1
Security Patching Using Windows Server Update
Services
Jeff Alexander, IT Pro Evangelist, Microsoft
Australia, http://blogs.technet.com/jeffa36
2
Agenda
  • Update Services Goals and Design Principles
  • Features
  • Architecture
  • Deployment
  • Scenarios
  • Migration from SUS 1.0
  • Considerations

3
What is Update Services?
  • Corporate update management offering
  • Gets content from Microsoft Update (MU) service
  • RTW component of Windows Server
  • Free to Windows Server (2000 and above) licensees
  • Requires Windows Server / Core CAL for target
    systems
  • Does not change currently available offerings
  • SUS 1.0 continues to get content from WU
  • Core component of Microsoft's Patch Update
    Management solutions roadmap

4
WSUS Goals and Design Principles
  • Deliver easy to use, fully functional solution to
    address update management scenarios for all
    Microsoft products
  • Automate the update management process as much as
    possible
  • Support more than just Windows patches
  • Address customer requests from SUS 1.0
  • Optimize administrator experience for IT
    generalist
  • Build the core patch management infrastructure
    for the Windows platform
  • Leveraged by other tools (e.g., SMS, 3rd-party
    products)
  • Rich set of APIs to allow for extensibility and
    customization
  • Scale to large Internet services (Microsoft
    Update)

5
Solution Overview
Microsoft Update
WSUS Server
Desktop ClientsTarget Group 1
Server ClientsTarget Group 2
WSUS Administrator
Administrator puts clients in different target
groups
Administrator approves updates
Administrator subscribes to update categories
Server downloads updates from Microsoft Update
Clients register themselves with the server
Agents install administrator approved updates
6
Supported Products and Content
  • Content Partners
  • Windows, Office, SQL, Exchange at RTM.
  • Additional products added over time
  • OS platforms
  • Client/agent
  • Win2k SP3 and later, WinXP RTM and later (incl.
    XP embedded)
  • Win2k3 RTM (32-bit only), Win2k3 SP1 (x64 and
    IA64)
  • Server
  • Win2k SP4 and later
  • Win2k3 RTM and later (32-bit only)
  • International support
  • Client is localized to 25 Windows client locales
  • Server is localized to 17 Windows Server locales
  • MUI support

7
Features
  • Administrator defined target groups
  • Group Policy defines client membership for AD
    environments
  • WSUS Server defined group membership for non-AD
    environments
  • Administrator control of approvals
  • Detect-only: evaluation of machines for patch
    applicability without installing
  • Approve for install and uninstall (requires
    update support)
  • Date-based deadlines
  • Per target group approval
  • Different updates to different target groups
  • Different deadlines per target group
  • Different action per target group

8
Features
  • Flexible Agent Configuration
  • Polling frequency
  • Notification and Install behaviors
  • Reboot behaviors
  • Port configurability
  • Non-administrators can install updates (like
    administrators)
  • Install at Shutdown (XP SP2 only)

9
Network Optimization Features
  • Resilient and transparent
  • BITS for client-server and server-server
    downloads
  • Downloads are in the background
  • Minimized data downloads
  • Update subscriptions only download updates for
    products, classifications and languages that
    you need
  • Support for delta compression technologies for
    client-server communications
  • Option to only download approved updates
    (download on demand)
  • Option to download only update descriptions;
    detection binaries stay on MU

BITS: Background Intelligent Transfer Service
10
demonstration
User Interface
11
Reporting Features
  • Synchronization reports
  • What's new, what changed
  • Event log integration
  • Agent and server status events sent to local
    event log
  • All reporting information available via Server
    .NET API

12
Deployment/Management Flexibility
  • Server deployment options
  • Stand alone server
  • Hierarchical deployments of servers
  • Independent servers: no replication of approvals
  • Replica servers: approvals and target groups
    replicated between Update Services servers
  • Disconnected Servers
  • Manageability (and extensibility)
  • Server
  • .NET based Server APIs
  • Simple rules for automatic headless deployment
    of updates
  • Client
  • Client Command line options to trigger update
    detection
  • COM based APIs with scripting remoting support

13
Server
  • Simple to use web UI allows administration from
    any computer
  • Synchronization engine to download updates from
    Microsoft Update
  • SQL database holds all data other than content
    (software files)
  • Can be set up in a hierarchy to suit
    organizational needs
  • Completely built on managed code
  • Uses BITS to efficiently utilize the network
  • Secure
  • Validates all downloaded content
  • All content download locations securely ACLed
  • Scalable
  • Supports up to 15k clients on a single 1 GHz,
    512 MB server
  • Replica servers for scale out

14
Server Architecture
WSUS Servers/MU
Clients
Admin workstation
Server/Server Web service
Client/Server Web service
Reporting Web service
Admin UI
Content sync
Catalog sync
Server API
Metadata Store MSDE/SQL
File Store (NTFS)
15
Client
  • Win32 Service (Agent) implements most
    functionality
  • Extensible architecture based on Update type
    Handlers
  • Handlers for MSI, update.exe, drivers etc.
  • Automatically self-updates to newer versions
    offered on the server
  • Automatic Updates feature controllable by policy
  • Secure
  • Validates all downloaded content for Microsoft
    certificates
  • All content download locations securely ACLed

16
Public APIs
  • Both client and server expose public APIs
  • .NET based Server APIs (for admin tasks)
  • Scriptable COM based client APIs
  • Sample scripts and code in SDK

17
Client Architecture
18
Server API
  • Extremely functional .NET API
  • API provides access to a superset of the UI tasks
  • Configure server
  • Approve Updates
  • Add/remove Target groups
  • Add/remove clients, set target group membership
  • Create custom reports
  • All of the Update Services UI uses this public
    API
  • The bad news
  • Not exposed as COM interface
  • No remoting support - must be called from local
    machine
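The server API slide above lists the tasks the .NET API covers (target groups, approvals, custom reports) and the "simple rules for automatic headless deployment" mentioned under Deployment/Management Flexibility. The script below is an added example written for this page, not code from the presentation or from the WSUS SDK. It runs locally on the WSUS server, as the slide requires, and assumes the Microsoft.UpdateServices.Administration assembly that installs with the WSUS console; the group name "Pilot", the classification list and the 7-day deadline are hypothetical choices.

```powershell
# Added example, not from the presentation. Run in PowerShell on the WSUS
# server itself (the slide notes the .NET API cannot be called remotely).
# Assumes the Microsoft.UpdateServices.Administration assembly shipped with
# the WSUS console is present; "Pilot" and the 7-day deadline are hypothetical.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-OrCreateTargetGroup {
    param([string]$Name)
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($group) { return $group }
    return $wsus.CreateComputerTargetGroup($Name)
}

function Approve-SecurityUpdates {
    param(
        $Group,
        [datetime]$Deadline,
        [string[]]$Classifications = @('Security Updates', 'Critical Updates')
    )
    # Scope the query to updates nobody has approved yet, in the chosen
    # classifications only, so the rule never overrides a human decision.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    foreach ($c in $wsus.GetUpdateClassifications()) {
        if ($Classifications -contains $c.Title) { [void]$scope.Classifications.Add($c) }
    }

    $approved = @()
    foreach ($u in $wsus.GetUpdates($scope)) {
        # Superseded updates are skipped rather than declined: approving them
        # adds install churn, declining them blindly can hide a needed fix.
        if ($u.IsSuperseded) { continue }
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $Group, $Deadline)
        $approved += $u
    }
    return $approved
}

function Get-GroupComplianceReport {
    param($Group)
    # The same per-computer counts the built-in status report shows,
    # pulled through the API so they can feed a custom report.
    foreach ($c in $Group.GetComputerTargets()) {
        $s = $c.GetUpdateInstallationSummary()
        New-Object PSObject -Property @{
            Computer     = $c.FullDomainName
            LastReported = $c.LastReportedStatusTime
            NotInstalled = $s.NotInstalledCount
            Downloaded   = $s.DownloadedCount
            Failed       = $s.FailedCount
            Installed    = $s.InstalledCount
        }
    }
}

$pilot = Get-OrCreateTargetGroup -Name 'Pilot'
$done  = Approve-SecurityUpdates -Group $pilot -Deadline (Get-Date).AddDays(7)
"Approved {0} update(s) for '{1}'" -f $done.Count, $pilot.Name
Get-GroupComplianceReport -Group $pilot | Format-Table Computer, LastReported, NotInstalled, Failed -AutoSize
```

Approving to a pilot group with a deadline, then reading the compliance counts back, is the minimum a headless rule should do: the deadline is what turns an approval into an enforced install, and the report is what tells you whether the pilot machines actually took it before the same rule is pointed at the production group.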

19
demonstration
Deploying Updates Using WSUS
20
Client API
  • Public APIs, implemented as wrappers around Agent
    and Automatic Updates feature
  • Exposed through COM and fully scriptable
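Slide 12 mentions client command-line options to trigger detection and COM-based client APIs; the slide above says those APIs wrap the Agent and Automatic Updates. The script below is an added example for this page, not code from the presentation, and uses only the public COM objects (Microsoft.Update.Session, Microsoft.Update.AutoUpdate, Microsoft.Update.AgentInfo) to read the agent's state, list what the WSUS server says is missing, and trigger a detection cycle. It assumes an elevated PowerShell session on a client that is already pointed at a WSUS server.

```powershell
# Added example, not from the presentation. Runs on a client in an elevated
# PowerShell session; nothing here touches the server side.

function Get-WuAgentInfo {
    $info = New-Object -ComObject 'Microsoft.Update.AgentInfo'
    $au   = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    New-Object PSObject -Property @{
        AgentVersion      = $info.GetInfo('ProductVersionString')  # agent self-updates from the server (slide 15)
        ServiceEnabled    = $au.ServiceEnabled
        # NotificationLevel: 1 disabled, 2 notify before download,
        # 3 notify before install, 4 scheduled install
        NotificationLevel = $au.Settings.NotificationLevel
        PolicyControlled  = $au.Settings.ReadOnly                   # $true when policy owns these settings
        ScheduledDay      = $au.Settings.ScheduledInstallationDay
        ScheduledHour     = $au.Settings.ScheduledInstallationTime
    }
}

function Get-MissingUpdates {
    # ServerSelection 1 (ssManagedServer) evaluates against the WSUS server
    # the client is configured for, not the public Windows Update site.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1
    $searcher.Online = $true
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $u.MsrcSeverity
            Downloaded = $u.IsDownloaded
            Title      = $u.Title
        }
    }
}

function Get-RecentInstallHistory {
    param([int]$Count = 20)
    # ResultCode values of IUpdateHistoryEntry
    $codes = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    foreach ($h in $searcher.QueryHistory(0, [Math]::Min($Count, $total))) {
        if ($h.Operation -ne 1) { continue }   # 1 = installation, 2 = uninstallation
        $rc = [int]$h.ResultCode
        New-Object PSObject -Property @{
            Date    = $h.Date
            Result  = if ($codes.ContainsKey($rc)) { $codes[$rc] } else { "Code $rc" }
            HResult = ('0x{0:X8}' -f [int]$h.HResult)
            Title   = $h.Title
        }
    }
}

function Start-WuDetection {
    # Same effect as the agent's command-line detection trigger; the client
    # reports the result to the server on its next status report.
    (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
}

Get-WuAgentInfo
Get-MissingUpdates | Sort-Object Severity | Format-Table KB, Severity, Downloaded, Title -AutoSize
Get-RecentInstallHistory -Count 10 | Format-Table Date, Result, HResult, Title -AutoSize
Start-WuDetection
```

The history query is the part worth keeping in a troubleshooting kit: a failed install shows up there with its HRESULT long before the server-side report refreshes, and `PolicyControlled` being `$true` tells you the local settings came from policy and are not the thing to edit.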

21
Deployment Options
  • Server Options
  • Single Server
  • Multiple Servers
  • Replica
  • Autonomous
  • Disconnected Servers
  • Client Options
  • Detection frequency
  • Client side vs Server side targeting mode

22
Single Server: Small organization or simple
network
  • Configure single server to talk to MU
  • Synchronize all relevant updates (e.g. Windows XP
    critical and security updates)
  • Configure clients to point to the WSUS server
  • Optionally
  • Create target groups for different groups of
    machines
  • Configure clients to be members of a target group
  • Configure auto approval rules to approve updates
    for install automatically
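The client half of the procedure above ("configure clients to point to the WSUS server", "configure clients to be members of a target group") and the agent settings on the Features slides (target groups by policy, polling frequency, notification and install behaviour, reboot behaviour, non-administrator installs) all come down to the same policy registry values that the Group Policy templates write. The script below is an added example for this page, not code from the presentation; it writes those values directly for a machine outside AD or in a lab, then audits them. The server name, the SSL port 8531 and the group name "Pilot" are assumptions for the example.

```powershell
# Added example, not from the presentation. Sets the WSUS client policy values
# under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate directly (the
# same values the Group Policy templates write) and audits the result.
# Server URL, port 8531 and the group "Pilot" are hypothetical.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-WsusClientPolicy {
    param(
        [string]$Server      = 'https://wsus.example.local:8531',
        [string]$TargetGroup = 'Pilot',
        [int]$DetectionHours = 4,   # polling frequency, 1-22 hours; agent adds a random offset
        [int]$InstallDay     = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour    = 3
    )
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # Server location and client-side targeting (group membership set on the client).
    Set-ItemProperty $PolicyKey WUServer           $Server      -Type String
    Set-ItemProperty $PolicyKey WUStatusServer     $Server      -Type String
    Set-ItemProperty $PolicyKey TargetGroupEnabled 1            -Type DWord
    Set-ItemProperty $PolicyKey TargetGroup        $TargetGroup -Type String
    Set-ItemProperty $PolicyKey ElevateNonAdmins   1            -Type DWord  # non-admins may install

    # Agent behaviour: polling, install schedule, reboot handling.
    Set-ItemProperty $AuKey UseWUServer                   1               -Type DWord
    Set-ItemProperty $AuKey NoAutoUpdate                  0               -Type DWord
    Set-ItemProperty $AuKey AUOptions                     4               -Type DWord  # 4 = download and schedule install
    Set-ItemProperty $AuKey ScheduledInstallDay           $InstallDay     -Type DWord
    Set-ItemProperty $AuKey ScheduledInstallTime          $InstallHour    -Type DWord
    Set-ItemProperty $AuKey DetectionFrequencyEnabled     1               -Type DWord
    Set-ItemProperty $AuKey DetectionFrequency            $DetectionHours -Type DWord
    Set-ItemProperty $AuKey NoAutoRebootWithLoggedOnUsers 1               -Type DWord
}

function Test-WsusClientPolicy {
    # The agent checks Microsoft signatures on the update binaries it downloads
    # (slide 15) but takes the server URL itself on trust, so the metadata and
    # approval channel should be SSL. Returns a list of findings; empty is good.
    $p  = Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty $AuKey     -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $p -or -not $p.WUServer)           { $findings += 'WUServer not set: client will use Microsoft Update' }
    elseif ($p.WUServer -notmatch '^https://')  { $findings += "WUServer is not SSL: $($p.WUServer)" }
    if ($p.WUStatusServer -ne $p.WUServer)      { $findings += 'WUStatusServer differs from WUServer: status reports go elsewhere' }
    if ($au.UseWUServer -ne 1)                  { $findings += 'UseWUServer is not 1: WUServer is ignored' }
    if ($au.NoAutoUpdate -eq 1)                 { $findings += 'Automatic Updates disabled by policy' }
    if ($p.TargetGroupEnabled -eq 1 -and -not $p.TargetGroup) {
        $findings += 'Client-side targeting enabled with an empty TargetGroup'
    }
    if ($au.DetectionFrequencyEnabled -eq 1 -and ($au.DetectionFrequency -lt 1 -or $au.DetectionFrequency -gt 22)) {
        $findings += "DetectionFrequency $($au.DetectionFrequency) is outside the supported 1-22 hours"
    }
    return $findings
}

Set-WsusClientPolicy
$issues = Test-WsusClientPolicy
if ($issues) { $issues | ForEach-Object { "FINDING: $_" } } else { 'Client policy looks sane' }
# The agent re-reads policy on its next cycle; restart it to pick the change up now.
Restart-Service wuauserv
```

In an AD environment the same values arrive through Group Policy and `Test-WsusClientPolicy` is the useful half: it tells you whether the machine will talk to the server you think it will, over SSL, and report into the group you expect. If the server is in server-side targeting mode, `TargetGroupEnabled` must be 0 or the client's group value is ignored.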

23
Multiple Servers
Microsoft Update
WSUS Server
WSUS Server
24
Multiple Server Scenario: Large
organization/complex network
  • Configure single/multiple servers to talk to MU
  • Synchronize all relevant updates (e.g. All
    Windows XP, 2000, 2003 critical, security
    updates)
  • Create a hierarchy of servers
  • Independent WSUS servers in the intranet
  • Replica servers
  • Configure clients to point to respective WSUS
    servers
  • Optionally
  • Create target groups for different groups of
    machines
  • Configure clients to be members of a target group

25
Disconnected Servers
Microsoft Update
WSUS Server
WSUS Server
26
Disconnected Server: Disconnected networks
  • Setup an external server to talk to MU
  • Synchronize all relevant updates (e.g. All
    Windows XP, 2000, 2003 critical, security
    updates)
  • Export update data and content to media
  • Import update data and content to WSUS server on
    disconnected network
  • Server validates the Microsoft signatures on
    imported content and the integrity of the
    imported data relationships
  • Configure clients to point to respective WSUS
    servers
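The export and import steps of the disconnected procedure above are done with wsusutil on each side plus a copy of the content folder. The script below is an added example for this page, not code from the presentation; it assumes the WSUS 3.0-and-later wsusutil syntax (`export <package> <log>` and `import <package> <log>`), the default tools and content paths, and adds a hash check so the disconnected side rejects a package that changed in transit before wsusutil parses it. Check the syntax and paths against your own servers.

```powershell
# Added example, not from the presentation. Assumes the WSUS 3.0+ wsusutil
# export/import syntax and default paths; verify both on your servers.

$WsusUtil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

function Export-WsusPackage {
    # Connected side: metadata goes into the package, content is copied separately.
    param([string]$Media, [string]$ContentDir = 'C:\WSUS\WsusContent')
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    $cab = Join-Path $Media 'wsus-export.cab'
    & $WsusUtil export $cab (Join-Path $Media 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed with exit code $LASTEXITCODE" }
    # /E copies subtrees, /XO skips files already current on the media
    & robocopy $ContentDir (Join-Path $Media 'WsusContent') /E /XO /NP /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    Set-Content -Path "$cab.sha256" -Value (Get-Sha256Hex $cab)
}

function Import-WsusPackage {
    # Disconnected side: verify the package, copy content FIRST (the metadata
    # refers to it), then import the metadata.
    param([string]$Media, [string]$ContentDir = 'C:\WSUS\WsusContent')
    $cab      = Join-Path $Media 'wsus-export.cab'
    $expected = (Get-Content "$cab.sha256").Trim()
    $actual   = Get-Sha256Hex $cab
    if ($actual -ne $expected) { throw "Package hash mismatch: expected $expected, got $actual" }
    & robocopy (Join-Path $Media 'WsusContent') $ContentDir /E /XO /NP /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    & $WsusUtil import $cab (Join-Path $Media 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed with exit code $LASTEXITCODE" }
}

# Export-WsusPackage -Media 'E:\wsus-media'   # on the Internet-facing server
# Import-WsusPackage -Media 'E:\wsus-media'   # on the disconnected server
```

A hash that travels on the same media as the package only catches accidental corruption; to catch tampering, read the hash value off the connected server through a separate channel and compare it by hand on the disconnected side. The importing server's own signature checks (the slide above) cover the content files themselves, not the package wrapper, which is why the check sits in front of wsusutil.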

27
Migration: SUS 1.0 to WSUS
  • Single server
  • WSUS and SUS 1.0 on a single server
  • Multiple servers
  • WSUS and SUS 1.0 on separate servers
  • Multiple SUS 1.0 servers to a single WSUS server
  • Multiple SUS 1.0 servers to multiple WSUS servers

28
Environment Considerations
  • Ease of updating client settings
  • E.g., policy or scripted
  • New clients coming into environment which are not
    yet WSUS compatible
  • Branch office scenarios
  • Targeting group model

29
Migration Considerations
  • WSUS and SUS 1.0 can not synchronize metadata
    with each other
  • Only one way SUS 1.0 to WSUS migration
  • Migration of update approvals overwrites any
    pre-existing approvals per target group
  • What doesn't migrate
  • proxy server settings
  • Internet Information Services (IIS) settings

30
Single Server Migration
  • For customers with few servers
  • Requires WSUS to be initially installed on a
    different port than SUS 1.0
  • Requires updating all clients as they connect
    once the WSUS server is installed
  • Potentially requires redirecting clients to a
    different port on the same server
  • Clients will still use SUS 1.0 for updates until
    redirected to the WSUS port, or SUS 1.0 is
    decommissioned

31
Multiple SUS server migration
  • To a single WSUS server
  • Take advantage of target groups
  • Consolidate Windows Servers
  • To multiple WSUS servers
  • Maintain organizational structures with different
    administrators
  • Support branch offices

32
Migration Tool
  • WSUSUTIL.EXE migratesus
  • /content <content share>
  • Migrate content from a SUS 1.0 <content share>
  • /approvals <server name>
  • Migrate approvals from the SUS 1.0 server
  • target_group
  • Apply approvals to the target group
    "target_group". Requires /approvals to be
    specified.
  • /log <log_file>
  • Log the migration activities to the <log_file>
    file

33
Deployment Considerations
  • Hardware requirements
  • Number of clients, how often will clients poll
    the server
  • Database storage
  • Local or remote SQL vs MSDE
  • Bandwidth
  • Single site, multi-site, branch office, low
    bandwidth
  • Security
  • Customize ports
  • Scalability
  • Server hierarchy
  • Target options
  • Client side vs server side targeting mode
  • Management
  • Automated with scripts vs Web UI

34
Comparing Microsoft Update, Windows Update
Services, and SMS 2003
  • Adopt the solution that best meets the needs of
    your organization

35
Choosing A Patch Management Solution: Typical
Customer Decisions
  • Customer uses Windows Update, another update
    tool, or a manual update process for OS versions
    and applications not supported by Windows Update
    Services or Microsoft Update
 
36
Summary
  • Windows Server Update Services is a platform
    infrastructure as well as a solution
  • Provides significantly more functionality and
    flexibility than SUS 1.0
  • Default implementation is very simple
  • Complex implementations will require planning

37
Resources
  • WSUS homepage
    http://www.microsoft.com/updateservices
  • WSUS Server download
  • Deployment and Operations Guides
  • SDK and Troubleshooter
  • WSUS community
  • Online Help
  • WSUS Wiki www.wsuswiki.com
  • WSUS Community www.wsus.info
  • Microsoft Update
    http://update.microsoft.com/microsoftupdate
