As administrators, we constantly strive to maintain a secure and functional computing environment for our users. In a perfect world, administrators would never have to update an installation of Windows; unfortunately, this is just not the case. Between weaknesses that are inherent to Windows (through coding mistakes or other issues) and the insatiable desire of Black Hats (bad hackers, as opposed to White Hats, who are good hackers) to find new and more devious ways to open up your network like a can of sardines, you will soon have your hands full trying to keep your network's security stance up to date with the latest patches and hot fixes. Realizing that it needed to become more proactive in helping Windows network administrators understand and correct the issues associated with the various security flaws that occur in the Windows operating systems, Microsoft has provided you with several tools that you can use to identify, categorize, and correct security-related issues on your network. The choice of which tool you use really depends on how you want to go about keeping your network updated. The following options are available for you to use in identifying and installing required security updates on your network's computers:
Planning for Software Update Services

Although Windows Server 2003 provides native support for Software Update Services, it does not by default include SUS. You can easily enough acquire the SUS installation package, however, and begin work configuring and implementing SUS on a network. But what, really, is SUS? It is nothing more than a locally controlled and managed Windows Update server. Instead of configuring the Automatic Updates client on your client workstations to download updates directly from the Microsoft Windows Update servers, you can install and configure one or more SUS servers on your internal network and point your client workstations toward those servers. As you might imagine, the ability to have your client workstations use an internal server for Windows Update can be a tremendous benefit to you because it means decreased bandwidth usage. As important as bandwidth savings might be, there is actually a larger benefit to be realized by implementing a SUS solution on your internal network: the ability to approve the specific updates that are to be installed on your clients. When you use Windows Update, your client computers install any available update that matches their needs, but with SUS you can specify which of the available updates are authorized to be pushed to the clients after you are satisfied that the update will pose no problems for the systems. This is a tremendous benefit that often goes unrealized. As previously implied, SUS is actually one part of a two-part system. The other part, the Automatic Updates client, runs on the servers and client workstations to which you want updates downloaded. Although the Automatic Updates client was included in Windows XP (pre-Service Pack 1), it was not the correct version to participate in SUS. You need to install Windows 2000 Service Pack 3 (or higher) or Windows XP Service Pack 1 (or higher) on client workstations to get the updated version that can interact with SUS.
Alternatively, you can install the updated version of the Automatic Updates client, which you can download from www.microsoft.com/windows2000/windowsupdate/sus/default.asp. You can also download the SUS installation package from this location. Unlike the previously released version of SUS, this one can be installed on a domain controller, which provides a great benefit to small organizations in which only one server is in use at some locations. The requirements to install SUS on a Windows Server 2003 computer are as follows:
SUS provides the following client-side features:
SUS provides the following server-side features:
EXAM TIP: Know SUS

SUS is a key part of Microsoft's security update infrastructure. You need to have a very good understanding of what it does, how it works, and how you can configure it to meet your needs and requirements. The actual process to install and configure SUS and Automatic Updates is covered in Exam 70-291, "Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure." Refer to the MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure (2003, Que Publishing; ISBN: 0789729482) by Dave Bixler and Will Schmied for more information on installing and configuring your SUS solution.

Using the Microsoft Baseline Security Analyzer

You can quickly learn to use the Microsoft Baseline Security Analyzer. After downloading the most current version from www.microsoft.com/technet/security/tools/tools/mbsahome.asp and installing it, you are just a few mouse clicks away from performing a security analysis of your network's computers. When you launch the MBSA utility, you are presented with the option to scan one computer, scan multiple computers, or review previous scan reports, as shown in Figure 8.30. Figure 8.30. You can quickly scan multiple computers with just a few clicks of the mouse using MBSA.
By clicking the Scan More Than One Computer link, you can enter the NetBIOS domain name or IP address range that you want scanned, as shown in Figure 8.31. Figure 8.31. You can enter an entire domain to scan or scan a specific portion of the network.
After the scan has been completed, you can see the results of each computer's scan, as shown in Figure 8.32. As you can see, this computer is missing a critical security update that creates a severe risk situation on the computer. Figure 8.32. This computer is at severe risk due to a missing security update.
As mentioned previously, MBSA scans your computers not only for Windows security updates, but also for updates associated with other Microsoft products. MBSA 1.1.1 (the current version as of this writing) scans for security updates in the following products:
Maintaining a Security Update Infrastructure

In newly implemented Windows Server 2003 Active Directory networks, implementing a SUS solution to download and install approved security updates is most likely going to be your best bet. If you have an existing security update architecture in place, such as SMS or some other third-party solution, you may need to evaluate the benefits and costs of changing over to SUS. If you are relying only on Windows Update or Automatic Updates (without SUS) to keep your systems up to date, you need to seriously look into rolling out SUS. One possible scenario for using SUS and MBSA on your network to monitor and maintain security goes like this: You install and configure one or more SUS servers on your network, as determined by the number of clients that will be accessing them (each server can handle approximately 15,000 clients) and the geographical dispersion of your network. You configure SUS to automatically synchronize content nightly when network traffic is at its lowest. You also configure Automatic Updates via a GPO to download, install, and restart computers as required nightly, thus installing any newly approved updates. You also make it a habit to review, test, and approve new security updates one or more times a week to keep your systems up to date. Lastly, you could run MBSA against your network computers twice monthly to spot-check the effectiveness of SUS in keeping your computers updated with the patches you have approved.
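The scenario above depends on two things being true on every client: the Automatic Updates client is pointed at your internal SUS server rather than Microsoft's Windows Update servers (so only updates you have approved are installed), and it is configured to download and install on the nightly schedule. Both settings are delivered by the Windows Update GPO and land in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate policy keys on the client. The following PowerShell script is an added example, not part of the training guide and not a Microsoft tool; it reads those policy values on the local client and reports anything that would make the client fall outside the SUS approval process or the nightly install schedule. The SUS server URL at the top is an assumed placeholder that you would replace with your own server's address.

```powershell
# Added example (not from the training guide): audit this client's Automatic
# Updates policy against the SUS scenario described above. Run from an
# elevated PowerShell session on the client, or push it out with Invoke-Command.

# ASSUMPTION: placeholder name for your internal SUS server; replace it.
$ExpectedSusServer = 'http://sus01.corp.example'

function Test-SusClientPolicy {
    param([string]$ExpectedServer = $ExpectedSusServer)

    # These are the policy keys the Windows Update / Automatic Updates GPO writes.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $findings = @()

    # 1. Is the client pointed at the internal SUS server at all?
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'WUServer not set: client downloads from Microsoft Windows Update, bypassing SUS approval'
    } elseif ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    if ($wu -and $wu.WUStatusServer -and ($wu.WUStatusServer -ne $wu.WUServer)) {
        $findings += "WUStatusServer '$($wu.WUStatusServer)' differs from WUServer; client statistics are reported elsewhere"
    }

    # 2. Is Automatic Updates managed, enabled, and actually using WUServer?
    if (-not $au) {
        $findings += 'AU policy key missing: Automatic Updates is not managed by GPO on this client'
    } else {
        if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate=1: Automatic Updates is disabled on this client' }
        if ($au.UseWUServer -ne 1)  { $findings += 'UseWUServer is not 1: the WUServer value is ignored' }

        # AUOptions: 2 = notify before download, 3 = auto download and notify
        # before install, 4 = auto download and schedule the install. Only 4
        # gives the unattended nightly install the scenario calls for.
        if ($au.AUOptions -ne 4) {
            $findings += "AUOptions=$($au.AUOptions): approved updates will not be installed unattended"
        } else {
            # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday
            # ScheduledInstallTime: hour of the day, 0..23
            if ($au.ScheduledInstallDay -ne 0) {
                $findings += "ScheduledInstallDay=$($au.ScheduledInstallDay): installs run weekly, not nightly"
            }
            if ($null -eq $au.ScheduledInstallTime) {
                $findings += 'ScheduledInstallTime not set: no install hour is scheduled'
            }
        }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WUServer    = $(if ($wu) { $wu.WUServer } else { $null })
        AUOptions   = $(if ($au) { $au.AUOptions } else { $null })
        InstallHour = $(if ($au) { $au.ScheduledInstallTime } else { $null })
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Usage: show the result for this client.
Test-SusClientPolicy | Format-List
```

A client that reports Compliant = False is one that either still installs whatever Windows Update offers (no SUS approval step) or will not install your approved updates on the nightly schedule, which is exactly the gap the twice-monthly MBSA spot check is meant to surface. Running the function across the domain and collecting the objects gives you the same check without waiting for the next MBSA scan.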