3. Obtaining Updates
Microsoft has three basic methods for updating client and server
computers: automatic updates from the Windows (or Microsoft) Update
site, Windows Server Update Services (WSUS), and Microsoft Systems
Management Server (SMS).
Automatic updating, using either the Windows Update or Microsoft Update
site, is not really a great option for most enterprise environments. It
takes control of which updates are applied, and when, out of the hands
of the system administrators and makes it difficult to know who has what
patch applied.
For a small business, with fewer than 20 clients, automatic updating from
Windows Update or Microsoft Update is probably an appropriate solution.
Even here, though, we’d recommend setting your clients to automatically
download updates but not install them. That will allow you to have one
or two people test the release before you tell everyone else to go ahead
and install it.
Windows Server Update Services
Windows Server Update Services (WSUS) has been through several name
changes, along with the accompanying acronym changes, but the name seems
to have finally settled down and the software is now officially
released—which is a good thing. WSUS is Microsoft’s free software update
tool, and it’s quite a useful tool. It doesn’t have the features and
capabilities of SMS, but most of us don’t actually need SMS, and the
costs of implementing SMS are significant.
WSUS can be installed on Windows Server 2003 Standard Edition,
Windows Server 2003 Enterprise Edition, or Windows Server 2003
Datacenter Edition. It cannot be installed on Windows Server 2003 Web
Edition or on any 64-bit version of Windows Server.
WSUS requires Internet Information Services (IIS) 6, Background Intelligent
Transfer Service (BITS) 2.0, and .NET Framework 1.1 Service Pack 1 to be
installed before WSUS is installed. If SQL Server 2000 is not already
installed, the Windows SQL Server 2000 Desktop Engine (WMSDE) will be
installed as part of the installation of WSUS.
Note
Windows Server 2003 SP1 and later include BITS 2.0 and .NET Framework 1.1 SP1, so these do not need to be installed separately.
You need to download the necessary files before you begin the
installation of WSUS. If your server is not already running Windows
Server 2003 SP1, you should download the following items:
In all cases, you must download WSUS itself. This download requires a
registration and a Passport account. You can download WSUS at: http://www.microsoft.com/windowsserversystem/updateservices/downloads/wsus.mspx.
Once you have downloaded the necessary software, you can begin installing the prerequisites:
- Install IIS6 on your WSUS server if it isn’t already installed. IIS6
  can be installed using Add/Remove Programs, Add/Remove Windows
  Components.
- Install .NET Framework 1.1 SP1. If you’re already running Windows
  Server 2003 SP1, you won’t need to install this service pack because it
  is included in the Windows Service Pack.
- Install BITS 2.0. If you’re already running Windows Server 2003 SP1,
  you won’t need to install BITS 2.0 because it is included in the Windows
  Service Pack.
If any of the prerequisite steps requires a reboot, you need to do that reboot before starting the WSUS installation.
To install Windows Server Update Services, perform the following steps:
- Complete the prerequisite installations described previously.
- Navigate to the location where you downloaded WSUS. Double-click
  WSUSSetup.exe to begin the installation and open the Microsoft Windows
  Server Update Services Setup Wizard.
- Click Next to open the License Agreement dialog box. As usual, you can either agree to the license or cancel the installation.
- Click Next to open the Select Update Source dialog box, which is shown in Figure 1.
- Select Store Updates Locally, and enter a location on an NTFS
  formatted volume. You can also choose to download updates directly from
  Microsoft, which will slow down updating clients but save on hard drive
  space.
- Click Next to open the Database Options dialog box. By default, WSUS
  uses WMSDE to store updates. If an existing SQL Server installation is
  present, you can choose to use the existing database server.
- Click Next to open the Web Site Selection dialog box, which is shown in Figure 2. You can choose to use the IIS Default Web site, or create a special WSUS site.
- Click Next to open the Mirror Update Settings dialog box. You’ll use
  this dialog box if you’re creating a hierarchy of WSUS servers, but for
  standalone WSUS servers, leave the check box cleared.
- Click Next and the actual installation will begin.
The basic configuration of WSUS requires you to configure and deal
with quite a few things right at the beginning, but then the process
should be straightforward. The steps to initial configuration are as
follows:
- Configure networking and proxy settings. WSUS needs to be configured
  to work with your proxy and firewall server or servers.
- Synchronize the WSUS server with Microsoft Update. WSUS
  downloads the complete list of Critical and Security updates from
  Microsoft Update for the kinds of client computers on your network.
- Update and configure automatic updates. WSUS needs to update Automatic
  Updates on your client machines to the latest version. Use Group Policy
  to deploy the latest version.
- Create computer groups. WSUS creates two new groups by default (All
  Computers and Unassigned Computers), but you’ll likely want additional
  groups, such as Test and Beta groups to manage the deployment process.
- Approve and deploy updates. WSUS defaults to automatic approval of
  critical security updates, but you can change the settings and control
  details of approval. Software isn’t actually downloaded and deployed
  until approved.
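One way to confirm that a client really received the Automatic Updates policy from the configuration steps above, including the download-but-do-not-install setting recommended earlier (an added example, not code from the original text): the script parses the text of a reg export of the client's Windows Update policy keys and lists where it departs from the intended setup. The server URL, group names and sample export are constructed placeholders, and it assumes the export has been decoded to text and that computer groups are assigned through the client-side TargetGroup policy value.

```python
import re

# Constructed sample: reg export text for one client's Windows Update policy keys.
# The server URL and group name are placeholders, not values from the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.internal"
"WUStatusServer"="http://wsus.example.internal"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Test"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
'''

WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = WU + r"\AU"

def parse_reg(text):
    """Parse .reg text into {KEY_PATH_UPPERCASE: {value_name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit(text, wsus_url, groups):
    """Return findings where the client policy departs from the intended setup."""
    keys = parse_reg(text)
    wu, au = keys.get(WU.upper(), {}), keys.get(AU.upper(), {})
    findings = []
    if au.get("UseWUServer") != 1 or wu.get("WUServer") != wsus_url:
        findings.append("client does not use the expected WSUS server")
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates is disabled")
    elif au.get("AUOptions") != 3:  # 3 = download automatically, notify before install
        findings.append("AUOptions=%s, expected 3" % au.get("AUOptions"))
    if wu.get("TargetGroupEnabled") != 1 or wu.get("TargetGroup") not in groups:
        findings.append("client is not targeted at a known computer group")
    return findings
```

Calling audit(SAMPLE_REG, "http://wsus.example.internal", {"Test", "Beta"}) flags the sample client because AUOptions is 4 (download and install on a schedule) rather than 3.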
4. Systems Management Server 2003
Microsoft SMS is not just a patch management application, but an
entire network and infrastructure management solution. It has the
ability to inventory your network; manage network devices; and deploy
applications, operating systems, and patches across a diverse enterprise
environment. It also has comprehensive reporting and asset-management
features.
The setup and deployment costs for SMS are significant, but
the payback for complex environments will be worth it in the long run.
If you’re managing 50 desktops, don’t bother. But if you’re managing 500
or more desktops, SMS is worth investigating.