WSUS: Windows Update Services, Robert Cultrara, World Health Organization
Post on 17-Dec-2015
WSUS
Windows Update Services
Robert Cultrara
World Health Organization
Purpose of the presentation
How to make an assessment of the security on your Windows network
Get started with Microsoft Update and Windows Update
How to install, manage and troubleshoot WSUS
How WSUS can be used in a low-bandwidth environment
The problem:
• Viruses (self inflicted)
• Worms (network inflicted)
• *.ware - Malware/Spyware
• Users countering policy
• Service and Network Outage (due to saturation and loss)
Microsoft Baseline Security Analyzer (MBSA)
MBSA makes an assessment of your Windows network security
It provides you with clear instructions on how to make your Windows network more secure
Windows and Microsoft updates
WU and MU
Windows Update
• Just patches Windows
• http://update.microsoft.com/windowsupdate
Microsoft Update
• http://update.microsoft.com/microsoftupdate
• Patches
– Windows
– Office
– Exchange
– More to come
Engine is the same - Troubleshoot the same
MU is optional
How to activate Microsoft update
MU steps
Accept EULA
Need to install software to be able to use it
Downloads ActiveX files (\Windows\Downloaded Program Files)
The following ActiveX controls will be installed:
• MUWebControl Class
• WUWebControl Class
Is it safe?
On a first visit you will get an ‘Authenticode’ prompt
Checking for updates
Two options to install
Express Install: This option is recommended and provides the easiest method for installing high priority updates.
Custom Install: This option enables a user to select which specific updates are installed.
Better ‘history’ interface
Revert to WU
Go back
Click on Change settings
Check the box
File updated
• Windows Genuine Advantage control
• Windows Installer 3.1
• Background Intelligent Transfer Service (BITS) update
Auto updates options
Download: will allow you to install them at a later time
WSUS
How to update an entire network
WSUS installation
Install on Windows server
By default it goes on port 8530
As standard it loads up an MSDE instance
Remember … clients may need in registry http://servername:8530, or Group Policy
WSUS: Services
Supported Applications | Windows Update | Microsoft Update
Windows (2000 SP3+, XP+, WS2003) | √ | √
Office (XP & 2003) | | √
SQL Server 2000, MSDE 2000 | | √
Exchange 2003 | | √
Additional products over time | | √
SUS 1.0 synchronizes with WU
WSUS synchronizes with MU
Both services built on customized version of Windows Update Services
WSUS: How it Works
• Administrator subscribes to update categories
• Server downloads updates from Microsoft Update
• Clients register themselves with the server
• Administrator puts clients in different target groups
• Administrator approves updates
• Clients install administrator approved updates
[Diagram: Microsoft Update, WUS Server, WUS Administrator, Desktop Clients (Target Group 1), Server Clients (Target Group 2)]
Update Management Features
Target Groups
• Registry-based policy support for AD environments
• Server-side lists for non-AD environments
Administrator control
• Initiate scan of machines for patch applicability
• Approve for install and uninstall (requires update support)
• Date-based deadlines for approved updates
• Deploy different updates to target groups
• Configurable client polling frequency
• Configurable reboot behavior
• Port configurability
• Non-administrators can install updates (like administrators)
• Install at Shutdown (XP SP2 only)
WSUS issues
Clients may not check in
• Manually put in registry
Sync process takes a long time
• About 24 hours if you pull down all files
Install WSUS…
1. Double-click the installer file WSUSSetup.exe.
Note: The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.
2. On the Welcome page of the wizard, click Next.
3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.
4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
Keep the default options, and click Next.
Select Update Source Page
Install
Needs a LOT of disk space: 6 GB
WMSDE is default
On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.
If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.
Keep the default options, and click Next.
Database Options Page
WSUS install
Now up to 8 gigs
Web admin console
WSUS will choose 8530
To get to WSUS
Admin tools
http://servername:8530/WSUSAdmin/
WSUS sync
WSUS console
Missing the computers!
Adding the WUAU template
1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
2. On the Action menu, click Add/Remove Templates.
3. Click Add.
4. In the Policy Templates dialog box, click wuau.adm, and then click Open.
5. In the Add/Remove Templates dialog box, click Close.
Connect the clients
In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the details pane, click Specify Intranet Microsoft update service location.
Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server.
Click OK, and then configure the behavior of Automatic Updates
Assigning groups
Two methods
• Group policy
• Move computers
Group Policy
Add a new policy to active directory
Drill down to the setting
Computer config > Admin > Components > Windows Update
WU – point it
First point your intranet updating
Remember 8530
Change the check in interval
If you like – change the detection frequency
Adding ZONES
Key decision making right here
• What risk
• What zone
• What deployment strategy
• Who gets what patches when?
At least have a Zone for the server[s]
One for workstations
More zones?
Groups are your Risk areas
Create the ‘groups’ to match your risk zones
Approve updates
Approval
Approval
Approval – be patient
Troubleshooting
Main causes of issue are simple configuration errors
• “http://wsusservernome/” in a GPO Object
SelfUpdate tree needs to be on port 80
Tools with the RC
• Clientdiag.exe – diagnoses some issues
Logs
• %systemroot%\WindowsUpdate.log
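Added example, not part of the original slides: a read-only PowerShell check of the registry values that the "Specify intranet Microsoft update service location" policy writes on a client. It reports the configuration errors named above (server not set, mistyped server name, detection and statistics URLs that differ). The `$ExpectedServer` default is the slides' placeholder `http://servername:8530` and is an assumption to replace with your own server.

```powershell
# Added example: audit the WSUS client policy on one machine. Changes nothing.
param(
    # Placeholder URL from the slides; pass your real WSUS server here.
    [string]$ExpectedServer = 'http://servername:8530'
)

# Keys written by the Windows Update Group Policy settings (or by hand).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
$findings = @()

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    $findings += 'WUServer is not set: the client is not pointed at a WSUS server'
} else {
    # The slides say to type the same URL in both policy text boxes.
    if ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += "WUServer '$($wu.WUServer)' and WUStatusServer '$($wu.WUStatusServer)' differ"
    }
    if ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "WUServer '$($wu.WUServer)' is not the expected '$ExpectedServer'"
    }
    $uri = $wu.WUServer -as [uri]
    if (-not $uri -or -not $uri.IsAbsoluteUri) {
        $findings += "WUServer '$($wu.WUServer)' is not a valid absolute URL"
    } else {
        # A mistyped host name in the GPO shows up here as a DNS failure.
        try { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
        catch { $findings += "Host '$($uri.Host)' does not resolve (typo in the GPO?)" }
    }
}

# Without UseWUServer = 1 the WUServer value is not used by Automatic Updates.
if (-not $au -or $au.UseWUServer -ne 1) {
    $findings += 'AU\UseWUServer is not 1: the intranet server setting is ignored'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "WSUS client policy OK: $($wu.WUServer)" }
```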
Securing WSUS traffic
Forcing WSUSAdmin site to use SSL is simple
• Obtain and install a web certificate
• Enable SSL on WSUSADMIN directory
Low-bandwidth tips
Some initial configuration requires
• Synchronisation options
– Schedule
– What types of updates
– Proxy server settings
– Languages (ALL languages is the default)
• Automatic Approval options
– Which updates should be automatically approved