WSUS Windows Update Services Robert Cultrara World Health Organization
Purpose of the presentation How to make an assessment of the security on your windows network Get started with Microsoft and Windows update How to install, manage and troubleshoot WSUS How WSUS can be used in a low-bandwidth environment
The problem: Viruses (self inflicted) Worms (network inflicted) *.ware - Malware/Spyware Users countering policy Service and Network Outage (due to saturation and loss)
Microsoft Baseline Security Analyzer (MBSA) MBSA makes an assessment of your windows network security It provides you clear instruction how to make your windows network more secure
Windows and Microsoft updates
WU and MU Windows Update Just patches Windows http://update.microsoft.com/windowsupdate Microsoft update http://update.microsoft.com/microsoftupdate Patches Windows Office Exchange More to come Engine is the same - Troubleshoot the same
MU is optional How to activate Microsoft update
MU steps Accept EULA Need to install software to get it to use it Downloads activeX files \Windows\Downloaded Program Files The following ActiveX controls will be installed: MUWebControl Class WUWebControl Class
Is it safe? If first visit will get ‘authenticode’ prompt
Checking for updates
Two options to install Express Install: This option is recommended and provides the easiest method for installing high priority updates. Custom Install: This option enables a user to select which specific updates are installed.
Better ‘history’ interface
Revert to WU Go back Click on Change settings Check the box
File updated Windows Genuine Advantage control Windows Installer 3.1 Background Intelligent Transfer Service (BITS) update
Auto updates options Download Will allow you to install them at a later time
WSUS How to update an entire network
WSUS installation Install on Windows server As default it goes on port 8530 On standard loads up a MSDE instance Remember …clients may need in registry http://servername:8530, or Group Policy
WSUS: Services √ SUS 1.0 synchronizes with WU Supported Applications Windows Update Microsoft Update Windows (2000 SP3+, XP+, WS2003) √ Office (XP & 2003) SQL Server 2000, MSDE 2000 Exchange 2003 Additional products over time SUS 1.0 synchronizes with WU WSUS synchronizes with MU Both services built on customized version of Windows Update Services
WSUS: How it Works Microsoft Update WUS Server Desktop Clients Target Group 1 Server Clients Target Group 2 WUS Administrator Administrator approves updates Administrator subscribes to update categories Server downloads updates from Microsoft Update Clients register themselves with the server Administrator puts clients in different target groups Clients install administrator approved updates
Update Management Features Target Groups Registry-based policy support for AD environments Server-side lists for non-AD environments Administrator control Initiate scan of machines for patch applicability Approve for install and uninstall (requires update support) Date-based deadlines for approved updates Deploy different updates to target groups Configurable client polling frequency Configurable reboot behavior Port configurability Non-administrators can install updates (like administrators) Install at Shutdown (XP SP2 only)
WSUS issues Clients may not check in Sync process takes a long time Manually put in registry Sync process takes a long time About 24 hours if you pull down all files
Install WSUS… Double-click the installer file WSUSSetup.exe. Note: The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374. 2. On the Welcome page of the wizard, click Next. 3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next. 4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates. Keep the default options, and click Next. Select Update Source Page
Install Needs a LOT of disk space 6 GB
WMSDE is default On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003. If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper. Keep the default options, and click Next. Database Options Page
WSUS install Now up to 8 gigs
Web admin console WSUS will chose 8530
To get to WSUS Admin tools http://servername:8530/WSUSAdmin/
WSUS sync
WSUS console Missing the computers!
Adding the WUAU template 1. In Group Policy Object Editor, click either of the Administrative Templates nodes. 2. On the Action menu, click Add/Remove Templates. 3. Click Add. 4. In the Policy Templates dialog box, click wuau.adm, and then click Open. 5. In the Add/Remove Templates dialog box, click Close.
Connect the clients In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. In the details pane, click Specify Intranet Microsoft update service location. Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server. Click OK, and then configure the behavior of Automatic Updates
Assigning groups Two methods Group policy Move computers
Group Policy Add a new policy to active directory
Drill down to the setting Computer config Admin Components Windows Update
WU – point it First point your intranet updating Remember 8530
Change the check in interval If you like – change the detection frequency
Adding ZONES Key decision making right here What risk What zone What deployment strategy Who gets what patches when? At least have a Zone for the server[s] One for workstations More zones?
Groups are your Risk areas Create the ‘groups’ to match your risk zones
Approve updates Approval
Approval Approval – be patient
Troubleshooting Main causes of issue are simple configuration errors “http://wsusservernome/” in a GPO Object SelfUpdate tree needs to be on port 80 Tools with the RC Clientdiag.exe – diagnoses some issues Logs %systemroot%\WindowsUpdate.log
Securing WSUS traffic Forcing WSUSAdmin site to use SSL is simple Obtain and install a web certificate Enable SSL on WSUSADMIN directory
Low-bandwidth tips Some initial configuration requires Synchronisation options Schedule What types of updates Proxy server settings Languages (ALL languages is the default) Automatic Approval options Which updates should be automatically approved