To maintain a secure computing environment,
it is critical to keep systems up to date with security patches. Since
1998, Microsoft has provided Windows Update as a Web-based source of
information and downloads. With Windows XP and Windows 2000 Service
Pack 3, Microsoft added Automatic Updates, whereby a system
automatically connects to Windows Update and downloads any new,
applicable patches or “hotfixes.” Although the Windows Update servers
and Automatic Updates client achieve the goal of keeping systems
current, many administrators are uncomfortable with either computers or
users deciding which patches should be installed, because a patch might
interfere with the normal functioning of a business-critical
application.
The latest improvements to
these technologies deliver Software Update Services (SUS). SUS is a
client-server application that enables a server on your intranet to act
as a point of administration for updates. You can approve updates for
SUS clients, which then download and install the approved updates
automatically without requiring local administrator account interaction.
1. Understanding SUS
Since
1998, Microsoft Windows operating systems have supported Windows
Update, a globally distributed source of updates. Windows Update
servers interact with client-side software to identify critical
updates, security rollups, and enhancements that are appropriate to the
client platform, and then to download approved patches.
Administrators
wanted a more centralized solution that would assure more direct
control over updates that are installed on their clients. Software
Update Services is a response to that need. SUS includes several major
components:
Software Update Services, running on an Internet Information Services (IIS) server
The server-side component is responsible for synchronizing information
about available updates and, typically, for downloading updates from
the Microsoft Internet-based Windows Update servers or from other
intranet servers running SUS.
The SUS administration Web site
All SUS administration is Web-based. After installing and configuring SUS,
administration typically consists of ensuring that the SUS server is
synchronizing successfully, and approving updates for distribution to
network clients.
Automatic Updates
The Automatic Updates client is responsible for downloading updates
from either Windows Update or an SUS server, and installing those
updates based on a schedule or an administrator’s initiation.
Group Policy settings
Automatic Updates clients can be configured to synchronize from an SUS
server rather than the Windows Update servers by modifying the clients’
registries or, more efficiently, by configuring Windows Update policies
in a Group Policy Object (GPO).
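The registry route mentioned above can be checked from an exported policy key, so that a client that has drifted back to the public Windows Update servers (and therefore bypasses your approvals) is noticed. This is an added example, not code from the original text or from Microsoft. It assumes the Automatic Updates policy values WUServer, WUStatusServer, UseWUServer and NoAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the sample exports are constructed and use the placeholder server name http://SUS_servername.

```python
import re

# Assumed policy key read by the Automatic Updates client (set by GPO or by hand).
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate".lower()
AU_KEY = WU_KEY + r"\au"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Constructed sample exports (.reg text); SUS_servername is a placeholder.
SAMPLE_OK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://SUS_servername"
"WUStatusServer"="http://SUS_servername"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
'''
SAMPLE_DRIFT = (SAMPLE_OK.replace('"WUStatusServer"="http://SUS_servername"\n', "")
                .replace("dword:00000001", "dword:00000000"))

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: str or int}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, text_value, dword = m.groups()
            current[name.lower()] = int(dword, 16) if dword else text_value
    return keys

def audit_sus_client(reg_text, expected_server):
    """Return findings; an empty list means the client is pinned to the SUS server."""
    keys = parse_reg(reg_text)
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    want = expected_server.rstrip("/").lower()
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        value = wu.get(name.lower())
        if value is None:
            findings.append(f"{name} is not set")
        elif str(value).rstrip("/").lower() != want:
            findings.append(f"{name} points at {value}, expected {expected_server}")
    if au.get("usewuserver") != 1:
        findings.append("UseWUServer is not 1: client will use Windows Update directly")
    if au.get("noautoupdate") == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    return findings
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `audit_sus_client`.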
2. Installing SUS on a Windows Server 2003 Computer
SUS
has both client and server components. The server component runs on a
Windows 2000 Server (Service Pack 2 or later) or a Windows Server 2003
computer. Internet Information Services (IIS) must be installed before
setting up SUS, and IIS is not installed by default on Windows Server 2003. For information about how to install IIS.
SUS is not included with the Windows Server 2003 media, but it is a free download from the Microsoft SUS Web site at http://go.microsoft.com/fwlink/?LinkID=6930. The client and server components are available in separate downloads.
Note
The
SUS download is not available in every localized language. However,
this download determines the installation and administrative interface
for the server component only. Patches for all locales can be made available through SUS.
After
downloading the latest version of SUS, double-click the installation
file for the server component and the installation routine will start.
After you agree to the license agreement, choose Custom setup and the
Setup Wizard will prompt you for the following information:
Choose File Locations
Each Windows Update patch consists of two components: the patch file
itself and metadata that specifies the platforms and languages to which
the patch applies. SUS always downloads metadata, which you will use to
approve updates and which clients on your intranet will retrieve from
SUS. You can choose whether to download the files themselves and, if
so, where to save the updates.
Tip
If
you elect to maintain the update files on Microsoft Windows Update
servers, Automatic Updates clients will connect to your SUS server to
obtain the list of approved updates and will then connect to Microsoft
Windows Update servers to download the files. You can thereby maintain
control of client updating and take advantage of the globally dispersed
hosting provided by Microsoft.
If
you choose the Save The Updates To This Local Folder option, the Setup
Wizard defaults to the drive with the most free space and will create a
folder called SUS on that drive. You can save the files to any NTFS
partition; Microsoft recommends a minimum of 6 gigabytes (GB) of free
space.
Note
The SUS partition and the system partition must be formatted as NTFS.
Language Settings
Although the SUS administrative interface is provided in English and a
few additional languages, patches are released for all supported
locales. This option specifies the localized versions of Windows
servers or clients that you support in your environment.
Handling New Versions Of Previously Approved Updates
Occasionally, an update itself is updated. You can direct SUS to
automatically approve updates that are new versions of patches that you
have already approved, or you can continue to approve each update
manually.
Ready To Install
Before installation begins, the Setup Wizard will remind you of the URL clients should point to, http://SUS_servername. Note this path because you will use it to configure network clients.
Installing Microsoft Software Update Services
The Setup Wizard installs SUS.
Completing the Microsoft Software Update Services Setup Wizard
The final page of the Setup Wizard indicates the URL for the SUS administration site, http://SUS_servername/SUSAdmin.
Note this path as well, because you will administer SUS from that Web
location. When you click Finish, your Web browser will start and you
will be taken automatically to the SUS administration page.
Software Update Services installs the following three components on the server:
The Software Update Synchronization Service, which downloads content to the SUS server
An IIS Web site that services update requests from Automatic Updates clients
An SUS administration Web page, from which you can synchronize the SUS server and approve updates
When
you run the SUS installation on Windows 2000, the SUS Setup Wizard
launches the IIS Lockdown Wizard to secure IIS 5.0. Windows Server 2003
is locked down by default, so IIS Lockdown is not necessary.
If
you have Web applications running on an IIS server, those applications
might not function properly after SUS has been installed. You can
re-enable Internet Server Application Programming Interface (ISAPI)
filters and open other components that are secured by IIS Lockdown.
However, because of the sensitive nature of operating system updates,
you should consider running SUS on a dedicated server without other IIS
applications.