One of the main drawbacks to Windows security has been the difficulty in keeping servers and workstations up to date with the latest security fixes. For example, the security fix for the Index Server component of IIS was available for more than a month before the Code Red and Nimbda viruses erupted onto the scene. If the deployed Web servers had downloaded the patch, they would not have been affected. The main reason that the vast majority of the deployed servers were not updated was that keeping servers and workstations up to date with the latest security patches was an extremely manual and time-consuming process. For this reason, a streamlined approach to security patch application was required and realized with the release of Software Update Services (SUS) and its subsequent and newer iterations, Windows Server Update Services (WSUS). Understanding the Background of WSUS: Windows UpdateIn response to the original concerns regarding the difficulty in keeping computers properly patched, Microsoft made available a centralized Web site called Windows Update to which clients could connect, download security patches, and install them. Invoking the Windows Update Web page remotely installed an executable, which ran a test to see which hotfixes had been applied. Those that were not applied were offered up for download, and users could easily install these patches. Windows Update streamlined the security patch verification and installation process, but the major drawback was that it required a manual effort to go up to the server every few days or weeks and check for updates. A more efficient, automated process was required. Deploying the Automatic Updates ClientThe Automatic Updates Client was developed to automate the installation of security fixes and patches and to give users the option to automatically "drizzle" patches across the Internet to the local computer for installation. Drizzling, also known as Background Intelligent Transfer Service (BITS), is a process in which a computer intelligently utilizes unused network bandwidth to download files to the machine. Because only unused bandwidth is used, there is no perceived effect on the network client itself. The Automatic Updates Client was included as a standard feature that is installed with Windows 2000 Service Pack 3 and Windows XP Service Pack 1. It is also available for download as a separate component. Understanding the Development of Windows Server Update ServicesThe Windows Update Web site and the associated client provided for the needs of most home users and some small offices. However, large organizations, concerned about the bandwidth effects of downloading large numbers of updates over the Internet, often disabled this service or discouraged its use. These organizations often had a serious need for Windows Update's capabilities. This fact led to the development of Software Update Services, which was later improved into the new product, Windows Server Update Services. WSUS is a free download from Microsoft that effectively gives organizations their own, independent version of the Windows Update server. WSUS runs on a Windows Server 2003 machine that is running Internet Information Services. Clients connect to a central intranet WSUS server for all their security patches and updates. WSUS is not considered to be a replacement technology for existing software deployment solutions such as Systems Management Server (SMS), but rather it is envisioned as a solution for mid- to large-size businesses to take control over the fast deployment of security patches as they become available. Current SMS customers may decide instead to use the SMS 2.0 Value Pack, which includes security-patch functionality similar to that offered by WSUS. WSUS PrerequisitesDeploying WSUS on a dedicated server is preferable, but it can also be deployed on a Windows Server 2003 member server, as long as that server is running Internet Information Services. The following list details the minimum levels of hardware on which WSUS will operate:
In essence, a WSUS server can easily be set up on a workstation-class machine, although more enterprise-level organizations might desire to build more redundancy in to a WSUS environment. In addition to these hardware requirements, WSUS also requires the installation of IIS 5.0 or greater and Background Internet Transfer Service (BITS) 2.0 or greater. Installing a Windows Server Update Services SystemThe installation of WSUS is straightforward, assuming that IIS has been installed and configured ahead of time (for more information on installing IIS, refer to Chapter 11, "Internet Information Services v6"). The executable for WSUS can be downloaded from the WSUS Web site at Microsoft, currently located at the following URL: http://www.microsoft.com/wsus To complete the initial installation of WSUS, follow these steps:
The administration Web page (http://servername/WSUSAdmin) will be automatically displayed after installation. This page is the main location for all configuration settings for WSUS and is the sole administrative console. By default, it can be accessed from any Web browser on the local network. All further configuration will take place from the Admin console, as illustrated in Figure 12.11. Figure 12.11. Viewing the WSUS Admin Console.Setting WSUS OptionsAfter installation, WSUS will not physically contain any security patches. The first task after installation should be configuring all the options available to the server. You can invoke the option page by clicking Options in the upper pane of the WSUS Admin page. The Options page in WSUS allows you to set specific settings such as Synchronization Options, Automatic Approval Options, and Computer Options (refer to Figure 12.11). These options provide for critical information such as how often the server will synchronize itself, whether a proxy server will be used, and how to manage computer groups. Synchronizing a WSUS ServerAfter configuring all the options in WSUS, particularly the options regarding which security patch languages will be supported, the initial synchronization of the WSUS server can take place. To perform the synchronization, follow these steps:
Note Plan to run the initial synchronization of WSUS over a weekend, beginning the download on Friday evening. Given the number of security patches that you will need to download and the overall Internet connection bandwidth consumption used, it is wise to limit the impact that this procedure will have on the user population. Approving WSUS Software PatchesAfter the initial synchronization has taken place, all the relevant security patches will be downloaded and ready for approval. Even though the files are now physically downloaded and in the IIS metadirectory, they cannot be downloaded by the client until the approval process has been run on each update. This allows administrators to thoroughly test each update before it is approved for distribution to corporate servers and workstations. To run the approval process, follow these steps:
Note A good approach to testing updates is to download them first on a client with direct access to Windows Update on the Internet. After the test server or workstation has successfully downloaded and all functionality has been verified, that particular security patch can be approved in WSUS for the rest of the corporate clients. Automatically Configuring Clients via Group PolicyAs previously mentioned, the Automatic Updates client can be downloaded from Microsoft and deployed on managed nodes in an environment, either manually or through automated measures. Service Pack 3 for Windows 2000 includes the client by default, as well as Service Pack 1 for Windows XP. After the client is installed, it can be configured to point to a WSUS server, rather than the default Internet Windows Update location. The configuration of each client can be streamlined by using a Group Policy in an Active Directory environment. Windows Server 2003 domain controllers automatically contain the proper Windows Update Group Policy extension, and a Group Policy can be defined by following these steps:
Note Organizations that do not use Active Directory or Group Policies have to manually configure each client's settings to include the location of the WSUS server. This can be done through a local policy or manually through Registry settings, as defined in the WSUS Help. Tip A useful trick for automating the testing of new WSUS patches is to deploy two WSUS servers and two sets of Group Policies. The first WSUS server serves as a pilot WSUS server, and all updates are approved as soon as they become available. A subset of the client population then points to this server through a GPO and installs the patches immediately. After the patch has been validated on this pilot group, the real WSUS server can then be set to approve the patch, deploying the update to the rest of the user population. This model requires more hardware resources but streamlines the WSUS update process. Deploying Security Patches with WSUSDepending on the settings chosen by the Group Policy or the Registry, the clients that are managed by WSUS will automatically download updates and install them on clients at a specified time. Some computers may be configured to allow for local interaction, scheduling proper times for the installation to take place and prompting for "drizzle" downloading. Clients that are configured to use WSUS will not be prompted to configure their Automatic Update settings, and they will be grayed out to prevent any changes from occurring. Users without local administrative access will not be able to make any changes to the installation schedule, although local admin users will be able to postpone forced installs. Note Generally, it is good practice to allow servers to control the download and installation schedule, but to force clients to do both automatically. Depending on the political climate of an organization, this may or may not be a possibility. |