Using Windows Server Update Services

One of the main drawbacks to Windows security has been the difficulty in keeping servers and workstations up to date with the latest security fixes. For example, the security fix for the Index Server component of IIS was available for more than a month before the Code Red and Nimbda viruses erupted onto the scene. If the deployed Web servers had downloaded the patch, they would not have been affected. The main reason that the vast majority of the deployed servers were not updated was that keeping servers and workstations up to date with the latest security patches was an extremely manual and time-consuming process. For this reason, a streamlined approach to security patch application was required and realized with the release of Software Update Services (SUS) and its subsequent and newer iterations, Windows Server Update Services (WSUS).

Understanding the Background of WSUS: Windows Update

In response to the original concerns regarding the difficulty in keeping computers properly patched, Microsoft made available a centralized Web site called Windows Update to which clients could connect, download security patches, and install them. Invoking the Windows Update Web page remotely installed an executable, which ran a test to see which hotfixes had been applied. Those that were not applied were offered up for download, and users could easily install these patches.

Windows Update streamlined the security patch verification and installation process, but the major drawback was that it required a manual effort to go up to the server every few days or weeks and check for updates. A more efficient, automated process was required.

Deploying the Automatic Updates Client

The Automatic Updates Client was developed to automate the installation of security fixes and patches and to give users the option to automatically "drizzle" patches across the Internet to the local computer for installation. Drizzling, also known as Background Intelligent Transfer Service (BITS), is a process in which a computer intelligently utilizes unused network bandwidth to download files to the machine. Because only unused bandwidth is used, there is no perceived effect on the network client itself.

The Automatic Updates Client was included as a standard feature that is installed with Windows 2000 Service Pack 3 and Windows XP Service Pack 1. It is also available for download as a separate component.

Understanding the Development of Windows Server Update Services

The Windows Update Web site and the associated client provided for the needs of most home users and some small offices. However, large organizations, concerned about the bandwidth effects of downloading large numbers of updates over the Internet, often disabled this service or discouraged its use. These organizations often had a serious need for Windows Update's capabilities. This fact led to the development of Software Update Services, which was later improved into the new product, Windows Server Update Services.

WSUS is a free download from Microsoft that effectively gives organizations their own, independent version of the Windows Update server. WSUS runs on a Windows Server 2003 machine that is running Internet Information Services. Clients connect to a central intranet WSUS server for all their security patches and updates.

WSUS is not considered to be a replacement technology for existing software deployment solutions such as Systems Management Server (SMS), but rather it is envisioned as a solution for mid- to large-size businesses to take control over the fast deployment of security patches as they become available. Current SMS customers may decide instead to use the SMS 2.0 Value Pack, which includes security-patch functionality similar to that offered by WSUS.

WSUS Prerequisites

Deploying WSUS on a dedicated server is preferable, but it can also be deployed on a Windows Server 2003 member server, as long as that server is running Internet Information Services. The following list details the minimum levels of hardware on which WSUS will operate:

• 700MHz x86-compatible processor

• 512MB RAM

• 6GB available disk space

In essence, a WSUS server can easily be set up on a workstation-class machine, although more enterprise-level organizations might desire to build more redundancy in to a WSUS environment.

In addition to these hardware requirements, WSUS also requires the installation of IIS 5.0 or greater and Background Internet Transfer Service (BITS) 2.0 or greater.

Installing a Windows Server Update Services System

The installation of WSUS is straightforward, assuming that IIS has been installed and configured ahead of time (for more information on installing IIS, refer to Chapter 11, "Internet Information Services v6"). The executable for WSUS can be downloaded from the WSUS Web site at Microsoft, currently located at the following URL:

http://www.microsoft.com/wsus

To complete the initial installation of WSUS, follow these steps:

1.	Run the WSUS Setup from the CD or the download executable.
2.	Click Next at the Welcome screen.
3.	Review and accept the license agreement to continue. Click Next to continue.
4.	Select to store updates locally and accept the default location. Click Next to continue.
5.	Select to install the SQL Desktop engine on the computer, and click Next.
6.	Select to use the existing IIS Web site, as shown in Figure 12.9. Click Next to continue. Figure 12.9. Installing WSUS.
7.	Do not check to inherit settings from a different server, as shown in Figure 12.10. Check this only if an existing WSUS server exists from which settings should be copied. Click Next to continue. Figure 12.10. Reviewing WSUS installation settings.
8.	Click Next after reviewing the settings on the Ready to Install dialog box.
9.	The installation will complete and the admin Web site URL will be displayed after you click Finish.

The administration Web page (http://servername/WSUSAdmin) will be automatically displayed after installation. This page is the main location for all configuration settings for WSUS and is the sole administrative console. By default, it can be accessed from any Web browser on the local network. All further configuration will take place from the Admin console, as illustrated in Figure 12.11.

Figure 12.11. Viewing the WSUS Admin Console.

Setting WSUS Options

After installation, WSUS will not physically contain any security patches. The first task after installation should be configuring all the options available to the server. You can invoke the option page by clicking Options in the upper pane of the WSUS Admin page.

The Options page in WSUS allows you to set specific settings such as Synchronization Options, Automatic Approval Options, and Computer Options (refer to Figure 12.11). These options provide for critical information such as how often the server will synchronize itself, whether a proxy server will be used, and how to manage computer groups.

Synchronizing a WSUS Server

After configuring all the options in WSUS, particularly the options regarding which security patch languages will be supported, the initial synchronization of the WSUS server can take place. To perform the synchronization, follow these steps:

1.	Open the WSUS Admin Web page by launching Internet Explorer on the WSUS server and going to http://localhost/WSUSAdmin.
2.	Click the Synchronize Now link in the main pane.
3.	The next screen to be displayed, shown in Figure 12.12, gives you the option of synchronizing with the WSUS site now or setting up a synchronization schedule. It is advised to do a full WSUS synchronization first and to schedule subsequent downloads on a daily basis thereafter. So, in this example, click the Synchronize Now button. Figure 12.12. Setting WSUS synchronize server options.
4.	An updated WSUS catalog will then be downloaded in addition to all the security patches that exist on the corporate WSUS server. Downloading may take a significant amount of time, depending on the Internet connection in use.

Note

Plan to run the initial synchronization of WSUS over a weekend, beginning the download on Friday evening. Given the number of security patches that you will need to download and the overall Internet connection bandwidth consumption used, it is wise to limit the impact that this procedure will have on the user population.

Approving WSUS Software Patches

After the initial synchronization has taken place, all the relevant security patches will be downloaded and ready for approval. Even though the files are now physically downloaded and in the IIS metadirectory, they cannot be downloaded by the client until the approval process has been run on each update. This allows administrators to thoroughly test each update before it is approved for distribution to corporate servers and workstations. To run the approval process, follow these steps:

1.	Open the WSUS Admin Web page by launching Internet Explorer on the WSUS server and going to http://localhost/WSUSAdmin.
2.	Click the Updates link in the top pane.
3.	Select all updates that will be approved (you can select multiple ones and click the Change Approval link, as shown in Figure 12.13). Figure 12.13. Approving updates. Depending on the number of updates downloaded, the preceding steps may need to be repeated several times before all updates are approved.
4.	From the drop-down box, select Install and click OK.
5.	Select to replace any existing approvals, and click OK.
6.	The updates will then be approved.

Note

A good approach to testing updates is to download them first on a client with direct access to Windows Update on the Internet. After the test server or workstation has successfully downloaded and all functionality has been verified, that particular security patch can be approved in WSUS for the rest of the corporate clients.

Automatically Configuring Clients via Group Policy

As previously mentioned, the Automatic Updates client can be downloaded from Microsoft and deployed on managed nodes in an environment, either manually or through automated measures. Service Pack 3 for Windows 2000 includes the client by default, as well as Service Pack 1 for Windows XP. After the client is installed, it can be configured to point to a WSUS server, rather than the default Internet Windows Update location.

The configuration of each client can be streamlined by using a Group Policy in an Active Directory environment. Windows Server 2003 domain controllers automatically contain the proper Windows Update Group Policy extension, and a Group Policy can be defined by following these steps:

1.	Open Active Directory Users and Computers (Start, All Programs, Administrative Tools, Active Directory Users and Computers).
2.	Right-click the organizational unit that will have the Group Policy applied and click Properties.
3.	Select the Group Policy tab.
4.	Click the New button and name the Group Policy.
5.	Click the Edit button to invoke the Group Policy Object Editor.
6.	Expand the Group Policy Object Editor to Computer Configuration\Administrative Templates\Windows Components\Windows Update, as illustrated in Figure 12.14. Figure 12.14. Configuring Windows Update Group Policy settings.
7.	Double-click the Configure Automatic Updates setting.
8.	Set the Group Policy to be enabled, and configure the automatic updating sequence as desired. The three options given2, 3, and 4allow for specific degrees of client intervention. For seamless, client-independent installation, choose option 4.
9.	Schedule the interval that updates will be installed, bearing in mind that some updates require reboots.
10.	Click Next Setting to configure more options.
11.	Click Enabled to specify the Web location of the WSUS server. Entering the fully qualified domain name is recommended, as indicated in Figure 12.15. Enter both settings (usually the same server) and click OK to save the Group Policy settings. Figure 12.15. Setting the WSUS server location via a Group Policy.
12.	Repeat the procedure for any additional organizational units. (The same Group Policy can be used more than once.)

Note

Organizations that do not use Active Directory or Group Policies have to manually configure each client's settings to include the location of the WSUS server. This can be done through a local policy or manually through Registry settings, as defined in the WSUS Help.

Tip

A useful trick for automating the testing of new WSUS patches is to deploy two WSUS servers and two sets of Group Policies. The first WSUS server serves as a pilot WSUS server, and all updates are approved as soon as they become available. A subset of the client population then points to this server through a GPO and installs the patches immediately. After the patch has been validated on this pilot group, the real WSUS server can then be set to approve the patch, deploying the update to the rest of the user population. This model requires more hardware resources but streamlines the WSUS update process.

Deploying Security Patches with WSUS

Depending on the settings chosen by the Group Policy or the Registry, the clients that are managed by WSUS will automatically download updates and install them on clients at a specified time. Some computers may be configured to allow for local interaction, scheduling proper times for the installation to take place and prompting for "drizzle" downloading.

Clients that are configured to use WSUS will not be prompted to configure their Automatic Update settings, and they will be grayed out to prevent any changes from occurring. Users without local administrative access will not be able to make any changes to the installation schedule, although local admin users will be able to postpone forced installs.

Note

Generally, it is good practice to allow servers to control the download and installation schedule, but to force clients to do both automatically. Depending on the political climate of an organization, this may or may not be a possibility.