
Windows Server 2003 : Administering Software Update Services (part 6) - SUS Backup and Recovery, Designing a Network Security Update Infrastructure

1/8/2014 3:22:40 AM

7. SUS Backup and Recovery

As with any other server role or application, you must plan for recovery in the event of a server failure.

Backing Up SUS

To back up SUS, you must back up the folder that contains SUS content, the SUS Administration Web site, and the IIS metabase.

Tip

The process described to back up the IIS metabase is useful not only for backing up SUS, but for any other Web site or application running on Windows Server 2003 and IIS 6.0.


First, back up the metabase—an XML database containing the configuration of IIS. Using the Internet Information Services (IIS) Manager console, select the server to back up and, from the Action menu, select All Tasks, and then Backup/Restore Configuration. Click Create Backup, and enter a name for the backup. When you click OK, the metabase is backed up.

Then back up the following using Backup (Ntbackup.exe) or another backup utility:

  • The default Web site, which is located (unless otherwise configured) in C:\Inetpub\Wwwroot.

  • The SUS Administration Web site. SUSAdmin is, by default, a subfolder of C:\Inetpub\Wwwroot. In that event, it will be backed up when you back up the default Web site.

  • The AutoUpdate virtual directory, also by default a subfolder of C:\Inetpub\Wwwroot.

  • The SUS content location you specified in SUS setup or the SUS options. You can confirm the SUS content location in IIS Manager by clicking Default Web Site and examining the path to the Content virtual root in the details pane.

  • The metabase backup directory, %Windir%\System32\Inetsrv\Metaback, which contains the copy of the metabase made earlier.

This process of backing up the metabase, and then backing up the components of SUS, should be repeated regularly because updates will be added and approved with some frequency.
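
Because the backup has to be repeated regularly, the procedure above can be scripted. The following batch file is an added example, not part of the original article; it uses iisback.vbs (the metabase backup script that ships with IIS 6.0) and the Ntbackup command line. The SUS content path, the backup destination and the backup name are assumed placeholders, and the Web folders are assumed to be in their default locations.

```bat
@echo off
rem Added example, not from the original article.
rem Assumed values: NAME, SUS_CONTENT and DEST are placeholders; adjust them.
setlocal
set "NAME=SUSBackup"
set "SUS_CONTENT=D:\SUS\Content"
set "DEST=E:\Backups"
set "WWWROOT=C:\Inetpub\Wwwroot"
set "METABACK=%windir%\System32\Inetsrv\MetaBack"

rem Step 1: metabase backup (the scripted form of Backup/Restore
rem Configuration in IIS Manager). NEXT_VERSION keeps earlier versions.
cscript //nologo "%windir%\System32\iisback.vbs" /backup /b %NAME% /v NEXT_VERSION
if not exist "%METABACK%\%NAME%.MD*" (
    echo Metabase backup %NAME% not found in %METABACK%
    exit /b 1
)

rem Step 2: stop if a component is missing, so that a changed content
rem location does not silently produce an incomplete backup set.
for %%P in ("%WWWROOT%" "%SUS_CONTENT%" "%METABACK%") do (
    if not exist "%%~P\" (
        echo Missing component: %%~P
        exit /b 1
    )
)

rem Step 3: one Ntbackup job per component, each to its own .bkf file.
rem SUSAdmin and AutoUpdate are covered by WWWROOT in a default install.
start "" /wait ntbackup backup "%WWWROOT%" /J "%NAME% wwwroot" /F "%DEST%\%NAME%-wwwroot.bkf" /V:yes
start "" /wait ntbackup backup "%SUS_CONTENT%" /J "%NAME% content" /F "%DEST%\%NAME%-content.bkf" /V:yes
start "" /wait ntbackup backup "%METABACK%" /J "%NAME% metaback" /F "%DEST%\%NAME%-metaback.bkf" /V:yes

rem Review the Ntbackup job log after each run.
endlocal
```

Run it from a scheduled task under an account that is a member of the local Administrators group, and store the resulting .bkf files off the SUS server.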

SUS Server Recovery

To restore a failed SUS server, perform the following steps. If a certain step is unnecessary, you can skip it, but perform the remaining steps in sequence.

1. Disconnect the server from the network to prevent it from being infected with viruses.

2. Install Windows Server 2003, being sure to give the server the same name it had previously.

3. Install IIS with the same components it had previously.

4. Install the latest service pack and security fixes. If the server must be connected to the network to achieve this step, take all possible precautions to prevent unnecessary exposure.

5. Install SUS into the same folder in which it was previously installed.

6. Run Backup to restore the most recent backup of SUS. This will include the SUS content folder, the Default Web Site (including the SUSAdmin and AutoUpdate virtual directories), and the IIS metabase backup.

7. Open the IIS Manager, and select the server to restore. From the Action menu, select All Tasks and then Backup/Restore Configuration, and select the backup that was just restored. Click Restore.

8. Confirm the success of your recovery by opening the SUS Administration Web site and clicking Set Options. Check that the previous settings are in place and that the previously approved updates are still approved.

Note

The preceding steps apply to Windows Server 2003 only. If you are recovering a Windows 2000–based SUS server, refer to SUS documentation for appropriate steps.


8. Designing a Network Security Update Infrastructure

A network security update infrastructure is a series of policies that are designed to help the network administrator perform the following tasks:

  • Determine which computers need to be updated. In some cases, a new security update might apply only to computers performing a specific function or using a specific application or feature. Network administrators must understand each release’s specific function and determine which computers require the update.

  • Test update releases on multiple system configurations. A security update that causes a malfunction might be just an annoyance on a single computer, but on a large network, it could be a catastrophe. Network administrators must perform their own tests of all security updates before deploying them on the entire network.

  • Determine when updates are released. Microsoft frequently releases security updates that might or might not be applicable to the systems on your network. Network administrators must be aware of new releases when they occur and must understand the specific issues each release addresses.

  • Deploy update releases on large fleets. Manually installing security updates on hundreds or thousands of computers requires enormous amounts of time, effort, and expense. To deploy updates on a large network efficiently, the process must be automated.

Using Microsoft Baseline Security Analyzer

You have learned in this lesson that SUS plays a major role in the creation of a network security update infrastructure. SUS does not, however, provide an easy way to confirm the update status of a specific computer. The Microsoft Baseline Security Analyzer (MBSA) is a graphical tool (shown in Figure 8) that can check for common security lapses on a single computer or multiple computers running various versions of the Windows operating system. These lapses are typically due to incorrect or incomplete configuration of security features and failure to install security updates. The security faults that MBSA can detect are as follows:

Figure 8. The Microsoft Baseline Security Analyzer interface

  • Missing security updates. Using a list of current update releases obtained from a Microsoft Internet server or from a local Microsoft Software Update Services (SUS) server, MBSA determines whether all the required service packs and security updates have been installed on the computer, and if not, it compiles a list of the updates that need to be installed.

    Tip

    MBSA replaces an earlier security checking utility named Microsoft Network Security Hotfix Checker (Hfnetchk.exe), which operates from the command line and checks computers only for missing updates. MBSA includes all the functionality of Hfnetchk.exe, including the command-line interface, which you can activate by running Mbsacli.exe with the /hf parameter.


  • Account vulnerabilities. MBSA checks to see whether the Guest account is activated on the computer; whether there are more than two accounts with Administrator privileges; whether anonymous users have too much access to the computer; and whether the computer is configured to use the Autologon feature.

  • Improper passwords. MBSA checks the passwords on all the computer’s accounts to see whether they are configured to expire, are blank, or are too simple.

  • File system vulnerabilities. MBSA checks to see whether all the disk drives on the computer are using the NTFS file system.

  • IIS and SQL vulnerabilities. If the computer is running IIS or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.

In addition, MBSA displays other information about security on the computer, such as a list of shares, the Windows operating system version number, and whether auditing is enabled.

See Also

MBSA is not included with Windows Server 2003, but it is available without charge from the Microsoft Web site at http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi.


MBSA is an informational tool that can display security information about a computer, but it cannot do anything to remedy the vulnerabilities that it finds. You can use MBSA to determine which security updates to install on specific computers, but to develop an effective security update infrastructure, you must implement a system to keep track of which security updates have been installed on every computer in the enterprise.
