Implementing Windows Server Update Services (WSUS)


Objective:

Install and configure software update infrastructure.

  • Install and configure software update services.

So far in this chapter, we have examined how you can implement a baseline server and network security program through the use of security templates and auditing. To keep a network secure as time goes by, you need to keep your servers and client workstations up-to-date with the latest patches and hot fixes. WSUS can handle this for you in an easy-to-use and easy-to-manage format.

Although Windows Server 2003 provides native support for Windows Server Update Services (WSUS) and the older Software Update Services (SUS), it does not by default include WSUS. It's easy enough, however, to acquire the WSUS installation package and get to work configuring and implementing WSUS on a network. But what, really, is WSUS? WSUS is nothing more than a locally controlled and managed Windows Update server. Instead of allowing the Automatic Updates client on your client workstations and servers to download updates directly from the Microsoft Windows Update servers, you can install and configure one or more WSUS servers on your internal network and point your client workstations and servers toward those WSUS servers.

As you might imagine, the ability to have your client workstations use an internal server for Windows Update can be a tremendous benefit to you because it means decreased bandwidth usage. As important as bandwidth savings might be, there is actually a larger benefit to be realized by implementing a WSUS solution on your internal network: the ability to approve specific updates that are to be installed on your clients. When you use Windows Update, your client computers install any available update that matches their needs, but with WSUS, you can specify which of the available updates are authorized to be pushed to the clients after you are satisfied that the update will pose no problems for your clients. This is a tremendous benefit that often goes unrealized.

The requirements to install WSUS on a Windows Server 2003 computer are as follows:

  • The system partition of the server must be formatted with the NTFS file system.

  • The partition on which you install WSUS must be formatted with the NTFS file system.

  • The system partition must have at least 1GB of free space available.

  • The partition where you install WSUS must have a minimum of 6GB of free space available; however, it is recommended that it have at least 30GB of free space available.

  • The partition where WSUS setup installs the Windows SQL Server 2000 Desktop Engine (WMSDE) must have at least 2GB of free space available.

  • The server must have Internet Information Services (IIS) 6.0 installed.

  • The server must have the Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 software installed.

  • The server must have the Background Intelligent Transfer Service (BITS) 2.0 update installed.

  • The server must have Windows SQL Server 2000 Desktop Engine (WMSDE), which will be installed by the WSUS setup.

Note: .NET Framework 1.1

Even though the .NET Framework is currently in version 2.0 for Windows Server 2003, WSUS installs only when using the .NET Framework 1.1 SP1 for Windows Server 2003. As of the time of this writing, WSUS did not support the .NET Framework 2.0, but that will likely change in the future. You can download the .NET Framework 1.1 and .NET Framework 1.1 SP1 for Windows Server 2003 from MSDN at the following location: http://msdn.microsoft.com/netframework/downloads/updates/version1/default.aspx.
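The server requirements listed above can be checked from a script before you run setup. The following PowerShell preflight is an added example, not part of the original text or of the WSUS installer; it assumes Windows PowerShell is installed on the server, and the `D:` defaults for the update-storage and WMSDE volumes are placeholders for the volumes you plan to select in the wizard.

```powershell
# Added example: preflight check for the WSUS server requirements listed above.
# $ContentDrive and $DatabaseDrive are placeholders for the volumes you intend
# to choose in the setup wizard for update storage and for WMSDE.
param(
    [string]$ContentDrive  = 'D:',
    [string]$DatabaseDrive = 'D:'
)

$results = @()

function Add-Result {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Passed = $Passed; Detail = $Detail
    }
}

function Test-Volume {
    param([string]$Drive, [string]$Role, [double]$MinFreeGB, [bool]$RequireNtfs)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if ($null -eq $disk) {
        Add-Result "$Role volume $Drive exists" $false 'volume not found'
        return
    }
    if ($RequireNtfs) {
        Add-Result "$Role volume $Drive is NTFS" ($disk.FileSystem -eq 'NTFS') `
            "file system: $($disk.FileSystem)"
    }
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    Add-Result "$Role volume $Drive has >= $MinFreeGB GB free" ($freeGB -ge $MinFreeGB) `
        "$freeGB GB free"
}

# Disk requirements: 1GB on the system partition, 6GB minimum (30GB recommended)
# for update storage, 2GB for WMSDE. If one volume serves two roles, it needs
# the sum of both figures.
Test-Volume $env:SystemDrive 'System' 1 $true
Test-Volume $ContentDrive 'Update storage' 6 $true
Test-Volume $DatabaseDrive 'WMSDE' 2 $false

# IIS 6.0: the W3SVC service exists and setup recorded major version 6.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$iis   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
Add-Result 'IIS 6.0 installed' (($null -ne $w3svc) -and ($iis.MajorVersion -eq 6)) `
    "InetStp MajorVersion: $($iis.MajorVersion)"

# .NET Framework 1.1 SP1: Install=1 and SP>=1 under the v1.1.4322 setup key.
$net11 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322' `
    -ErrorAction SilentlyContinue
Add-Result '.NET Framework 1.1 SP1 installed' (($net11.Install -eq 1) -and ($net11.SP -ge 1)) `
    "Install=$($net11.Install) SP=$($net11.SP)"

# BITS 2.0: identified by qmgr.dll file version 6.6 or later.
$qmgr = Join-Path $env:windir 'System32\qmgr.dll'
if (Test-Path $qmgr) {
    $info = (Get-Item $qmgr).VersionInfo
    $ver  = [version]"$($info.FileMajorPart).$($info.FileMinorPart)"
    Add-Result 'BITS 2.0 update installed' ($ver -ge [version]'6.6') `
        "qmgr.dll version $($info.FileVersion)"
} else {
    Add-Result 'BITS 2.0 update installed' $false 'qmgr.dll not found'
}

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```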


Clients to be updated by WSUS must meet one of the following requirements:

  • Microsoft Windows 2000 Professional with SP3 or SP4.

  • Windows 2000 Server with SP3 or SP4 or Windows 2000 Advanced Server with SP3 or SP4.

  • Microsoft Windows XP Professional, with or without SP1 or SP2.

  • Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows Server 2003, Web Edition.

With the formalities out of the way, we can now get down to the business of installing and configuring a WSUS server. After that, we examine how you can take care of the client end of your business.

Installing the WSUS Server

To begin the process of installing and configuring WSUS, you need to first ensure that you have met the guidelines presented in the previous section. After that, you need to download the WSUS installation package from http://www.microsoft.com/windowsserversystem/updateservices/default.mspx. Step by Step 5.8 outlines the process you follow to get WSUS installed on a server.

Note: Installing IIS 6.0

Exam 70-291 covers the basic installation and configuration of IIS 6.0 on a Windows Server 2003 computer; thus we will not duplicate that coverage here. You will be expected to perform the installation of IIS that is required in order to install WSUS on your server. If you need a review, see this Web site for more information: http://www.microsoft.com/WindowsServer2003/iis/default.mspx.


Step By Step
5.8. Installing a WSUS Server

1. Double-click the WSUS installation file to begin the installation on your new WSUS server. If prompted with a security warning, click Run to start the installer.

2. If you haven't met the requirements to install WSUS, you'll be presented with an error dialog like the one seen in Figure 5.57. After installing the required components, start the installation again.

Figure 5.57. It looks like we didn't meet all of the requirements to install WSUS on the server.


3. If your server is ready for an installation of WSUS, you will be presented with the Welcome to the Microsoft Windows Server Update Services Wizard dialog box. Click Next to dismiss the opening page of the wizard.

4. On the License Agreement dialog box, click the I Accept the Terms of the License Agreement radio button and click Next to continue. You will not be able to continue the installation of WSUS without accepting the EULA.

5. On the Select Update Source dialog box, as seen in Figure 5.58, WSUS will provide you with a default storage location for the update files. Recall that this location must be NTFS formatted and should not be the same volume as your system partition. If you want, you can change the location, but bear in mind the requirements that WSUS presents. You can also turn off the storing of updates locally if you like, although it is recommended that you leave it in the default configuration. Click Next to continue after making your selection.

Figure 5.58. WSUS will provide you with a default location to store files.


6. On the Database Options dialog box, shown in Figure 5.59, WSUS will provide you with a default path for the SQL Server desktop engine installation. If you want, you can change the location, but bear in mind the requirements that WSUS presents. If an existing SQL Server database was detected on the server, WSUS would allow you to configure that for use. Click Next to continue after making your selection.

Figure 5.59. WSUS will need a location to install the SQL Server desktop engine.


7. On the Web Site Selection dialog box, which is shown in Figure 5.60, you will need to tell WSUS what IIS Web site to use. The default selection is the existing default IIS Web site, which will work fine in most cases, especially if this server will have no other user-facing Web sites. Note that the configuration you pick will change the connection information provided in the bottom half of the page. Click Next to continue after making your selection.

Figure 5.60. The WSUS will need an IIS Web site made available to it.


8. On the Mirror Update Settings dialog box, which is shown in Figure 5.61, WSUS allows you to configure this new WSUS server to inherit update approval information from another WSUS server. This can be useful if you are creating a hierarchy of WSUS servers, such as in a headquarters-branch office scenario, or if you have another WSUS server from which you want to get approved update information. After you make your selection, click Next to continue.

Figure 5.61. WSUS allows your new server to inherit information about approved updates from another WSUS server.


9. On the Ready to Install Microsoft Windows Server Update Services dialog box, shown in Figure 5.62, make a note of the URL that is specified. This is the URL you will need to use later when configuring the Group Policy for WSUS and Automatic Updates to point your Automatic Updates to the WSUS server. When you are ready to complete the installation phase, click Next. The wizard installs WSUS on your server.

Figure 5.62. You should make a note of the URL to which you will be pointing your Automatic Updates clients.


10. When the wizard has completed, click Finish to close the wizard. You can now administer your WSUS server from http://servername/WSUSAdmin.

11. In most cases, the WSUS server administration page automatically appears at this time. If it does not, you can open your WSUS server administration page by entering http://servername/WSUSAdmin or by clicking the Microsoft Software Update Services item in the Administrative Tools folder. Either way, the WSUS administration page appears, as shown in Figure 5.63.



Figure 5.63. All administration of WSUS takes place from within a Web browser.


Congratulations, you've just installed a WSUS server, but your job is not done yet. Before you can start pushing updates to clients in need, you've got some more configuration work to do. We'll now move on to examining the different configuration areas you will need to work with in order to get the WSUS server up to speed.

Configuring the WSUS Server

The process of configuring a WSUS is fairly straightforward and shouldn't take all that long to complete. We'll examine each configuration area in the following sections. To access the WSUS server options page, simply click the Options link located in the top-right corner of the main window. This opens the Options page, shown in Figure 5.64.

Figure 5.64. You will need to spend a little time ensuring that all options are set and configured as required.


Synchronization Options

Clicking the Synchronization Options link seen in Figure 5.64 will bring you to the Synchronization Options page, as seen in Figure 5.65. From here you will configure basic networking information and synchronization schedules, all important items if your WSUS server is to work properly.

Figure 5.65. The Synchronization Options page allows you to get your server connected to the Internet and tell it how to process the downloading of updates.


Starting at the top of the page, you will need to configure the WSUS server with the correct information in the following areas:

  • Schedule: Specifies how often you want to download new updates.

  • Products and Classifications: Specifies for what versions of Windows (such as Windows 2000 or Windows XP) the WSUS server should provide updates. Additionally, you can specify what classification (severity level) of updates should be downloaded. These classifications include Critical Updates and Security Updates.

  • Proxy Server: If your network requires all Internet-bound traffic to pass through a proxy server, you can enter the required information, including credentials, to allow your WSUS server to download updates. You should probably consider creating a special, dedicated user account under which the WSUS server should access the Internet; this will allow you to track Internet usage more accurately.

  • Update Source: Specifies whether this WSUS server will get its updates from another WSUS server or from the Windows Update site. Additionally, if the WSUS server and its source for WSUS updates are configured for SSL, you can enable SSL from this location.

  • Update Files and Languages: This allows you to configure how the updates are stored, and most importantly, it allows you to configure in which languages updates are downloaded. The default is to download updates in all languages, which can be a large waste of disk space, network bandwidth, and time if you don't need to do so. It's worth taking the time to click the Advanced button here and then configure your language options, as seen in Figure 5.66.

    Figure 5.66. Changing the language options for your WSUS server is a good practice.

After you're done making changes on the Synchronization Options page, be sure to click the Save Settings link at the top of the page. After that, click the Options button to get back to the main Options page.

Automatic Approval Options

By clicking the Automatic Approval Options link seen previously in Figure 5.64, you will be brought to the Automatic Approval Options page, as seen in Figure 5.67. From here you will configure how the WSUS server will handle updates.

Figure 5.67. The Automatic Approval Options page allows you to configure how your WSUS server will handle updates.


Starting at the top of the page, you will need to configure the WSUS server in the following areas:

  • Updates: By default, WSUS will detect that computers need updates, but it will not automatically approve them for installation. In most cases, this is the recommended configuration. You can also change what types of updates are detected and/or automatically approved and also for what computer groups they will be detected and/or approved.

  • Revisions to Updates: By default, WSUS will automatically approve revisions to updates that have been previously approved. For maximum control, you'll likely want to change this setting.

  • Windows Server Update Services Updates: By default, WSUS will automatically approve updates to the WSUS server itself. You can opt to disable this behavior, but it may have an adverse impact on the functionality of the WSUS server in some rare instances.

After you're done making changes on the Automatic Approval Options page, be sure to click the Save Settings link at the top of the page. After that, click the Options button to get back to the main Options page.

Computers Options

If you click the Computers Options link seen previously in Figure 5.64, you will be brought to the Computers Options page, as seen in Figure 5.68. From here you will configure how the WSUS server groups computers.

Figure 5.68. The Computer Groups page allows you to configure how WSUS groups computers.


You can opt to group computers within WSUS, or you can group computers by using Group Policy. To group them by Group Policy, click the Help icon and follow the instructions in the help document. After you're done making changes on the Computers Options page, be sure to click the Save Settings link at the top of the page. After that, click the Home button to get back to the main WSUS page.

The Computers Page

By clicking the Computers link at the top of any WSUS page, you will be brought to the Computers page, as seen in Figure 5.69.

Figure 5.69. The Computers page allows you to configure computer groups within WSUS.


The Computers page is the management location from which all computer grouping is done. Only computers that have been configured to receive updates from this WSUS server will be shown on this page; that is why there are no computers listed (yet) in Figure 5.69. We'll examine this page in more detail after Group Policy has been configured for WSUS. If you want to, you can create new computer groups at this time by clicking the Create a Computer Group link to open the dialog box seen in Figure 5.70.

Figure 5.70. The creation of computer groups is fairly easy in WSUS.


The Reports Page

By clicking the Reports link at the top of any WSUS page, you will be brought to the Reports page, as seen in Figure 5.71.

Figure 5.71. The Reports page is your central location for WSUS reporting.


Once you've synchronized the WSUS server and started updating clients with it, you can come back to the Reports page to run reports that will help you keep tabs on what the WSUS server is doing.

The Updates Page

By clicking the Updates link at the top of any WSUS page, you will be brought to the Updates page, as seen in Figure 5.72.

Figure 5.72. The Updates page details the status of all updates.


Once you've synchronized the WSUS server and started approving updates, you can come back to the Updates page to see the status of each update. Notice the fairly granular filtering options available to you on the left side of the page.

Updating Clients with WSUS

Now that you've performed all of the basic configuration required after the installation of WSUS, you're ready to take the next steps: synchronizing the server with the Windows Update servers, configuring Group Policy to push WSUS settings to your clients, and approving updates and having client computers download them. We explore these tasks in this section.

Synchronizing the WSUS Server

To get your initial WSUS server synchronization accomplished, you'll want to use the Synchronization Options page, as seen previously in Figure 5.65, and click the Synchronize Now link in the top-left corner of the page. Note how the page changes after you start synchronization, as seen in Figure 5.73.

Figure 5.73. Once you start a synchronization event, you'll need to wait for it to finish before doing anything else.


If you go back to the Home page, you will be able to see the percent complete progress on the synchronization event.

Note: Sit Back and Relax

Once you start the initial synchronization event, you may be waiting for several hours (depending on how many languages you've selected) for all available updates to be downloaded. Of course, this is a good time to get your Group Policy Object created and in place.


Configuring Group Policy for WSUS

Once you've gotten WSUS installed and configured to your liking on your server, you need to configure Automatic Updates on your client workstations. Windows Server 2003 includes the administrative templates that allow you to start managing Automatic Updates from within Group Policy. In addition, in smaller organizations where Active Directory may not be in use, you can configure Automatic Updates directly on each local computer.

Step by Step 5.9 examines the process of configuring Automatic Updates through Group Policy in Windows Server 2003.

Step By Step
5.9. Configuring the Automatic Updates via Group Policy

1. Open the Active Directory Users and Computers console by selecting Start, Programs, Administrative Tools, Active Directory Users and Computers.

2. Navigate to the node for which you want to apply Automatic Updates settings, such as a specific OU or perhaps the domain. For this example, we'll apply the settings to the CORP OU, as shown in Figure 5.74.

Figure 5.74. You can apply your Automatic Updates client settings to any OU or domain of your choosing.


3. Right-click the CORP OU and select Properties from the context menu. The Sales Properties dialog box appears. Select the Group Policy tab, as seen previously in Figure 5.11.

4. To create a new GPO, click the New button. Supply a name for the new GPO, such as WSUS Settings, and press Enter.

5. Click the Edit button to open the Group Policy Editor for the selected GPO.

6. In the Group Policy Editor, expand the following nodes: Computer Configuration, Administrative Templates, Windows Components, and Windows Update, as seen in Figure 5.75.

Figure 5.75. You can configure Automatic Updates client options from Group Policy, if desired.


7. To configure an option from this node, double-click it.

8. Configure the Configure Automatic Updates option by opening it and selecting the Enabled option, as shown in Figure 5.76. Click OK to close the dialog box when complete. You have four options available for installing updates:

  • 2 Notify for download and notify for install

  • 3 Auto download and notify for install

  • 4 Auto download and schedule the install

  • 5 Allow local admin to choose setting

Figure 5.76. The Configure Automatic Updates option must be set to Enabled to allow WSUS to function.


9. Configure the Specify Intranet Microsoft Update Service Location option by opening it and selecting the Enabled option. Provide the URL to your WSUS server, as shown in Figure 5.77. You can use the same IIS server for both WSUS and statistics, as shown.



Figure 5.77. You need to ensure that you point your Automatic Updates clients to your internal servers.


10. Configure the Reschedule Automatic Updates Scheduled Installations option by opening it and selecting the Enabled option. Configure the amount of time after which Automatic Updates should try again after a failed installation, as shown in Figure 5.78.

Figure 5.78. You can configure Automatic Updates to retry failed installations.


11. Configure the No Auto-Restart for Scheduled Automatic Updates Installations option by opening it and selecting the Enabled option to prevent the computer from automatically restarting after Automatic Updates has installed new updates or by selecting Disabled to allow the computer to be restarted, as shown in Figure 5.79.



Figure 5.79. You should, in most cases, allow client computers to be restarted after the updates have been installed.


Configuring Local Group Policy for WSUS

In organizations where Active Directory is not in use, you can still easily configure the Automatic Updates client to download and install available updates from the Microsoft Windows Update Web servers. The options are available from either the Automatic Updates tab of the System applet or from the Automatic Updates applet, both of which are located in the Control Panel.

Alternatively, you can configure the local group policy on these computers to point towards an installed and configured WSUS server. To open the Local Computer Policy console, simply click Start, Run, enter gpedit.msc, and click OK. The Automatic Updates settings will be found in the same location as seen previously in Figure 5.75: Computer Configuration, Administrative Templates, Windows Components, Windows Update.

Approving WSUS Updates and Updating Client Computers

After you've completed all of the WSUS installation and configuration steps up to this point, only one basic task remains: actually getting the updates onto your client computers in need. This task encompasses three steps: having Group Policy apply to the clients, approving updates for download and/or installation, and verifying that the updates have been applied.

You can verify that Group Policy has taken effect on the server or workstation by examining the Automatic Updates applet or Automatic Updates tab in the System applet. Figure 5.80 shows that all options have been grayed out, thus indicating that some policy is configuring them and you cannot make changes to them directly.

Figure 5.80. Automatic Updates on this computer has been set by a policy and cannot be changed directly.
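The settings configured in Step by Step 5.9 are written to the client's registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so the same verification can be done from a script. This PowerShell audit is an added example, not from the original text; it assumes Windows PowerShell is available on the client, and the `http://servername` default is a placeholder for the URL you noted at the end of WSUS setup.

```powershell
# Added example: audit the Automatic Updates policy values on a WSUS client.
# $ExpectedServer is a placeholder for the URL noted at the end of WSUS setup.
param(
    [string]$ExpectedServer = 'http://servername'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# AUOptions values offered by the Configure Automatic Updates policy.
$auOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Test-WsusClientPolicy {
    param([string]$Expected)
    $findings = @()

    $wuServer     = Get-PolicyValue $wuKey 'WUServer'
    $statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    $useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
    $noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOptions    = Get-PolicyValue $auKey 'AUOptions'
    $noReboot     = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'

    # Specify Intranet Microsoft Update Service Location
    if (-not $wuServer) {
        $findings += 'FAIL  WUServer is not set: the client is not pointed at a WSUS server.'
    } else {
        if ($wuServer.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "FAIL  WUServer is '$wuServer', expected '$Expected'."
        }
        if ($wuServer -notmatch '^https://') {
            $findings += 'NOTE  WUServer uses plain HTTP: client-to-WSUS traffic is not protected by SSL.'
        }
    }
    if (-not $statusServer) {
        $findings += 'FAIL  WUStatusServer is not set: the client has no statistics server to report to.'
    }
    if ($useWuServer -ne 1) {
        $findings += 'FAIL  UseWUServer is not 1: the WUServer value is ignored.'
    }

    # Configure Automatic Updates
    if ($null -eq $auOptions -or $noAutoUpdate -eq 1) {
        $findings += 'FAIL  Configure Automatic Updates is not set to Enabled by policy.'
    } elseif ($auOptionNames.ContainsKey([int]$auOptions)) {
        $findings += "INFO  AUOptions = $auOptions ($($auOptionNames[[int]$auOptions]))."
    } else {
        $findings += "FAIL  AUOptions has unexpected value '$auOptions'."
    }

    # No Auto-Restart for Scheduled Automatic Updates Installations
    if ($noReboot -eq 1) {
        $findings += 'NOTE  Automatic restart after scheduled installs is suppressed by policy.'
    }
    return $findings
}

$report = @(Test-WsusClientPolicy -Expected $ExpectedServer)
$report
if ($report -match '^FAIL') { exit 1 }
```

On Windows XP and Windows Server 2003 clients, run `gpupdate /force` first so the GPO has been applied; `wuauclt /detectnow` then makes the Automatic Updates client contact the WSUS server without waiting for its next detection cycle.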


To approve an update, you need only select it in the listing on the Updates page, as seen previously in Figure 5.72, and click the Change approval link found in the top-right corner of the page. You should not typically approve updates until you've conducted enough testing to verify that the update will not cause any problems in your environment under most conditions (because you can never, unfortunately, plan for everything). Clicking the Change Approval link will cause the Approve Updates page to open as seen in Figure 5.81, which allows you to change the approval status of the update. Note that you can select multiple updates to approve at a single time if desired.

Figure 5.81. You will need to approve updates to install after you've tested them.


If you ever need a reminder of what you should be doing next when it comes to administering your WSUS implementation, look no further than the bottom of the Home page. The To Do List, as seen in Figure 5.82, will keep you on top of your WSUS game.

Figure 5.82. The WSUS To Do List helps keep you on top of required management tasks.


You can verify update installation by checking the Add or Remove Programs applet on client computers or by examining the logs within WSUS.

Managing Updates for Legacy Operating Systems

Objective:

Install and configure software update infrastructure.

  • Configure software updates on earlier operating systems.

The reality of your network may dictate that you provide support for legacy desktop clients such as Windows 98 clients. These older operating systems cannot participate in a WSUS server environment for multiple reasons, one of which is their inability to receive GPO settings. For clients such as these, you have a few options available when it comes to keeping them up-to-date.

Microsoft offers the old standby Windows Update that any of these legacy computers can use, regardless of their network status. Anyone who has used any version of Windows past Windows 95 is most likely familiar with Windows Update. You can connect to the Windows Update Web site at http://windowsupdate.microsoft.com.

Another Microsoft-provided option is to implement and use the Systems Management Server (SMS) application, which you can use to manage and monitor legacy versions of Windows, including rolling out updates and patches. A recent addition to the SMS package provides support for more easily determining and installing required updates on client computers; in addition, SMS provides some of the same support that WSUS does. You can find more information about SMS, currently in version 2003, at www.microsoft.com/smserver. A new version is coming shortly that promises even more powerful management features for administrators; you can find out more about it at http://www.microsoft.com/smserver/evaluation/2003/smsv4.mspx.




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied
