You probably heard about Microsoft Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution) well before the Blaster worm's assault on August 11, 2003. But the worm's success proved that most of us did too little (or nothing) to protect our systems. Typically, IT departments are minimally staffed, and the effort required to manually ensure that patches are applied to every Windows system in the company is more than those departments can muster.
However, while the memory of the Blaster worm is fresh in your manager's mind, you can lay the groundwork to help you apply patches to holes that will be discovered in the future. Microsoft Software Update Services (SUS) is a free tool that helps you centrally manage and distribute patches and other OS updates to Windows clients and servers. For those responsible for maintaining the stability and security of Windows-based client systems, SUS provides at least two benefits. First, you no longer need to check the Microsoft Security & Privacy Web site and manually download patches to apply to your systems. Second, rather than letting individual users randomly choose and download updates from the Windows Update site, you can perform one download and control when and where updates are installed.
SUS Overview
Microsoft targets SUS at midsized organizations, loosely characterized as companies that have no more than 1000 desktop systems. SUS's combination of simplicity and functionality provides a good fit for organizations of that size. For larger companies that have more demanding change- and configuration-management needs, Microsoft recommends a combination of Microsoft Systems Management Server (SMS) and the recently released SMS Software Update Services Feature Pack, which you can download at http://www.microsoft.com/smserver/downloads/20/featurepacks/suspack.
SUS Server uses the same technology that Microsoft has used for its public Windows Update site for years. The SUS client uses Automatic Updates technology—the same mechanism that Windows XP uses for updates. The server and client pieces work together to give administrators a simple way to download, evaluate, and distribute approved updates to clients on their intranet without user intervention.
The release of SUS Server with Service Pack 1 (SP1) provides additional flexibility for implementing SUS in your environment. In my opinion, the most notable improvement in SP1 is the ability to run SUS on Windows Server 2003 and Windows 2000 Server domain controllers (DCs) as well as on Small Business Server 2000 SP1 or later. The ability to use DCs as SUS servers is important because you can leverage your installed DCs to enhance your update distribution hierarchy. SUS Server SP1 also enhances the Automatic Updates client, giving you more control over the way updates are installed, how reboots are performed, and the end-user experience. SUS Server with SP1 is available as a free download from Microsoft's Software Update Services home page (http://www.microsoft.com/windows2000/windowsupdate/sus).
Configuring SUS Servers
After you download the SUS Server software, install it on the system that will act as the primary SUS server in your environment. To ensure that the system from which you distribute security updates is itself secure, the SUS Server installation process will install and run the IIS Lockdown Wizard and URLScan security tools if they haven't already been run on the system.
Your primary SUS server will get its updates from the public Windows Update site. If your environment's size or topology warrants additional SUS servers, you can configure them to get updates from the Windows Update site, from another SUS server, or from a manually configured content distribution point. For details about server-side configuration options, consult the "Software Update Services Deployment White Paper," which is available at http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp. To ensure that your SUS servers continue to receive all appropriate new security patches, configure your SUS servers to be clients of themselves.
After installation is finished, you can open the Software Update Services server administration page, which Figure 1, page 82, shows, by opening your Web browser and connecting to http://yourSUSserver/SUSAdmin. The two main tasks you perform through this interface are synchronizing content and approving updates. Because the initial download of applicable updates can take some time, I suggest you initiate a synchronization right away, then move on to subsequent tasks, such as configuring clients or Group Policy, while the synchronization runs. To ensure that you aren't wasting storage space and bandwidth, download the updates only for the locales (i.e., localized versions of the OS, such as German or French) that you require.
The Automatic Updates Client
To receive updates through your SUS implementation, your clients must run a current version of the Automatic Updates client on a supported platform. Supported platforms include the Windows 2003 family; XP Professional and XP Home Edition; and Win2K Professional, Win2K Server, and Win2K Advanced Server (all with SP2 or later). Systems running Windows 2003, XP SP1, or Win2K SP3 already have the current Automatic Updates client; for other systems, you can download the current client from http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp.
Notable benefits of the Automatic Updates client are Background Intelligent Transfer Service (BITS) downloading of updates and chained installation of multiple updates. BITS uses idle bandwidth and limits the bandwidth that downloads consume when the network is being used for other activities. Chained update installation postpones required reboots until after multiple updates are installed, then requests a single restart.
Configuring Client Behavior
After you've installed the appropriate Automatic Updates clients on your systems, you have several options for configuring the settings that control their behavior. Using Group Policy is the preferred approach to configuring clients, but you can also directly edit registry keys or use Windows NT 4.0 system policy.
To use Group Policy to configure clients, you need to download the Software Update Services 1.0 ADM File for Service Pack 1 Group Policy administrative template. You'll find a link to download the template by clicking Software Update Services with Service Pack 1 Now Available from the SUS home page. Copy the new template into the %windir%\inf directory on an Active Directory (AD) DC. To install the template, start Microsoft Management Console (MMC), add the Group Policy snap-in, right-click Administrative Templates beneath Computer Settings, and choose Add/Remove Templates. Select the wuau.adm template, then click Add.
After adding the template, navigate to Computer Configuration\Administrative Templates\Windows Update. You should see the four policies that Figure 2 shows. The Configure Automatic Updates policy lets you control the behavior of update installations. Options for this policy range from Notify for download and notify for install (option 2) to Auto download and schedule the install (option 4). When you select option 4, you must specify a schedule for update installations. The Specify intranet Microsoft update service location policy lets you define the servers from which the client pulls its updates and to which the client reports update installation statistics. Both settings can point to the same server. The Reschedule Automatic Updates scheduled installations policy lets you control how missed update installations are rescheduled. For example, if you set this value to 30, any scheduled updates that were missed will begin to be installed 30 minutes after the next system start-up.
The final policy, No auto-restart for scheduled Automatic Updates installations, lets you control how reboots are affected when updates requiring a reboot have been installed. Enabling this setting lets the user choose when to reboot. If the setting is disabled or not configured, Automatic Updates notifies the logged-on user that the system will be rebooted in 5 minutes. If you can't take advantage of Group Policy for client configuration, consult the SUS deployment white paper for information about using registry entries to configure your clients.
Downloading, Approving, and Distributing Updates
After the initial synchronization of your SUS server is finished, the SUS server administration page will display the list of updates that have been downloaded to your server. To approve updates for distribution, you simply select the check box next to each update that you want to approve, then click Approve. Microsoft frequently releases new versions of previously released updates. To automate ongoing management of new update versions, you can click Set options in the left pane of the administration page, then select Automatically approve new versions of previously approved updates. Predeployment testing of updates in a sample environment is a crucial step; however, the criteria you use to approve updates and the methods you use to test them are outside the scope of this article.
Monitor Updates
As I mentioned earlier, Automatic Updates clients can report information regarding their update installations to an intranet server. This capability uses Microsoft IIS logs, which are stored in sequentially named W3SVCx folders in the %windir%\system32\logfiles directory. By changing your IIS logging properties, you can filter out superfluous data in the logs so that you can concentrate on SUS data.
To change the properties, open the MMC Computer Management snap-in and navigate to Services and Applications, Internet Information Services. In the right-hand pane, right-click Default Web Site and choose Properties. Click the Home Directory tab, clear the Log visits check box, then click OK. In the left-hand pane, click the Default Web Site icon, then right-click the wutrack.bin file in the right-hand pane. Choose Properties, click the File tab, and select the Log visits check box. Thus configured, your IIS logs will log only events generated by Automatic Updates clients.
Automated Secure Patch Management
SUS is very good at what it's designed to do, which is to provide simple automated OS patch management. It doesn't do everything, though. Device driver updates, service packs, and updates for applications and other servers aren't currently supported. If you want a more full-featured patch-management solution, consider the products in "Enterprise Patch Management for Windows," page 45.
