WSUS: Windows Update Services
Robert Cultrara
World Health Organization
Purpose of the presentation
• How to make an assessment of the security on your Windows network
• Get started with Microsoft Update and Windows Update
• How to install, manage and troubleshoot WSUS
• How WSUS can be used in a low-bandwidth environment
The problem:
• Viruses (self-inflicted)
• Worms (network-inflicted)
• *.ware: malware/spyware
• Users countering policy
• Service and network outage (due to saturation and loss)
Microsoft Baseline Security Analyzer (MBSA)
• MBSA makes an assessment of your Windows network security
• It gives you clear instructions on how to make your Windows network more secure
Windows and Microsoft updates
WU and MU
• Windows Update
  • Just patches Windows
  • http://update.microsoft.com/windowsupdate
• Microsoft Update
  • http://update.microsoft.com/microsoftupdate
  • Patches
    – Windows
    – Office
    – Exchange
    – More to come
• The engine is the same, so troubleshooting is the same
MU is optional
• How to activate Microsoft Update
MU steps
• Accept the EULA
• You need to install software before you can use it
• Downloads ActiveX files to \Windows\Downloaded Program Files
• The following ActiveX controls will be installed:
  • MUWebControl Class
  • WUWebControl Class
Is it safe?
• On the first visit you will get an 'Authenticode' prompt
Checking for updates
Two options to install
• Express Install: this option is recommended and provides the easiest method for installing high-priority updates.
• Custom Install: this option enables a user to select which specific updates are installed.
Better 'history' interface
Revert to WU
• Go back
• Click on Change settings
• Check the box
Files updated
• Windows Genuine Advantage control
• Windows Installer 3.1
• Background Intelligent Transfer Service (BITS) update
Auto updates options
• Download
  • Will allow you to install them at a later time
WSUS
How to update an entire network
WSUS installation
• Install on a Windows server
• By default it listens on port 8530
• A standard install loads up an MSDE instance
• Remember: clients may need http://servername:8530 set in the registry, or via Group Policy
WSUS: Services
Supported Applications                 Windows Update   Microsoft Update
Windows (2000 SP3+, XP+, WS2003)             √                 √
Office (XP & 2003)                                             √
SQL Server 2000, MSDE 2000                                     √
Exchange 2003                                                  √
Additional products over time                                  √

• SUS 1.0 synchronizes with WU
• WSUS synchronizes with MU
• Both services are built on a customized version of Windows Update Services
WSUS: How it Works
[Diagram: Microsoft Update, the WSUS server (labelled "WUS Server"), the administrator, and desktop clients in Target Group 1 and Target Group 2]
• Administrator subscribes to the update categories
• Server downloads updates from Microsoft Update
• Clients register themselves with the server
• Administrator puts clients in different target groups
• Administrator approves updates
• Clients install approved updates
Update Management Features
• Target Groups
  • Registry-based policy support for AD environments
  • Server-side lists for non-AD environments
• Administrator control
  • Initiate scan of machines for patch applicability
  • Approve for install and uninstall (requires update support)
  • Date-based deadlines for approved updates
  • Deploy different updates to target groups
  • Configurable client polling frequency
  • Configurable reboot behavior
  • Port configurability
  • Non-administrators can install updates (like administrators)
  • Install at shutdown (XP SP2 only)
WSUS issues
• Clients may not check in
  • Manually put the server URL in the registry
• Sync process takes a long time
  • About 24 hours if you pull down all files
Install WSUS…
1. Double-click the installer file WSUSSetup.exe.
   Note: the latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.
2. On the Welcome page of the wizard, click Next.
3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.
4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
   Keep the default options, and click Next.
Select Update Source Page
Install
• Needs a LOT of disk space
  • 6 GB
WMSDE is the default
• On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.
• If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the "Deploying Microsoft Windows Server Update Services" white paper.
• Keep the default options, and click Next.
• Database Options Page
WSUS install
• Now up to 8 GB
Web admin console
• WSUS will choose port 8530
To get to WSUS
• Admin tools
• http://servername:8530/WSUSAdmin/
WSUS sync
WSUS console
Missing the computers!
Adding the WUAU template
1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
2. On the Action menu, click Add/Remove Templates.
3. Click Add.
4. In the Policy Templates dialog box, click wuau.adm, and then click Open.
5. In the Add/Remove Templates dialog box, click Close.
Connect the clients
• In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
• In the details pane, click Specify intranet Microsoft update service location.
• Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server.
• Click OK, and then configure the behavior of Automatic Updates.
Assigning groups
• Two methods
  • Group Policy
  • Move computers
Group Policy
• Add a new policy to Active Directory
• Drill down to the setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update
WU: point it
• First point your intranet updating at the WSUS server
• Remember port 8530
Change the check-in interval
• If you like, change the detection frequency
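The "Connect the clients" GPO settings and the detection-frequency setting above all end up as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The script below is an added example, not part of the presentation, that writes those same values with PowerShell (useful on a lab machine or a workgroup client that receives no Group Policy) and reads them back to confirm the client is pointed at the intended server. The server name "wsus01", the 4-hour detection frequency and the optional target group "Workstations" are placeholders I chose, not values from the slides; run it from an elevated prompt.

```powershell
# Added example, not from the presentation: the registry values behind the
# "Specify intranet Microsoft update service location" and detection-frequency
# GPO settings, written directly with PowerShell. On domain members let the GPO
# write these and use Test-WsusClientPolicy only to read them back.
# Assumptions (placeholders, not from the slides): server "wsus01", port 8530,
# a 4-hour detection frequency and an optional client-side target group.
param(
    [string]$WsusServer = 'wsus01',
    [int]$Port = 8530,
    [ValidateRange(1, 22)][int]$DetectionFrequencyHours = 4,
    [string]$TargetGroup = ''
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"
$serverUrl = 'http://{0}:{1}' -f $WsusServer, $Port   # same URL goes in both GPO text boxes

function Set-WsusClientPolicy {
    New-Item -Path $policyKey -Force | Out-Null
    New-Item -Path $auKey -Force | Out-Null

    # "Set the intranet update service for detecting updates" and
    # "Set the intranet statistics server" from the slides: same value for both.
    Set-ItemProperty -Path $policyKey -Name 'WUServer'       -Value $serverUrl -Type String
    Set-ItemProperty -Path $policyKey -Name 'WUStatusServer' -Value $serverUrl -Type String

    # Tell Automatic Updates to use the intranet server instead of Microsoft Update.
    Set-ItemProperty -Path $auKey -Name 'UseWUServer' -Value 1 -Type DWord

    # AUOptions 3 = download updates automatically and let the user choose when to
    # install them (the "Download" choice on the Auto updates slide).
    Set-ItemProperty -Path $auKey -Name 'AUOptions' -Value 3 -Type DWord

    # "Change the check-in interval": detection frequency in hours (1-22).
    Set-ItemProperty -Path $auKey -Name 'DetectionFrequencyEnabled' -Value 1 -Type DWord
    Set-ItemProperty -Path $auKey -Name 'DetectionFrequency' -Value $DetectionFrequencyHours -Type DWord

    # Optional client-side targeting: only honoured when the WSUS server is set to
    # take target groups from Group Policy or registry settings on the computers.
    if ($TargetGroup) {
        Set-ItemProperty -Path $auKey -Name 'TargetGroupEnabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $auKey -Name 'TargetGroup' -Value $TargetGroup -Type String
    }
}

function Test-WsusClientPolicy {
    # Read the values back; $true only when the client is pointed at the intended
    # server on the intended port and told to use it.
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    return ($wu.WUServer -eq $serverUrl) -and
           ($wu.WUStatusServer -eq $serverUrl) -and
           ($au.UseWUServer -eq 1)
}

Set-WsusClientPolicy
if (Test-WsusClientPolicy) {
    # Make the client re-read policy and contact the server now instead of waiting
    # for the next detection cycle (wuauclt is the XP/2003-era client the slides target).
    Restart-Service -Name wuauserv
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
    Write-Output "Client now points at $serverUrl"
} else {
    Write-Error 'Policy values did not read back as expected'
}
```

Usage: `.\Set-WsusClient.ps1 -WsusServer wsus01 -DetectionFrequencyHours 4 -TargetGroup Workstations`. The read-back test is deliberately strict about WUServer and WUStatusServer being identical, because a client whose statistics server differs from its update server is one of the quiet reasons the computer never appears in the console.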
Adding ZONES
Key decision making right here:
• What risk?
• What zone?
• What deployment strategy?
• Who gets what patches when?
At least have a zone for the server[s]
• One for workstations
• More zones?
• Groups are your risk areas
• Create the 'groups' to match your risk zones
Approve updates
• Approval
Approval
• Approval: be patient
Troubleshooting
• Main causes of issues are simple configuration errors
  • e.g. "http://wsusservernome/" (a mistyped server name) in a GPO object
• SelfUpdate tree needs to be on port 80
• Tools with the RC
  • Clientdiag.exe: diagnoses some issues
• Logs
  • %systemroot%\WindowsUpdate.log
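The three troubleshooting points above (a mistyped server name in the GPO, the SelfUpdate tree on port 80, and WindowsUpdate.log) can be checked from the client without touching anything. The script below is an added example of such a check, not a tool from the presentation or from Microsoft: it reads the policy values a GPO would have written, confirms the host name in WUServer resolves and answers on the WSUS port and on port 80, and lists the most recent WARNING lines from the log. It assumes the text log at %SystemRoot%\WindowsUpdate.log that XP/2003-era clients keep; function names are my own.

```powershell
# Added example, not from the presentation: a read-only check for the simple
# configuration errors the Troubleshooting slide describes. Nothing here changes
# the machine. Assumption: the text log at %SystemRoot%\WindowsUpdate.log (on
# Windows 10 / Server 2016 and later, create that file first with Get-WindowsUpdateLog).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # The values the "Specify intranet Microsoft update service location" GPO writes.
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = $au.UseWUServer
        DetectionFrequency = $au.DetectionFrequency
    }
}

function Test-WsusServerUrl {
    # Returns a list of human-readable problems; an empty list means the URL looks usable.
    param([string]$Url, [int]$SelfUpdatePort = 80)
    $problems = @()
    if (-not $Url) { return ,@('WUServer is not set: the client is not pointed at any WSUS server') }

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri) -or
        @('http', 'https') -notcontains $uri.Scheme) {
        return ,@("WUServer '$Url' is not a valid http(s) URL")
    }

    # A mistyped host name (the slide's "wsusservernome") fails here, before any HTTP traffic.
    try   { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
    catch { $problems += "Host '$($uri.Host)' does not resolve in DNS; check the GPO for a typo" }

    # The client talks to the WSUS port from the URL and fetches its own agent update
    # from the SelfUpdate tree on port 80, so both ports must be reachable.
    foreach ($port in @($uri.Port, $SelfUpdatePort) | Select-Object -Unique) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($uri.Host, $port) }
        catch   { $problems += "No TCP connection to $($uri.Host) on port $port" }
        finally { $tcp.Close() }
    }
    return ,$problems
}

function Get-WsusLogWarnings {
    # Most recent WARNING/FATAL lines from the agent log named on the slide.
    param([string]$LogPath = "$env:SystemRoot\WindowsUpdate.log", [int]$Last = 20)
    if (-not (Test-Path $LogPath)) { return @() }
    Select-String -Path $LogPath -Pattern 'WARNING|FATAL' |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

$cfg = Get-WsusClientPolicy
$cfg | Format-List
if ($cfg.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1: Automatic Updates will ignore WUServer'
}
if ($cfg.WUServer -ne $cfg.WUStatusServer) {
    Write-Warning 'WUServer and WUStatusServer differ; the slides say to use the same URL in both'
}
Test-WsusServerUrl -Url $cfg.WUServer | ForEach-Object { Write-Warning $_ }
Write-Output '--- recent WindowsUpdate.log warnings ---'
Get-WsusLogWarnings
```

The DNS check runs before the TCP checks on purpose: a GPO with a mistyped name produces a resolution failure and nothing else, which is quicker to recognise than the generic connection timeouts that follow it. Clientdiag.exe from the release candidate covers similar ground; this script is only a way to see the same facts in one place.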
Securing WSUS traffic
• Forcing the WSUSAdmin site to use SSL is simple
  • Obtain and install a web certificate
  • Enable SSL on the WSUSAdmin directory
Low-bandwidth tips
• Some initial configuration is required
  • Synchronisation options
    – Schedule
    – What types of updates
    – Proxy server settings
    – Languages (ALL languages is the default)
  • Automatic Approval options
    – Which updates should be automatically approved