Next-Generation Patch Management: Introducing Windows Server Update Services
At a Glance:
- Get to know Windows Server Update Services
- Scanning and deployment options
- Walk through an update scenario
- Choose the right update system for your organization
Windows Server Update Services
Vulnerability assessment and remediation can be a time-consuming task. However, it’s an important one that every company, big and small, needs to focus attention on. As the amount of time between vulnerabilities being discovered and exploits for those vulnerabilities being found in the wild decreases, it becomes increasingly critical to obtain and deploy updates more quickly. The tools used to identify vulnerable machines and keep them up-to-date need to be easy to use and effective. By reducing the amount of time, money, and effort spent to keep computers more secure, company resources can, in turn, be better spent on other tasks that benefit the bottom line.
Windows® Server Update Services (WSUS) was released by Microsoft in early June 2005 to help IT administrators and Value Added Providers (VAPs) spend less time worrying about update management and make the task of actually securing the environment more efficient. WSUS, which replaces Software Update Services (SUS), runs on both Windows 2000 Server and Windows Server™ 2003 and can be downloaded from the Windows Server Update Services site.
IT administrators are the primary users of WSUS. The development team spent countless hours meeting with administrators and listening to feedback on how they used SUS, what they liked about the product, and, most importantly, what features would make their lives easier.
For starters, WSUS was designed to handle more than just Windows deployments. WSUS uses the new Microsoft® Update infrastructure to scan for and deploy updates for Microsoft products beyond just Windows client and server operating systems. In fact, at release WSUS supported updates to a variety of current and older operating systems and applications, including those shown in Figure 1. Plans are in place to support additional Microsoft products over time.
Figure 1 Supported Platforms and Products at Release

| Role | Platforms and products |
| --- | --- |
| WSUS client runs on | Windows 2000 or later; Windows Server 2003 |
| WSUS server runs on | Windows 2000 SP4 and later; Windows Server 2003 |
| Supports updates for | Windows XP Professional; Windows Server 2003; SQL Server 2000; SQL Server Desktop Engine (MSDE) 2000; Exchange Server 2003 |
Ease of use is also a key tenet for WSUS. When you start the administrator console for the first time, you see a task-based user interface that includes a status section and the To Do List (see Figure 2). The status section provides a quick glance into the number of updates available, how many have been approved, not approved, or declined, and a count of how many computers require updates. The status section also provides a view into the current synchronization status, telling you when the last synchronization occurred (either with Microsoft Update or another WSUS server, as described later) and the result of that sync.
The To Do List counts how many new security and critical updates are available, tells you whether newly supported products have appeared, and shows how many computers have not contacted the WSUS server in the past 30 days. The To Do List will even alert you if Secure Sockets Layer (SSL) is not configured for use with the WSUS server. Using SSL is highly recommended, since clients act on the approval metadata the server sends them.
WSUS can group computers that have similar update needs, allowing you to manage the approval and deployment of updates for each group of computers separately. Clients in a test group, for example, may have one set of updates approved for download, while servers in another group may not have those updates approved until validated by the test group. Group membership can be assigned either manually through the administrator console (server-side targeting) or automatically, by having each client declare its group through Group Policy (client-side targeting). Giving groups different detection cycles provides phased deployment for greater control over the impact on your network environment.
The approval process for each update is very flexible (see Figure 3). You can choose to approve an update, causing it to be installed on each managed computer during the computer’s next detection cycle. Separate installation behavior settings, such as automatic installation and restart options, allow you to ensure updates are installed in a manner that is appropriate for each individual system. You can also choose not to approve an update, or even remove an update if it supports uninstalling (not all do).
Figure 3 Approval Options for Updates
One additional option, which is new to WSUS, is Detect only. The Detect only option instructs the managed computer to scan for whether it needs the update, but not to download and install it. Instead, the update status is simply reported into the WSUS database, indicating whether the computer should receive the update. Reporting on which computers require an update in this manner allows you to better plan software update deployments based on accurate data regarding counts and locations of systems that actually need the updates.
Finally, you can set a deadline for when an update must be installed on each machine. An update can have separate installation rules and deadlines for each computer group. If the computer installing the updates is running either Windows XP with SP2 or Windows Server 2003 with SP1, the updates can be installed at shutdown, thus not forcing the user to have to reboot the machine until they are ready to do so, without interrupting their work in progress.
One of the top points of feedback regarding SUS was the lack of reporting. As a result, WSUS includes features that provide reports on the status of each update, each computer, and the synchronization status of the WSUS server itself. Each report can be filtered by the computer group or the status of the update (installed, needed, and so on). In addition, the WSUS Software Development Kit documents how you can create custom reports, if necessary. The SDK, API samples, and various tools are available from the WSUS Web site.
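The kind of custom report the SDK enables, as an added example that is not from the article or the WSUS SDK samples: a PowerShell script run on the WSUS server that reproduces two of the home page figures (last synchronization result and computers that have not reported in 30 days) and then adds a per-computer compliance summary. It assumes the Microsoft.UpdateServices.Administration assembly that ships with the WSUS server and remote console is present, and that the caller is a WSUS administrator; the 30-day threshold is a parameter.

```powershell
# Added example, not part of the article or the WSUS SDK: a custom WSUS report.
# Assumes: run on the WSUS server, Microsoft.UpdateServices.Administration.dll
# installed (ships with WSUS), caller is a member of the WSUS Administrators group.
param([int]$StaleDays = 30)   # mirrors the To Do List "has not contacted the server" threshold

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Last synchronization with the upstream source (Microsoft Update or a parent WSUS server)
$sync = $wsus.GetSubscription().GetLastSynchronizationInfo()
"Last sync: started {0:u}, ended {1:u}, result {2}" -f $sync.StartTime, $sync.EndTime, $sync.Result

# 2. Computers that have not reported status since the threshold.
#    A computer that has never reported has a minimum LastReportedStatusTime and is listed too.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = @($wsus.GetComputerTargets() | Where-Object { $_.LastReportedStatusTime -lt $cutoff })
"{0} computer(s) have not reported in the last {1} days:" -f $stale.Count, $StaleDays
$stale | Sort-Object LastReportedStatusTime |
    Select-Object FullDomainName, IPAddress, LastReportedStatusTime | Format-Table -AutoSize

# 3. Per-computer compliance against the updates approved for that computer's group(s)
$report = foreach ($pc in $wsus.GetComputerTargets()) {
    $s = $pc.GetUpdateInstallationSummary()
    New-Object PSObject -Property @{
        Computer      = $pc.FullDomainName
        Needed        = $s.NotInstalledCount + $s.DownloadedCount   # approved but not yet installed
        Failed        = $s.FailedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Installed     = $s.InstalledCount
        LastStatus    = $pc.LastReportedStatusTime
    }
}
$report | Sort-Object Needed -Descending |
    Format-Table Computer, Needed, Failed, PendingReboot, Installed, LastStatus -AutoSize
```

Counts come from the status each client last reported, so a machine in the stale list also has a stale compliance row; treat the report as only as current as the LastStatus column.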
There was also strong customer feedback asking for flexibility in the configuration of the client. As a result, WSUS lets you specify whether the client should install updates without any user intervention or notify the user about an impending update regardless of whether the user is a local administrator. The client can even be configured to automatically install new updates within a set number of minutes following system startup. By using this feature, you can ensure that the client will not miss an update because it was not connected to the network.
You can also increase or decrease how often a client checks the server for approved updates. This interval can be reduced to every hour for the highest possible security (in other words, to deploy a security update very quickly). Immediate forced detection and download of approved updates is also supported from the command line (wuauclt.exe /detectnow), which makes it easy to script.
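The client-side settings described above (client-side targeting, installation behavior, detection frequency, install-after-startup, forced detection), as an added example that is not from the article: a PowerShell script that writes the same registry values the WSUS Group Policy template writes, then forces a detection cycle. The server URL and the group name are assumptions; run it elevated on a client. If a domain GPO already configures Windows Update it will overwrite these values at the next policy refresh, so in a domain set the same options in the GPO editor instead.

```powershell
# Added example, not part of the article: configure the WSUS client (Automatic Updates)
# by writing the policy registry values that the WSUS Group Policy template sets.
# Assumptions: WSUS server URL and group name below are placeholders; run elevated.
$WsusServer  = 'http://wsus01.corp.example'   # assumed; switch to https once SSL is configured
$TargetGroup = 'Test'                         # assumed WSUS computer group for client-side targeting

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
foreach ($key in $wu, $au) { if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null } }

# Point the client at the internal WSUS server for both updates and status reporting
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusServer -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusServer -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord

# Client-side targeting: the client tells the server which group it belongs to
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String

# Installation behavior. AUOptions: 2 = notify before download, 3 = download and notify
# before install, 4 = download and install on the schedule below with no user intervention.
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local time

# Check the server every hour instead of the default (about 22 hours); valid range is 1-22
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 1 -Type DWord

# If a scheduled install was missed (machine was off the network), run it 15 minutes after startup
Set-ItemProperty -Path $au -Name RescheduleWaitTimeEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name RescheduleWaitTime        -Value 15 -Type DWord

# Do not force a reboot while a user is logged on; the client reminds the user instead
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Force the client to re-request its group membership and start a detection cycle now
& "$env:windir\system32\wuauclt.exe" /resetauthorization /detectnow

# Show what the client will use
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup
```

WUServer is worth protecting: whoever can write this value, or intercept plain-HTTP traffic to it, controls which approvals the client sees, which is why the To Do List nags about SSL.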
Choosing the Right Update Management Solution
Microsoft offers a number of different update management products, including Microsoft Update, Windows Server Update Services, and Systems Management Server (SMS) 2003. So how do you choose the right solution for your organization?
The first step is to identify your needs. Each product provides a set of features geared towards a specific business scenario. The very smallest company, with just a handful of computers and little to no IT staff, can simply configure Automatic Updates on each computer to contact Microsoft Update on a scheduled basis and automatically download and install all critical and security updates. There is no additional management with this solution, so you would not have much control over which updates are installed and when.
For WSUS and SMS, it is important to look at which scenario your environment falls under. The basic scenario includes the need to manage updates to groups of computers and report on the compliance of each computer or update. WSUS is an appropriate choice for this scenario. And since it can be easily downloaded and installed on any licensed Windows 2000 Server SP4 or Windows Server 2003 installation, many mid-sized organizations will choose to use WSUS.
The advanced scenario requires support for deploying updates to software that includes, but is not limited to, full applications (Microsoft Office 2003, for example). In this scenario, you may also need to update or install operating system images, as well as gather full hardware and software inventory data, provide remote control capabilities for a help desk, and monitor license usage. This scenario calls for a product like SMS 2003, which is used by many large organizations.
A comparison matrix for these technologies is available at Comparing MBSA, MU, WSUS, and SMS 2003.
Where Do Updates Come From?
One of the design goals for WSUS was to provide an infrastructure that could deliver updates to managed computers without using a lot of network and hardware resources. One factor in enabling this ability is the method by which updates are stored and delivered. WSUS can obtain its updates from one of two sources: Microsoft Update or another WSUS server. At least one WSUS server in your organization must synchronize its update metadata (which is stored in a database) with Microsoft Update. The update binaries themselves can be downloaded by and stored in the WSUS server (in a folder on an NTFS volume secured with an access control list). Alternatively, each managed computer can be instructed to download the updates directly from Microsoft Update. This option is useful if users roam from site to site, work from home, or work at one of the organization’s other locations. Of course, this also helps to save storage space on the WSUS server.
The first WSUS server you install should synchronize with Microsoft Update and host the metadata and binaries for the downstream WSUS servers in your organization. Such hierarchical designs help you deploy WSUS across an enterprise over WAN links: the downstream servers synchronize from the upstream WSUS server rather than from Microsoft Update, so only one server crosses the Internet to obtain the data and the WAN links carry a single copy of each update.
WSUS uses Background Intelligent Transfer Service (BITS) 2.0 on the server and each managed computer. BITS provides check-point restart of downloads if the connection breaks between Microsoft Update, the WSUS server, and managed clients. Furthermore, to ensure that downloading of multiple updates will not take up a large percentage of network bandwidth, you can configure BITS to limit the amount of bandwidth used for a download.
WSUS can be configured to download updates only when they have been approved by the administrator; if you don’t approve an update, it simply isn’t downloaded. An improvement over SUS 1.0, this option offers a more efficient way to manage disk space and network bandwidth.
A Day in the Life
In the past, the administrator had to look to several sources of update content— Windows Update, Office Update, and Microsoft Download Center—to identify which updates were required. With WSUS, all of this content is identified directly from Microsoft Update without the need to deploy additional scanning engines.
With WSUS, your day starts with viewing the home page. As an example, WSUS may have completed a successful sync with Microsoft Update, and now states that there are new product categories available. In this case, you notice that Office XP is now supported. Because Office XP is deployed in your organization, you make sure to include it in the synchronization and client scanning processes, as shown in Figure 4. You then have WSUS perform another synchronization with Microsoft Update to obtain any updates for Office XP. The To Do List on the home page then advises whether you need to review any security and critical updates.
Figure 4 Selecting Products to Include in the Scan
You can then review updates, as shown in Figure 5. Here you might be concerned about the Security Update for Microsoft Word 2002 (as discussed in KB 895589) and instruct WSUS to install the update on every machine that requires it. Since the update must reboot the computer to complete the installation, you may want to specify that the update should only be installed when the machine is shut down (if it is running Windows XP SP2). You might also notice that there is a Security Update for Windows 2000 (see KB 893066), but it is superseded by SP4. If you’re not certain how many computers in your organization are still running Windows 2000, you can opt for the security update to only detect whether that update is necessary (but not install it). After scanning, you can view a report on how many computers are affected.
After the next detection cycle—when the clients check in with the WSUS server—each client will learn that it needs to scan for these two updates. If the Word 2002 update is required, it will be installed when the user shuts down the computer. If the computer requires the Windows 2000 update, it will report this back to the WSUS database. Finally, you can report on the compliance of both updates to ensure that each machine has been updated as expected.
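The approval and compliance steps of the scenario above, as an added example that is not from the article: a PowerShell script against the WSUS administration API, run on the WSUS server, that finds the Word 2002 security update by KB number, approves it for installation in one computer group with a deadline, and afterwards lists the computers in which it is still outstanding. The search string, the group name "Workstations" and the one-week deadline are assumptions; the caller must be a WSUS administrator.

```powershell
# Added example, not part of the article: approve one update for a group with a deadline,
# then check per-computer compliance for that update.
# Assumptions: run on the WSUS server with Microsoft.UpdateServices.Administration.dll
# installed; a computer group named "Workstations" exists; the search string and KB
# number match the update as it appears after synchronization.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Workstations' }
if (-not $group) { throw "Computer group 'Workstations' not found" }

# Find the update by title, then pin it down by KB article so a similarly named update is not approved
$candidates = $wsus.SearchUpdates('Security Update for Word 2002')
$candidates | Select-Object Title, @{n='KB'; e={ @($_.KnowledgebaseArticles) -join ',' }}, IsApproved, IsSuperseded |
    Format-Table -AutoSize
$update = $candidates | Where-Object { @($_.KnowledgebaseArticles) -contains '895589' } | Select-Object -First 1
if (-not $update) { throw 'Update not found: check that Office XP is selected for synchronization' }

# Some updates carry a license agreement that must be accepted before approval succeeds
if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

# Approve for installation in this group only, with a deadline one week out (deadlines are per group)
$deadline = (Get-Date).AddDays(7)
$approval = $update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
                            $group, $deadline)
"Approved '{0}' for {1}; deadline {2:u}; reboot required: {3}" -f `
    $update.Title, $group.Name, $approval.Deadline, $update.InstallationBehavior.RebootBehavior

# Compliance check (meaningful after the next detection cycle): computers that still need the update
$outstanding = $update.GetUpdateInstallationInfoPerComputerTarget() |
    Where-Object { $_.UpdateInstallationState -ne 'Installed' -and $_.UpdateInstallationState -ne 'NotApplicable' }
foreach ($info in $outstanding) {
    $pc = $wsus.GetComputerTarget($info.ComputerTargetId)
    "{0,-40} {1}" -f $pc.FullDomainName, $info.UpdateInstallationState
}
```

Approving through the API bypasses the console's confirmation dialogs, so keep the KB-number filter and the group lookup strict; approving for the "All Computers" group pushes the update to every client at once, which is exactly what the test-group-first deployment described earlier is meant to avoid.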
The Bottom Line
WSUS gives administrators several new features that help identify updates that are available, report on computers that require or have those updates, and flexibly deploy those updates throughout the organization. Scanning and updates coverage includes Windows, Office, Exchange Server, and SQL Server™. Over time, this will expand to include additional Microsoft products. Keeping your systems as secure and up-to-date as possible still takes time and effort, but WSUS makes those tasks less of a burden, streamlining the scanning process and letting you configure custom deployments. With WSUS, you can focus on other priorities, rather than spending your time scrambling to keep up with the latest updates.
Jason Leznek is the Senior Product Manager for Windows Server Update Services at Microsoft.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.