WSUS Windows Update Services

1
WSUSWindows Update Services

• Robert CultraraWorld Health Organization

2
Purpose of the presentation

• How to make an assessment of the security on your
  windows network
• Get started with Microsoft and Windows update
• How to install, manage and troubleshoot WSUS
• How WSUS can be used in a low-bandwidth
  environment

3
The problem

• Viruses (self inflicted)
• Worms (network inflicted)
• .ware - Malware/Spyware
• Users countering policy
• Service and Network Outage (due to saturation and
  loss)

4
Microsoft Baseline Security Analyzer (MBSA)

• MBSA makes an assessment of your windows network
  security
• It provides you clear instruction how to make
  your windows network more secure

5
Windows and Microsoft updates
6
WU and MU

• Windows Update
• Just patches Windows
• http//update.microsoft.com/windowsupdate
• Microsoft update
• http//update.microsoft.com/microsoftupdate
• Patches
• Windows
• Office
• Exchange
• More to come
• Engine is the same - Troubleshoot the same

7
MU is optional

• How to activate Microsoft update

8
MU steps

• Accept EULA
• Need to install software to get it to use it
• Downloads activeX files
• \Windows\Downloaded Program Files
• The following ActiveX controls will be installed
• MUWebControl Class
• WUWebControl Class

9
Is it safe?

• If first visit will get authenticode prompt

10
Checking for updates
11
Two options to install

• Express Install This option is recommended and
  provides the easiest method for installing high
  priority updates.
• Custom Install This option enables a user to
  select which specific updates are installed.

12
Better history interface
13
Revert to WU

• Go back
• Click on Change settings
• Check the box

14
File updated

• Windows Genuine Advantage control
• Windows Installer 3.1
• Background Intelligent Transfer Service (BITS)
  update

15
Auto updates options

• Download
• Will allow you to install them at a later time

16
WSUSHow to update an entire network
17
WSUS installation

• Install on Windows server
• As default it goes on port 8530
• On standard loads up a MSDE instance
• Remember clients may need in registry
  http//servername8530, or Group Policy

18
WSUS Services

• SUS 1.0 synchronizes with WU
• WSUS synchronizes with MU
• Both services built on customized version of
  Windows Update Services

19
WSUS How it Works
Microsoft Update
WUS Server
Desktop ClientsTarget Group 1
Server ClientsTarget Group 2
WUS Administrator
Administrator puts clients in different target
groups
Administrator approves updates
Administrator subscribes to update categories
Server downloads updates from Microsoft Update
Clients register themselves with the server
Clients install administrator approved updates
20
Update Management Features

• Target Groups
• Registry-based policy support for AD environments
• Server-side lists for non-AD environments
• Administrator control
• Initiate scan of machines for patch applicability
• Approve for install and uninstall (requires
  update support)
• Date-based deadlines for approved updates
• Deploy different updates to target groups
• Configurable client polling frequency
• Configurable reboot behavior
• Port configurability
• Non-administrators can install updates (like
  administrators)
• Install at Shutdown (XP SP2 only)

21
WSUS issues

• Clients may not check in
• Manually put in registry
• Sync process takes a long time
• About 24 hours if you pull down all files

22
Install WSUS

• Double-click the installer file WSUSSetup.exe.
• Note
• The latest version of WSUSSetup.exe is available
  on the Microsoft Web site for Windows Server
  Update Services at http//go.microsoft.com/fwlink/
  ?LinkId47374.
• 2. On the Welcome page of the wizard, click Next.
• 3. Read the terms of the license agreement
  carefully, click I accept the terms of the
  License Agreement, and then click Next.
• 4. On the Select Update Source page, you can
  specify where clients get updates. If you select
  the Store updates locally check box, updates are
  stored on the WSUS server and you select a
  location in the file system to store updates. If
  you do not store updates locally, client
  computers connect to Microsoft Update to get
  approved updates.
• Keep the default options, and click Next.
• Select Update Source Page

23
Install

• Needs a LOT of disk space
• 6 GB

24
WMSDE is default

• On the Database Options page, you select the
  software used to manage the WSUS database. By
  default, WSUS Setup offers to install WMSDE if
  the computer you are installing to runs
  Windows Server 2003.
• If you cannot use WMSDE, you must provide a SQL
  Server instance for WSUS to use, by clicking Use
  an existing database server on this computer and
  typing the instance name in the SQL instance name
  box. For more information about database software
  options besides WMSDE, see the Deploying
  Microsoft Windows Server Update Services white
  paper.
• Keep the default options, and click Next.
• Database Options Page

25
WSUS install

• Now up to 8 gigs

26
Web admin console

• WSUS will chose 8530

27
To get to WSUS

• Admin tools
• http//servername8530/WSUSAdmin/

28
WSUS sync
29
WSUS console
Missing the computers!
30
Adding the WUAU template

• 1. In Group Policy Object Editor, click either of
  the Administrative Templates nodes.
• 2. On the Action menu, click Add/Remove
  Templates.
• 3. Click Add.
• 4. In the Policy Templates dialog box, click
  wuau.adm, and then click Open.
• 5. In the Add/Remove Templates dialog box, click
  Close.

31
Connect the clients

• In Group Policy Object Editor, expand Computer
  Configuration, expand Administrative Templates,
  expand Windows Components, and then click Windows
  Update.
• In the details pane, click Specify Intranet
  Microsoft update service location.
• Type the HTTP URL of the same WSUS server in both
  Set the intranet update service for detecting
  updates and Set the intranet statistics server.
  For example, type http//servername8530 in both
  text boxes, where servername is the name of your
  WSUS server.
• Click OK, and then configure the behavior of
  Automatic Updates

32
Assigning groups

• Two methods
• Group policy
• Move computers

33
Group Policy

• Add a new policy to active directory

34
Drill down to the setting

• Computer config
• Admin
• Components
• Windows Update

35
WU point it

• First point your intranet updating
• Remember 8530

36
Change the check in interval

• If you like change the detection frequency

37
Adding ZONES

• Key decision making right here
• What risk
• What zone
• What deployment strategy
• Who gets what patches when?
• At least have a Zone for the servers
• One for workstations
• More zones?

38

• Groups are your Risk areas
• Create the groups to match your risk zones

39
Approve updates

• Approval

40
Approval

• Approval be patient

41
Troubleshooting

• Main causes of issue are simple configuration
  errors
• http//wsusservernome/ in a GPO Object
• SelfUpdate tree needs to be on port 80
• Tools with the RC
• Clientdiag.exe diagnoses some issues
• Logs
• systemroot\WindowsUpdate.log

42
Securing WSUS traffic

• Forcing WSUSAdmin site to use SSL is simple
• Obtain and install a web certificate
• Enable SSL on WSUSADMIN directory

43
Low-bandwidth tips

• Some initial configuration requires
• Synchronisation options
• Schedule
• What types of updates
• Proxy server settings
• Languages (ALL languages is the default)
• Automatic Approval options
• Which updates should be automatically approved