SUS Implementation Tips

As you know, Microsoft Software Update Services (SUS) is a free download that lets you download all critical updates to a Windows 2000 or later server, then distribute them to your network's Windows servers and workstations. You can download SUS from For networks with at least one Windows 200x Server, SUS gives the network administrator a way to automate patch management and eliminates the need to manually download and install critical updates on individual workstations. In the second half of 2004, Microsoft will release the successor to SUS, Windows Update Services (WUS). WUS will expand SUS capabilities to include patching server applications such as Microsoft SQL Server and Microsoft Exchange Server. Because of the recent Download.Ject browser hijack attacks that exploit a MIME Encapsulation of Aggregate HTML Documents (MHTML) and an ADODB weakness, you might want to implement SUS now and upgrade to WUS as soon as Microsoft releases it. For more information about this attack, visit

If you're thinking about installing SUS, consider the following points:
1. SUS supports only Win2K and later, including XP. If you have mostly Windows 9x workstations, then SUS isn't for you.
2. Make sure you have a fast Internet connection. The initial SUS download might take a day or longer, depending on the connection speed.
3. Make sure you have enough space on your server before you install SUS. Downloading all the critical updates will take roughly 11GB of disk space. When you install SUS, the installation stores the patches on the drive with the most free disk space, but verify that you have 11GB of free space on your server.
4. If you have a WAN with multiple servers, you typically install SUS on a server in each WAN location. Then you designate a server as a master SUS server, distribute all the updates to the remote servers, then have the workstations receive their updates from the local SUS server. The initial download can place a tremendous load on your WAN, so consider performing the initial SUS synchronization over a long weekend.
5. SUS can't push out service packs.
6. SUS can't push out patches to other server and workstation applications such as Exchange, SQL Server, and Microsoft Office.
7. SUS doesn't let you scan your network for missing patches, so verifying that all patches were correctly installed is difficult.
8. By default, the SUS installation installs the URLscan tool on the server. If you install SUS on a server running Exchange 2000, URLscan might break Microsoft Outlook Web Access (OWA). To work around this problem, you must uninstall the URLscan tool or configure it to work with OWA. For more information about this problem, refer to the Microsoft article "IIS lockdown and URLscan configurations in an Exchange environment" (
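Because SUS itself can't scan the network for missing patches (point 7), you need some other way to confirm that approved updates actually landed on each workstation. The following script is an added example, not part of the original article or of SUS; it compares the hotfixes reported by each workstation against a list of updates you have approved on the SUS server. The KB numbers and workstation names are constructed placeholders, and it assumes you can query the workstations remotely with Get-HotFix (which reads the same Win32_QuickFixEngineering data as "wmic qfe list").

```powershell
# Added example (not from the original article): report which approved updates
# are missing from each workstation. KB numbers and host names are placeholders.

$ApprovedUpdates = @('KB000001', 'KB000002', 'KB000003')   # constructed: your approved list
$Workstations    = @('ws01', 'ws02')                         # constructed: machines to check

function Get-MissingUpdates {
    param(
        [string]$ComputerName,
        [string[]]$Approved
    )
    # Get-HotFix -ComputerName uses remote WMI; it needs admin rights on the target.
    $installed = (Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID
    # Return every approved KB that the machine does not report as installed.
    $Approved | Where-Object { $installed -notcontains $_ }
}

foreach ($ws in $Workstations) {
    try {
        $missing = Get-MissingUpdates -ComputerName $ws -Approved $ApprovedUpdates
        if ($missing) {
            Write-Output ("{0}: MISSING {1}" -f $ws, ($missing -join ', '))
        } else {
            Write-Output ("{0}: all approved updates installed" -f $ws)
        }
    } catch {
        # A machine you cannot query is itself a finding; do not silently skip it.
        Write-Warning ("{0}: could not query ({1})" -f $ws, $_.Exception.Message)
    }
}
```

Run it from an account with local administrator rights on the workstations. A machine that is unreachable or that keeps reporting the same missing KB after the next Automatic Updates cycle is the one to look at first, since that is exactly the gap SUS's own reporting won't show you.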

Although WUS will address many SUS limitations, SUS is still useful if you want a tool to deploy critical OS, IIS, and Internet Explorer (IE) updates. Make sure you test all updates on a select group of workstations before deploying the update to your entire network. If you have multiple SUS servers, consider setting up a master approval server, so you don't have to individually approve the updates on each server. Avoid consuming excessive WAN bandwidth by making sure that workstations receive their updates from a local SUS server.

You can use Group Policy to configure workstations to receive updates from a SUS server rather than from the Internet. If you run Windows Server 2003 or XP, consider installing the Group Policy Management Console (GPMC) to manage Group Policy. You can download the GPMC from If you have more than a few policies to manage, the GPMC makes Group Policy management much easier. If you haven't yet downloaded the tool, make your life easier and download the GPMC.
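The Group Policy settings that point Automatic Updates at an intranet server are written to the WindowsUpdate policy keys in the registry, so you can verify on any workstation whether the policy actually applied and whether it names the local SUS server rather than the Internet. This audit script is an added example, not code from the original article or from Microsoft; the SUS server URL is an assumed placeholder, while the registry paths and value names (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate) are the ones the Windows Update policy template sets.

```powershell
# Added example (not from the original article): check that this workstation's
# Automatic Updates policy points at the intended local SUS server.

$ExpectedServer = 'http://sus01.corp.example'   # assumed: your local SUS server URL

function Test-SusClientPolicy {
    param([string]$Expected)

    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $problems = @()

    # Missing keys mean no policy applied; read them without throwing.
    $wuProps = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue

    $want = $Expected.TrimEnd('/')

    if (-not $wuProps -or -not $wuProps.WUServer) {
        $problems += 'WUServer not set: client will fetch updates from the Internet'
    } elseif ($wuProps.WUServer.TrimEnd('/') -ne $want) {
        $problems += "WUServer is '$($wuProps.WUServer)', expected '$Expected'"
    }

    if ($wuProps -and $wuProps.WUStatusServer -and $wuProps.WUStatusServer.TrimEnd('/') -ne $want) {
        $problems += "WUStatusServer is '$($wuProps.WUStatusServer)', expected '$Expected'"
    }

    # WUServer is ignored unless UseWUServer is 1.
    if (-not $auProps -or $auProps.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1: WUServer value is ignored'
    }

    # NoAutoUpdate = 1 disables Automatic Updates entirely.
    if ($auProps -and $auProps.NoAutoUpdate -eq 1) {
        $problems += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-SusClientPolicy -Expected $ExpectedServer | Format-List
```

The script only reads the registry; fix a mismatch in the GPO (or with the GPMC) rather than by editing the keys by hand, or the next policy refresh will overwrite your change. The same check is useful after setting up a master approval server, to confirm that branch-office workstations still point at their local SUS server and not at the master across the WAN.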

Sysinternals' Autoruns is a utility that displays all the programs that automatically load when you start Windows. You can download the tool from This utility is useful if your machine gets a virus or you suspect that a hacker has compromised your system. A compromised machine is often configured to auto-load the virus or hacking program each time the machine restarts or a user logs on. Autoruns can help you identify and prevent rogue programs from automatically loading when your system starts. I recommend you download the tool now, so you have it when you need it. Best of all, it's free!
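To see the kind of check Autoruns automates, here is an added example (not from the original article and not Sysinternals code) that lists the programs registered in the common Run and RunOnce keys for the machine and the current user, and flags any whose executable is missing or lives outside the Windows and Program Files directories. The trusted locations are an assumption you should adjust for your environment.

```powershell
# Added example (not from the original article): enumerate Run/RunOnce auto-start
# entries and flag the ones worth a closer look.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed trusted install locations; a legitimate auto-start program normally lives here.
$TrustedRoots = @($env:windir, $env:ProgramFiles)

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # Quoted path first; otherwise take the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutoStartEntries {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $exe = Get-ExecutableFromCommand -CommandLine $cmd
            $exists  = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $exe -like "$root\*") { $trusted = $true }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                Suspicious = (-not $trusted) -or (-not $exists)
            }
        }
    }
}

Get-AutoStartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the output against a listing taken from a known-good build of the same image; an entry that is new, that points at a user-writable or temporary directory, or whose file no longer exists is what you would investigate. Autoruns itself covers many more launch points (services, drivers, Winlogon entries, browser helper objects, scheduled tasks), so treat this as a quick first pass, not a replacement.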
