
Chapter 5

Deploying Microsoft Software Update Services

Microsoft® Software Update Services (SUS) helps you collect, approve, and distribute critical operating system patches to resolve known security vulnerabilities and stability issues. You can use these services on computers running the following operating systems: Microsoft® Windows® 2000, Microsoft® Windows® XP, and the Microsoft® Windows® Server 2003 family.

In This Chapter

Software Update Services Overview 198

Designing the Server Deployment 205

Deploying the SUS Server Component 211

Deploying Automatic Updates 226

Additional Resources 233

Related Information

·  For information about Group Policy, see “Designing a Group Policy Infrastructure” in this book.

·  For information about Group Policy–based software distribution and the Microsoft® Windows® Installer (MSI) packages, see “Deploying a Managed Software Environment” in this book.

·  For information about Network Load Balancing (NLB), see “Deploying Network Load Balancing” in Planning Server Deployments of this kit.

·  For an example using SUS in a simple managed environment, see “Deploying a Simple Managed Environment” in this book.

Software Update Services Overview

Prior to SUS, administrators had to continually check the Windows Update Web site for operating system patches, and then download, test, and distribute patches manually. SUS streamlines and automates these processes.

By using SUS, you can download the latest patches to an intranet server, test the patches in your operating environment, select the patches you want to deploy to specific computers, and then deploy the patches in a timely and efficient manner. SUS provides dynamic notification of critical updates to Windows-based computers, whether or not they have Internet access, and it provides a simple, automatic solution for distributing critical updates to networked clients and servers. For worksheets to assist you with the deployment of SUS, see “Additional Resources” later in this chapter.

Begin by determining the Internet connectivity, security requirements, and scale of your SUS server deployment. After deploying and testing the server configuration, deploy and configure Automatic Updates on the client computers that will connect to your servers that run SUS for critical updates. At the completion of these steps, you are ready to deploy critical patches by using SUS.

Implementing a SUS Solution

Deploying a software update solution involves determining your security and scalability needs and deciding how to stage content before distribution. You can then deploy and configure the server and client components of SUS to keep the computers in your organization updated and secure. Figure 5.1 illustrates the process of deploying SUS.

Figure 5.1 Deploying SUS

Technology Background

Many organizations do not want their computer users obtaining and installing critical or security updates from an Internet source without them being tested or approved by a system administrator. SUS lets an administrator install a Windows server component on an internal server running Windows 2000 Service Pack 2 (SP2) or later or Windows Server 2003. A server running either operating system can then download all critical updates and security patches as soon as they are published on the Windows Update Web site. After a patch is downloaded, you can safely test and stage its content before deploying it to production environments.

Microsoft® Systems Management Server (SMS), with the SUS Feature Pack, provides an alternative to SUS for deploying and managing software patches. For information about choosing the best patch deployment solution for your organization, see “Choosing a Security Update Management Solution,” a white paper available from the Software Update Services link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Distinguishing Patch Designations

Several tools are available for analyzing client computers and determining what patches their operating systems need. Available tools include Microsoft Baseline Security Analyzer (MBSA), Windows Update, SUS, Automatic Updates, and SMS.

MBSA

MBSA is a scanning tool that runs on Windows 2000 and Windows XP operating systems to look for missing patches and service packs in Windows operating systems, Internet Information Services (IIS), and Microsoft® SQL Server™. MBSA can scan computers running Windows NT® 4.0, Windows 2000, and Windows XP operating systems. For more information about the MBSA tool, see the MBSA link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Windows Update

Windows Update is a tool that scans a Windows-based computer, searching for all applicable critical, important, or moderate Windows updates. At the Windows Update Web site, a computer running Windows can be evaluated against a known list of applicable updates to determine which updates it needs. Those updates can then be installed from the Web site. In Windows 2000, Windows XP, and Microsoft® Windows® Millennium Edition, the Automatic Updates feature extends the Windows Update program so that you can configure computers to visit Windows Update automatically and download critical updates. For other update options, see the Windows Update link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Note

Automatic Updates retrieves all critical updates and Microsoft Security Response Center security updates that are classified as moderate or important.

SUS

SUS is a server component that, when installed on a server running Windows 2000, allows small and medium enterprises to bring critical updates from Windows Update inside their firewalls to distribute to Windows 2000 and Windows XP computers. The same Automatic Updates component that can direct Windows 2000 and Windows XP computers to Windows Update can be directed to a SUS server inside your firewall to install critical updates.

Automatic Updates

Automatic Updates scans only for critical updates, but if the server running SUS that it connects to contains updates other than critical ones, Automatic Updates receives and applies those as well. SUS receives critical and moderate security updates.

SMS

SMS 2.0 is already used by many large enterprises as the tool to distribute software updates to desktops and servers. SMS 2.0 has been extended with the SMS 2.0 Software Update Services Feature Pack to integrate with supported Microsoft scanning tools for Windows and Microsoft® Office security patches, so that entire enterprises can be scanned regularly and the results stored by SMS as inventory. The SMS administrator can then automatically go to the Microsoft download center to acquire critical patches and deploy them across the enterprise.

The Microsoft Security Response Center rates the severity of an update as critical, important, moderate, or low as summarized in Table 5.1. For more information about the Severity Rating system, see the Security Response Center link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Table 5.1 Security Ratings

Rating      Definition
Critical    A vulnerability with an exploitation that can allow the propagation of an Internet worm without user action.
Important   A vulnerability with an exploitation that can result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability that is extremely difficult to exploit or has minimal impact.

Multiple scans performed on the same computer can show different results depending on the tool you use. MBSA finds all missing updates; Windows Update finds missing critical, important, and moderate updates; and Automatic Updates finds missing critical updates only.

You can use Automatic Updates or Windows Update in combination with MBSA. For example, after using Automatic Updates to deploy updates, run MBSA to check the update status.

Server Component

The server component of SUS is installed on Windows 2000 Server SP2 or later, or Windows Server 2003. The server running SUS synchronizes with the Windows Update Web site for operating system patches. The following discussion of SUS refers to SUS 1.0, Service Pack 1.

Note

The server component of SUS is available in English and Japanese. These languages are for the administration and installation of SUS only. Both the English and Japanese versions of SUS support clients of any locale supported by Windows.

The server component is made up of the following:

·  Windows Update Synchronization Service, a synchronization service that downloads content to the servers running SUS. This service also synchronizes data among multiple servers running SUS and distribution points within the intranet.

·  An IIS Web site that responds to update requests from Automatic Updates clients.

·  A SUS Administration Web page.

SUS supports Windows critical updates and Windows security roll-ups only. You can apply other types of updates by using a different distribution mechanism.

Servers running SUS can be configured to synchronize content from the following sources:

·  A local server running SUS that retrieves updates directly from an external Web site.

·  A second-tier server on the intranet running SUS.

·  A SUS content distribution point.

You can use SUS to perform staged deployments that involve multiple servers. You can configure one server in a test environment to publish updates to test clients and then review the results. If the results are satisfactory, you can configure other servers running SUS to publish those updates to the rest of your organization.

Application Compatibility

The recommended configuration is to install SUS on a dedicated server because other applications that rely on IIS might be configured in ways that are not compatible with SUS. If your organization requires that you maximize the use of each server by loading additional applications onto it, be sure that you know what changes are made to IIS when SUS is installed and how those changes might affect your other applications.

The following applications have been tested and can be safely used on the same server with SUS:

·  Microsoft® FrontPage Server Extensions 2002

·  Microsoft® Windows SharePoint™ Services

·  Active Server Pages .NET (ASP.NET) applications

Server Component Requirements

The SUS 1.0, SP1 server component runs on Windows 2000 Server with Service Pack 2 or later, and on any operating system in the Windows Server 2003 family. It requires IIS 5.0 or later and Internet Explorer 5.5 or later.

You must install SUS on a partition that uses the NTFS file system, and the system partition on your server must also use NTFS.

The minimum configuration for a server running SUS follows:

·  Pentium III 700-MHz processor or greater

·  512 megabytes (MB) of RAM

·  6 gigabytes (GB) of free disk space for setup and security packages

This configuration supports approximately 15,000 clients that use one server running SUS. The number of clients per server can be greater than this base estimate, depending on the hardware used.

SUS Client Component

The client component of SUS consists of an update to the automatic updating technology in Windows XP included with Windows Server 2003. This client component, Automatic Updates, is supported on Windows XP Professional, Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server Service Pack 2 or later.

Automatic Updates checks the local server running SUS to determine which updates are needed. It then downloads administrator-approved updates and installs the updates on client computers. The SUS administrator creates schedules for downloading updates and determines to which server each Windows-based computer connects. The rules governing the behavior of Automatic Updates are set by using Group Policy in an Active Directory environment. In a non–Active Directory environment, the administrator edits the registry directly.

Automatic Updates does not need to be installed on Windows-based computers that run Windows 2000 SP3, Windows XP Service Pack 1 or later, or a member of the Windows Server 2003 family because those operating systems already possess a SUS-compatible version of Automatic Updates. On all other intranet Windows-based servers and clients, Automatic Updates must be installed for them to connect to a server running SUS. Automatic Updates can download packages from either a local server running SUS or from the Microsoft® Windows Update Web site (a public Web site). Typically, administrators prefer the former method because it provides a greater degree of security for clients. For more information about the Windows Update Web site, see the Windows Update link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
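As an added example (not part of the Deployment Kit), the following PowerShell check is for a non-Active Directory client whose registry was edited by hand: it reads the Automatic Updates policy values and reports any setting that would let the client bypass the internal SUS server or stop updating. The value names (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions) are the ones Automatic Updates reads when pointed at a SUS server; the expected server URL is a placeholder you replace with your own.

```powershell
# Added example, not from the Deployment Kit. Audits the Automatic Updates
# policy values on the local client. The value names are the ones Automatic
# Updates reads when pointed at a SUS server; $ExpectedServer is a placeholder.
param(
    [string]$ExpectedServer = 'http://sus01.corp.example'   # placeholder URL
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-RegValue {
    # Returns the value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
$findings = @()

# 1. The client must be told to use an intranet server at all.
if ((Get-RegValue $auKey 'UseWUServer') -ne 1) {
    $findings += 'UseWUServer is not 1: the client will download from the public Windows Update site, skipping administrator approval.'
}

# 2. Both the update server and the status server must be the approved SUS host.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = Get-RegValue $policyKey $name
    if (-not $url) {
        $findings += "$name is not set."
    } elseif ($url -ne $ExpectedServer) {
        $findings += "$name is '$url'; expected '$ExpectedServer'."
    }
}

# 3. Automatic Updates must not be switched off, and must have a valid mode:
#    2 = notify before download, 3 = download then notify, 4 = scheduled install.
if ((Get-RegValue $auKey 'NoAutoUpdate') -eq 1) {
    $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled on this client.'
}
$mode = Get-RegValue $auKey 'AUOptions'
if (@(2, 3, 4) -notcontains $mode) {
    $findings += "AUOptions is '$mode'; expected 2, 3, or 4."
}

if ($findings.Count -eq 0) {
    Write-Output "Automatic Updates policy on $env:COMPUTERNAME points at $ExpectedServer."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

In an Active Directory environment the same values are written by the Group Policy settings described in this chapter, so the script also serves to confirm that a GPO actually reached a given computer.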

Automatic Updates adds support for the following:

·  Download of approved content from a server running SUS.

·  Scheduled installations of downloaded content.

·  Administrator-configurable options using either Group Policy object (GPO) or the registry.

·  Ability to download critical patches to client systems where no local administrators are logged on.

·  Windows 2000 operating systems.

Automatic Updates is available with the following software:

·  The stand-alone setup package: MSI package.

·  Windows 2000 Service Pack 3 (SP3).

·  Windows XP Service Pack 1.

·  Windows Server 2003 family.

Automatic Updates requires no particular hardware configuration. It can be used on any computer that runs any of the following Windows 2000 or Windows XP operating systems:

·  Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server Service Pack 2 or later.

·  Windows XP Professional or Microsoft® Windows® XP Home Edition.

SUS Security Features

The server running SUS contains all the synchronization service and administrative tools for managing updates. Using the Hypertext Transfer Protocol (HTTP), it responds to requests for approved updates made by the client computers connected to it. SUS can download packages from either the public Microsoft Windows Update servers or from another intranet server running SUS. During these downloads, no server-to-server authentication is carried out; instead, all content is checked to verify that it has been correctly signed by Microsoft. Any content that is not correctly signed is not trusted and not applied.

The administration of servers running SUS is completely Web-based. You can administer the server by using either a standard HTTP connection or a Secure Sockets Layer (SSL)–enabled HTTPS connection.

Additional SUS security provisions follow:

·  SUS benefits from the inherent security of NTFS because SUS must be installed on a hard disk that is formatted with NTFS.

·  If a proxy password is configured, SUS stores it securely as an LSA Secret.

·  Automatic Updates checks the cyclic redundancy check (CRC) on each update to confirm that it was not tampered with en route.
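The signature rule the text describes can be applied independently of SUS before an administrator approves staged content. The PowerShell script below is an added example, not code from the Deployment Kit or the SUS product: it walks a content folder and reports any package that lacks a valid Authenticode signature or whose signer is not Microsoft. The content path is a placeholder; Get-AuthenticodeSignature is the standard PowerShell cmdlet for Authenticode checks.

```powershell
# Added example, not from the Deployment Kit. Before approving staged content,
# confirm that every package under the SUS content folder carries a valid
# Authenticode signature from Microsoft. $ContentRoot is a placeholder path.
param(
    [string]$ContentRoot = 'C:\SUS\Content'   # placeholder: your SUS content folder
)

if (-not (Test-Path -Path $ContentRoot)) {
    Write-Error "Content folder '$ContentRoot' not found."
    exit 2
}

# Package types to check (adjust to what your content folder holds).
# Directories are filtered out explicitly so the script also runs on PowerShell 2.
$packages = Get-ChildItem -Path $ContentRoot -Recurse -Include *.exe, *.cab, *.msi |
            Where-Object { -not $_.PSIsContainer }

$problems = @()
foreach ($file in $packages) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        # Status is NotSigned, HashMismatch (content altered after signing),
        # UnknownError, and so on; none of these may be approved.
        $problems += ('{0}: signature status {1}' -f $file.FullName, $sig.Status)
        continue
    }
    # A valid signature is not enough: the signer must be Microsoft.
    $signer = $sig.SignerCertificate.Subject
    if ($signer -notmatch 'O=Microsoft Corporation') {
        $problems += ('{0}: valid signature but unexpected publisher "{1}"' -f $file.FullName, $signer)
    }
}

if ($problems.Count -eq 0) {
    Write-Output ('{0} package(s) under {1} carry a valid Microsoft signature.' -f @($packages).Count, $ContentRoot)
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```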

After you run SUS Setup, you must install and configure the IIS Lockdown tool 1.0 and the Urlscan security tool 2.0 on servers running Windows 2000 Server. On servers running Windows Server 2003, these tools are automatically installed and run.