Delivering Windows OS Updates at Yale with SUS EDUCAUSE Security Professionals Workshop May 17, 2004 Washington DC Ken Hoover, Systems Programmer


1 Delivering Windows OS Updates at Yale with SUS
EDUCAUSE Security Professionals Workshop, May 17, 2004, Washington DC
Ken Hoover, Systems Programmer, ken.hoover@yale.edu

Copyright Ken Hoover 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Background and Numbers
- ~18,000 hosts, est. 75% WinTel (~13.5K)
- Mature Active Directory
  - ~49K users, ~12K computers, 1000+ OUs
- Many semi-independent IT groups
- We needed a solution that:
  - Was open to all managed systems
  - Had a convincing case for adoption
  - Accommodated all levels of admin ability
  - Was easy to implement at the client level
  - Didn't look like a takeover to departmental IT
  - … and was cheap.

3 A Look at SUS
- Software Update Services (SUS) v1
  - One server can deliver updates to a large number of clients
  - Client settings managed with Group Policy
- Boundary of administration for SUS is the server
  - Clients associate with one server
  - Admin approves updates
  - Servers can be linked

4 How Yale Implemented SUS
- First SUS server went online in October 2003
- General scheme of operation:
  - SUS @ Yale FAQ posted on web
  - Sample GPO provided with functional settings
  - SUS admins compare test results on new updates before releasing them
  - Notification of client support staff when updates are released
- Currently three dominant SUS servers run by large IT groups plus a few "local" ones.
- The large servers together have approximately 5,900 clients.

5 More on Implementation…
- Education/adoption push to department-level IT staff
- Support groups may use an existing SUS server or set up their own
  - If someone associates their system with a SUS server, they are implicitly agreeing to live with that server's administrators' judgment on releasing updates.
- The reboot "problem"
  - If updates are installed automatically, client systems may reboot automatically at the designated time.
  - Information provided on how to have specified systems "opt out" of the SUS policy.

6 SUS Limitations and Workarounds
- Cannot approve an update for subsets of client systems
- No reporting of client activity, but information can be pulled from IIS logs…
  - "SUS Client Status Checker" web site
    - Configured to limit information "leakage" to outsiders
    - amt-sus1.its.yale.edu/check
  - Another SUS Reporting Utility
    - www.susserver.com/software/SUSreporting
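One way to pull client activity out of the update server's IIS logs, as slide 6 suggests (an added example, not from the presentation and not the code behind either tool named above). It assumes W3C extended log format with a `#Fields:` header; the `/autoupdate/` path prefix, the addresses and the log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format; IIS writes times in UTC.
# Addresses, paths and times are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-01 03:10:02 10.0.0.11 GET /autoupdate/example.cab 200
2004-05-10 03:12:45 10.0.0.12 GET /autoupdate/example.cab 200
2004-05-14 03:05:19 10.0.0.11 GET /autoupdate/example.cab 304
2004-05-14 09:30:00 10.0.0.13 GET /default.htm 200
#Fields: date time c-ip cs-uri-stem sc-status
2004-05-15 03:01:07 10.0.0.12 /autoupdate/example.cab 200
"""

def last_checkins(log_text, stem_prefix="/autoupdate/"):
    """Map client IP -> (last request time, request count).

    stem_prefix is an assumption: set it to the path your update
    clients actually request on your server.
    """
    fields, seen = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        try:
            stamp = row["date"] + " " + row["time"]
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            ip, stem = row["c-ip"], row["cs-uri-stem"]
        except (KeyError, ValueError):
            continue                    # required column missing or bad date
        if not stem.lower().startswith(stem_prefix):
            continue                    # not an update-client request
        last, count = seen.get(ip, (when, 0))
        seen[ip] = (max(last, when), count + 1)
    return seen

def stale_clients(seen, now, max_age_days=7):
    """Clients whose most recent check-in is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(ip for ip, (last, _) in seen.items() if last < cutoff)
```

Clients behind NAT or a proxy share one `c-ip`, so a report keyed on address undercounts them.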

7 SUS 2.0
- In beta, currently named "Windows Update Services"
- Better tracking, reporting and forced-uninstall capability
- Delivery of many more kinds of updates
  - All Windows 2000+ OSes (incl. Datacenter)
  - Exchange, SQL Server, Office XP and Office 2003
  - Service Packs, SDKs, Tools, Feature Packs
  - Drivers
- Updates can be targeted to groups of systems
- Can't delegate authority over part of the SUS client base to an "untrusted" admin

8 Closing
- Ken Hoover <ken.hoover@yale.edu>
- SUS @ Yale Q&A web page (for Yale departmental IT): wss.yale.edu/win2k/sus-information.html
- "SUS Client Status Checker": amt-sus1.its.yale.edu/check
- Useful SUS information, tools and resources: www.susserver.com

