
Security Patching Using Windows Server Update Services

Jeff Alexander IT Pro Evangelist Microsoft Australia http://blogs.technet.com/jeffa36

Agenda

• Update Services Goals and Design Principles
• Features
• Architecture
• Deployment
  – Scenarios
  – Migration from SUS 1.0
  – Considerations

What is Update Services?

• Corporate update management offering
  – Gets content from Microsoft Update (MU) service
• RTW component of Windows Server
  – Free to Windows Server (2000 and above) licensees
  – Requires Windows Server / Core CAL for target systems
• Does not change currently available offerings
  – SUS 1.0 continues to get content from WU
• Core component of Microsoft's Patch & Update Management solutions & roadmap

WSUS Goals and Design Principles

• Deliver easy to use, fully functional solution to address update management scenarios for all Microsoft products
  – Automate the update management process as much as possible
  – Support more than just Windows patches
  – Address customer requests from SUS 1.0
  – Optimize administrator experience for IT generalist
• Build the core patch management infrastructure for the Windows platform
  – Leveraged by other tools (e.g., SMS & 3rd party products)
  – Rich set of APIs to allow for extensibility and customization
  – Scale to large Internet services (Microsoft Update)

Solution Overview

[Diagram: Solution Overview. Microsoft Update feeds the WSUS Server, which the WSUS Administrator manages; Desktop Clients form Target Group 1 and Server Clients form Target Group 2]

Supported Products and Content

• Content Partners
  – Windows, Office, SQL, Exchange at RTM
  – Additional products added over time
• OS platforms
  – Client/agent
    • Win2k SP3 and later, WinXP RTM and later (incl. XP Embedded)
    • Win2k3 RTM (32-bit only), Win2k3 SP1 (x64 and IA64)
  – Server
    • Win2k SP4 and later
    • Win2k3 RTM and later (32-bit only)
• International support
  – Client is localized to 25 Windows client locales
  – Server is localized to 17 Windows Server locales
  – MUI support

Features

• Administrator defined target groups
  – Group Policy defines client membership for AD environments
  – WSUS Server defined group membership for non-AD environments
• Administrator control of approvals
  – "Detect only" evaluation of machines for patch applicability
  – Approve for install and uninstall (requires update support)
  – Date-based deadlines
  – Per target group approval:
    • Different updates to different target groups
    • Different deadlines per target group
    • Different action per target group

Features

• Flexible Agent Configuration
  – Polling frequency
  – Notification and Install behaviors
  – Reboot behaviors
  – Port configurability
  – Non-administrators can install updates (like administrators)
  – Install at Shutdown (XP SP2 only)

Network Optimization Features

• Resilient and transparent
  – BITS* for client-server and server-server downloads
  – Downloads are in the background
• Minimized data downloads
  – Update subscriptions: only download updates for the products, classifications and languages that *you* need
  – Support for "delta compression" technologies for client-server communications
  – Option to only download approved updates (download on demand)
  – Option to download only update descriptions & detection metadata; binaries stay on MU

*Background Intelligent Transfer Service

Demonstration: User Interface

Reporting Features

• Synchronization reports
  – What's new, what changed
• Event log integration
  – Agent and server status events sent to local event log
• All reporting information available via Server .NET API

Deployment/Management Flexibility

• Server deployment options
  – Stand-alone server
  – Hierarchical deployments of servers
    • Independent servers: no replication of approvals
    • Replica servers: approvals and target groups replicated between Update Services servers
  – Disconnected servers
• Manageability (and extensibility)
  – Server
    • .NET based Server APIs
    • Simple rules for automatic "headless" deployment of updates
  – Client
    • Client command line options to trigger update detection
    • COM based APIs with scripting & remoting support
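The "headless" deployment rule mentioned above, combined with the per-target-group approvals and date-based deadlines from the Features slide, can be expressed against the Server .NET API. The script below is an added example written for this page, not code from the deck or from Microsoft; it assumes a target group named "Pilot", a seven-day deadline, and that it runs on the WSUS server under a WSUS administrator account. The classification titles and the assembly name are the ones the WSUS administration API uses.

```powershell
# Added example: approve new Critical/Security updates for one target group with a deadline,
# using the WSUS Server .NET API (Microsoft.UpdateServices.Administration).
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$pilotGroupName   = "Pilot"                                  # assumed target group name
$classesToApprove = @("Critical Updates", "Security Updates")
$deadline         = (Get-Date).AddDays(7)                    # date-based deadline for the approval

# Connect to the local server; AdminProxy is the API's entry point.
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotGroupName }
if (-not $group) { throw "Target group '$pilotGroupName' does not exist on this server" }

$approved = 0
foreach ($update in $wsus.GetUpdates()) {
    # Skip declined updates and updates already approved for some group (IsApproved
    # is true when any group has an approval, which is the conservative choice here).
    if ($update.IsDeclined -or $update.IsApproved) { continue }
    if ($classesToApprove -notcontains $update.UpdateClassificationTitle) { continue }

    # An approval cannot be created silently until the licence terms are accepted.
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

    # Approve for install on the pilot group only, with the deadline.
    $update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install,
                    $group, $deadline) | Out-Null
    $approved++
    Write-Output ("Approved for '{0}' by {1:yyyy-MM-dd}: {2}" -f $group.Name, $deadline, $update.Title)
}
Write-Output "$approved update(s) approved for install on '$pilotGroupName'"
```

Restricting the rule to one pilot group keeps the blast radius of an automatic approval small: the same update is only pushed to the production groups after the pilot machines have reported back, which is exactly the per-group approval model the slides describe.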

Server

• Simple to use web UI allows administration from any computer
• Synchronization engine to download updates from Microsoft Update
• SQL database holds all data other than content (software files)
• Can be set up in a hierarchy to suit organizational needs
• Completely built on managed code
• Uses BITS to efficiently utilize the network
• Secure
  – Validates all downloaded content
  – All content download locations securely ACL'ed
• Scalable
  – Supports up to 15k clients on a single 1 GHz, 512 MB server
  – Replica servers for scale-out

Server Architecture

[Diagram: Server Architecture. Clients use the Reporting Web service and the Client/Server Web service; upstream WSUS Servers/MU are reached through the Server/Server Web service (catalog sync and content sync); the Admin workstation's Admin UI uses the Server API; all of these sit on the Metadata Store (MSDE/SQL) and the File Store (NTFS)]

Client

• Win32 Service (Agent) implements most functionality
• Extensible architecture based on Update type Handlers
  – Handlers for MSI, update.exe, drivers etc.
• Automatically self-updates to newer versions offered on the server
• Automatic Updates feature controllable by policy
• Secure
  – Validates all downloaded content for Microsoft certificates
  – All content download locations securely ACL'ed
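The "COM based APIs with scripting support" on the client are the Windows Update Agent automation objects. As an added example (not from the deck), the script below runs a detection against the managed (WSUS) server rather than Microsoft Update and lists what the server has approved for this machine but which is not yet installed. It assumes the client is already pointed at a WSUS server by policy and is run as an administrator; the ServerSelection value 1 is the agent's ssManagedServer setting.

```powershell
# Added example: "detect only" evaluation of this client against its WSUS server
# through the Windows Update Agent COM API.
$session  = New-Object -ComObject "Microsoft.Update.Session"
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1        # ssManagedServer: query the WSUS server, not Microsoft Update
$searcher.Online = $true             # force a fresh detection instead of the cached result

# The server only hands back updates approved for this client's target group,
# so the result is "approved and applicable but missing".
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")
if ($result.ResultCode -ne 2) {      # 2 = orcSucceeded
    throw "Detection did not complete; result code $($result.ResultCode)"
}

Write-Output ("{0} approved update(s) missing on {1}" -f $result.Updates.Count, $env:COMPUTERNAME)
foreach ($u in $result.Updates) {
    $kb    = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ","
    $state = if ($u.IsDownloaded) { "downloaded" } else { "pending download" }
    Write-Output ("{0,-14} {1,-10} {2,-18} {3}" -f $kb, $u.MsrcSeverity, $state, $u.Title)
}
```

Because the search is "detect only", nothing is downloaded or installed; the same call is what a scripted compliance check or a helpdesk tool would use to confirm that a client really sees the approvals the administrator expects before any deadline fires.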

Client Architecture

[Diagram: Client Architecture. The WU Client (Update Handlers, Update Manager, WU Client API) talks to the WU Service or WSUS and to IE (WU Site); Custom Scripts and Automatic Updates drive it through the WU Client API; BITS fills the Content Store, alongside the Metadata Store]

Demonstration

Deploying Updates Using WSUS

Deployment Options

• Server Options
  – Single Server
  – Multiple Servers
    • Replica
    • Autonomous
  – Disconnected Servers
• Client Options
  – Detection frequency
  – Client side vs server side targeting mode

Single Server: Small organization or simple network

• Configure single server to talk to MU
• Synchronize all relevant updates (e.g. Windows XP critical and security updates)
• Configure clients to point to the WSUS server
• Optionally:
  – Create target groups for different groups of machines
  – Configure clients to be members of a target group
  – Configure auto approval rules to approve updates for install automatically
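The client-side steps of this scenario (point clients at the server, make them members of a target group, set the polling and install behaviour from the Flexible Agent Configuration slide) come down to a handful of policy registry values. The script below is an added example, not part of the deck: it configures a non-AD client by writing the same values the WSUS Group Policy template writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, then triggers a detection. The server name, port and group name are assumptions and must match what exists on the WSUS server.

```powershell
# Added example: configure a stand-alone client for a WSUS server with client-side targeting.
# Run elevated; these keys are writable by administrators only, which is what stops an
# ordinary user from redirecting the machine to a different update server.
$wsusUrl     = "http://wsus01.corp.example:8530"   # assumed server; 8530 is the WSUS custom-port default
$targetGroup = "Desktops"                          # assumed target group (must exist on the server)

$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy = Join-Path $wuPolicy "AU"
foreach ($key in $wuPolicy, $auPolicy) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the agent fetches updates and where it reports status (may be different servers).
Set-ItemProperty $wuPolicy -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty $wuPolicy -Name WUStatusServer -Value $wsusUrl -Type String

# Client-side targeting: the client announces its group; the server must be set to
# client-side targeting mode for this to take effect.
Set-ItemProperty $wuPolicy -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty $wuPolicy -Name TargetGroup        -Value $targetGroup -Type String

# Agent behaviour: use the intranet server, auto-download and schedule the install,
# poll every 4 hours, never reboot automatically while someone is logged on.
Set-ItemProperty $auPolicy -Name UseWUServer                   -Value 1 -Type DWord
Set-ItemProperty $auPolicy -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty $auPolicy -Name AUOptions                     -Value 4 -Type DWord   # 4 = auto download, scheduled install
Set-ItemProperty $auPolicy -Name ScheduledInstallDay           -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty $auPolicy -Name ScheduledInstallTime          -Value 3 -Type DWord   # 03:00
Set-ItemProperty $auPolicy -Name DetectionFrequencyEnabled     -Value 1 -Type DWord
Set-ItemProperty $auPolicy -Name DetectionFrequency            -Value 4 -Type DWord   # hours
Set-ItemProperty $auPolicy -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Re-register with the server and detect now. /resetauthorization discards the cached
# target-group cookie so the new group membership is used on the next contact.
wuauclt.exe /resetauthorization /detectnow

# Show what the agent will use.
Get-ItemProperty $wuPolicy | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
```

In an AD environment the same values come from Group Policy instead of a script, which is the "Group Policy defines client membership" option on the Features slide; either way the content the client then downloads is still signature-checked by the agent, as the Client slide notes.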

Multiple Servers

[Diagram: Multiple Servers. Microsoft Update feeds two WSUS Servers, each serving its own Desktop Clients]

Multiple Server Scenario: Large organization/complex network

• Configure single/multiple servers to talk to MU
• Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
• Create a hierarchy of servers
  – Independent WSUS servers in the intranet
  – Replica servers
• Configure clients to point to respective WSUS servers
• Optionally:
  – Create target groups for different groups of machines
  – Configure clients to be members of a target group

Disconnected Servers

[Diagram: Disconnected Servers. Microsoft Update feeds a WSUS Server on the connected network; a second WSUS Server on the disconnected network serves the Desktop Clients]

Disconnected Server: Disconnected networks

• Set up an external server to talk to MU
• Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical and security updates)
• Export update data and content to media
• Import update data and content to the WSUS server on the disconnected network
  – Server will validate Microsoft certificates on content and the integrity of data relationships
• Configure clients to point to respective WSUS servers
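The export and import steps above can be scripted on both sides of the air gap. The script below is an added example written for this page, not from the deck or from Microsoft: the export/import verbs of wsusutil.exe and the WSUSContent folder follow the disconnected-network procedure in the WSUS deployment guide, while the install path, content path, media drive and the use of Get-FileHash (PowerShell 4 or later) are assumptions. It adds a hash manifest so that a bad or altered copy on the media is caught before anything touches the disconnected server, on top of the certificate validation the import itself performs.

```powershell
# Added example: move WSUS metadata and content across an air gap by removable media.
# Run with -Mode Export on the connected server, then -Mode Import on the disconnected one.
param([Parameter(Mandatory = $true)][ValidateSet("Export", "Import")][string]$Mode)

$wsusUtil   = "C:\Program Files\Update Services\Tools\wsusutil.exe"   # assumed install path
$contentDir = "C:\WSUS\WSUSContent"                                    # assumed content store
$media      = "E:\wsus-transfer"                                       # assumed removable media
$mediaContent = Join-Path $media "WSUSContent"
$manifest     = Join-Path $media "manifest.txt"

function Get-ContentManifest([string]$Root) {
    # One "sha256 relative-path" line per file, sorted so the two sides compare line by line.
    Get-ChildItem $Root -Recurse -File | ForEach-Object {
        "{0} {1}" -f (Get-FileHash $_.FullName -Algorithm SHA256).Hash, $_.FullName.Substring($Root.Length + 1)
    } | Sort-Object
}

function Copy-Tree([string]$From, [string]$To) {
    robocopy $From $To /E /XO /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes below 8 are success variants; 8 and above signal failed copies.
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed with exit code $LASTEXITCODE" }
}

switch ($Mode) {
    "Export" {
        # Connected server: package the update metadata (the export does not carry
        # update files, approvals or server settings), then copy the content store.
        New-Item -ItemType Directory -Path $media -Force | Out-Null
        & $wsusUtil export (Join-Path $media "metadata.cab") (Join-Path $media "export.log")
        if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed; see export.log on the media" }
        Copy-Tree $contentDir $mediaContent
        Get-ContentManifest $mediaContent | Set-Content $manifest
        Write-Output "Export complete: $((Get-Content $manifest).Count) content files recorded in manifest"
    }
    "Import" {
        # Disconnected server: verify the media against the manifest before importing.
        $diff = Compare-Object (Get-Content $manifest) (Get-ContentManifest $mediaContent)
        if ($diff) { throw "Media content does not match its manifest:`n$($diff | Out-String)" }
        # Content first, then metadata, so the catalog never references files that are absent.
        Copy-Tree $mediaContent $contentDir
        & $wsusUtil import (Join-Path $media "metadata.cab") (Join-Path $media "import.log")
        if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed; see import.log on the media" }
        Write-Output "Import complete; approve updates on this server as usual"
    }
}
```

Approvals and target groups are not carried across by the export, so they are administered on the disconnected server exactly as on a connected one; only the catalog and binaries travel on the media.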

Migration SUS 1.0 to WSUS

• Single server
  – WSUS and SUS 1.0 on a single server
• Multiple servers
  – WSUS and SUS 1.0 on separate servers
  – Multiple SUS 1.0 servers to a single WSUS server
  – Multiple SUS 1.0 servers to multiple WSUS servers

Environment Considerations

• Ease of updating client settings
  – E.g., policy or scripted
• New clients coming into the environment which are not yet WSUS compatible
• Branch office scenarios
• Targeting group model

Migration Considerations

• WSUS and SUS 1.0 cannot synchronize metadata with each other
• Only one-way SUS 1.0 to WSUS migration
• Migration of update approvals overwrites any pre-existing approvals per target group
• What doesn't migrate
  – Proxy server settings
  – Internet Information Services (IIS) settings

Single Server Migration

• For customers with few servers
• Requires WSUS to be initially installed on a different port than SUS 1.0
• Requires updating all clients as they connect once the WSUS server is installed
• Potentially requires redirecting clients to a different port on the same server
• Clients will still use SUS 1.0 for updates until redirected to the WSUS port, or SUS 1.0 is decommissioned

Multiple SUS server migration

• To a single WSUS server
  – Take advantage of target groups
  – Consolidate Windows Servers
• To multiple WSUS servers
  – Maintain organizational structures with different administrators
  – Support branch offices

Migration Tool

• WSUSUTIL.EXE migratesus
  – /content: Migrate content from a SUS 1.0 server
  – /approvals: Migrate approvals from the SUS 1.0 server
  – "target_group": Apply approvals to the target group "target_group". Requires /approvals to be specified.
  – /log: Log the migration activities to the file

Deployment Considerations

• Hardware requirements
  – Number of clients, how often will clients poll the server
• Database & storage
  – Local or remote; SQL vs MSDE
• Bandwidth
  – Single site, multi-site, branch office, low bandwidth
• Security
  – Customize ports
• Scalability
  – Server hierarchy
• Target options
  – Client side vs server side targeting mode
• Management
  – Automated with scripts vs Web UI

Comparing Microsoft Update, Windows Update Services, and SMS 2003

Adopt the solution that best meets the needs of your organization

Columns: Capability / Microsoft Update / Windows Update Services / SMS 2003

Supported Software and Content

Supported Software for Content
  – Microsoft Update: Same as Windows Update Services + WinXP Home
  – Windows Update Services: Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE
  – SMS 2003: Same as Windows Update Services + NT 4.0 & Win98 + can update any other Windows based software
Supported Content Types for Supported Software
  – Microsoft Update: All software updates, critical driver updates, service packs (SPs), and feature packs (FPs)
  – Windows Update Services: All software updates, critical driver updates, SPs, & FPs
  – SMS 2003: All updates, SPs, & FPs + supports update & app installs for any Windows based software

Update Management Capabilities (Microsoft Update / Windows Update Services / SMS 2003)

Targeting Content to Systems: N/A / Simple / Advanced
Network Bandwidth Optimization: Yes / Yes / Yes
Patch Distribution Control: N/A / Simple / Advanced
Patch Installation & Scheduling Flexibility: Manual & end user controlled / Simple / Advanced
Patch Installation Status Reporting: Install errors reported to user; lists missing updates for accessing computer / Simple / Advanced
Deployment Planning: N/A / Simple / Advanced
Inventory Management: N/A / No / Yes

Choosing A Patch Management Solution

Typical Customer Decisions

Columns: Customer Type / Scenario / Customer Chooses

Large or Medium Enterprise
  – Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution: SMS 2003
  – Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000: WSUS*
Small Business
  – Have at least 1 Windows server and 1 IT administrator: WSUS*
  – All other scenarios: Microsoft Update*
Consumer
  – All scenarios: Microsoft Update*

*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update

Summary

• Windows Server Update Services is a platform infrastructure as well as a solution
• Provides significantly more functionality and flexibility than SUS 1.0
  – Default implementation is very simple
  – Complex implementations will require planning

Resources

WSUS homepage: http://www.microsoft.com/updateservices
  – WSUS Server download
  – Deployment and Operations Guides
  – SDK and Troubleshooter
  – WSUS community
  – Online Help

WSUS Wiki: www.wsuswiki.com

WSUS Community: www.wsus.info

Microsoft Update: http://update.microsoft.com/microsoftupdate