Windows Enterprise WSUS Server Proposal Steven L. Kunz (ITS) May 16, 2006




Request

A request has been received by ITS to provide a means to filter some Microsoft updates from Windows systems pointed to the Enterprise WSUS server (sus.iastate.edu). Specifically, the request is to not supply optional updates (such as the .NET Framework) and drivers. Ideally a choice could be made by the client system administrator as to whether they wanted all updates or only critical/security updates provided by the new option.

This request was discussed in the WinAdmin meeting on May 12, 2006. In that meeting the original proposal was slightly changed and this altered proposal accepted. People at that meeting felt in general that updates containing Drivers should NOT be supplied by default. This modified proposal removes Drivers from the default group and creates a new group (named "All") for those people desiring Drivers. The "SC" ("Security and Critical" updates only) group is retained unchanged.

WSUS Capabilities

WSUS updates arrive from Microsoft with a classification indicating the broad type of update it addresses. WSUS update classifications currently defined are listed in Appendix A.

WSUS servers serve out updates based on WSUS groups. The WSUS groups are NOT Active Directory groups, but are rather groups defined only on the WSUS server by the WSUS server administrator. Computers can be made members of these WSUS groups by group policy (using the "Enable client-side-targeting" setting in the Windows Update policy area). If a computer is a member of a group it only receives the updates targeted for that group by the WSUS server administrator. Each time a new set of updates is received from Microsoft it is the WSUS server administrator's role to filter and target each update (based on classification) to the appropriate WSUS group(s). This can get complex quite quickly if more than a very few groups are defined.

By default all computers pointed to a specific WSUS server are a member of a WSUS group named "Unassigned Computers". This is the only group currently present on the Enterprise WSUS server and it currently receives all updates for all update classifications (again, see Appendix A). As a result any computer pointed to the Enterprise WSUS server currently receives all available updates. An additional group could be created which contains a subset of the available update classifications to satisfy the request.

A WSUS client computer can be made a member of one (and only one) WSUS group if client-side targeting is enabled on the WSUS server. Once an additional group is defined and client-side targeting is enabled, group policy can be used to indicate that a computer should be made a member of the newly defined WSUS group. Computers that do not have a WSUS target group defined by group policy fall into the "Unassigned Computers" group.

Proposed Solution

1. Enable Client-Side Targeting on the Enterprise WSUS server.

2. Retain the current "Unassigned Computers" (the group all systems join if client-side targeting does not specify another group). This group will be CHANGED to not receive Driver updates. As a result, by default, systems pointing to the Enterprise WSUS server will receive all updates for all products EXCEPT Drivers.

3. Create a new WSUS group named "SC" (for "Security and Critical") that contains the following classifications:

   - Critical Updates
   - Definitions
   - Security Updates
   - Service Packs
   - Update Rollups

   The new "SC" group would NOT receive the following classifications:

   - Drivers
   - Feature Packs (there are currently no updates of this classification on the WSUS server)
   - Tools (there are currently no updates of this classification on the WSUS server)
   - Updates (see Appendix B for a current list of these updates)

   This means you would get critical/security updates and definitions (for things like antispyware, etc.) for the OS and all Microsoft WSUS-updated software products on the system made a member of the "SC" group. Systems not made members of the "SC" group would continue to receive all updates EXCEPT Drivers.

4. Create a new WSUS group named "All" (for "all updates for all products"). This group will be similar to "Unassigned Computers" except it WILL receive the Drivers updates.

Discussion and Feedback

Does the Proposed Solution provide a new capability that will satisfy most departmental IT admins' needs?

Recognize that ITS cannot possibly provide a WSUS service that is custom tuned for specific groups of updates for a wide combination of systems for each department. It is hoped that one (or two) "broad swath" groups defined on the Enterprise WSUS service will enhance this service for most IT admins. Specific hardware/software update needs will still best be handled by a department running their own WSUS server. The proposed solution is meant for the "general public".

For public discussion use the WinAdmin list at winadmin@iastate.edu

For private discussion send email to Steven Kunz (ITS) at skunz@iastate.edu

Appendix A -- WSUS Update Classifications

Update Classification: Description

Critical Updates: A broadly released fix for a specific problem addressing a critical, non-security-related bug.

Definitions: A broadly-released and frequent software update containing additions to a product's definition database. Definition databases are often used to detect objects with specific attributes, such as malicious code, phishing Web sites, or junk e-mail.

Drivers: A software component necessary to control or regulate another device.

Feature Packs: New product functionality that is first distributed outside the context of a product release, and usually included in the next full product release.

Security Updates: A broadly released fix for a product-specific security-related vulnerability. Security vulnerabilities are rated based on their severity which is indicated in their Microsoft security bulletin as critical, important, moderate, or low.

Service Packs: A tested, cumulative set of all hotfixes, security updates, critical updates and updates, as well as additional fixes for problems found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.

Tools: A utility or feature that aids in accomplishing a task or set of tasks.

Update Rollups: A tested cumulative set of hotfixes, security updates, critical updates, and updates packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).

Updates: A broadly released fix for a specific problem addressing a non-critical, non-security-related bug. (See Appendix B for specific updates)

Appendix B -- Current Contents of the WSUS "Updates" Classification

[These updates would NOT be received by members of the proposed "SC" group]

Update for Windows XP SP2 Bulgarian Language Interface Pack (KB883921)
Update for Windows XP SP2 Croatian Language Interface Pack (KB883921)
Update for Windows XP SP2 Estonian Language Interface Pack (KB883921)
Update for Windows XP SP2 Hindi Language Interface Pack (KB883921)
Update for Windows XP SP2 Icelandic Language Interface Pack (KB883921)
Update for Windows XP SP2 Indonesian Language Interface Pack (KB883921)
Update for Windows XP SP2 Latvian Language Interface Pack (KB883921)
Update for Windows XP SP2 Lithuanian Language Interface Pack (KB883921)
Update for Windows XP SP2 Malay Language Interface Pack (KB883921)
Update for Windows XP SP2 Romanian Language Interface Pack (KB883921)
Update for Windows XP SP2 Serbian-Cyrillic Language Interface Pack (KB883921)
Update for Windows XP SP2 Serbian-Latin Language Interface Pack (KB883921)
Update for Windows XP SP2 Thai Language Interface Pack (KB883921)
Update for Windows XP (KB883921)
Update for Exchange Server 2003 (KB911829) - Non Cluster
Update for Exchange Server 2003 (KB911829) - Cluster
Windows Desktop Search 2.6.5 (KB911993)
Update for LIP SP2 MUI Resource Loading (KB913808)
Update Rollup for Windows XP Media Center 2005 (KB914548)
Phishing Filter for Windows Live Toolbar Update
Update for Windows XP (KB904942)
Update for Windows Server 2003 x64 Edition (KB904942)
Update for Windows Server 2003 for Itanium-based Systems (KB904942)
Update for Windows Server 2003 (KB904942)
Update for Windows XP x64 Edition (KB904942)
Hotfix for Windows Small Business Server 2003: KB 833992
Microsoft .NET Framework 2.0: ia64 (KB829019)
Microsoft .NET Framework 2.0: x64 (KB829019)
Microsoft .NET Framework 2.0: x86 (KB829019)
Update for Windows Server 2003 (KB908521)
Update for Windows Server 2003 for Itanium-based Systems (KB908521)
Update for Windows Server 2003 x64 Edition (KB908521)
Update for Windows XP (KB908521)
Update for Windows XP x64 Edition (KB908521)
Update for SQL Server 2000 Desktop Engine (SharePoint) on Windows Server 2003 (KB909544)
Update for Exchange Server 2003 (KB888619)
Update for Exchange 2000 Server (KB892986)
Windows XP Application Compatibility Update, April 2002
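The following client-side check is an added example, not part of the original proposal: it resolves which WSUS group a computer's Group Policy requests and which classifications the Proposed Solution would deliver to it. It assumes the registry values written by the Windows Update policy settings (WUServer, UseWUServer, TargetGroupEnabled, TargetGroup); the function name Get-WsusTargeting is hypothetical, and classification names follow Appendix A.

```powershell
# Added example, not part of the proposal: report the WSUS group this client's
# Group Policy requests and the classifications the proposal gives that group.
$allClasses = 'Critical Updates','Definitions','Drivers','Feature Packs',
              'Security Updates','Service Packs','Tools','Update Rollups','Updates'

# Group-to-classification plan from the Proposed Solution (names as in Appendix A).
$plan = @{
    'Unassigned Computers' = @($allClasses | Where-Object { $_ -ne 'Drivers' })
    'SC'  = @('Critical Updates','Definitions','Security Updates',
              'Service Packs','Update Rollups')
    'All' = $allClasses
}

function Get-WsusTargeting {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$ExpectedServer = 'sus.iastate.edu'   # Enterprise WSUS host named in the proposal
    )
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    $server = if ($wu) { $wu.WUServer } else { $null }

    # The client only uses an intranet server when UseWUServer=1 and WUServer is set.
    $usesWsus = [bool]($au -and $au.UseWUServer -eq 1 -and $server)

    # Client-side targeting counts only when enabled AND a group name is present;
    # otherwise the computer falls into "Unassigned Computers".
    $group = 'Unassigned Computers'
    if ($wu -and $wu.TargetGroupEnabled -eq 1 -and $wu.TargetGroup) {
        $group = $wu.TargetGroup.Trim()
    }

    $receives = $plan[$group]   # $null when the group is not one the proposal defines
    [pscustomobject]@{
        UsesWsus           = $usesWsus
        WUServer           = $server
        PointsAtEnterprise = [bool]($usesWsus -and $server -like "*$ExpectedServer*")
        RequestedGroup     = $group
        GroupInProposal    = $plan.ContainsKey($group)
        Receives           = $receives
        GetsDrivers        = [bool]($receives -contains 'Drivers')
    }
}

Get-WsusTargeting | Format-List
```

A GroupInProposal value of False means the policy names a group other than "SC", "All" or "Unassigned Computers", so the proposal does not say what that computer would receive.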