
Security Patching Using Windows Server Update Services

Presented by Jeff Alexander, IT Pro Evangelist, Microsoft Australia (http://blogs.technet.com/jeffa36). Agenda: Update Services goals and design principles, features, architecture, deployment, scenarios, migration from SUS 1.0, considerations.


Presentation Transcript


  1. Security Patching Using Windows Server Update Services
     Jeff Alexander, IT Pro Evangelist, Microsoft Australia
     http://blogs.technet.com/jeffa36

  2. Agenda
     • Update Services Goals and Design Principles
     • Features
     • Architecture
     • Deployment
     • Scenarios
     • Migration from SUS 1.0
     • Considerations

  3. What is Update Services?
     • Corporate update management offering
     • Gets content from the Microsoft Update (MU) service
     • RTW component of Windows Server
       • Free to Windows Server (2000 and above) licensees
       • Requires Windows Server / Core CAL for target systems
     • Does not change currently available offerings
       • SUS 1.0 continues to get content from WU
     • Core component of Microsoft's Patch & Update Management solutions & roadmap

  4. WSUS Goals and Design Principles
     • Deliver an easy to use, fully functional solution to address update management scenarios for all Microsoft products
       • Automate the update management process as much as possible
       • Support more than just Windows patches
       • Address customer requests from SUS 1.0
     • Optimize the administrator experience for the IT generalist
     • Build the core patch management infrastructure for the Windows platform
       • Leveraged by other tools (e.g., SMS & 3rd party products)
       • Rich set of APIs to allow for extensibility and customization
       • Scale to large Internet services (Microsoft Update)

  5. Solution Overview (diagram)
     Components: Microsoft Update; WSUS Server; Desktop Clients (Target Group 1); Server Clients (Target Group 2); WSUS Administrator
     • Administrator approves updates
     • Administrator puts clients in different target groups
     • Administrator subscribes to update categories
     • Server downloads updates from Microsoft Update
     • Clients register themselves with the server
     • Agents install administrator-approved updates

  6. Supported Products and Content
     • Content Partners
       • Windows, Office, SQL, Exchange at RTM
       • Additional products added over time
     • OS platforms
       • Client/agent
         • Win2k SP3 and later, WinXP RTM and later (incl. XP Embedded)
         • Win2k3 RTM (32-bit only), Win2k3 SP1 (x64 and IA64)
       • Server
         • Win2k SP4 and later
         • Win2k3 RTM and later (32-bit only)
     • International support
       • Client is localized to 25 Windows client locales
       • Server is localized to 17 Windows Server locales
       • MUI support

  7. Features
     • Administrator defined target groups
       • Group Policy defines client membership for AD environments
       • WSUS Server defined group membership for non-AD environments
     • Administrator control of approvals
       • "Detect only" evaluation of machines for patch applicability
       • Approve for install and uninstall (requires update support)
       • Date-based deadlines
     • Per target group approval:
       • Different updates to different target groups
       • Different deadlines per target group
       • Different action per target group

  8. Features
     • Flexible Agent Configuration
       • Polling frequency
       • Notification and install behaviors
       • Reboot behaviors
       • Port configurability
     • Non-administrators can install updates (like administrators)
     • Install at Shutdown (XP SP2 only)

  9. Network Optimization Features
     • Resilient and transparent
       • BITS* for client-server and server-server downloads
       • Downloads are in the background
     • Minimized data downloads
       • Update subscriptions: only download updates for the products, classifications and languages that *you* need
       • Support for "delta compression" technologies for client-server communications
       • Option to only download approved updates (download on demand)
       • Option to download only update descriptions & detection data; binaries stay on MU
     *Background Intelligent Transfer Service

  10. Demonstration: User Interface

  11. Reporting Features
     • Synchronization reports
       • What's new, what changed
     • Event log integration
       • Agent and server status events sent to the local event log
     • All reporting information available via the Server .NET API

  12. Deployment/Management Flexibility
     • Server deployment options
       • Stand-alone server
       • Hierarchical deployments of servers
         • Independent servers: no replication of approvals
         • Replica servers: approvals and target groups replicated between Update Services servers
       • Disconnected servers
     • Manageability (and extensibility)
       • Server
         • .NET based Server APIs
         • Simple rules for automatic "headless" deployment of updates
       • Client
         • Client command line options to trigger update detection
         • COM based APIs with scripting & remoting support
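The "headless" deployment rule from slide 12 combined with the per-target-group approvals and date-based deadlines from slide 7 looks like this when scripted against the WSUS server .NET API (the Microsoft.UpdateServices.Administration assembly). This is an added example written for this page, not a script from the presentation or from Microsoft; it assumes it runs on the WSUS server as a WSUS administrator, and the target group name "Pilot", the "Security Updates" classification filter and the 7-day deadline are placeholders chosen for the example.

```powershell
# Added example (not from the presentation): approve every not-yet-approved
# "Security Updates" item for one target group, with an install deadline.
param(
    [string]$TargetGroupName = "Pilot",   # assumed target group name
    [int]$DeadlineDays = 7,               # assumed deadline window
    [switch]$DryRun                       # list what would be approved, approve nothing
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

# GetUpdateServer() with no arguments connects to the WSUS server on this machine.
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
if (-not $group) { throw "Target group '$TargetGroupName' does not exist on this server" }

# Scope the query: only updates in the "Security Updates" classification that
# nobody has approved yet. Anything approved by hand is left alone.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq "Security Updates" } |
    ForEach-Object { $scope.Classifications.Add($_) }

$deadline = (Get-Date).AddDays($DeadlineDays)
$approved = 0
foreach ($update in $wsus.GetUpdates($scope)) {
    # Superseded or declined updates are skipped: the newer revision covers them,
    # and approving stale ones only adds noise to client reports.
    if ($update.IsSuperseded -or $update.IsDeclined) { continue }

    Write-Host ("{0,-12} {1}" -f $update.MsrcSeverity, $update.Title)
    if ($DryRun) { continue }

    # Some updates carry a license agreement that must be accepted before approval.
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

    # Approve for install, for this group only, with a deadline after which
    # the agent installs regardless of the user's notification settings.
    [void]$update.Approve(
        [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
        $group, $deadline)
    $approved++
}
Write-Host "$approved update(s) approved for '$($group.Name)', deadline $($deadline.ToString('yyyy-MM-dd'))"
```

Run it first with `-DryRun` to see the list it would approve; approving to a small pilot group and widening later is the per-target-group model the slides describe, and the same script can be scheduled after each synchronization to keep the pilot group current without touching the web UI.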

  13. Server
     • Simple to use web UI allows administration from any computer
     • Synchronization engine to download updates from Microsoft Update
     • SQL database holds all data other than content (software files)
     • Can be set up in a hierarchy to suit organizational needs
     • Completely built on managed code
     • Uses BITS to efficiently utilize the network
     • Secure
       • Validates all downloaded content
       • All content download locations securely ACL'ed
     • Scalable
       • Supports up to 15k clients on a single 1 GHz / 512 MB server
       • Replica servers for scale out

  14. Server Architecture (diagram)
     External parties: WSUS Servers/MU; Clients; Admin workstation
     Web services: Server/Server Web service; Client/Server Web service; Reporting Web service; Admin UI
     Core: Content sync; Catalog sync; Server API
     Storage: Metadata Store (MSDE/SQL); File Store (NTFS)

  15. Client
     • Win32 Service (Agent) implements most functionality
     • Extensible architecture based on update type handlers
       • Handlers for MSI, update.exe, drivers etc.
     • Automatically self-updates to newer versions offered on the server
     • Automatic Updates feature controllable by policy
     • Secure
       • Validates all downloaded content for Microsoft certificates
       • All content download locations securely ACL'ed

  16. Client Architecture (diagram)
     Update sources: WU Service or WSUS; IE (WU Site); Custom Scripts
     Entry points: WU Client API; Automatic Updates
     WU Client: Update Manager; Update Handlers; BITS
     Storage: Content Store; Metadata Store

  17. Demonstration: Deploying Updates Using WSUS

  18. Deployment Options
     • Server options
       • Single server
       • Multiple servers
         • Replica
         • Autonomous
       • Disconnected servers
     • Client options
       • Detection frequency
       • Client side vs. server side targeting mode

  19. Single Server: Small organization or simple network
     • Configure a single server to talk to MU
     • Synchronize all relevant updates (e.g. Windows XP critical and security updates)
     • Configure clients to point to the WSUS server
     • Optionally:
       • Create target groups for different groups of machines
       • Configure clients to be members of a target group
       • Configure auto-approval rules to approve updates for install automatically
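"Configure clients to point to the WSUS server", "configure clients to be members of a target group" (client-side targeting from slides 7 and 18) and the polling frequency from slide 8 all come down to a handful of Windows Update policy values. Domain members receive them from Group Policy; for a workgroup machine, or to script the single-server scenario, the same values can be written to the policy hive directly. The script below is an added example written for this page, not from the presentation or from Microsoft; the server URL, port 8530, the "Pilot" group and the 4-hour detection interval are placeholders, and it must run elevated.

```powershell
# Added example (not from the presentation): point this client at a WSUS server,
# enroll it in a target group by client-side targeting, and force a detection cycle.
param(
    [string]$WsusUrl = "http://wsus01.example.internal:8530",  # assumed server URL and port
    [string]$TargetGroup = "Pilot",                              # assumed target group name
    [int]$DetectionHours = 4                                     # policy allows 1..22 hours
)

$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null   # creates WindowsUpdate and AU if they do not exist

# Where the agent gets updates from and where it sends status reports (usually the same server).
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String

# Client-side targeting: the client tells the server which group it belongs to at registration.
# The server must be set to client-side targeting mode for this value to be honored.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String

# Automatic Updates: use the intranet server, auto-download and notify for install (option 3),
# poll on the chosen interval, and do not reboot automatically while someone is logged on.
Set-ItemProperty -Path $au -Name UseWUServer                   -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions                     -Value 3 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled     -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency            -Value $DetectionHours -Type DWord
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Restart the agent so it re-reads policy. /resetauthorization discards the cached
# registration cookie, which is required for a changed target group to take effect,
# and /detectnow plus /reportnow make the client check in and report without waiting.
Restart-Service wuauserv
wuauclt.exe /resetauthorization /detectnow
wuauclt.exe /reportnow

# Read back what was written, for the change log.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup
```

Keeping WUServer and WUStatusServer on http rather than https only works if the network between client and server is trusted; the agent still verifies Microsoft's signature on every update it downloads (slide 15), so the transport setting affects confidentiality of the reports and the metadata, not the integrity of the binaries.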

  20. Multiple Servers (diagram)
     Components: Microsoft Update; two WSUS Servers; two sets of Desktop Clients

  21. Multiple Server Scenario: Large organization/complex network
     • Configure single/multiple servers to talk to MU
     • Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
     • Create a hierarchy of servers
       • Independent WSUS servers in the intranet
       • Replica servers
     • Configure clients to point to their respective WSUS servers
     • Optionally:
       • Create target groups for different groups of machines
       • Configure clients to be members of a target group

  22. Disconnected Servers (diagram)
     Components: Microsoft Update; WSUS Server (connected); WSUS Server (disconnected); Desktop Clients

  23. Disconnected Server: Disconnected networks
     • Set up an external server to talk to MU
     • Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
     • Export update data and content to media
     • Import update data and content to the WSUS server on the disconnected network
       • Server validates Microsoft certificates on content and the integrity of data relationships
     • Configure clients to point to their respective WSUS servers
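The export and import steps above are done with the same WSUSUTIL.EXE that slide 29 uses for SUS migration: its `export` subcommand writes the update metadata to a .cab and `import` loads it on the other side, while the content files are copied separately from the content directory. The script below is an added example written for this page, not from the presentation or from Microsoft; it assumes wsusutil.exe is in its default install location, that both servers are configured for the same products, classifications and languages, and the content directory and media paths are placeholders.

```powershell
# Added example (not from the presentation): run with -Mode Export on the Internet-connected
# server, carry the media to the disconnected network, then run with -Mode Import there.
param(
    [Parameter(Mandatory = $true)][ValidateSet("Export", "Import")][string]$Mode,
    [string]$ContentDir = "D:\WSUS\WsusContent",   # assumed WSUS content directory
    [string]$Media      = "E:\wsus-transfer"       # assumed removable media path
)

$wsusutil = Join-Path $env:ProgramFiles "Update Services\Tools\wsusutil.exe"
$package  = Join-Path $Media "metadata.cab"
$log      = Join-Path $Media "wsusutil-$Mode.log"
if (-not (Test-Path $wsusutil)) { throw "wsusutil.exe not found at $wsusutil" }

function Copy-Content([string]$From, [string]$To) {
    # Mirror the content tree; robocopy exit codes below 8 all mean success.
    robocopy $From $To /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed with code $LASTEXITCODE" }
}

switch ($Mode) {
    "Export" {
        New-Item -ItemType Directory -Path $Media -Force | Out-Null
        # Copy the binaries first so that the metadata never references content
        # that is not on the media yet.
        Copy-Content $ContentDir (Join-Path $Media "WsusContent")
        & $wsusutil export $package $log
    }
    "Import" {
        # Same order on the receiving side: content into place, then the metadata.
        Copy-Content (Join-Path $Media "WsusContent") $ContentDir
        & $wsusutil import $package $log
    }
}
if ($LASTEXITCODE -ne 0) { throw "wsusutil $Mode failed (exit $LASTEXITCODE); see $log" }
Write-Host "$Mode complete; log at $log"
```

The import is where the integrity check the slide mentions happens: the receiving server re-validates the Microsoft signatures on the content and the consistency of the imported metadata, so a file that was altered or truncated on the media is rejected there rather than offered to clients. Approvals are then made on the disconnected server as for any other server.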

  24. Migration SUS 1.0 to WSUS
     • Single server
       • WSUS and SUS 1.0 on a single server
     • Multiple servers
       • WSUS and SUS 1.0 on separate servers
       • Multiple SUS 1.0 servers to a single WSUS server
       • Multiple SUS 1.0 servers to multiple WSUS servers

  25. Environment Considerations
     • Ease of updating client settings
       • E.g., policy or scripted
     • New clients coming into the environment which are not yet WSUS compatible
     • Branch office scenarios
     • Targeting group model

  26. Migration Considerations
     • WSUS and SUS 1.0 cannot synchronize metadata with each other
     • Only one-way SUS 1.0 to WSUS migration
     • Migration of update approvals overwrites any pre-existing approvals per target group
     • What doesn't migrate
       • Proxy server settings
       • Internet Information Services (IIS) settings

  27. Single Server Migration
     • For customers with few servers
     • Requires WSUS to be initially installed on a different port than SUS 1.0
     • Requires updating all clients as they connect once the WSUS server is installed
     • Potentially requires redirecting clients to a different port on the same server
     • Clients will still use SUS 1.0 for updates until redirected to the WSUS port, or SUS 1.0 is decommissioned

  28. Multiple SUS Server Migration
     • To a single WSUS server
       • Take advantage of target groups
       • Consolidate Windows Servers
     • To multiple WSUS servers
       • Maintain organizational structures with different administrators
       • Support branch offices

  29. Migration Tool
     WSUSUTIL.EXE migratesus
     • /content <content share>
       • Migrate content from a SUS 1.0 <content share>
     • /approvals <server name>
       • Migrate approvals from the SUS 1.0 server
     • "target_group"
       • Apply approvals to the target group "target_group"
       • Requires /approvals to be specified
     • /log <log_file>
       • Log the migration activities to the <log_file> file

  30. Deployment Considerations
     • Hardware requirements
       • Number of clients, how often clients will poll the server
     • Database & storage
       • Local or remote SQL vs. MSDE
     • Bandwidth
       • Single site, multi-site, branch office, low bandwidth
     • Security
       • Customize ports
     • Scalability
       • Server hierarchy
     • Target options
       • Client side vs. server side targeting mode
     • Management
       • Automated with scripts vs. Web UI

  31. Comparing Microsoft Update, Windows Update Services, and SMS 2003 (comparison table)
     Adopt the solution that best meets the needs of your organization

  32. Choosing A Patch Management Solution: Typical Customer Decisions (decision table)
     *Customer uses Windows Update, another update tool, or a manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update

  33. Summary
     • Windows Server Update Services is a platform infrastructure as well as a solution
     • Provides significantly more functionality and flexibility than SUS 1.0
     • Default implementation is very simple
     • Complex implementations will require planning

  34. Resources
     WSUS homepage: http://www.microsoft.com/updateservices
     • WSUS Server download
     • Deployment and Operations Guides
     • SDK and Troubleshooter
     • WSUS community
     • Online Help
     WSUS Wiki: www.wsuswiki.com
     WSUS Community: www.wsus.info
     Microsoft Update: http://update.microsoft.com/microsoftupdate
