Updating Windows Small Business Server

A key part of security is keeping your Windows Small Business Server current on updates. When vulnerabilities are exposed, Microsoft makes fixes available almost instantly. And “almost instantly” is none too soon for your network. Click the globe icon in the notification areas of the Taskbar to start the Automatic Updates Setup Wizard.

On the Notification Settings page, select the updating method you want. Essentially, the three methods are:

• Don’t do anything without telling me.

• Download updates but don’t install automatically.

• Download and install. Don’t bother me with the details.

The first option lends itself too much to delay. The third option is a bit aggressive for many users because some updates require a reboot and with this option the reboot occurs no matter what the server is doing or who is using it. The second option is an effective choice. Updates are downloaded when they become available but you can choose when to install them—important when a server reboot is required to complete the installation.

Updating Client Computers

Automatically updating your server with Windows Automatic Updates is easy enough, but what about client machines? You can’t count on users consistently updating their own machines nor do you want to have to deal with it manually. The solution is to use the Automatic Updates client on Windows XP, Windows 2000, and Windows Server 2003 systems to automatically download and install updates daily or weekly. (See the “Using Group Policy to Set Clients to Update Automatically” section in Chapter 10 for Group Policy settings that make this happen.)

Centralizing Updates

Software Update Services (SUS) is a free tool from Microsoft that provides a seamless patch, scanning, and installation service. SUS scans the machines on your network, lets you know which patches are needed, connects to Windows Update, downloads needed patches, and then applies your local policy for automatic distribution of patches.

SUS is a good solution for networks large enough to require centralized control over patch management (and the centralized downloading of updates), but it takes some time to set up and configure and requires a monthly commitment to reviewing patches.

Installing Software Update Services

To install Software Update Services, complete the following these steps:

1. Launch the Software Update Services installation program (available from the Microsoft Download Center at http://www.microsoft.com/downloads/).

2. Read and accept the terms of the Licensing Agreement, and then click Next.

3. For type of installation, click Typical and then click Install to install SUS, or click Custom to do a custom installation.

   Caution

   You can change most settings after installation; however, the only time you can easily change where SUS stores downloaded updates is during a Custom setup.

4. If you chose to perform a custom installation, click the first Browse button on the Choose File Locations page (Figure 6-14) to specify in which folder the Software Update Services Web site files should be installed.

   
   Figure 6-14: Choosing where to store update files.

5. To download all updates to the Windows Small Business Server and host them locally, select the Save The Updates To This Local Folder option and click Browse to specify in which folder updates should be stored; otherwise, select Keep The Updates On A Microsoft Windows Update Server, To Which I Will Direct Clients. Click Next to continue.

6. On the Language Settings page, select which languages are supported on the network and then click Next.

7. On the Handling New Versions Of Previously Approved Updates page, specify whether new versions of updates that you previously approved should be automatically approved, click Next, and then click Install.

Setting Options

After setup is complete, the Software Update Services administration Web site (http://localhost/SUSAdmin) opens automatically. This site is accessible only to users who are members of the SUS computer’s Local Administrators group and requires Internet Explorer 5.5 or later.

To set options, complete the following steps:

1. Click Set Options and then specify the proxy server settings, as shown in Figure 6-15. For Windows Small Business Server 2003, Standard Edition, select Do Not Use A Proxy Server To Access The Internet. For Windows Small Business Server 2003, Premium Edition, select Use A Proxy Server To Access The Internet, choose Use The Following Proxy Server To Access The Internet, type the Windows Small Business Server computer name and ISA server port number (usually 8080), and provide appropriate user credentials in the form of DOMAIN\USER.

   Planning

   Users of Windows Small Business Server 2003, Premium Edition, must host updates locally for clients to successfully download updates, unless ISA Server is configured not to require authentication. Additionally, users should either administer Software Update Services from the local computer (by logging on locally or via Remote Desktop) or configure Software Update Services to use SSL encryption. (Click the About Software Update Services hyperlink in the Software Update Services administration Web site for help with this.)

   
   Figure 6-15: Setting options on the Software Update Services administration Web site.

2. If Windows 2000 and Windows XP clients have NetBIOS Over TCP/IP disabled (this setting is located in the Advanced TCP/IP Settings dialog box on the client), type the SUS computer’s DNS name or IP address in the Server Name box.

3. In the Select How You Want To Handle New Versions Of Previous Approved Updates section of the page, specify whether new versions of updates that you previously approved should be automatically approved.

4. To download all updates to the Windows Small Business Server and host them locally, select the Save The Updates To A Local Folder option in the Select Where You Want To Store Updates section of the page; otherwise, select Maintain The Updates On A Microsoft Windows Update Server.

5. Select which languages are supported on your network, and then click Apply.

Setting a Synchronization Schedule

Software Update Services must synchronize with a Microsoft Windows Update server (or another SUS server) to provide updates to clients. This process can be time-consuming the first time when you’re hosting updates locally (SUS downloads around 600 MB and can be larger depending on your language choices), and when new service packs are released. For this reason, schedule Software Update Services to synchronize automatically during off-hours.

To synchronize Software Update Services and create a new schedule, complete the following steps:

1. On the Software Update Services administration Web site, click the Synchronize Server link.

2. Click Synchronize Now to perform an immediate synchronization, or click Synchronization Schedule to schedule synchronizations.

3. In the Schedule Synchronization dialog box, select Synchronize Using This Schedule, specify the time and days on which to synchronize, and specify how many times SUS should retry a failed synchronization (with a 30-minute retry interval).

Approving Updates

Software Update Services differs from Automatic Updates in that it allows administrators to select which updates to deploy to clients. You should plan on performing this process monthly, shortly after the regular release of the Microsoft Security Bulletin on the second Tuesday of the month. (View the bulletin at http://www.microsoft.com/security.) Install critical patches as they are released. (Subscribe to the Microsoft Security Update or Microsoft Security Notification Service at http://www.microsoft.com/security/security_bulletins/alerts.asp to ensure that you receive notification of these patches.)

To approve patches for deployment, complete the following steps:

1. On the Software Update Services administration Web site, click the Approve Updates link. This displays a list of available updates, as shown in Figure 6-16.

2. Click the Details link next to an update. In the Update Details dialog box, click the page icon in the Info column to view details about the update, or click the update’s file name to save the update to another location for testing. Click Close to return to the Approve Updates page.

   Tip

   If you want to save an update and then assign it to a computer for testing before you approve it for all clients, take note of the Setup Parameters listed in the Update Details dialog box and make sure to include them in the path when adding the update to the list of applications.

3. Select the check box next to an update to approve it for installation on client systems.

4. Click Approve when you’re finished. Click Yes to overwrite the previous list of approved updates, click Accept to accept the licensing agreement for the updates, and finally click OK. The Approve Updates page then shows that the specified updates are approved.

Figure 6-16: Selecting the updates to be deployed.

Configuring Client Systems

Computers on the network must be configured to take advantage of SUS. This is most conveniently done by creating a new Group Policy Object (GPO) with the appropriate settings. (See “Using Group Policy to Set Clients to Update Automatically” in Chapter 10.)