WSUS Windows Update Services

Presentation Transcript

  1. WSUS: Windows Update Services • Robert Cultrara, World Health Organization

  2. Purpose of the presentation • How to make an assessment of the security on your Windows network • Get started with Microsoft and Windows update • How to install, manage and troubleshoot WSUS • How WSUS can be used in a low-bandwidth environment

  3. The problem: • Viruses (self inflicted) • Worms (network inflicted) • *.ware - Malware/Spyware • Users countering policy • Service and Network Outage (due to saturation and loss)

  4. Microsoft Baseline Security Analyzer (MBSA) • MBSA makes an assessment of your Windows network security • It provides clear instructions on how to make your Windows network more secure

  5. Windows and Microsoft updates

  6. WU and MU • Windows Update: just patches Windows • Microsoft Update patches: Windows, Office, Exchange, more to come • Engine is the same - Troubleshoot the same

  7. MU is optional • How to activate Microsoft update

  8. MU steps • Accept EULA • Need to install software in order to use it • Downloads ActiveX files • \Windows\Downloaded Program Files • The following ActiveX controls will be installed: • MUWebControl Class • WUWebControl Class

  9. Is it safe? • On the first visit you will get an ‘Authenticode’ prompt

  10. Checking for updates

  11. Two options to install • Express Install: This option is recommended and provides the easiest method for installing high priority updates. • Custom Install: This option enables a user to select which specific updates are installed.

  12. Better ‘history’ interface

  13. Revert to WU • Go back • Click on Change settings • Check the box

  14. File updated • Windows Genuine Advantage control • Windows Installer 3.1 • Background Intelligent Transfer Service (BITS) update

  15. Auto updates options • Download • Will allow you to install them at a later time

  16. WSUS: How to update an entire network

  17. WSUS installation • Install on Windows Server • By default it goes on port 8530 • A standard install loads up an MSDE instance • Remember … clients may need http://servername:8530 set in the registry or via Group Policy

  18. WSUS: Services • SUS 1.0 synchronizes with WU • WSUS synchronizes with MU • Both services built on customized version of Windows Update Services

  19. WSUS: How it Works • Diagram labels: Microsoft Update; WUS Server; Desktop Clients (Target Group 1); Server Clients (Target Group 2); WUS Administrator • Administrator approves updates • Administrator puts clients in different target groups • Administrator subscribes to update categories • Server downloads updates from Microsoft Update • Clients register themselves with the server • Clients install administrator approved updates

  20. Update Management Features • Target Groups • Registry-based policy support for AD environments • Server-side lists for non-AD environments • Administrator control • Initiate scan of machines for patch applicability • Approve for install and uninstall (requires update support) • Date-based deadlines for approved updates • Deploy different updates to target groups • Configurable client polling frequency • Configurable reboot behavior • Port configurability • Non-administrators can install updates (like administrators) • Install at Shutdown (XP SP2 only)

  21. WSUS issues • Clients may not check in • Manually put in registry • Sync process takes a long time • About 24 hours if you pull down all files

  22. Install WSUS… • 1. Double-click the installer file WSUSSetup.exe. • Note: The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at • 2. On the Welcome page of the wizard, click Next. • 3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next. • 4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates. • Keep the default options, and click Next. • Select Update Source Page

  23. Install • Needs a LOT of disk space • 6 GB

  24. WMSDE is default • On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003. • If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper. • Keep the default options, and click Next. • Database Options Page

  25. WSUS install • Now up to 8 gigs

  26. Web admin console • WSUS will choose 8530

  27. To get to WSUS • Admin tools • http://servername:8530/WSUSAdmin/

  28. WSUS sync

  29. WSUS console • Missing the computers!

  30. Adding the WUAU template • 1. In Group Policy Object Editor, click either of the Administrative Templates nodes. • 2. On the Action menu, click Add/Remove Templates. • 3. Click Add. • 4. In the Policy Templates dialog box, click wuau.adm, and then click Open. • 5. In the Add/Remove Templates dialog box, click Close.

  31. Connect the clients • In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. • In the details pane, click Specify Intranet Microsoft update service location. • Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server. • Click OK, and then configure the behavior of Automatic Updates

  32. Assigning groups • Two methods • Group policy • Move computers

  33. Group Policy • Add a new policy to active directory

  34. Drill down to the setting • Computer config • Admin • Components • Windows Update

  35. WU – point it • First point your intranet updating • Remember 8530

  36. Change the check in interval • If you like – change the detection frequency

  37. Adding ZONES • Key decision making right here • What risk • What zone • What deployment strategy • Who gets what patches when? • At least have a Zone for the server[s] • One for workstations • More zones?

  38. Groups are your Risk areas • Create the ‘groups’ to match your risk zones

  39. Approve updates • Approval

  40. Approval • Approval – be patient

  41. Troubleshooting • Main causes of issues are simple configuration errors • “http://wsusservernome/” in a GPO Object • SelfUpdate tree needs to be on port 80 • Tools with the RC • Clientdiag.exe – diagnoses some issues • Logs • %systemroot%\WindowsUpdate.log
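
A client-side check for the settings that slides 31 and 41 describe, as an added PowerShell example that is not part of the original presentation: it reads the Windows Update policy values written by Group Policy and reports the simple configuration errors that stop clients from checking in. The registry value names (WUServer, WUStatusServer, UseWUServer) are the standard Windows Update policy values and are not named on the slides; the function names and the host names in the sample are constructed.

```powershell
# Added example. Registry value names are the standard Windows Update policy
# values; host names in the sample are constructed.
function Get-WsusClientPolicy {
    # Read what Group Policy (slide 31) or a manual edit (slide 21) wrote.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    @{ WUServer       = $wu.WUServer
       WUStatusServer = $wu.WUStatusServer
       UseWUServer    = $au.UseWUServer }
}

function Test-WsusClientPolicy {
    param([hashtable]$Policy, [int]$ExpectedPort = 8530)
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $Policy[$name]
        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings += "$name is not set"
            continue
        }
        $uri = $null
        $ok = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or ($uri.Scheme -notin 'http', 'https')) {
            $findings += "$name '$value' is not an absolute http(s) URL"
            continue
        }
        if ($uri.Port -ne $ExpectedPort) {
            $findings += "$name uses port $($uri.Port), expected $ExpectedPort"
        }
        if ($uri.Scheme -eq 'http') {
            $findings += "$name uses plain HTTP (no SSL)"
        }
    }
    if ($Policy.WUServer -ne $Policy.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ; slide 31 sets both to the same URL'
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1, so the intranet URL is ignored'
    }
    $findings
}

# Constructed sample: a typo in one URL and the port left off the other.
$sample = @{ WUServer = 'http://wsus01:8530'; WUStatusServer = 'http://wsus1'; UseWUServer = 1 }
Test-WsusClientPolicy -Policy $sample
# On a real client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```

Pass `-ExpectedPort` when the WSUS site was installed on a port other than the default 8530.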

  42. Securing WSUS traffic • Forcing WSUSAdmin site to use SSL is simple • Obtain and install a web certificate • Enable SSL on WSUSADMIN directory

  43. Low-bandwidth tips • Some initial configuration is required • Synchronisation options • Schedule • What types of updates • Proxy server settings • Languages (ALL languages is the default) • Automatic Approval options • Which updates should be automatically approved