WSUS: Windows Update Services (Robert Cultrara, World Health Organization)

Post on 17-Dec-2015


WSUS: Windows Update Services

Robert Cultrara, World Health Organization

Purpose of the presentation

How to assess the security of your Windows network

Get started with Microsoft and Windows update

How to install, manage and troubleshoot WSUS

How WSUS can be used in a low-bandwidth environment

The problem:

• Viruses (self inflicted)
• Worms (network inflicted)
• *.ware - Malware/Spyware
• Users countering policy
• Service and Network Outage (due to saturation and loss)

Microsoft Baseline Security Analyzer (MBSA)

MBSA makes an assessment of your Windows network security

It gives you clear instructions on how to make your Windows network more secure

Windows and Microsoft updates

WU and MU

Windows Update
• Just patches Windows
• http://update.microsoft.com/windowsupdate

Microsoft update
• http://update.microsoft.com/microsoftupdate
• Patches
  • Windows
  • Office
  • Exchange
  • More to come

Engine is the same - Troubleshoot the same

MU is optional

How to activate Microsoft update

MU steps

• Accept EULA
• Need to install software to use it
• Downloads ActiveX files to \Windows\Downloaded Program Files
• The following ActiveX controls will be installed:
  • MUWebControl Class
  • WUWebControl Class

Is it safe?

On the first visit you will get an ‘Authenticode’ prompt

Checking for updates

Two options to install

Express Install: This option is recommended and provides the easiest method for installing high priority updates.

Custom Install: This option enables a user to select which specific updates are installed.

Better ‘history’ interface

Revert to WU

• Go back
• Click on Change settings
• Check the box

File updated

• Windows Genuine Advantage control
• Windows Installer 3.1
• Background Intelligent Transfer Service (BITS) update

Auto updates options

• Download
  • Will allow you to install them at a later time

WSUS

How to update an entire network

WSUS installation

• Install on Windows server
• By default it goes on port 8530
• A standard install loads up an MSDE instance
• Remember … clients may need http://servername:8530 in the registry, or Group Policy

WSUS: Services

Supported Applications               Windows Update   Microsoft Update
Windows (2000 SP3+, XP+, WS2003)     √                √
Office (XP & 2003)                                    √
SQL Server 2000, MSDE 2000                            √
Exchange 2003                                         √
Additional products over time                         √

• SUS 1.0 synchronizes with WU
• WSUS synchronizes with MU
• Both services built on customized version of Windows Update Services

WSUS: How it Works

• Administrator subscribes to update categories
• Server downloads updates from Microsoft Update
• Clients register themselves with the server
• Administrator puts clients in different target groups
• Administrator approves updates
• Clients install administrator approved updates

[Diagram: Microsoft Update; WUS Server; Desktop Clients (Target Group 1); Server Clients (Target Group 2); WUS Administrator]

Update Management Features

Target Groups
• Registry-based policy support for AD environments
• Server-side lists for non-AD environments

Administrator control
• Initiate scan of machines for patch applicability
• Approve for install and uninstall (requires update support)
• Date-based deadlines for approved updates
• Deploy different updates to target groups
• Configurable client polling frequency
• Configurable reboot behavior
• Port configurability
• Non-administrators can install updates (like administrators)
• Install at Shutdown (XP SP2 only)

WSUS issues

Clients may not check in
• Manually put in registry

Sync process takes a long time
• About 24 hours if you pull down all files

Install WSUS…

1. Double-click the installer file WSUSSetup.exe. Note: The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.

2. On the Welcome page of the wizard, click Next.

3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.

4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

Keep the default options, and click Next.

[Screenshot: Select Update Source Page]

Install

Needs a LOT of disk space: 6 GB

WMSDE is default

On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.

If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.

Keep the default options, and click Next.

[Screenshot: Database Options Page]

WSUS install

Now up to 8 gigs

Web admin console

WSUS will choose 8530

To get to WSUS

Admin tools

http://servername:8530/WSUSAdmin/

WSUS sync

WSUS console

Missing the computers!

Adding the WUAU template

1. In Group Policy Object Editor, click either of the Administrative Templates nodes.

2. On the Action menu, click Add/Remove Templates.

3. Click Add.

4. In the Policy Templates dialog box, click wuau.adm, and then click Open.

5. In the Add/Remove Templates dialog box, click Close.

Connect the clients

In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

In the details pane, click Specify Intranet Microsoft update service location.

Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server.

Click OK, and then configure the behavior of Automatic Updates

Assigning groups

Two methods
• Group policy
• Move computers

Group Policy

Add a new policy to active directory

Drill down to the setting

Computer config > Admin > Components > Windows Update

WU – point it

• First point your intranet updating
• Remember 8530

Change the check in interval

If you like – change the detection frequency

Adding ZONES

• Key decision making right here
• What risk
• What zone
• What deployment strategy
• Who gets what patches when?
• At least have a Zone for the server[s]
• One for workstations
• More zones?

Groups are your Risk areas

Create the ‘groups’ to match your risk zones

Approve updates

Approval

Approval – be patient

Troubleshooting

Main causes of issue are simple configuration errors
• “http://wsusservernome/” in a GPO Object

SelfUpdate tree needs to be on port 80

Tools with the RC
• Clientdiag.exe – diagnoses some issues

Logs
• %systemroot%\WindowsUpdate.log
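
An added example (not part of the original slides): a PowerShell check, run on a client, for the configuration errors listed above. It reads the registry values written by the "Specify intranet Microsoft update service location" policy and tests that the server name resolves; the expected port 8530 is the default from these slides and is an assumption for any other setup.

```powershell
# Added example: audit the WSUS client policy on this machine.
# The keys below are the standard Windows Update policy locations; the
# expected port (8530) is the WSUS default from the slides and must be
# changed if the server was installed on another port.
$wuKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey        = Join-Path $wuKey 'AU'
$expectedPort = 8530
$findings     = @()

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    $findings += 'WUServer is not set: the client is not pointed at a WSUS server.'
} else {
    # The slides say to type the same URL in both policy text boxes.
    if ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += "WUServer '$($wu.WUServer)' and WUStatusServer '$($wu.WUStatusServer)' differ."
    }
    $uri = $null
    if (-not [Uri]::TryCreate($wu.WUServer, [UriKind]::Absolute, [ref]$uri)) {
        $findings += "WUServer '$($wu.WUServer)' is not a valid URL."
    } else {
        if ($uri.Port -ne $expectedPort) {
            $findings += "WUServer uses port $($uri.Port), expected $expectedPort."
        }
        # A mistyped server name in the GPO shows up here as a failed lookup.
        try {
            [void][System.Net.Dns]::GetHostAddresses($uri.Host)
        } catch {
            $findings += "Server name '$($uri.Host)' does not resolve."
        }
    }
}

# Unless UseWUServer is 1, the client ignores the WUServer value.
if (-not $au -or $au.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1: the intranet server setting is not in effect.'
}

if ($findings.Count -eq 0) {
    Write-Output 'WSUS client policy looks consistent.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

If the policy values look right but the client still does not appear in the console, %systemroot%\WindowsUpdate.log is the next place to look.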

Securing WSUS traffic

Forcing WSUSAdmin site to use SSL is simple
• Obtain and install a web certificate
• Enable SSL on WSUSADMIN directory

Low-bandwidth tips

Some initial configuration required

• Synchronisation options
  – Schedule
  – What types of updates
  – Proxy server settings
  – Languages (ALL languages is the default)

• Automatic Approval options
  – Which updates should be automatically approved
