Title: Security Patching Using Windows Server Update Services
Security Patching Using Windows Server Update Services
Jeff Alexander, IT Pro Evangelist, Microsoft Australia
http://blogs.technet.com/jeffa36
Agenda
- Update Services Goals and Design Principles
- Features
- Architecture
- Deployment
- Scenarios
- Migration from SUS 1.0
- Considerations
What is Update Services?
- Corporate update management offering
- Gets content from the Microsoft Update (MU) service
- RTW component of Windows Server
- Free to Windows Server (2000 and above) licensees
- Requires a Windows Server / Core CAL for target systems
- Does not change currently available offerings
  - SUS 1.0 continues to get content from Windows Update (WU)
- Core component of Microsoft's Patch / Update Management solutions roadmap
WSUS Goals and Design Principles
- Deliver an easy to use, fully functional solution to address update management scenarios for all Microsoft products
- Automate the update management process as much as possible
- Support more than just Windows patches
- Address customer requests from SUS 1.0
- Optimize the administrator experience for the IT generalist
- Build the core patch management infrastructure for the Windows platform
  - Leveraged by other tools (e.g., SMS, 3rd party products)
  - Rich set of APIs to allow for extensibility and customization
  - Scale to large Internet services (Microsoft Update)
Solution Overview
Diagram: Microsoft Update -> WSUS Server -> Desktop Clients (Target Group 1) and Server Clients (Target Group 2); the WSUS Administrator manages the WSUS Server.
- Administrator puts clients in different target groups
- Administrator approves updates
- Administrator subscribes to update categories
- Server downloads updates from Microsoft Update
- Clients register themselves with the server
- Agents install administrator-approved updates
Supported Products and Content
- Content partners
  - Windows, Office, SQL Server, Exchange at RTM
  - Additional products added over time
- OS platforms
  - Client/agent: Win2k SP3 and later; WinXP RTM and later (incl. XP Embedded); Win2k3 RTM (32-bit only); Win2k3 SP1 (x64 and IA64)
  - Server: Win2k SP4 and later; Win2k3 RTM and later (32-bit only)
- International support
  - Client is localized to 25 Windows client locales
  - Server is localized to 17 Windows Server locales
  - MUI support
Features
- Administrator-defined target groups
  - Group Policy defines client membership in AD environments
  - WSUS Server-defined group membership in non-AD environments
- Administrator control of approvals
  - Detect-only evaluation of machines for patch applicability
  - Approve for install and uninstall (uninstall requires support in the update itself)
  - Date-based deadlines
- Per-target-group approval
  - Different updates to different target groups
  - Different deadlines per target group
  - Different action per target group
Features
- Flexible agent configuration
  - Polling frequency
  - Notification and install behaviors
  - Reboot behaviors
  - Port configurability
- Non-administrators can install updates (like administrators)
- Install at shutdown (XP SP2 only)
Network Optimization Features
- Resilient and transparent
  - BITS (Background Intelligent Transfer Service) for client-server and server-server downloads
  - Downloads are in the background
- Minimized data downloads
  - Update subscriptions only download updates for the products, classifications and languages that you need
  - Support for delta compression technologies for client-server communications
  - Option to only download approved updates (download on demand)
  - Option to download only update descriptions; detection binaries stay on MU
Demonstration: User Interface
Reporting Features
- Synchronization reports
  - What's new, what changed
- Event log integration
  - Agent and server status events sent to the local event log
- All reporting information available via the Server .NET API
Deployment/Management Flexibility
- Server deployment options
  - Stand-alone server
  - Hierarchical deployments of servers
    - Independent servers: no replication of approvals
    - Replica servers: approvals and target groups replicated between Update Services servers
  - Disconnected servers
- Manageability (and extensibility)
  - Server
    - .NET-based Server APIs
    - Simple rules for automatic headless deployment of updates
  - Client
    - Client command-line options to trigger update detection
    - COM-based APIs with scripting and remoting support
Server
- Simple to use web UI allows administration from any computer
- Synchronization engine to download updates from Microsoft Update
- SQL database holds all data other than content (software files)
- Can be set up in a hierarchy to suit organizational needs
- Completely built on managed code
- Uses BITS to efficiently utilize the network
- Secure
  - Validates all downloaded content
  - All content download locations securely ACLed
- Scalable
  - Supports up to 15k clients on a single 1 GHz, 512 MB server
  - Replica servers for scale-out
Server Architecture
Diagram: WSUS servers / MU, clients and the admin workstation reach the server through the Server/Server web service, the Client/Server web service, the Reporting web service and the Admin UI; behind these sit content sync, catalog sync and the Server API, backed by the metadata store (MSDE/SQL) and the file store (NTFS).
Client
- Win32 service (agent) implements most functionality
- Extensible architecture based on update-type handlers
  - Handlers for MSI, update.exe, drivers, etc.
- Automatically self-updates to newer versions offered on the server
- Automatic Updates feature controllable by policy
- Secure
  - Validates all downloaded content for Microsoft certificates
  - All content download locations securely ACLed
Public APIs
- Both client and server expose public APIs
  - .NET-based Server APIs (for admin tasks)
  - Scriptable COM-based client APIs
- Sample scripts and code in the SDK
Client Architecture (diagram)
Server API
- Extremely functional .NET API
- API provides access to a superset of the UI tasks
  - Configure server
  - Approve updates
  - Add/remove target groups
  - Add/remove clients, set target group membership
  - Create custom reports
- All of the Update Services UI uses this public API
- The bad news
  - Not exposed as a COM interface
  - No remoting support: must be called from the local machine
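The following is an added example, not code from the deck or from Microsoft, showing the server-side flow from the Solution Overview (subscribe to update classifications, create a target group, approve updates with a deadline) driven through the public .NET Server API from PowerShell, followed by a per-client compliance summary pulled through the same API as the Reporting slide describes. It assumes it runs locally on the WSUS server (the deck notes the API has no remoting), that WSUS setup registered the Microsoft.UpdateServices.Administration assembly, and that the group name "Desktops", the classification filter and the seven-day deadline are placeholder values.

```powershell
# Added example: drive a WSUS server through its public .NET administration API.
# Run locally on the WSUS server in an elevated PowerShell session.
# Assumptions: assembly registered in the GAC by WSUS setup; "Desktops", the
# classification list and the 7-day deadline are illustrative values.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local server; no host name, port or TLS flag is needed locally.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Subscribe only to the classifications we want synchronised, so the server
#    downloads only what we need (the deck's "minimized data downloads").
$wanted  = @('Critical Updates', 'Security Updates')
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
foreach ($c in $wsus.GetUpdateClassifications()) {
    if ($wanted -contains $c.Title) { [void]$classes.Add($c) }
}
$subscription = $wsus.GetSubscription()
$subscription.SetUpdateClassifications($classes)
$subscription.Save()

# 2. Create the target group if it does not exist yet (server-side targeting:
#    the administrator assigns clients to it in the UI or via the API).
$groupName = 'Desktops'
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# 3. Approve every not-yet-approved Security Update for install in that group
#    with a date-based deadline one week out. Accept EULAs where required,
#    because an update whose EULA is not accepted cannot be approved.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$deadline = (Get-Date).AddDays(7)
$approved = 0
foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.IsDeclined) { continue }
    if ($update.UpdateClassificationTitle -ne 'Security Updates') { continue }
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    [void]$update.Approve($install, $group, $deadline)
    $approved++
}
"Approved $approved security update(s) for '$groupName', deadline $deadline"

# 4. Reporting through the same API: the per-client counts the Reporting web
#    service and the UI draw on. A client that has not reported recently is
#    as interesting as one with failures, so print the last report time too.
foreach ($client in $group.GetComputerTargets()) {
    $s = $client.GetUpdateInstallationSummary()
    '{0,-40} needed={1} failed={2} pendingReboot={3} lastReport={4}' -f `
        $client.FullDomainName, $s.NotInstalledCount, $s.FailedCount,
        $s.InstalledPendingRebootCount, $client.LastReportedStatusTime
}
```

The script uses only the documented IUpdateServer, ISubscription, IComputerTargetGroup, IUpdate and IComputerTarget members; scheduled as a task on the server it is the "simple rules for automatic headless deployment" the deck mentions, but note that anything with write access to this API can approve arbitrary catalog entries for every client, so the account running it deserves the same care as the WSUS administrator's own.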
Demonstration: Deploying Updates Using WSUS
Client API
- Public APIs, implemented as wrappers around the agent and the Automatic Updates feature
- Exposed through COM and fully scriptable
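The following is an added example, not code from the deck, of using the scriptable COM client API (the Windows Update Agent objects, which is what the deck's client API wraps) from PowerShell: a detect-only evaluation against the WSUS server the client is configured for, an optional download-and-install of whatever the administrator approved, and the programmatic equivalent of the command-line "detect now" trigger. The search criteria string and the decision to leave reboots to policy are choices made here, not prescribed by the deck; run it elevated on a client.

```powershell
# Added example: the scriptable Windows Update Agent COM API on a WSUS client.
# Assumptions: the client is already pointed at a WSUS server (WUServer policy);
# the criteria string below is one reasonable choice, not the only one.

function Get-ApplicableWsusUpdates {
    # Detect-only: asks the configured WSUS server what applies, installs nothing.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # ServerSelection 1 = ssManagedServer: the WSUS server, not Microsoft Update.
    $searcher.ServerSelection = 1
    # Software updates not yet installed; the server has already narrowed the
    # set to what the administrator approved for this client's target group.
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Title        = $u.Title
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $u.MsrcSeverity
            Downloaded   = $u.IsDownloaded
            EulaAccepted = $u.EulaAccepted
        }
    }
}

function Install-ApplicableWsusUpdates {
    # Download and install everything the server offers; returns the outcome.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    if ($result.Updates.Count -eq 0) { return 'Nothing to install' }

    $coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $result.Updates) {
        # An unaccepted EULA makes Install() skip the update rather than fail.
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()   # BITS in the background, as the deck describes

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $outcome = $installer.Install()
    # ResultCode 2 = orcSucceeded. Nothing here reboots the machine; that is
    # left to the reboot behaviour set by policy or to the administrator.
    'ResultCode={0} RebootRequired={1}' -f $outcome.ResultCode, $outcome.RebootRequired
}

# Ask Automatic Updates itself to run a detection cycle and report to the
# server now, the same thing the agent's command-line "detect now" switch does.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

Get-ApplicableWsusUpdates | Format-Table Title, KB, Severity, Downloaded -AutoSize
```

The first function is the scripted form of the deck's "detect-only evaluation"; the second is what a non-administrator install path or an unattended maintenance window ultimately does. Both trust the server completely for what is applicable, which is why the server's own content validation and the transport to it matter.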
Deployment Options
- Server options
  - Single server
  - Multiple servers
    - Replica
    - Autonomous
  - Disconnected servers
- Client options
  - Detection frequency
  - Client-side vs server-side targeting mode
Single Server: Small organization or simple network
- Configure a single server to talk to MU
- Synchronize all relevant updates (e.g. Windows XP critical and security updates)
- Configure clients to point to the WSUS server
- Optionally
  - Create target groups for different groups of machines
  - Configure clients to be members of a target group
  - Configure auto-approval rules to approve updates for install automatically
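The client half of this procedure (point clients at the server, put them in a target group, set the agent's polling, install and reboot behaviour from the Features slides) is normally done with the Automatic Updates Group Policy template in AD environments. The following is an added example, not from the deck, that writes the same policy registry values directly, which is the scripted route for non-AD machines or a rollout tool; the server URL, port, group name and schedule are placeholder choices, and it assumes the client already has a WSUS-capable agent (it self-updates from the server on first contact).

```powershell
# Added example: configure a WSUS client by writing the Windows Update policy
# registry values that the Group Policy template sets. Run elevated.
# Assumptions: https://wsus01.example.internal:8531 and "Desktops" are
# placeholders; 03:00 daily install and a 4-hour poll are illustrative.

function Set-WsusClientPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$WsusUrl,
        [string]$TargetGroup,
        [int]$DetectionHours = 4
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    New-Item -Path $wu -Force | Out-Null
    New-Item -Path $au -Force | Out-Null

    # Intranet server for both update download and status reporting. Use an
    # HTTPS URL: the agent checks Microsoft signatures on the content it
    # installs, but the catalog it receives and the identity of the server
    # are only as trustworthy as the transport.
    Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String

    if ($TargetGroup) {
        # Client-side targeting: the client names its own group. The server
        # must be switched to client-side targeting mode for this to apply.
        Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $wu -Name TargetGroup -Value $TargetGroup -Type String
    } else {
        # Server-side targeting: the administrator assigns the group on the server.
        Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 0 -Type DWord
    }
    # "Non-administrators can install updates" from the Features slide.
    Set-ItemProperty -Path $wu -Name ElevateNonAdmins -Value 1 -Type DWord

    # Agent behaviour: use the WSUS server (not Microsoft Update), auto download
    # and schedule install (AUOptions 4) every day at 03:00, poll every
    # $DetectionHours hours, and never auto-reboot while someone is logged on.
    Set-ItemProperty -Path $au -Name UseWUServer               -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate              -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions                 -Value 4 -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallDay       -Value 0 -Type DWord  # 0 = every day
    Set-ItemProperty -Path $au -Name ScheduledInstallTime      -Value 3 -Type DWord  # hour, 0-23
    Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name DetectionFrequency        -Value $DetectionHours -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
}

function Test-WsusClientPolicy {
    # Read back what the agent will actually use, for a post-rollout check.
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $ok = ($au.UseWUServer -eq 1) -and ($wu.WUServer -like 'https://*')
    New-Object PSObject -Property @{
        Server = $wu.WUServer; Group = $wu.TargetGroup
        AUOptions = $au.AUOptions; PollHours = $au.DetectionFrequency; UsesHttps = $ok
    }
}

Set-WsusClientPolicy -WsusUrl 'https://wsus01.example.internal:8531' -TargetGroup 'Desktops'
Test-WsusClientPolicy
# Restart the agent so it re-reads policy, then drop its cached server
# authorization (needed after a target group change) and detect immediately.
Restart-Service wuauserv
& "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
```

The values under the WindowsUpdate and AU keys are the ones the Automatic Updates policy template writes, so a machine configured this way and one configured by GPO look identical to the agent; the difference is that GPO will reassert its settings on refresh, while a scripted value stays until something else changes it.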
Multiple Servers
Diagram: Microsoft Update -> WSUS Server -> WSUS Server
Multiple Server Scenario: Large organization/complex network
- Configure single/multiple servers to talk to MU
- Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
- Create a hierarchy of servers
  - Independent WSUS servers in the intranet
  - Replica servers
- Configure clients to point to their respective WSUS servers
- Optionally
  - Create target groups for different groups of machines
  - Configure clients to be members of a target group
Disconnected Servers
Diagram: Microsoft Update -> WSUS Server (connected) -> WSUS Server (disconnected network)
Disconnected Server: Disconnected networks
- Set up an external server to talk to MU
- Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
- Export update data and content to media
- Import update data and content to the WSUS server on the disconnected network
  - The server validates the Microsoft certificates on the content and the integrity of the data relationships
- Configure clients to point to their respective WSUS servers
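The export and import steps above map onto the wsusutil.exe export and import commands, which package the update metadata; the content files are copied separately. The following is an added example, not from the deck, of both halves as PowerShell functions. The tool path under "Update Services\Tools", the content directory D:\WSUS\WsusContent and the E:\ media path are assumptions; the SHA-256 digest of the package is an extra check added here so the import side can tell a damaged or swapped package from the one that was exported, on top of the certificate validation the server itself performs.

```powershell
# Added example: export/import for the disconnected-server scenario.
# Run Export-WsusToMedia on the connected server and Import-WsusFromMedia on
# the disconnected one. Path assumptions: wsusutil.exe under
# "$env:ProgramFiles\Update Services\Tools", content in D:\WSUS\WsusContent
# on both servers, E:\wsus-export as the removable media.

$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

function Get-Sha256Hex ([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Export-WsusToMedia {
    param([string]$ContentDir = 'D:\WSUS\WsusContent', [string]$Media = 'E:\wsus-export')
    New-Item -ItemType Directory -Path $Media -Force | Out-Null
    $package = Join-Path $Media 'export.cab'

    # Metadata only: wsusutil export does not carry update files, approvals
    # or server settings, so approvals are redone on the disconnected server.
    & $WsusUtil export $package (Join-Path $Media 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed (exit $LASTEXITCODE)" }

    # Content files are copied as-is; /MIR keeps the media a mirror of the
    # content directory. robocopy exit codes >= 8 indicate failures.
    robocopy $ContentDir (Join-Path $Media 'WsusContent') /MIR /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit $LASTEXITCODE)" }

    # Digest of the package, to detect corruption or substitution in transit.
    Get-Sha256Hex $package | Set-Content (Join-Path $Media 'export.cab.sha256')
    "Exported metadata and content to $Media"
}

function Import-WsusFromMedia {
    param([string]$ContentDir = 'D:\WSUS\WsusContent', [string]$Media = 'E:\wsus-export')
    $package  = Join-Path $Media 'export.cab'
    $expected = (Get-Content (Join-Path $Media 'export.cab.sha256')).Trim()
    if ((Get-Sha256Hex $package) -ne $expected) {
        throw 'export.cab digest does not match the recorded value; refusing to import'
    }

    # Copy content before importing metadata, so every update the imported
    # catalog references already has its file in place for the server to
    # validate against its Microsoft certificate.
    robocopy (Join-Path $Media 'WsusContent') $ContentDir /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit $LASTEXITCODE)" }

    & $WsusUtil import $package (Join-Path $Media 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed (exit $LASTEXITCODE)" }
    "Imported metadata and content from $Media; approve updates on this server next"
}
```

The digest file travels on the same media as the package, so it only catches accidental damage unless it is also recorded somewhere the media does not go (a ticket, a signed e-mail); the authenticity of the content itself rests on the server-side certificate validation the deck describes, which is why the content copy precedes the metadata import.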
Migration: SUS 1.0 to WSUS
- Single server
  - WSUS and SUS 1.0 on a single server
- Multiple servers
  - WSUS and SUS 1.0 on separate servers
  - Multiple SUS 1.0 servers to a single WSUS server
  - Multiple SUS 1.0 servers to multiple WSUS servers
Environment Considerations
- Ease of updating client settings
  - E.g., policy or scripted
- New clients coming into the environment which are not yet WSUS compatible
- Branch office scenarios
- Targeting group model
Migration Considerations
- WSUS and SUS 1.0 cannot synchronize metadata with each other
- Only one-way SUS 1.0 to WSUS migration
- Migration of update approvals overwrites any pre-existing approvals per target group
- What doesn't migrate
  - Proxy server settings
  - Internet Information Services (IIS) settings
Single Server Migration
- For customers with few servers
- Requires WSUS to be initially installed on a different port than SUS 1.0
- Requires updating all clients as they connect once the WSUS server is installed
- Potentially requires redirecting clients to a different port on the same server
- Clients will still use SUS 1.0 for updates until redirected to the WSUS port, or SUS 1.0 is decommissioned
Multiple SUS Server Migration
- To a single WSUS server
  - Take advantage of target groups
  - Consolidate Windows servers
- To multiple WSUS servers
  - Maintain organizational structures with different administrators
  - Support branch offices
Migration Tool
- WSUSUTIL.EXE migratesus
  - /content <content share>: migrate content from a SUS 1.0 <content share>
  - /approvals <server name>: migrate approvals from the SUS 1.0 server
  - target_group: apply the approvals to the target group "target_group"; requires /approvals to be specified
  - /log <log_file>: log the migration activities to the <log_file> file
Deployment Considerations
- Hardware requirements
  - Number of clients, how often clients will poll the server
- Database storage
  - Local or remote SQL vs MSDE
- Bandwidth
  - Single site, multi-site, branch office, low bandwidth
- Security
  - Customize ports
- Scalability
  - Server hierarchy
- Target options
  - Client-side vs server-side targeting mode
- Management
  - Automated with scripts vs web UI
Comparing Microsoft Update, Windows Update Services, and SMS 2003
- Adopt the solution that best meets the needs of your organization
Choosing a Patch Management Solution: Typical Customer Decisions
- Customer uses Windows Update, another update tool, or a manual update process for OS versions and applications not supported by Windows Update Services or Microsoft Update
Summary
- Windows Server Update Services is a platform infrastructure as well as a solution
- Provides significantly more functionality and flexibility than SUS 1.0
- Default implementation is very simple
- Complex implementations will require planning
Resources
- WSUS homepage: http://www.microsoft.com/updateservices
  - WSUS Server download
  - Deployment and Operations Guides
  - SDK and Troubleshooter
- WSUS community
  - Online Help
  - WSUS Wiki: www.wsuswiki.com
  - WSUS Community: www.wsus.info
- Microsoft Update: http://update.microsoft.com/microsoftupdate