with proper credentials, generates reports displaying the installed updates and a list of other security vulnerabilities. MBSA is a graphical tool that simplifies manual, interactive auditing. MBSACLI and Configuration Manager 2007 R2, described next, use the MBSA engine.
  • MBSACLI: The MBSA command-line interface (MBSACLI) allows you to script MBSA auditing, enabling you to audit large numbers of computers in an automated fashion. You can generate Extensible Markup Language (XML)-based reports that you can view with the MBSA interface, or you can create tools that process the XML-based MBSACLI reports. MBSACLI is included with MBSA.
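
The cross-check described in the WSUS and MBSACLI items can be scripted. The following is an added example, not code from this tutorial or from Microsoft: it compares a record of distributed updates against XML scan reports to flag updates that are no longer installed and computers that the distribution record does not know about. The report layout (SecScan, UpdateData, Machine, KBID, IsInstalled), the computer names, and the KB numbers are assumptions constructed for illustration; compare them with a real report before relying on the parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample: updates the distribution record (for example, a WSUS
# report export) lists as delivered to each computer, keyed by KB number.
DISTRIBUTED = {
    "WKS-001": {"1000001", "1000002"},
    "WKS-002": {"1000001"},
    "WKS-004": {"1000001"},
}

# Constructed sample scan reports. Element and attribute names are an
# assumed layout, not taken from the tutorial.
REPORTS = [
    """<SecScan Machine="WKS-001"><Check Name="Security Updates"><Detail>
         <UpdateData KBID="1000001" IsInstalled="true"/>
         <UpdateData KBID="1000002" IsInstalled="false"/>
       </Detail></Check></SecScan>""",
    """<SecScan Machine="WKS-002"><Check Name="Security Updates"><Detail>
         <UpdateData KBID="1000001" IsInstalled="true"/>
       </Detail></Check></SecScan>""",
    """<SecScan Machine="WKS-003"><Check Name="Security Updates"><Detail>
         <UpdateData KBID="1000001" IsInstalled="false"/>
       </Detail></Check></SecScan>""",
]

def installed_updates(report_xml):
    """Return (machine name, set of KB numbers the scan found installed)."""
    root = ET.fromstring(report_xml)
    found = {u.get("KBID") for u in root.iter("UpdateData")
             if u.get("IsInstalled", "").lower() == "true"}
    return root.get("Machine", "").upper(), found

def audit(distributed, reports):
    """Cross-check the distribution record against scan results."""
    scanned = dict(installed_updates(r) for r in reports)
    return {
        # Distributed but not installed now: removed or failed updates.
        "missing": {m: sorted(kbs - scanned[m])
                    for m, kbs in distributed.items()
                    if m in scanned and kbs - scanned[m]},
        # Scanned on the network but absent from the distribution record.
        "untracked": sorted(set(scanned) - set(distributed)),
        # In the record but never scanned: no evidence either way.
        "unscanned": sorted(set(distributed) - set(scanned)),
    }

if __name__ == "__main__":
    for finding, detail in audit(DISTRIBUTED, REPORTS).items():
        print(finding, detail)
```

Treat the "unscanned" list as an audit gap rather than a pass: a computer that was never scanned provides no evidence that its updates are still installed.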

WSUS and Configuration Manager 2007 R2 were described earlier in this tutorial. The sections that follow describe MBSA and MBSACLI.
