SWOCA TSS ACADEMY Implementing Patch Management and Systems Monitoring on Windows Server 2012
UPDATE MANAGEMENT Install and Configure Windows Server Update Services on Windows 2012
TYPES OF UPDATES - HOTFIX A single update that fixes a single issue. Normally generally released in Microsoft’s monthly update cycle. Some critical and security updates are released out of band of the schedule if needed. Some hotfixes are not generally released. Microsoft may require that a support call be initiated to verify your issue or a web form be filled out before it can be downloaded. After verification, MS sends an with a link to the specific hotfix. Hotfixes can be combined for a product like Internet Explorer or the.NET Framework. These are cumulative updates.
TYPES OF UPDATES – SERVICE PACKS Service Packs (SP) is an update that combines all previous updates. It will include security and performance improvements Support for new hardware New software features A version demarcation point for the software. Windows Server 2008 R2 is considered different than Windows Server 2008 R1 SP1. A Service Pack installation can be required for other software and feature installations.
CLASSIFICATION OF MICROSOFT UPDATES Important Updates: Improved security, privacy, reliability. Should be installed as soon as they become available and would be installed automatically if the computer is set to Install Updates Automatically. Recommended Updates: Address non-critical problems or enhance computer experience. Optional Updates: updates, newer hardware drivers and new software from Microsoft. Security Updates: Addresses an identified security vulnerability. Rated for severity, and are described in detail via Microsoft’s monthly security bulletin. Critical Updates: Addresses critical but non-security related bugs in the operating system.
MICROSOFT UPDATE CYCLE Microsoft releases monthly updates for all of their software. Security Bulletins and descriptions of each hotfix are provided on the Microsoft Security TechCenter. and RSS alerts are available. In North America, the update release is scheduled on the second Tuesday, known as, ‘Patch Tuesday’. Patches can be added to Microsoft’s Update servers on any day.
MICROSOFT SECURITY ADVISORIES AND BULLETINS
MICROSOFT SECURITY BULLETIN Released monthly – describes each hotfix that will be released for the month. History of all Security Advisories Sign up for Microsoft Technical Security Notifications Options: WWW, , RSS Basic, Comprehensive, Advisories Microsoft Security Response Center Blog WWW, RSS
PATCH INSTALLATION OPTIONS Windows / Automatic Updates Windows updates are set for manual or scheduled installation of updates. Updates are pulled down per machine, directly from the MS update servers. Changing from ‘Windows Update’ to ‘Microsoft Update’ allows other Microsoft applications to be patched through the service. Ideal for many small organizations. Each machine must have internet access. Windows Server Update Services (WSUS) Centrally manage updates. Choose which to install for which groups of servers. Free - Runs as a Server Role Can download updates directly from the Internet or from another WSUS server. Microsoft Systems Center Configuration Manager (SCCM) Not Free – Fully featured Microsoft operating system management platform
WINDOWS UPDATE – GROUP POLICY Group Policy is a feature within the Microsoft Windows Server products that allow administrators to centrally manage and configure the operating systems, applications and, user settings in an Active Directory (AD) environment. Group Policy Objects (GPO), linked to Organizational Units (OU) can be set to control the behavior of Windows / Automatic Update on target systems. Through GPO, administrators can configure different update settings for different types of machines.
WINDOWS & AUTOMATIC UPDATE Windows XP / Windows Server 2003 Windows Update Website – Use Internet Explorer to manually scan, choose and install updates adhoc. Automatic Updates – In the Control Panel, schedulable options exist for: Download and install updates automatically Download but do not install updates automatically Notify, but do not download or install updates Turn off Automatic Updates all together
WINDOWS & AUTOMATIC UPDATE Windows Server 2008 – 2012 R2, Windows Windows Update can be found in two places: Control Panel \ System and Security \ Windows Update Administrative Tools \ Server Manger \Windows Update
WINDOWS UPDATE – CHANGE SETTINGS
WINDOWS UPDATE - VIEW UPDATE HISTORY
PROGRAMS & FEATURES – INSTALLED UPDATES
CONFIGURE UPDATES VIA GROUP POLICY Reference: Configure Automatic Updates via Group Polices: Open Server Manager. Tools > Group Policy Management In Group Policy Management console, right click on Group Policy Objects > New Title the New GPO, choose (none) in Source Starter GPO In the Group Policy Management Editor window that opens, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Configure the options desired, close the Group Policy Management Editor Link the created Group Policy Object. In Group Policy Management Console, Select an OU, right click, Link an Existing GPO. Choose your GPO and click OK
VERIFYING GPO WINDOWS UPDATE SETTINGS GPResult /R Displays the Group Policy Objects that are configured for the target computer and logged in user account. GPUpdate /force Refreshes Group Policy Objects for the logged in user account and computer. Processes new, removed and edited Group Policy Objects
WINDOWS SERVER UPDATE SERVICES
INSTALLING WSUS - REQUIREMENTS Windows Server Internet Information Services (IIS) Microsoft.NET Framework Microsoft Management Console (MMC) 3.0 Microsoft Report Viewer Redistributable SQL Server 2005 SP2 Express +, Windows Internal Database 100 GB of disk space for WSUS, database and, updates. Internet access for Autonomous WSUS servers
INSTALLING WINDOWS SERVER UPDATE SERVICES Create a folder to house the downloaded updates. This disk should have plenty of free space on it. It can be a remote share. Open Server Manager. Manage > Add Roles and Features. Before you Begin page – Next. Role-based or feature-based installation Select a server from the server pool. Select, Windows Server Update Services from the server roles. Add Features that are required for the WSUS role In Select Role Services, choose WSUS Server. Select WID Database if you will use the Windows Internal Database option or, Select Database if you will use a version of SQL Server. Choose the location to store the updates. Next through the IIS pages, Install.
CONFIGURE WSUS – POST INSTALLATION Open Server Manager > Tools > Windows Server Update Services Complete WSUS Installation dialog appears. Choose the folder created earlier to store your updates. This process creates your configuration database and folders. Close the dialog when complete. The Windows Server Update Services Configuration Wizard begins.
WSUS CONFIGURATION WIZARD BEFORE YOU BEGIN
WSUS CONFIGURATION WIZARD MICROSOFT IMPROVEMENT PROGRAM
WSUS CONFIGURATION WIZARD CHOOSE UPSTREAM SERVER
WSUS CONFIGURATION WIZARD SPECIFY PROXY SERVER
WSUS CONFIGURATION WIZARD CONNECT TO UPSTREAM SERVER
WSUS CONFIGURATION WIZARD CHOOSE LANGUAGES
WSUS CONFIGURATION WIZARD CHOOSE PRODUCTS
WSUS CONFIGURATION WIZARD CHOOSE CLASSIFICATIONS
WSUS CONFIGURATION WIZARD SET SYNC SCHEDULE
WSUS CONFIGURATION WIZARD FINISHED INITIAL CONFIGURATION OF YOUR SERVER
WSUS CONFIGURATION WIZARD WHAT’S NEXT
CONFIGURING WSUS COMPUTERS
WSUS COMPUTER GROUPS Computer groups are created to organize your computers in a way to determine which computers get which updates at what time. Computers are typically organized by the way you want updates to be installed. i.e.: Test, production, clustered or, manual updates only. Two methods exist for populating Computer Groups within WSUS: Server-side targeting – the administrator manually moves computers from group to group. Client-side targeting – the administrator assigns computers to their groups via Group Policy which modifies the registry of the target machine.
CLIENT-SIDE TARGETING Client side targeting allows for the most flexibility in automating the configuration of WSUS clients. It is the preferred method for computers that are a member of a Windows Active Directory domain. To enable client side targeting within WSUS, open the WSUS MMC console. Choose Options > Computers and choose Use Group Policy or registry settings on computers. To enable client side targeting on clients: Open Server Manager on a computer with Group Policy Management installed. Tools > Group Policy Management > ‘Your Domain’ > Group Policy Objects > New.. Type in a name to create the new GPO. Find that GPO, right-click and choose Edit. Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update. Enable Client-side Extensions, Enable Specify intranet Microsoft update services location. Choose other options as desired.
APPROVING UPDATES Besides the actions configured within Group Policy, all updates must be approved by an administrator. Approving the updates make them available to clients when they check in with WSUS. Open the WSUS Console. Expand Updates > All Updates. In middle pane, Approval: Unapproved. Status: Any. Releases can be sorted through the field headers. Select Updates you wish to Approve. Right-click on the selection, choose Approve. Updates that you do not want to ever be installed, choose Decline. Right click on the Computer Group(s) you wish to Approve the Updates. Inheritance can be by choosing Apply to children. Deadline (for installation) can also be set. This will force the installation before the Deadline date. Approving the Updates for Install, Removal or Not Approved for a set of computers within a Computer Group.
VIEWING REPORTS To view reports, Microsoft.Net Framework 2.0 and the Microsoft Report Viewer 2008 Redistributable packages must installed on the computer running the WSUS MMC. To view Reports, open the WSUS MMC, Expand Reports. Reports are available by Updates and by Computer Groups. Reports can be saved as in Excel and PDF formats and printed.
TROUBLESHOOTING Application Event Log – Includes Update Synchronization, WSUS (general), WSUS database errors. C:\Program Files\Update Services\LogFiles\Change.txt – Records every update installation, synchronization, and WSUS configuration change C:\Program Files\Update Services\LogFiles\softwareDistribution.txt – detailed log used by MS support if they need to see debug information.
MONITORING SERVERS Finding ways within the native operating system to let you know what is going on and correct them.
SERVICES CONSOLE Most Windows Server programs are installed as Services. Services are executables launched when the operating system starts or when another program needs it to function. Some services require other services to operate and visa-versa. Because these Services are critical to your normal operating state, it would be nice to know when they are having an issue. The Recovery tab of the Service has options to alert and correct a service when it fails. Run Program allows for custom programs, PowerShell scripts to run if a service fails
EVENT VIEWER The Event Viewer MMC snap-in enables you to browse and manage the Event Logs created by the OS and programs installed on the computer. Event Viewer assembles the OS’ System, Security, Application and Setup logs as well as application or Role specific logs in one location. Because so much information is collected, it is sometimes useful to Filter the data and create Custom Views. Event Viewer enables you to: View events from multiple event logs Save useful event filters Schedule a task to be run in response to an event Create and manage event subscriptions
EVENT VIEWER – FILTER EVENTS Each Event Log can contain 1000’s of entries. Events can be sorted by the column headers but when that fails or takes too long, Right click on an Event Log and choose Filter Current Log Logs can be filtered by Event Level, Time it was logged, Event Sources, Keywords, Task Category, User and Computer that was related to the Event.
EVENT VIEWER - CUSTOM VIEWS Some Custom Views are created when Server Roles and applications are installed. They read and filter the Event Logs and gather Events that pertain to the Role or application. The Administrative Events View contains Critical, Error and Warnings from all logs. Administrators can create their own Custom Views (Custom Views > Right-click > New Custom View Custom Views can be further modified by adjusting their filters. Custom Views can be saved for viewing, exported and imported to other computers.
EVENT VIEWER – EVENT SUBSCRIPTIONS Event Subscriptions allow an administrator to gather relevant events from multiple computers to a central location. Event Subscriptions require that Windows Remote Management (Server Manager > Windows Remote Management > Enabled) be enabled and the Windows Event Collector Service to be running and configured to automatically start with the computer. Events can be filtered. There are two ways to gather Subscribed events: Collector Initiated: The Collector computer polls the target computers’ Event Logs for information and gathers the events. Only works for Domain joined computers, which are selected individually. Source Computer Initiated: The forwarding computer contacts the collection computer. Works for domain and non-domain computers. Non-domain joined computers require certificate authentication. Events are gathered in Forwarded Events.
EVENT VIEWER – ATTACHING TASKS Sometimes an administrator would like to be notified or have an action taken (or both) when an event is generated. If so, Attach a Task to an event. Attaching a Task uses the Scheduled Tasks wizard using the Event generation as the Trigger The Wizard will ask you for a Name for the Task, populate the Trigger with the Event being generated and give the options for Actions. Start a program, preferably a PowerShell script, is the preferred Action to take. Send an and Display a Message (pop-up on the server console) is being depreciated.