Microsoft is to pay for security assessments of customers' networks to help improve patching policies and tackle fears about the security of its products.

The Microsoft Patch Assurance Security Service was started without fanfare late last year. As part of the program, the software giant is offering free security audits to all of its enterprise customers and paying for the services of third-party security consultants, including Internet Security Systems, to do the audits, according to interviews with those involved in the program.

In many cases, Microsoft's patch management products and services, including Systems Management Server (SMS) and Software Update Services (SUS), are recommended to customers as part of the audit, interviewees said.

Figures on the total cost of the Patch Assurance Security Service were not available, but it is an extensive program to reach out to Microsoft's entire enterprise customer base, defined as customers with 500 or more Windows desktops, said Peter Noelle, a partner account manager at Microsoft in Atlanta.

Microsoft has contacted around 75 percent of the 200 enterprise customers in the district that includes Atlanta regarding the program and the "vast majority", more than 90 percent of those companies, have signed up for the free service. The company hopes to contact all its enterprise customers by the end of its fiscal year in June 2004.

Microsoft is offering the same service in each of 17 regional districts in the US, using local and national consulting partners to perform the assessments, he said.

In the southeast district, Microsoft is working through Blackstone & Cullen, an Atlanta IT consulting company and Microsoft Gold Certified Partner. David Sie, security practice manager and Blackstone & Cullen, said: "We're an extension of Microsoft. Microsoft lets us know which of their customers they'd like us to help them perform the services, then they decide what the priority and the scope is for the customer," he said. In turn, Blackstone & Cullen has contracted with Internet Security Systems to conduct vulnerability assessments for the Microsoft customers, Sie said.

Microsoft pays for the services of both companies on behalf of its customers, which are typically Microsoft-centric organizations using a "significant amount" of Microsoft technology, Sie said.

The purpose of the program is to reduce the number of Microsoft customers who do not apply software updates by promoting patch management best practices. Microsoft also hopes to boost its credibility in the enterprise space on issues of security, Noelle said.

Assessments can last from days to weeks and range from "best practices" cases where few recommendations are needed to "dark pictures" where a "very significant" amount of work is required, he said. Typically, the assessment concludes with a set of recommendations and "actionable steps" that companies should take to improve their patch management processes, Noelle and Sie said.

Microsoft's sales organization follows up on the recommendations with the customer. In addition, Microsoft's partner companies often land contract work stemming from the assessments they perform, Noelle said. When patch management technology is needed, Blackstone & Cullen recommend Microsoft's SMS change and configuration management technology, Sie said. "Naturally, Microsoft is recommending the use of their SMS, but its up to the customer to decide," he said.

That limited product focus could be a problem for Microsoft customers, said John Pescatore, vice president at Gartner. "The problem is that SMS is not a strong product. When people ask us about [patch management], we talk about SMS but we don't consider it a leader," he said. Products from Novadigm, Altiris and others outperform SMS and an independent assessment would mention such products in its findings, Pescatore said.

Microsoft is not the only company hoping to cash in on the recommendations that follow the assessments. ISS is planning on Monday to formally announce a range of security assessment, remediation and management services for Microsoft customers.

ISS will offer a program to perform "deep assessments" of Microsoft customer networks with the goal of improving software patching processes and systems, said Kerry Armistead , product manager for professional security services and education at ISS.

The ISS program will offer its customers three levels of assessment - basic, gold and platinum - with system policy design and best practices recommendations for customers that select the higher level offerings. "The goal is to leave you with a system in place to keep up with patches - give you change and release management processes so that as new patches roll out, you have a well-oiled machine to distribute them before malicious code is released," he said.

Microsoft's free patch assessment program is similar to previous Redmond efforts to smooth over big technology shifts by giving away consulting services, Pescatore said, citing programs linked to the introduction of Active Directory and the Kerberos authentication protocol. The program might succeed in improving patching procedures at some organizations. However, for most companies, faster patching will not solve the problem of insecure products, he said.

Most enterprises still need a month to fully test Microsoft patches, distribute them to their user desktops and servers, and troubleshoot following deployment. In the meantime, software exploit and virus writers have shortened the length of time between disclosure of a vulnerability and the release of malicious code that takes advantage of that hole to just a few days, he said.

"You can't just say: 'Here's a new patch. Quick, push it out.' If it breaks an application, they're worse off than when they were unpatched," he said.