Although it is an unpalatable subject, hackers are out there, and Windows, as the most widely deployed desktop operating system, is also the most widely attacked one. For this reason, it is important that the computers in an organization be kept current with the newest security patches to keep the bad guys out. Traditionally, this task is handled by Automatic Updates, which fetches the latest updates over the internet from the Windows Update web site. The downside of this strategy is that every computer needing updates must be able to reach the internet, at least in part. In many organizations this is undesirable: internet bandwidth may be limited, and the administrator has no centralized way to control which updates are installed, or when.
By installing Software Update Services (SUS) in an organization, clients receive their updates from a server on the local intranet. Only the server running SUS needs access to the Windows Update site on the internet. This saves precious internet bandwidth and gives the administrator centralized control over which critical updates are approved for deployment.
Before we get going on SUS installation and configuration, we must have the following installed on our SUS server:
Internet Information Services (IIS)
Software Update Services Server (SUS)
6 GB of free hard disk space
700 MHz Pentium III (minimum)
In addition, our clients must be running Windows 2000 Service Pack 3 or later. If a client is still on Service Pack 2, either download and install the stand-alone SUS client (link provided in step 4 of the following tutorial) or upgrade it to Service Pack 3 or later from Microsoft's web site at http://www.microsoft.com.
The steps required to get a working SUS server are as follows:
Install Internet Information Services (IIS) on the server
Download and install the SUS package from Microsoft
Synchronize the server with Windows Update and approve updates
Configure clients via a Group Policy Object
In the following tutorials, we install SUS on the DC01 domain controller. You may need to have your Windows Server 2003 installer CD handy for some of the installation procedures.
On the domain controller DC01, open the Add/Remove Programs control panel.
Click the Add/Remove Windows Components button on the left side of the window. In the list of items that appears, double-click Application Server.
A new list appears. Place a check in the item labeled Internet Information Services (IIS). Click OK and Next. The installation proceeds normally.
Download the Software Update Services installer package from Microsoft's site:
Internet Explorer's Enhanced Security Configuration on Windows Server 2003 may warn you that the site you are trying to access is not in its Trusted sites zone. If this is the case, click Add twice, and then click Close. The download is close to 33 MB. If you have clients still on Windows 2000 Service Pack 2, download the SUS client from the same page and install it on those computers.
Once the download completes, launch the installer program. When asked about the type of installation, use Typical . When the installation finishes, Internet Explorer opens to the SUS administration page. If it does not open automatically, open Internet Explorer and point it to the following address:
This address simply points DC01 to itself and brings up the SUS configuration screen. Administration is entirely web based, which makes it very convenient; because anyone who can approve updates on this page decides what every client installs, keep access to it restricted to administrators.
On the left side of the window, click the item labeled Set Options. Scroll down until you see the heading Select where you want to store updates. Make sure that Save the updates to a local folder is selected, and uncheck all unnecessary languages (for example, if your client computers run English only, uncheck every language except English). This saves a great deal of download time. Also select the option labeled Automatically approve new versions of previously approved updates; be aware that a re-released update then reaches clients without passing through your approval step again. Click Apply.
In the left column of the window, click the option labeled Synchronize server. In the right column, click Synchronize Now. This tells our SUS server to download all new updates from Microsoft over the internet. The updates are stored on the SUS server, which then serves them to clients. Be patient: even on a very fast internet connection, this process can take some time.
Once the synchronization is complete, click the option labeled Synchronization Schedule . The synchronization window appears. Set the schedule to synchronize with the Microsoft Windows Update site daily by clicking Synchronize using this schedule and choosing Daily . Accept all other defaults.
In the left column, click the item labeled Approve Updates. This is the fun part. Check all items that you wish to make available to client computers. It's safe to say that any items labeled Critical or Security are the ones you will want to roll out to your clients. For this exercise, check only those items that are critical or security related. Note that anything you approve here becomes available to every client pointed at this server at its next check-in.
We now configure our clients to use the SUS server instead of the Windows Update site on the internet. Since the SUS server is installed on DC01 in the guinea.pig domain, we shall service clients only in that domain (although we could configure clients in other domains to use DC01 as their SUS server). To stave off increased network traffic between domains, it's wise to install an SUS server in each domain (Note: we discuss multiple domains in the next chapter).
To tell all clients in the domain to use SUS, we must create a GPO telling them to do so. We apply this GPO to the entire domain.
On DC01, open Active Directory Users and Computers .
In the left window pane, right-click guinea.pig and choose Properties. Select the Group Policy tab and click New. Give this new GPO the name Software Update Services GPO.
Edit this new GPO. Since most of the updates provided by SUS are operating system and computer specific, we make this GPO computer based instead of user based. This being the case, navigate to and click the Windows Update folder located under Computer Configuration -> Administrative Templates -> Windows Components.
On the right side of the window pane are four options. Double-click the first item labeled Configure Automatic Updates .
Click the Enabled option. In the Configure automatic updating field are three options:
Notify for both download and install
Auto download and notify for install
Auto download and schedule install
The first option notifies the user that updates are available; the user must manually start the download and then manually start the installation. Suffice it to say that under this option very few updates will ever be applied to your client computers.
The second option downloads updates automatically, without giving the user a choice, but the user still has to confirm the installation of each new update. Again, you will be hard-pressed to find users who take the time to do this.
The third option gives the user no choice at all: it downloads all new updates and installs them automatically at a time of your choosing. This is the only reliable way to get critical updates onto your client computers without depending on user intervention. For this exercise, select Auto download and schedule install. Set the Scheduled install day to every day, and set the scheduled install time to noon. Click OK.
Double-click the item labeled Specify intranet Microsoft update service location. This item points clients to our SUS server. The first field is the server clients contact to detect and download updates; the second is the statistics server to which they report their status. Select the Enabled option, enter http://dc01.guinea.pig into both fields, and click OK.
Double-click the item labeled Reschedule Automatic Updates scheduled installations. This item pertains to clients whose scheduled installation was missed for one reason or another (a power outage, for example). It sets how long such a client waits after the Automatic Updates service starts at boot before installing the previously scheduled update. Select Enabled and keep the wait interval used in this exercise, 5 minutes. Click OK.
Double-click the item labeled No auto-restart for scheduled Automatic Updates installations. When enabled, this item prevents the client from restarting automatically while a user is logged on; instead the user is notified that updates have been installed and that the computer must be restarted before they take effect. If left off, the logged-on user is warned that the computer will restart in five minutes, giving him or her time to save work. For the purpose of this exercise, click Enabled, but bear in mind the trade-off: an installed update does nothing until the restart happens, so a user who ignores the notice leaves the computer unpatched until then. Close the GPO editor and the guinea.pig Properties dialog.
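Each of the GPO items above lands in the client's registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) at the next policy refresh. The following batch file, added here as an example and not part of the original tutorial, checks a Windows 2000 or XP client against the values chosen in this exercise so you can confirm the policy arrived before waiting on a detection cycle. It assumes the SUS server is http://dc01.guinea.pig as above, and that reg.exe is available (built into Windows XP; on Windows 2000 it ships in the Support Tools). The column layout of reg query output differs between reg.exe versions; the tokens=3 parsing below matches Windows XP's reg.exe.

```batch
@echo off
rem Added example (not from the original tutorial): verify that a Windows 2000/XP client
rem has received the SUS Group Policy settings. Expected values mirror this tutorial:
rem   Specify intranet Microsoft update service location -> WUServer / WUStatusServer / UseWUServer
rem   Configure Automatic Updates (Auto download and schedule install, every day, noon)
rem     -> NoAutoUpdate=0, AUOptions=4 (2 = notify/notify, 3 = auto download/notify),
rem        ScheduledInstallDay=0 (every day), ScheduledInstallTime=12
rem   Reschedule Automatic Updates scheduled installations -> RescheduleWaitTime (minutes)
rem   No auto-restart for scheduled Automatic Updates installations -> NoAutoRebootWithLoggedOnUsers=1
rem Assumes reg.exe (Windows XP; Support Tools on Windows 2000). Adjust "tokens=3" if your
rem reg.exe prints its columns in a different order. SUS server URL is an assumption from the text.
setlocal
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set AU=%WU%\AU
set ERRORS=0

call :check "%WU%" WUServer       http://dc01.guinea.pig
call :check "%WU%" WUStatusServer http://dc01.guinea.pig
call :check "%AU%" UseWUServer    0x1

call :check "%AU%" NoAutoUpdate         0x0
call :check "%AU%" AUOptions            0x4
call :check "%AU%" ScheduledInstallDay  0x0
call :check "%AU%" ScheduledInstallTime 0xc

call :check "%AU%" RescheduleWaitTime 0x5

call :check "%AU%" NoAutoRebootWithLoggedOnUsers 0x1

if %ERRORS%==0 (
    echo All SUS policy values are present and as expected.
) else (
    echo %ERRORS% value^(s^) missing or different. Refresh policy with "gpupdate /force" ^(XP^)
    echo or "secedit /refreshpolicy machine_policy /enforce" ^(Windows 2000^) and re-run.
)
endlocal
goto :eof

:check
rem %1 = registry key (quoted), %2 = value name, %3 = expected data.
rem reg.exe shows REG_DWORD data in hex (0x4), so the expected values above are hex too.
set ACTUAL=
for /f "tokens=3" %%A in ('reg query %1 /v %2 2^>nul ^| find /i "%2"') do set ACTUAL=%%A
if /i "%ACTUAL%"=="%3" (
    echo OK       %2 = %ACTUAL%
) else (
    echo MISMATCH %2: expected %3, found "%ACTUAL%"
    set /a ERRORS+=1
)
goto :eof
```

Run it from a command prompt on the client after the GPO has been linked. A missing WUServer or UseWUServer value means the client is still going to the internet Windows Update site, regardless of what the other values say.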
Normally, the client will check in with the SUS server after a few hours. However, you may wish to test the SUS server immediately. To do this, you can "force" the client to check for updates. This requires delving a bit into the Windows Registry.
On the client (either Windows XP or 2000), log in as a local administrator.
Open the Services configuration tool. On Windows XP, this is located under Control Panel -> Administrative Tools; on Windows 2000, open it from Control Panel.
In the right pane of the Services window, right-click the entry labeled Automatic Updates and choose Stop. Stopping the service ensures the registry change below is not overwritten while the service runs, and that it takes effect when the service restarts. Be sure to keep the Services window open.
Click Start -> Run and type regedit. The Windows Registry Editor appears. In the left column, expand the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
Click once on the folder labeled Auto Update.
On the right side of the window, double-click the item labeled AUState .
A new window appears. In the Value data field, enter the number 2 and click OK .
If it exists, right-click the item labeled LastWaitTimeout and choose Delete. Close the Registry Editor.
Back in the Services window, right-click Automatic Updates and choose Start . This restarts the auto-update service in the forced-check mode. Close Services .
The system checks for updates from the SUS server within 10 to 15 minutes.
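The same forced check can be scripted, which is handy when you want to test several clients at once. The batch file below is an added example, not part of the original tutorial; it performs the Services and Registry Editor steps above from the command line. It assumes reg.exe is available (built into Windows XP; on Windows 2000 it ships in the Support Tools), and it is run by a local administrator. "wuauserv" is the service name behind the Automatic Updates entry in the Services console.

```batch
@echo off
rem Added example (not from the original tutorial): force a Windows 2000/XP client to check
rem the SUS server for updates, following the manual steps in the text.
rem Assumes reg.exe (Windows XP; Support Tools on Windows 2000) and a local administrator account.
setlocal
set AUKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

rem 1. Stop Automatic Updates so the state change is not overwritten while the service runs.
net stop wuauserv
if errorlevel 1 (
    echo Could not stop the Automatic Updates service: not running, or you are not an administrator.
    goto :eof
)

rem 2. AUState = 2 puts the client into "detection pending", so it contacts the SUS server
rem    as soon as the service comes back up.
reg add "%AUKEY%" /v AUState /t REG_DWORD /d 2 /f

rem 3. Remove the cached wait timeout (if present); otherwise the client keeps waiting out
rem    the timer from its last cycle.
reg delete "%AUKEY%" /v LastWaitTimeout /f 2>nul

rem 4. Restart the service. Detection against the server named in the GPO should follow
rem    within roughly 10 to 15 minutes, as described above.
net start wuauserv

rem Show which update server the client will contact (set by the GPO; absent means Windows Update on the internet).
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
endlocal
```

If the final reg query reports that the value does not exist, the client has not yet received the GPO, and the forced check will go to the internet Windows Update site rather than to DC01.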