Keeping Your Business Safe from Attack: Patch Management
By Jeff Fellinge




Contents

Chapter 6: Corporate Solutions: Microsoft SUS and WSUS  95
  Centrally Managed Passive Protection  95
  Configuring Automatic Updates Clients with Group Policy  97
  Exploring the Windows Update GPO Settings  99
  Deploying Service Packs with SUS  100
  SUS Reporting  101
  Configuring SUS Server Options  103
  WSUS Revealed  103
  Exploring the New WSUS Interface  103
  Approving Updates with WSUS  105
  Support for Computer Groups  105
  What if I don't see my computer in the list to choose from?  106
  Approving Updates with WSUS  107
  Reports Added in WSUS  110
  Configuring WSUS Global Options  113
  Corporate Solutions Reviewed  114

Chapter 6: Corporate Solutions: Microsoft SUS and WSUS

So far this patch management book has looked at patching strategies and the technologies behind patching individual workstations. This chapter looks at Microsoft's free patch management software, which you can use to manage the approval and deployment of Microsoft security updates. The benefit of a central service is that you approve each new update before it is deployed, rather than letting untested updates reach your clients. You can also host the updates inside your LAN instead of having each client download them directly from the Microsoft Web site. Downloading each update only once to an in-house patch management server, then deploying it to client computers over the LAN, can save a great deal of WAN bandwidth.

Small to midsize companies in particular will appreciate the quick and reasonably transparent capabilities of Microsoft Software Update Services (SUS). SUS regularly and automatically distributes critical security updates (and now service packs, beginning with Windows XP Service Pack 2, SP2) from Microsoft and provides one point from which Windows clients fetch the updates that apply to them. Best of all, Microsoft provides SUS as a free download. Microsoft released SUS in 2002 and has recently finalized the follow-on product, renamed Windows Server Update Services (WSUS). During its beta this product was called Windows Update Services (WUS), and the names in the figures in this chapter reflect the beta installation. Although these products do not offer pushing, tracking, and reporting features as sophisticated as those of some third-party patch management products, their zero cost and ease of installation make them attractive to many organizations, especially those without any other patch management software or with tight budgets or staffing.
WSUS also overcomes many of the SUS limitations, so even if you evaluated SUS before, you should look at WSUS and its new features. This chapter first examines the patch management architecture of these services, then dives into some of the features of each product.

Centrally Managed Passive Protection

SUS and WSUS provide a centralized method for deploying critical Microsoft updates to XP and Windows 2000 (Win2K) SP2 client computers. (Note that Microsoft no longer supports Win2K SP2, so if you are not running the latest service pack, at least make sure that Microsoft still supports the version you are running. Also, although you might not choose to deploy a service pack immediately upon its release, consider a timely migration plan. This practice keeps your systems up-to-date and keeps them eligible for Microsoft security updates.) These products leverage the client-update technology of XP's built-in Windows Update feature and add the improvements that matter in corporate deployments: centralized configuration, an update-approval process, and in-house deployment. With in-house deployment, your company downloads an update once from Microsoft, then your clients download the update from an

in-house location. This feature requires enough storage space for all approved security updates but reduces network load.

Patch management with SUS or WSUS is more passive than with other patch management tools: after you set it up, you merely approve new updates, which are then deployed automatically according to your preconfigured preferences. Using Active Directory (AD) Group Policy Objects (GPOs), you can configure the computers in your organization to use these products. For example, if you link an SUS-configured GPO to an organizational unit (OU) containing your computers, any new computer moved into that OU is automatically patched with the approved SUS updates.

SUS and WSUS are client/server applications. The server component runs on Win2K SP2 or later and requires Microsoft Internet Information Server (IIS). You must install Automatic Updates 2.2 or later client software on SUS clients. An SUS-enhanced version of Automatic Updates comes with XP SP1 and Win2K SP3. Alternatively, you can use a standalone installation program, available from the Win2K Web site at http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp, to install this version separately on a Win2K SP2 or later machine.

The deceptively simple architecture will probably be popular in the intended market of small to midsize organizations that lack sophisticated reporting or client-targeting needs. (Larger organizations that require more comprehensive update management features might consider Microsoft Systems Management Server (SMS) or a third-party patch management product. To compare SUS and WSUS with SMS, read Chapter 7 of this book, which covers the security update deployment features of SMS 2003.) The SUS and WSUS servers each maintain a synchronized catalog of updates obtained from Microsoft and make the approved ones available to subscribing clients in your organization, which pull them on their own schedule. The first synchronization takes some time because the SUS server must download all critical updates from the Microsoft Windows Update server, as Figure 6-1 shows.

Figure 6-1 Downloading updates to the SUS server

Subsequent scheduled synchronizations complete much faster because the software downloads only the updates released since the previous synchronization. You manage the SUS update server through an IIS Web-based interface (by default, http://susserver/susadmin). From this interface, you can review and approve each update intended for the SUS client base.

Configuring Automatic Updates Clients with Group Policy

The Automatic Updates client on each computer regularly checks with the SUS or WSUS server for approved and applicable updates, then obtains the updates and installs them according to that client's settings. As Chapter 5 covers, you can configure client settings in each computer's registry, such as whether to download and install updates automatically or to prompt the end user to approve each update; however, most organizations will appreciate the ability to use AD Group Policy to configure the Automatic Updates client centrally. You can use AD GPOs to configure all the settings discussed in Chapter 5 for the Automatic Updates client. Because the client portion of SUS and WSUS is the same Automatic Updates client, the same AD GPO settings manage SUS and WSUS clients too.

You can configure the AD GPO settings from any computer with the latest Windows Update administrative template (.adm file) installed. Any installed SUS or WSUS server, and Windows Server 2003 and XP SP2 clients, come with an updated Windows Update administrative template that you can use to create centrally managed Windows Update GPOs. On earlier versions of Windows (such as Win2K) you must install a new GPO administrative template to gain this functionality. Alternatively,

you can simply manage your SUS and WSUS GPO settings from the SUS or WSUS server, which adds this template during installation.

Checking whether you have the Windows Update GPO properties is easy. Open the Group Policy Management Console (available from the Windows Server System Web site at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx), edit a GPO, and expand Computer Configuration, Administrative Templates, Windows Components. Look for the node called Windows Update and select it. On an XP SP2 computer you should see around 11 Windows Update GPO settings.

If you do not have the Windows Update administrative template, you can add it fairly easily. Copy the Windows Update Automatic Updates template from your SUS or WSUS server to the computer that you use to manage your AD GPO settings. The file, named wuau.adm, is located in the Windows INF directory (%windir%\inf\wuau.adm). Next, on that computer, open the GPO in the Group Policy Management Console and expand the Computer Configuration node. Right-click Administrative Templates and click Add/Remove Templates to load the new Windows Update administrative template (%windir%\inf\wuau.adm). Then expand Computer Configuration, Administrative Templates, Windows Components and select Windows Update to display the new SUS configuration settings.

If you create a GPO that modifies Windows Update configuration settings and then view the details of those settings on a computer without the administrative template installed, you will see the settings under Extra Registry Settings, as Figure 6-2 shows.

Figure 6-2 Viewing the SUS GPO settings

This view does not affect the settings; it occurs only because the computer you are using to view them does not have the Windows Update Automatic Updates .adm template installed. Either install the template on this computer or manage the settings from a computer that has the .adm template installed.

Exploring the Windows Update GPO Settings

From the initial release of SUS to the latest pending version of WSUS, Microsoft has released new settings to control the Windows Update clients. As of the XP SP2 release, there are 11 configurable settings, which Figure 6-3 shows.

Figure 6-3 Viewing configurable Windows Update settings

Most of these settings correspond to the registry settings explained in Chapter 5; a few, such as client-side targeting, are new features that WSUS offers. The settings are:

- Do not display Install Updates and Shut Down option in Shut Down Windows dialog box
- Do not adjust default option to Install Updates and Shut Down in Shut Down Windows dialog box
- Configure Automatic Updates
- Specify intranet Microsoft update service location
- Enable client-side targeting
- Reschedule Automatic Updates scheduled installations
- No auto-restart for scheduled Automatic Updates installations
- Automatic Updates detection frequency
- Allow Automatic Updates immediate installation
- Delay Restart for scheduled installations
- Re-prompt for restart with scheduled installations

In the GPO editor you can select any of these settings and read a detailed description of what each does. At a minimum, to configure clients to use an SUS or WSUS server, edit the properties of Configure Automatic Updates to specify the notification behavior and the schedule for automatic updates. For example, you can notify your users when updates are ready for installation, or you can schedule automatic installations. Next, edit Specify intranet Microsoft update service location to define the location of the SUS or WSUS update server (e.g., http://susserver or http://wsusserver). The same setting also names the statistics server that you want clients to use; the statistics server collects update report data. (SUS did a poor job with report data, but WSUS includes better patch management feedback.) You can set both to the same server; however, you might want to configure a separate statistics server to handle reporting from multiple SUS update servers (e.g., for different geographic offices).

Another useful setting is Automatic Updates detection frequency, which specifies how often the Automatic Updates client polls the SUS or WSUS server for new updates. By default this interval is 22 hours. The setting Allow Automatic Updates immediate installation lets Automatic Updates install updates that will not interrupt the client (those that neither prompt the user nor require a restart), so quiet updates can install without bothering your users. Some updates require a restart before they take effect, so be wary of suppressing the restart when installing these: the update is not fully installed, and the vulnerability it closes is still open, until the computer restarts. Some of the features described in Chapter 5, such as prompting to install updates when the computer is shut down or restarted, can be configured centrally through a GPO. In this example, you can specify patch deployment behavior during a computer restart under the Re-prompt for restart with scheduled installations setting.

Deploying Service Packs with SUS

The latest version of SUS supports the deployment of SP2 for XP, and both SUS and WSUS will support future service packs. SUS doesn't support deployment of service packs earlier than XP SP2. With SUS and WSUS, installing a service pack is the same as installing a security update: in the SUS/WSUS console, the service pack appears alongside other security updates in the list of updates to be approved. Approve the service pack, and clients download and install it according to your SUS or WSUS update policy. To deploy service packs that SUS or WSUS do not support, you can use the AD Group Policy Software Installation feature, as Figure 6-4 shows. You can define Group Policy software installation for computers or users, commonly at the OU level. To deploy a mandatory update such as a service pack to every machine regardless of who is logged on, assign the software to the computer. Group Policy software installation supports Windows Installer (.msi) files, which come with most new service packs and other Microsoft corporate products. To verify or troubleshoot installation on a client, review the Application event log for a failed or successful Application Installation message.

Figure 6-4 Showing the AD Group Policy Software installation feature

SUS Reporting

SUS reporting consists of recording client update downloads in a standard IIS Web log on your designated SUS servers (by default, these files reside on the SUS server under %systemroot%\System32\LogFiles\W3SVCn, where n is the ID of the IIS Web site that hosts SUS). Unfortunately, SUS offers no predefined reports, data aggregation, or other summary-level reporting to convey your organization's patch compliance. You can, however, comb through the logs to determine whether a specific machine has requested a specific patch. Reporting has been greatly improved in WSUS.

After you configure Group Policy, refresh the policy on an affected client (by running gpupdate /force from a command prompt) and verify the SUS settings. Open the Control Panel System applet and select the Automatic Updates tab to review the client's settings. Figure 6-5 shows a client configuration in which the Automatic Updates client automatically downloads and installs approved patches every day at 3:00 A.M. Notice that the user cannot change these settings; they are configured centrally through the GPO.
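Combing the IIS log by hand does not scale past a handful of clients. The following PowerShell script is an added example, not code from the book or from Microsoft: it parses the W3C extended log that IIS writes for the SUS site and reports, per client address, which update files that client fetched. The log lines embedded in it are constructed for the example, and the /Content path layout, the KB numbers, and the W3SVC1 site ID in the final comment are assumptions about the SUS site rather than values taken from a real server.

```powershell
# Added example, not code from the book: turn the SUS server's IIS W3C extended
# log into a per-client list of the update files each Automatic Updates client
# fetched. The log lines below are constructed for the example; the URL layout
# under /Content and the KB numbers are illustrative, not taken from a real
# SUS server. Point $logLines at your own ex*.log files to run it for real.

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    # W3C extended format: a '#Fields:' line names the columns; data lines are
    # space-separated in that order. Other '#' lines are directives to skip.
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($fields.Count -eq 0) { throw 'Data before a #Fields header: not a W3C extended log.' }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Get-SusDownloadReport {
    param([string[]]$Lines)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object {
            # Only update payloads count; /selfupdate is the AU client upgrading itself
            # and getmanifest.asp is the catalogue check, neither proves a patch was fetched.
            $_.'cs-uri-stem' -match '^/Content/.*\.(exe|cab|msi)$' -and
            $_.'sc-status' -in @('200', '206')
        } |
        Group-Object -Property 'c-ip' |
        ForEach-Object {
            $files = $_.Group | ForEach-Object { $_.'cs-uri-stem' -replace '^.*/', '' } | Sort-Object -Unique
            [pscustomobject]@{
                Client      = $_.Name
                Files       = ($files -join ', ')
                # 206 = partial content: BITS fetches large files in ranges, so one
                # update can produce several 206 lines and no 200 at all.
                RangeGets   = @($_.Group | Where-Object { $_.'sc-status' -eq '206' }).Count
                LastRequest = ($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object | Select-Object -Last 1)
            }
        }
}

# Constructed sample log in the W3C extended format IIS 6 writes (not real data).
$logLines = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-14 03:00:12
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-03-14 03:00:12 192.168.1.21 GET /selfupdate/AU/x86/XP/EN/wuaucomp.cab - 200 Windows-Update-Agent
2005-03-14 03:00:15 192.168.1.21 GET /autoupdate/getmanifest.asp - 200 Windows-Update-Agent
2005-03-14 03:00:40 192.168.1.21 GET /Content/microsoft.com/pss/x86/WindowsXP-KB123456-x86-ENU.exe - 200 Windows-Update-Agent
2005-03-14 03:01:02 192.168.1.21 GET /Content/microsoft.com/pss/x86/WindowsXP-KB123457-x86-ENU.exe - 206 Windows-Update-Agent
2005-03-14 03:01:09 192.168.1.21 GET /Content/microsoft.com/pss/x86/WindowsXP-KB123457-x86-ENU.exe - 206 Windows-Update-Agent
2005-03-14 03:04:51 192.168.1.37 GET /autoupdate/getmanifest.asp - 200 Windows-Update-Agent
2005-03-14 03:05:10 192.168.1.37 GET /Content/microsoft.com/pss/x86/Windows2000-KB123456-x86-ENU.exe - 404 Windows-Update-Agent
'@ -split "`r?`n"

Get-SusDownloadReport -Lines $logLines | Format-Table -AutoSize

# Against a real SUS server (site ID assumed to be 1):
# Get-SusDownloadReport -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\W3SVC1\ex*.log")
```

A 200 or 206 proves only that the file was fetched, not that it installed, which is exactly the limitation the book describes; install success still has to come from the client's event log. Clients that produced only errors, like the second address in the sample, do not appear in the report at all, and a 404 for an approved update is worth a look because the client asked for content the server does not have. The log records c-ip, not a hostname, so map addresses through DHCP leases or DNS when you need to name the machine.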

Figure 6-5 Verifying the SUS Automatic Update settings

To begin deploying updates, you don't need to perform much additional configuration. This simple approach to patch deployment will be welcome news if you've ever installed multiple patches manually. (A new Microsoft Internet Explorer (IE) update typically includes three separate patches, for IE 6.0, IE 5.5, and IE 5.0, so your own installation logic would have to check the version and push the appropriate one.) SUS transparently handles this for you, ensuring that each client gets the correct version of an approved patch.

One major drawback of SUS is its inability to manage different levels of patching for different groups of computers. If you want to use SUS to roll out updates to a set of test servers before rolling them out to the wider production set, you must install multiple SUS update servers. (Alternatively, you can save updates to a local machine and install them manually for testing; however, this approach does not exercise the SUS deployment mechanism.) If you use multiple servers, be cautious about sharing an existing IIS server with SUS, because SUS runs IIS Lockdown during installation, which can break other Web applications on a shared server. After you configure your SUS servers, separate your test computers from your production computers by placing them in different AD OUs. Configure an OU Group Policy to point the test OU computers to the staging SUS update server and the production OU computers to the production SUS update server.

Configuring SUS Server Options

You can configure an SUS server to synchronize its catalog of updates (and, optionally, its list of approved items) from another SUS server on your network rather than directly from the Windows Update servers. Doing so helps you scale SUS and offers a good solution for placing SUS servers in multiple offices. For example, you can configure a master SUS server at corporate headquarters to pull its catalog from Microsoft, then configure child SUS servers at satellite offices that pull their catalogs from the corporate SUS parent. Such a configuration eliminates the need for each SUS server to be connected to the Internet; however, at least one SUS server must have Internet access to communicate with the Windows Update server.

WSUS Revealed

WSUS is the follow-on product to SUS, and it improves on SUS in almost every way. At publication time for this chapter, WSUS was in a public beta test in early 2005 and has recently been released. (You can learn more about WSUS at http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.) Users of SUS will feel at home with WSUS and will immediately appreciate the additional granularity of patch management features that this updated product offers.

WSUS requires IIS 5.0 or later, .NET Framework 1.1 SP1, and Background Intelligent Transfer Service (BITS) 2.0. WSUS uses a database to manage the status and configuration of its patches; it installs Windows SQL Server 2000 Desktop Engine (WMSDE), or you can point WSUS to an existing SQL Server database instance. Like SUS, WSUS clients depend on the Automatic Updates client that comes with Win2K Professional or Server SP3 or later. During the WSUS installation, the setup program asks whether to store updates locally on the WSUS server. If you choose not to store the updates locally, clients will download them directly from the Microsoft Web site (although you can still manage the approval process for these updates). As with SUS, storing updates on the WSUS server takes additional storage space: approximately 6GB. If you install with a local database, you will need a total of approximately 8GB to install WSUS and hold all the downloaded updates. Also like SUS, the WSUS administration interface is a Web page hosted on IIS, at http://wsusserver/wsusadmin; the WSUS setup program lets you customize the Web site location. Create a new GPO to configure the Automatic Updates clients to get their updates from the new WSUS server (e.g., http://wsusserver). In fact, the GPO and Automatic Updates configuration for a WSUS server is almost identical to that for an SUS server.

Exploring the New WSUS Interface

Users familiar with SUS will immediately notice the updated WSUS interface, as Figure 6-6 shows. The program data displays in the main window, and you access all the WSUS features from the five navigation icon buttons in the upper right of the window. These icons let you view an overall WSUS summary, approve updates, view reports that show the status of update deployment, configure the new WSUS computer groups, and configure WSUS options.

Figure 6-6 Examining the updated WSUS interface

The WSUS home page shows an overall summary of the program, including update status, synchronization status, download status, and a count of client computers. This page also shows a To Do list summarizing the state of the product; for example, it informs you of any new unapproved updates or recently added products or classifications. To start an update synchronization with the Microsoft update Web site manually, click the Synchronize now link on this page. WSUS uses HTTP (TCP 80) and HTTP Secure (HTTPS, TCP 443) to synchronize its updates with the Microsoft Windows Update Web site.

After configuring your Automatic Updates clients to point to the WSUS server, you need to configure the WSUS server itself. For basic installations, start by synchronizing the WSUS server with the Microsoft Windows Update Web site. For more complex configurations, such as pointing the WSUS server at a proxy server or installing multiple WSUS servers, click the WSUS configuration button. (This chapter covers those features later.) The first time you synchronize your WSUS server, be prepared to wait: the initial synchronization takes close to an hour, and the time is not necessarily governed by your Internet connection. The synchronization seems to trickle to your WSUS server at a rate regulated by the server rather than by the available Internet bandwidth. This synchronization does not download the updates themselves; the updates download after they are approved for installation. After you synchronize the updates, you will have populated the WSUS server and can

begin to approve and deploy the updates. Subsequent synchronizations take much less time, depending on the number of updates needed.

Approving Updates with WSUS

Because the Automatic Updates client more or less transparently takes care of installing the updates, the crux of the program is the approval management of each individual update. This process consists of managing the computer groups, approving updates for the computer groups, and viewing reports to track the update process. The process for installing and configuring clients for WSUS is the same as for SUS, as described earlier in this chapter: configure the Specify intranet Microsoft update service location GPO setting to point to your WSUS server and set the options that pertain to your environment. Most of these settings were described in the earlier sections; the new settings that WSUS supports are described in the following sections.

Support for Computer Groups

A major improvement of WSUS over SUS is its ability to classify computers into different management groups, for each of which you can then approve specific updates. (Recall that SUS requires a new installation of SUS on a separate computer whenever you want to deploy different updates to different computers.) This book has stressed the importance of testing patches before deploying them to production environments and of using the same patch processes and tools for your lab as you use for production. WSUS now supports this methodology. For example, suppose you want to approve a newly released set of updates for your lab computers but not for your production computers. With SUS, you would need to configure two GPOs (one linked to an OU containing the lab computers and one linked to an OU containing the production computers), then configure each GPO to point to a different SUS server. This configuration requires the purchase and setup of two different servers and SUS installations, plus the management of multiple GPOs. With WSUS and its new support for computer groups, you can create a single GPO for all your computers that points to a single WSUS server. Then, within the WSUS server, you define and populate multiple computer groups and set the approval status of an update for each computer group. In the previous example, you need only one WSUS server and one GPO; from the WSUS updates console you approve updates for installation on the Lab Computers group but not the Production Computers group, and later, when you are ready, you approve the updates for the Production Computers group. This feature dramatically increases the scalability of WSUS.

Click the Computers icon on the WSUS navigation bar to open the computer group configuration page, as Figure 6-7 shows. This figure shows quite a bit, so let's look at it piece by piece. First, notice that three computers are listed for the computer group All Computers. WSUS comes with two predefined built-in groups, All Computers and Unassigned Computers. By default the Unassigned Computers group has the same approval and deadline parameters as the All Computers group. The All Computers group is a superset containing every computer configured to use this WSUS server. In Figure 6-7 you can see each computer's name, OS, the date and time it was last contacted, and the specific computer group to which it is assigned. To use WSUS you don't need to configure any computer groups (in which case you approve updates for All Computers), but the granularity lets you do a lot more with WSUS, and most administrators will find it an invaluable upgrade from SUS.

Figure 6-7 Examining the WSUS Computers-group configuration page

Figure 6-7 shows the computer named 2k3.security.local highlighted and selected. In the bottom pane you can see the status of updates for that specific computer. This feature is another terrific upgrade in WSUS: you can now see missing patches on a computer-by-computer basis, a capability that was not available in SUS. Lastly, in the left pane, in addition to the built-in groups All Computers and Unassigned Computers, you can see three custom groups named Employee Workstations, Lab Computers, and Production Servers. As you'll see in the next section, you can approve updates for each of these groups independently. To add a new group, click the Create a computer group task and name the group. To populate a group, click the All Computers group (or another group that contains the computer you want to move), click the Move the selected computer task, and specify the target group.

What if I don't see my computer in the list to choose from?

Unlike many other patch management tools, WSUS does not let you add computers by computer name, IP address, or any other mechanism from within WSUS. Instead, you must create a GPO (or manually configure the client computer's registry) to point its Automatic Updates client to the WSUS server. The first time the client contacts the WSUS server, it is added to the WSUS server's database of client computers. If you do not see a computer in the list of All Computers, then check whether:

- the GPO is created and configured to use the WSUS server
- the GPO is linked to an OU, domain, or site containing your client computers
- the client computer's Group Policy has been updated (either by rebooting or by running the GPUPDATE command)

This approach makes WSUS quite easy to manage. After you set it up, any new computer added to an OU covered by the WSUS GPO is automatically added to WSUS. Furthermore, to specify the group at the AD Group Policy level, you can use the Windows Update GPO setting Enable client-side targeting. In this setting, specify the name of the group to which you want any computers under this GPO to belong. This approach requires that you organize your different computer groups by OU, but for many businesses this organization is already complete. For example, you might already have configured your OU hierarchy to separate Employee Workstations from Production Servers from Lab Computers. If you have not configured client-side targeting, all computers newly added to WSUS will be unassigned. If you remove a computer from a group, it reverts to the Unassigned Computers group. To configure the WSUS global setting to use client-side targeting, you must use the registry, a GPO, or else directly use WSUS.

Another new GPO setting included with the new WSUS Automatic Updates client is the ability for nonadministrators to receive update notifications. Enabling the setting Allow non-administrators to receive update notifications lets your nonprivileged users receive and install approved updates.

Approving Updates with WSUS

Those of you familiar with SUS will recall its process of approving updates, which consists of scrolling through a very long list of every update released by Microsoft and selecting those to approve. To improve upon this process, WSUS adds a robust view filter that lets you see specific updates and lets you approve updates by computer group.
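Returning to the sidebar above on computers that never appear in the All Computers list: the three checks can be scripted on the client. This is an added example, not code from the book. It reads the Windows Update policy values that the GPO (or a manual registry edit) writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reports why the computer may be missing or may be landing in Unassigned Computers; it assumes Windows PowerShell 3.0 or later on the client, and the server URL wsus.security.local is a constructed placeholder.

```powershell
# Added example (not from the book): audit the Automatic Updates client's
# policy settings on this computer. Assumes the standard policy registry
# locations; http://wsus.security.local is a constructed placeholder.
$ExpectedServer = 'http://wsus.security.local'

function Test-WsusClientConfig {
    param([string]$Expected = $ExpectedServer)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    $findings = @()

    # Check 1 and 2: no WUServer value means the GPO is missing, not linked
    # to an OU/domain/site containing this computer, or not yet applied.
    if (-not $p -or -not $p.WUServer) {
        $findings += 'WUServer not set: GPO missing, not linked to this computer''s OU, or not yet applied (run gpupdate /target:computer /force).'
    } elseif ($p.WUServer.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
        $findings += "WUServer points to $($p.WUServer), not $Expected."
    }
    if ($p -and $p.WUStatusServer -and $p.WUStatusServer -ne $p.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: status reports go to a different server than updates.'
    }
    # Check 3: the AU subkey must tell the client to use the intranet server.
    if (-not $a -or $a.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: client will contact Windows Update directly instead of the intranet server.'
    }
    if ($a -and $a.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is set: Automatic Updates is disabled by policy.'
    }
    # Client-side targeting: without it the computer lands in Unassigned Computers.
    $group = if ($p -and $p.TargetGroupEnabled -eq 1 -and $p.TargetGroup) {
        $p.TargetGroup
    } else {
        'Unassigned Computers (client-side targeting off)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = if ($p) { $p.WUServer } else { $null }
        TargetGroup  = $group
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-WsusClientConfig | Format-List
```

After correcting the policy, run gpupdate /target:computer /force and then wuauclt /detectnow to trigger a detection cycle, after which the computer should register with the WSUS server.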
Additionally, WSUS improves how it displays update data, making it easier to scan information about an update before you approve it. To manage the WSUS list of updates, click the Updates icon on the WSUS navigation bar. WSUS lets you customize the view of all the updates, but it defaults to showing only Critical and Security updates, as Figure 6-8 shows. In the left pane of this figure you can see the criteria available for filtering the list of updates, including the classifications and products, the approval status, and the timeframe of the last synchronization.

Figure 6-8 Viewing the Updates-group default settings

You can show all updates or limit the view by product or classification. For example, you can customize your view to include only specific products by version, such as Office updates (Office 2003, Office XP), updates by OS (Windows 2003, XP, Win2K), or Exchange Server (Exchange 2003, Exchange 2000). In addition to filtering by product, you can filter by classification. Classifications by which you can filter your view include critical updates, development kits, drivers, feature packs, security updates, service packs, tools, and others. You can also view all approved or not-yet-approved updates, or filter the updates by time, such as displaying only updates from the last 2 months. If you know exactly what you want to find, you can search by a text keyword, which is useful when you want to find a patch associated with a specific Knowledge Base article or to list all service packs. Furthermore, you can sort the list by each of these categories.

WSUS also integrates the deployment status of a specific update with its approval status, which Figure 6-8 shows in the bottom pane. This pane shows the approval status and deployment status for the selected update. In this example, the selected update, named Windows Installer 3.0, is approved for installation on all computers but still needs to be installed on two computers, one of which is the computer named 2k3.security.local in the Lab Computers group. This lower pane contains three tabs that present information about the update. The Details tab shows information such as the update's summary, whether the update is removable, whether it requires a restart, and what other updates (if any) supersede it. The

Status tab shows WSUS information about the update, such as whether the installation files have been downloaded, as well as the update status by computer group. When you approve an update, you can check this tab for the status of the update download. The Revisions tab lists any revisions to an update, including the revision number, title, release date, and approval status.

One of the finest new features of WSUS is its ability to approve updates on an individual computer-group basis. When WSUS first downloads a new update, it classifies the update as Detect only. This classification means that your clients will immediately begin to report on the update's deployment status even if you have not approved it yet. To change the approval of an update, select it (or select multiple updates) and click the Change approval task to open a new Web dialog box, as Figure 6-9 shows. From this dialog box you can change the default behavior for the update as it applies to all computers, or you can specify an overriding behavior for specific computer groups. Figure 6-9 shows how you can use this granularity to approve updates for different groups.

Figure 6-9 Changing approval of an update from a Web Page Dialog box

For example, let's say that Microsoft released five new patches on the Windows Update Web site. After your next update synchronization cycle, WSUS will begin to detect whether the patches are installed or missing. To begin testing these patches, in the WSUS update console you can select these five patches and approve them for Install on the Lab Computers computer group (which you previously defined as containing your test servers). After completing testing, you return to the approval page and approve the patches for Install on a different computer group representing a wider deployment.
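The staged lab-then-production approval just described can also be driven from a script rather than the Web console. This is an added example, not code from the book or from Microsoft: it assumes a later WSUS release whose administration API is exposed through the UpdateServices PowerShell module (Get-WsusServer), which the 2005 beta covered here did not ship; the group names match the chapter and the KB numbers are placeholders.

```powershell
# Added example (not from the book): approve a batch of updates for one
# computer group, optionally with an installation deadline. Assumes the
# UpdateServices module on a WSUS server later than the 2005 beta.
Import-Module UpdateServices

function Approve-UpdateForGroup {
    param(
        [Parameter(Mandatory)][string[]]$KbArticle,   # KB numbers, digits only
        [Parameter(Mandatory)][string]$GroupName,     # e.g. 'Lab Computers'
        [datetime]$Deadline                           # omit to let users choose when
    )
    $wsus  = Get-WsusServer                            # local server, default port
    $group = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName
    if (-not $group) { throw "Computer group '$GroupName' not found" }
    $action = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    $all    = $wsus.GetUpdates()

    foreach ($kb in $KbArticle) {
        # One KB can map to several updates (one per product); approve each.
        $hits = @($all | Where-Object {
            $_.KnowledgebaseArticles -contains $kb -and -not $_.IsDeclined })
        if ($hits.Count -eq 0) { Write-Warning "KB$kb not yet synchronized"; continue }
        foreach ($update in $hits) {
            if ($PSBoundParameters.ContainsKey('Deadline')) {
                $null = $update.Approve($action, $group, $Deadline)   # forced by date
            } else {
                $null = $update.Approve($action, $group)              # user decides
            }
            "$($update.Title) -> $GroupName"
        }
    }
}

# Step 1: approve the batch for the lab group only (placeholder KB numbers).
Approve-UpdateForGroup -KbArticle '000001','000002' -GroupName 'Lab Computers'
# Step 2, once testing passes: approve for production with a one-week deadline.
Approve-UpdateForGroup -KbArticle '000001','000002' -GroupName 'Production Servers' `
    -Deadline (Get-Date).AddDays(7)
```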

Approving the updates for the first time takes a while if you choose to approve all of them. As of January 2005, the initial backlog of updates needed for a fresh WSUS installation is close to 300 updates. After you approve the updates, WSUS starts the background file transfer process, using BITS to download each of the updates. This process also takes considerable time, because it must build up the library of updates that download to your WSUS server.

WSUS has also improved the user interaction for deciding when to install the updates. For each update you can also specify a deadline for installation, as Figure 6-10 shows. A new feature of WSUS lets you specify whether to let users choose when to install the updates or else force installation of the update by a specific date and time.

Figure 6-10 Viewing the Edit Deadline dialog box

Reports Added in WSUS

To access the reporting features of WSUS, click the Reports icon on the WSUS navigation bar. WSUS includes three different patch management reports that help you track the progress of a new patch deployment. These reports show you the Status of Updates, Synchronization Results, and Settings Summaries. The Status of Updates page, as Figure 6-11 shows, reports the count of computers with Installed, Needed, and Failed updates on a per-update and per-group basis. You can drill down from these aggregated numbers to detailed computer-by-computer status for any particular update.

Figure 6-11 Reporting the Status of Updates

WSUS also stores information about each client computer. Click the name of a computer (such as 2k3.security.local in Figure 6-11) to retrieve data about the WSUS client, which Figure 6-12 shows. These drill-down and cross-section reports can assist with tracking the deployment of patches across many computers.

Figure 6-12 Retrieving data about a WSUS client

The Synchronization Results report shows detailed information about the last time WSUS synchronized its updates with Microsoft. The report shows the time the synchronization Started and Finished, the Result (Success or Failure), and how many updates were retrieved or revised, as Figure 6-13 shows. Additionally, this report lists all the new updates during this period.

Figure 6-13 Showing detailed Synchronization Results

What is remarkable about this report is that you can specify the synchronization period. So, for example, if you have a patch management meeting every week but you synchronize your updates nightly, you can run a report that shows all the updates from the past 7 days, then use this report as a meeting agenda from which to schedule the testing and deployment of the updates. The last report, named Settings Summary, shows at a glance the system-wide configuration settings of WSUS. This report is a great way to audit the configuration of a particular WSUS server. It tells you how the server is configured for automatic approval settings, revisions, the synchronization schedule, update source, and other settings.

Configuring WSUS Global Options

To access the WSUS Global Settings page, click the Options icon on the WSUS navigation bar. WSUS organizes its options into Synchronization, Automatic Approval, and Client Computer settings. In the Synchronization Options, specify whether to synchronize manually or daily at a time of your choosing. Additionally, you can configure WSUS to use a proxy server or another upstream WSUS server when synchronizing. WSUS adds new features for automatic approval of new updates. By default, WSUS automatically approves Critical and Security Updates for Detection only and adds them to the All Computers group.

You can also define how WSUS will approve updates for installation. Review these settings and select those that complement your patch testing and deployment process. For example, you might not want to automatically approve any updates for installation until your patch management team has triaged them. WSUS also lets you configure how to handle revisions to an update; the default action is to automatically approve the latest revision. The final configuration setting lets you specify whether to use the Move computers task in Windows Update Services or else the Group Policy or registry settings to assign client computers to groups.

Corporate Solutions Reviewed

SUS and the upcoming and dramatically improved WSUS products from Microsoft offer a centrally managed, mostly hands-off approach to patch management that dramatically eases the deployment of Microsoft patches. SUS and WSUS support deploying updates only to Microsoft products, and they are somewhat passive, meaning that you can't directly target and deploy a specific patch to a specific computer. But these products are free and very easy to use. SUS and WSUS use the Automatic Updates client, which is installed on every new version of Windows. This built-in client makes using SUS and WSUS for deploying and tracking updates easier than using third-party patch management products that require a separate client installation. Even if you use a third-party patch management product, you might find benefit in using WSUS and SUS as a backup or to increase your defense in depth, as yet another mechanism to ensure that your systems are up to date and patched.
Some of the SUS and WSUS features include:

- Central management using AD Group Policy
- Downloading updates directly from the Microsoft Windows Update Web site
- Using the built-in Windows Update client that comes with every Windows platform
- WSUS's support for computer groups, granular update approval, and patch deployment reports (features sorely lacking in SUS)
- Support for only Microsoft products

The WSUS features that support multiple computer groups and its improved reporting make it a necessary upgrade for SUS users. Some larger organizations that use a third-party patch management product might find that the new features in WSUS, coupled with its ease of use and low administration requirements, make it a compelling Microsoft software patch management solution. Keeping your software up to date is more important than ever. After you get SUS or WSUS running, you can maintain a current and applicable set of patches for all new production machines. Update scanning will occur regularly and approved patches will automatically flow to machines. This consistent and methodical approach will help ensure that new systems introduced into your production environment months after a flurry of patching will instantly be at the same patch level as their peers.