Security Patching Using Windows Server Update Services - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Security Patching Using Windows Server Update Services

Description:

Gets content from Microsoft Update (MU) service. RTW component of Windows Server. Free to Windows Server (2000 and above) licensees ... – PowerPoint PPT presentation

Number of Views:692
Avg rating:3.0/5.0
Slides: 36
Provided by: deanan7
Category:

less

Transcript and Presenter's Notes

Title: Security Patching Using Windows Server Update Services


1
Security Patching Using Windows Server Update
Services
Jeff Alexander IT Pro Evangelist Microsoft
Australia http//blogs.technet.com/jeffa36
2
Agenda
  • Update Services Goals and Design Principles
  • Features
  • Architecture
  • Deployment
  • Scenarios
  • Migration from SUS 1.0
  • Considerations

3
What is Update Services?
  • Corporate update management offering
  • Gets content from Microsoft Update (MU) service
  • RTW component of Windows Server
  • Free to Windows Server (2000 and above) licensees
  • Requires Windows Server / Core CAL for target
    systems
  • Does not change currently available offerings
  • SUS 1.0 continues to get content from WU
  • Core component of Microsofts Patch Update
    Management solutions roadmap

4
WSUS Goals and Design Principles
  • Deliver easy to use, fully functional solution to
    address update management scenarios for all
    Microsoft products
  • Automate the update management process as much as
    possible
  • Support more than just Windows patches
  • Address customer requests from SUS 1.0
  • Optimize administrator experience for IT
    generalist
  • Build the core patch management infrastructure
    for the Windows platform
  • Leveraged by other tools (e.g., SMS 3rd party
    products)
  • Rich set of APIs to allow for extensibility and
    customization
  • Scale to large Internet services (Microsoft
    Update)

5
Solution Overview
Microsoft Update
WSUS Server
Desktop ClientsTarget Group 1
Server ClientsTarget Group 2
WSUS Administrator
Administrator puts clients in different target
groups
Administrator approves updates
Administrator subscribes to update categories
Server downloads updates from Microsoft Update
Clients register themselves with the server
Agents install administrator approved updates
6
Supported Products and Content
  • Content Partners
  • Windows, Office, SQL, Exchange at RTM.
  • Additional products added over time
  • OS platforms
  • Client/agent
  • Win2k SP3 and later, WinXP RTM and later (incl.
    XP embedded)
  • Win2k3 RTM (32-bit only), Win2k3 SP1 (x64 and
    IA64)
  • Server
  • Win2k SP4 and later
  • Win2k3 RTM and later (32-bit only)
  • International support
  • Client is localized to 25 Windows client locale
  • Server is localized to 17 Windows Server locales
  • MUI support

7
Features
  • Administrator defined target groups
  • Group Policy defines client membership for AD
    environments
  • WSUS Server defined group membership for non-AD
    environments
  • Administrator control of approvals
  • Detect only evaluation of machines for patch
    applicability
  • Approve for install and uninstall (requires
    update support)
  • Date-based deadlines
  • Per target group approval
  • Different updates to different target groups
  • Different deadlines to per target group
  • Different action per target group

8
Features
  • Flexible Agent Configuration
  • Polling frequency
  • Notification and Install behaviors
  • Reboot behaviors
  • Port configurability
  • Non-administrators can install updates (like
    administrators)
  • Install at Shutdown (XP SP2 only)

9
Network Optimization Features
  • Resilient and transparent
  • BITS for client-server and server-server
    downloads
  • Downloads are in the background
  • Minimized data downloads
  • Update subscriptions only download updates for
    products, classifications and languages that
    you need
  • Support for delta compression technologies for
    client-server communications
  • Option to only download approved updates
    (download on demand)
  • Option to download only update descriptions
    detection binaries stay on MU

Background Intelligent Transfer Service
10
demonstration
User Interface
11
Reporting Features
  • Synchronization reports
  • Whats new, what changed
  • Event log integration
  • Agent and server status events sent to local
    event log
  • All reporting information available via Server
    .NET API

12
Deployment/Management Flexibility
  • Server deployment options
  • Stand alone server
  • Hierarchical deployments of servers
  • Independent servers no replication of approvals
  • Replica servers - approvals and target groups
    replicated between Update Services servers
  • Disconnected Servers
  • Manageability (and extensibility)
  • Server
  • .NET based Server APIs
  • Simple rules for automatic headless deployment
    of updates
  • Client
  • Client Command line options to trigger update
    detection
  • COM based APIs with scripting remoting support

13
Server
  • Simple to use web UI allows administration from
    any computer
  • Synchronization engine to download updates from
    Microsoft Update
  • SQL database holds all data other than content
    (software files)
  • Can be set up in a hierarchy to suit
    organizational needs
  • Completely built on managed code
  • Uses BITS to efficiently utilize the network
  • Secure
  • Validates all downloaded content
  • All content download locations securely ACLed
  • Scalable
  • Supports up to 15k clients on a single 1ghz 512Mb
    server
  • Replica servers for scale out

14
Server Architecture
WSUS Servers/MU
Clients
Admin workstation
Server/Server Web service
Client/Server Web service
Reporting Web service
Admin UI
Content sync
Catalog sync
Server API
Metadata Store MSDE/SQL
File Store (NTFS)
15
Client
  • Win32 Service (Agent) implements most
    functionality
  • Extensible architecture based on Update type
    Handlers
  • Handlers for MSI, update.exe, drivers etc.
  • Automatically self-updates to newer versions
    offered on the server
  • Automatic Updates feature controllable by policy
  • Secure
  • Validates all downloaded content for Microsoft
    certificates
  • All content download locations securely ACLed

16
Public APIs
  • Both client and server expose public APIs
  • .NET based Server APIs (for admin tasks)
  • Scriptable COM based client APIs
  • Sample scripts and code in SDK

17
Client Architecture
18
Server API
  • Extremely functional .Net API
  • API provides access to a superset of the UI tasks
  • Configure server
  • Approve Updates
  • Add/remove Target groups
  • Add/remove clients set target group membership
  • Create custom reports
  • All of the Update Services UI uses this public
    API
  • The bad news
  • Not exposed as COM interface
  • No remoting support - must be called from local
    machine

19
demonstration
Deploying Updates Using WSUS
20
Client API
  • Public APIs, implemented as wrappers around Agent
    and Automatic Updates feature
  • Exposed through COM and fully scriptable

21
Deployment Options
  • Server Options
  • Single Server
  • Multiple Servers
  • Replica
  • Autonomous
  • Disconnected Servers
  • Client Options
  • Detection frequency
  • Client side vs Server side targeting mode

22
Single Server Small organization or simple
network
  • Configure single server to talk to MU
  • Synchronize all relevant updates (e.g. Windows XP
    critical and security updates)
  • Configure clients to point to the WSUS server
  • Optionally
  • Create target groups for different groups of
    machines
  • Configure clients to be members of a target group
  • Configure auto approval rules to approve updates
    for install automatically

23
Multiple Servers
Microsoft Update
WSUS Server
WSUS Server
24
Multiple Server Scenario Large
organization/complex network
  • Configure single/multiple servers to talk to MU
  • Synchronize all relevant updates (e.g. All
    Windows XP, 2000, 2003 critical, security
    updates)
  • Create a hierarchy of servers
  • Independent WSUS servers in the intranet
  • Replica servers
  • Configure clients to point to respective WSUS
    servers
  • Optionally
  • Create target groups for different groups of
    machines
  • Configure clients to be members of a target group

25
Disconnected Servers
Microsoft Update
WSUS Server
WSUS Server
26
Disconnected Server Disconnected networks
  • Setup an external server to talk to MU
  • Synchronize all relevant updates (e.g. All
    Windows XP, 2000, 2003 critical, security
    updates)
  • Export update data and content to media
  • Import update data and content to WSUS server on
    disconnected network
  • Server will validate Microsoft certificates on
    content and data relationships integrity
  • Configure clients to point to respective WSUS
    servers

27
Migration SUS 1.0 to WSUS
  • Single server
  • WSUS and SUS 1.0 on a single server
  • Multiple servers
  • WSUS and SUS 1.0 on separate servers
  • Multiple SUS 1.0 servers to a single WSUS server
  • Multiple SUS 1.0 servers to multiple WSUS servers

28
Environment Considerations
  • Ease of updating client settings
  • E.g., policy or scripted
  • New clients coming into environment which are not
    yet WSUS compatible
  • Branch office scenarios
  • Targeting group model

29
Migration Considerations
  • WSUS and SUS 1.0 can not synchronize metadata
    with each other
  • Only one way SUS 1.0 to WSUS migration
  • Migration of update approvals overwrites any
    pre-existing approvals per target group
  • What doesnt migrate
  • proxy server settings
  • Internet Information Services (IIS) settings

30
Single Server Migration
  • For customers with few servers
  • Requires WSUS to be initially installed on a
    different port than SUS 1.0
  • Requires updating all clients as they connect
    once the WSUS server is installed
  • Potentially requires redirecting clients to a
    different port on the same server
  • Clients will still use SUS 1.0 for updates until
    redirected to the WSUS port, or SUS 1.0 is
    decommissioned

31
Multiple SUS server migration
  • To a single WSUS server
  • Take advantage of target groups
  • Consolidate Windows Servers
  • To multiple WSUS servers
  • Maintain organizational structures with different
    administrators
  • Support branch offices

32
Migration Tool
  • WSUSUTIL.EXE migratesus
  • /content ltcontent sharegt
  • Migrate content from a SUS 1.0 ltcontent sharegt
  • /approvals ltserver namegt
  • Migrate approvals from the SUS 1.0 server
  • target_group
  • Apply approvals to the target group
    "target_group".
  • Requires /approvals to be specified.
  • /log ltlog_filegt
  • Log the migration activities to the ltlog filegt
    file

33
Deployment Considerations
  • Hardware requirements
  • Number of clients, how often will clients poll
    the server
  • Database storage
  • Local or remote SQL vs MSDE
  • Bandwidth
  • Single site, multi-site, branch office, low
    bandwidth
  • Security
  • Customize ports
  • Scalability
  • Server hierarchy
  • Target options
  • Client side vs server side targeting mode
  • Management
  • Automated with scripts vs Web UI

34
Comparing Microsoft Update, Windows Update
Services, and SMS 2003
  • Adopt the solution that best meets the needs of
    your organization

35
Choosing A Patch Management SolutionTypical
Customer Decisions
Customer uses Windows Update, another update
tool, or manual update process for OS versions
applications not supported by Windows Update
Services or Microsoft Update
 
36
Summary
  • Windows Server Update Services is a platform
    infrastructure as well as a solution
  • Provides significantly more functionality and
    flexibility than SUS 1.0
  • Default implementation is very simple
  • Complex implementations will require planning

37
Resources
  • WSUS homepage http//www.microsoft.com/updateserv
    ices
  • WSUS Server download
  • Deployment and Operations Guides
  • SDK and Troubleshooter
  • WSUS community
  • Online Help
  • WSUS Wiki www.wsuswiki.com
  • WSUS Community www.wsus.info
  • Microsoft Update http//update.microsoft.com/micr
    osoftupdate

38
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com