In the first quarter of 2010, according to reports from industry security leaders Secunia, Symantec, and McAfee, third-party applications were responsible for the largest increase in security vulnerabilities—even overtaking OS flaws. Microsoft provides Windows Server Update Services (WSUS) as a free component in Windows Server to update third-party apps; Windows Update is the consumer equivalent. But small companies that don’t have access to enterprise-class management systems are left without a simple means of updating third-party applications that are installed on Windows systems.
Even though many popular applications such as Adobe Macromedia Flash Player and Google Chrome have their own update mechanisms, such third-party software might be limited by certain conditions. For example, third-party update mechanisms might not be enforceable, or they might not be able to be centrally managed. In addition, they often require users to have elevated privileges. Considering that several update mechanisms can be running on each device, the landscape soon becomes muddled.
WSUS vs. GPSI
Active Directory (AD) includes Group Policy Software Installation (GPSI), which gives administrators a rudimentary means of updating or deploying software to clients by using Windows Installer (.msi) files. But GPSI wasn’t designed to scale for large networks, nor has Microsoft invested in the technology since the introduction of AD 10 years ago.
Starting with version 3.0, WSUS includes local publishing APIs that, for the first time, let developers write code to publish custom updates to WSUS. But there’s no free tool from Microsoft for leveraging these new APIs, although local publishing methods can be accessed from Visual Basic scripts or from other programming languages. (See “System Center Updates Publisher and Windows Server Update Services Partner Catalogs” for more information about local publishing tools.) Despite this, using WSUS to deploy third-party software and updates has many advantages over GPSI, including the following:
- In addition to .msi packages, command-line executables and drivers can be deployed natively without requiring users to have administrative privileges.
- The Background Intelligent Transfer Service (BITS) is used to throttle the transfer of installation files to clients by using idle bandwidth. This is ideal for slow network links.
- WSUS is designed to be part of an enterprise-wide distributed architecture.
- WSUS includes basic reporting features.
WSUS Local Publishing
The following procedures demonstrate how easy it is to publish third-party updates to WSUS. All the operations in these examples, including WSUS client updates, are performed on a Windows Server 2008 R2-based computer that’s a domain member in a test environment. Before you follow these procedures, use the Server Manager wizard to install and configure WSUS to the default settings.
Configure WSUS for client-side targeting. To be able to separate which computers will receive your custom updates in the test environment, you need to create a computer group.
1. Log on to Server 2008 R2 as a domain administrator.
2. Open the Microsoft Management Console (MMC) Windows Server Update Services snap-in from Administrative Tools on the Start menu.
3. In the console’s navigation pane, expand your WSUS server and click Options.
4. In the Options pane, scroll down the list of configuration options and click Computers.
5. In the Computers dialog box, select Use Group Policy or registry settings on computers and click OK.
6. In the navigation pane, expand Computer, right-click All Computers, and click Add Computer Group.
7. In the Add Computer Group dialog box, name the new group Local Updates, then click OK.
Configure local machine policy for Windows Update. In a production environment, the following settings would be configured in a Group Policy Object (GPO) and linked to an organizational unit (OU) that contains computers that we want to update by using WSUS. To simplify this demo, we’ll set the local machine policy to configure Windows Update on the local computer only.
8. Click Start, type MMC in the Start Search box, and press Enter.
9. In the new console window, press Ctrl+M to add a new snap-in.
10. In the Add or Remove Snap-ins window, select Group Policy Object Editor under Available snap-ins and click Add.
11. In the Select Group Policy Object dialog box, leave the default selection of Local Computer and click Finish.
12. In the Add or Remove Snap-ins window, click OK.
13. In the MMC navigation pane, expand Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components. Double-click Windows Update.
14. In the center pane, double-click Configure Automatic Updates.
15. In the Configure Automatic Updates window, select Enabled, then click OK.
16. In the center pane, double-click Specify intranet Microsoft update service location, then click Enabled.
17. Under Options, type http:// followed by the name of the WSUS local server in both boxes. Then click OK. (Note: In this example, the WSUS server is named WINMEM1 and all services are located on one server. Therefore, I entered http://winmem1 both for Set the intranet update service for detecting updates and for Set the intranet statistics server.)
18. In the center pane, double-click Enable client-side targeting.
19. In the Enable client-side targeting window, click Enable. In the Target group name for this computer box, type Local Updates. Click OK.
20. Double-click Allow signed updates from an intranet Microsoft update service location, click Enable, and click OK.
21. Close the MMC snap-in.
22. Open a command-prompt window, and run the gpupdate /force command to make sure that the new settings are applied to the server immediately.
Install Local Update Publisher. Local Update Publisher is an open-source tool that you can download for free from SourceForge. The only prerequisite for the Local Update Publisher program is the .NET Framework 3.5, which you can install by using Server Manager on Server 2008 R2. You can do this quickly by opening a PowerShell window and running the following commands:
import-module servermanager add-windowsfeature net-framework
After the .NET Framework is set up, install the Local Update Publisher tool on the WSUS server. Then follow these steps:
1. Start the Local Update Publisher tool from the Start menu under All Programs. (Note: You’ll be prompted to connect to a WSUS server. Because you’re working on the local WSUS server, you can leave the Name field blank, then click Connect.)
2. In the Local Update Publisher program window, click LOCALHOST under Update Services.
3. In the No WSUS Certificate found window that displays, click Yes.
4. In the Certificate Information dialog box, click Create Certificate. (Note: A second window opens to indicate that a self-signed certificate has been successfully created and that it must be installed on all clients that will receive local updates.)
5. In the installation confirmation window, click OK.
6. In the Certificate Information dialog box, click Export Cert, then save a copy of the certificate to your desktop.
7. Click OK.
In a production environment, you should consider using a certificate issued by a Certification Authority (CA) that’s part of your organization’s public key infrastructure (PKI).
Prepare WSUS for local updates. Before you continue, you must install the self-signed certificate on the WSUS server. In a production environment, you need to install the certificate on WSUS and on all clients that will receive local updates from WSUS.
1. Click Start, type MMC in the Start Search box, and press Enter.
2. In the new console window, press CTRL+M to add a new snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates under Available snap-ins and click Add.
4. In the Certificates snap-in dialog box, select Computer account and click Next.
5. Leave the default selection of Local Computer and click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the MMC navigation pane, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities.
8. Right-click Certificates, point to All Tasks, and click Import.
9. In the Certificate Import wizard, click Next.
10. On the File to Import page, click Browse.
11. Select the certificate file that you saved to your desktop and click Next.
12. On the Certificate Store page, leave the default selection and click Next.
13. Click Finish.
After the import finishes, click OK in the notification box. The WSUS Publishers Self-signed certificate will display in the MMC window’s center pane. Repeat steps 7 through 13 to import the same certificate in the Trusted Publishers container. You can then close the MMC Certificates snap-in.
Create a local update. To create a local update, you should work with a Windows Installer file whenever necessary because the Local Update Publisher tool automatically creates rules for applying updates through WSUS. If you must use an .exe file, and if you can’t extract a Windows Installer package from it, you’ll have to familiarize yourself with System Center Update Publisher Basic Rules. You can find more information about these rules here.
To install the latest version of Flash Player via WSUS, first download the Flash Player Windows Installer file. Then follow these steps to create a local update:
1. On the Tools menu, click Create Update.
2. In the Import Update from File window, which Figure 1 shows, click Browse. Then select the Flash Player .msi file that you previously downloaded. (Note: All the installation files are packaged inside the Flash Player MSI installer.)
3. Click Next. (Note: The next page, which Figure 2 shows, already includes all the required information except Vendor and Product.)
4. In the Vendor box, type Adobe. In the Product box, type Flash Player 10.1.85.3 or the appropriate program version.
5. Click Next. (Note: Because we provided the Local Update Publisher tool with a .msi file to create the update, rules are automatically populated over the next few pages of the installation wizard. You can modify or add to these rules later.)
6. On the Package Level – Installed Rules page, which Figure 3 shows, click Next to accept the default rules.
7. Repeat step 6 on the following pages: Package Level – Installable Rules, Installation Item Level – Superseded Rules, and Installation Item Level – Rule Metadata.
8. Review the XML information for the update, then click Finish.
After a few seconds, you should be notified that the update has been successfully published to WSUS.
Approve the local update. One disadvantage of using local updates is that they don’t display in the WSUS admin console; you must manage them by some other means. Fortunately, the Local Update Publisher tool lets you manage and approve local updates.
1. In Local Update Publisher, expand LOCALHOST, Updates, Adobe, Flash Player 10.1.85.3.
2. In the details pane, right-click the update and click Approve.
3. In the Approve Update dialog box, which Figure 4 shows, click No Approval to the right of the Local Updates group, then click Approve for Install on the menu.
4. At the bottom of the Approve Update dialog box, click Approve.
5. When you’re prompted to update the approvals, click OK.
6. Click Close.
Verify installation. The final step is to verify that the Windows Update client installed the local update.
1. On the WSUS server, click Start, type Windows Update in the Start Search box, and press Enter.
2. In the search results, click Check for updates.
3. In the Control Panel Windows Update applet, click Check for updates again on the left.
4. After about one minute, you should see the option to install an important update.
5. Click 1 important update is available, and check the update name to verify that it’s the local update that was just published, as Figure 5 shows.
6. After you verify the update, click Install updates to install Flash Player.
Local Update Publisher also has basic reporting so that you can see which computers in a group have successfully received updates, as Figure 6 shows. In a production environment, there should be no reason to install Flash Player directly on a WSUS server.
Disabling Flash Player auto update. By default, the standard installation of Flash Player checks every 30 days to see whether a new version is available. In a corporate environment, you’ll probably want to disable this feature and manage updates centrally by using WSUS. You could modify the MSI database by using a free tool such as Microsoft Orca to include the necessary configuration file. However, that’s a rather complicated undertaking if you’re not experienced in authoring Windows Installer packages. A simpler solution is to create a configuration file (mms.cfg) to disable the auto update feature. This process is explained in the Adobe article “IT Administration: Configure Flash Player auto-update notification.” You’d then use Group Policy preferences to copy the file to the appropriate location on the client computers.
Don’t Leave Updates to Chance
The October 2010 update for Adobe Acrobat Reader alone patched 23 security vulnerabilities that, in some cases, could have allowed a remote attacker to launch malicious software. In light of such vulnerability, timely updates of ubiquitous software shouldn’t be left to chance. Systems administrators often hope that users will initiate updates themselves—but such local updates typically require that users have administrative privileges, which would further increase the likelihood of malware infection.
Using WSUS to publish third-party updates or even your own custom updates can significantly reduce the chance of computer infection. Thanks to its bandwidth throttling for slow networks and its ability (if the right architecture is in place) to reach notebooks that might not always be connected to the corporate network, WSUS is a better solution for making sure that all the computers in an organization are able to receive updates.
If you’re not comfortable using free, open-source software to publish updates to WSUS, you still have the option to rely on scripting or to create your own application. In addition, EminentWare offers two commercial solutions: the WSUS Extension Pack, for publishing local WSUS updates, and the 3rd Party Updates Pack, which contains continually updated and tested catalogs for third-party applications.