For many years, systems administrators have needed a way to keep the network secure by automatically deploying security patches to all the computers in a network. Microsoft provided Windows Update a few years ago, but this program is only for individual users and small organizations because it doesn't include provisions for bandwidth utilization or management features for update testing and approval.
Fortunately, Microsoft has now released Software Update Services (SUS), which is one of the first fruits of the Strategic Technology Protection Program (STPP). For once, I must give Microsoft kudos. SUS fills a glaring gap in the management and security of the Windows family. In this article, I show you how SUS works and how to install and configure the various SUS components. In Part 2, I'll show you more complex SUS configurations, such as those that let you track update installation activity, balance bandwidth demands, and make allowances for scalability.
Understanding the Basics
SUS provides a way to automatically deploy crucial updates (hotfixes that solve non-security-related bugs), crucial security updates (security-related hotfixes), and security rollups to computers throughout a network—without requiring you to visit each computer or write any scripts. SUS is fairly flexible; you retain control over which updates to deploy, when to deploy them, and which computers should receive them. SUS doesn't deploy service packs for you, but that omission isn't a problem in Active Directory (AD) domains: since Windows 2000 Service Pack 1 (SP1), Microsoft has supported service pack installation through IntelliMirror and group policies. With IntelliMirror and SUS, you can fully automate the process of keeping Windows XP and Win2K computers up-to-date.
SUS isn't perfect. It has some limitations:
- SUS doesn't support Windows NT or Windows 9x computers.
- SUS doesn't support Microsoft Office or Microsoft BackOffice products. SUS updates the OS, Microsoft IIS, and Microsoft Internet Explorer (IE) only.
- SUS currently supports many languages but not every language that XP and Win2K support.
- SUS doesn't have an uninstall option to automatically remove an update it has deployed, so testing the updates before installing them with SUS is important. However, you can use the manual uninstall method to remove updates.
SUS consists of three components: SUS, which runs on your server; Automatic Updates (AU), which runs on client machines; and Group Policy settings, which control AU clients from AD. The SUS server is basically an IIS Web site. You use Web pages to administer and monitor SUS, and AU clients use Web pages to download updates. Microsoft stores the updates on its Windows Update servers. SUS's Windows Update Synchronization Service handles the periodic synchronization between the SUS server and Microsoft Windows Update servers.
AU clients use HTTP to communicate with an SUS server. The SUS server also uses HTTP to periodically contact the Windows Update servers and synchronize the database of updates available for download. This database is called the catalog. You can perform catalog synchronizations on demand, or you can schedule them. The catalog doesn't contain the actual updates. It contains a description of the updates and information that the AU clients need to determine whether an update is applicable for their XP or Win2K installations.
You can configure the SUS server to download and install the updates for each language you choose to support, or you can leave the updates on the Windows Update servers, in which case the AU clients download and install the updates. No matter which configuration you choose, SUS checks the updates against Microsoft's public certificate before downloading and installing the updates to prevent imposters from using SUS to insert malicious code into your computers.
Although downloading and installation often occur in one step in many programs, they're two separate processes in SUS. For example, suppose you want to have the AU clients download and install the updates. The AU client periodically checks your SUS server for any newly approved updates. When the AU client finds an update that it needs to download, it begins the download process by connecting to the appropriate Windows Update server. You can configure the AU client to automatically download the update from the Windows Update server or to notify the user that an update is ready for download. In the latter case, the AU client waits for the user to initiate the download.
After the AU client downloads the update to a temporary folder, the installation process begins. The AU client checks the options you set to determine when to install the update. You can configure the AU client to automatically install updates according to a schedule you've set, or you can configure the AU client to notify the user that updates are available for installation and wait for the user to initiate the installation. After installing the updates, the AU client restarts the computer if required. If a user is currently logged on, the AU client gives the person 5 minutes to save his or her work, close all programs, and log off. The AU client then restarts the computer. Because the AU client uses the Qchain tool, it needs to restart the machine only once, even if it installed several updates.
Now that you know the SUS basics, let's walk through a simple SUS installation in an AD domain. To use SUS, you need a server on which to run SUS. AD domain controllers (DCs) and machines running Microsoft Small Business Server (SBS) can't be SUS servers.
The SUS server as well as the DCs and workstations that SUS will manage all need to run Win2K SP2 or later and IE 5.5 or later. The SUS server also needs to run IIS 5.0 or later. You can install SUS on an IIS server that already hosts other Web sites. SUS can coexist with other Web sites because SUS uses only three IIS components: the Common Files folder, the Microsoft Management Console (MMC) Internet Information Services snap-in, and World Wide Web Server.
Typically, SUS installs in the default Web site. If you don't have a default Web site or you have a different Web site bound to port 80, see Appendix A in the Microsoft white paper "Deploying Microsoft Software Update Services." To access this paper, click the Software Update Services Deployment White Paper link on the Software Update Services Web page (http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp).
The Software Update Services Web page also contains a link to the SUS download. After you download SUS, open the sussetup.msi file to start the Setup Wizard. After reading and responding to the Welcome page and End User License Agreement (EULA), select the Typical installation option and click Next. When the wizard provides the SUS server's URL, make a note of it. You need this URL to configure the AU clients. Click Install.
During installation, SUS runs the IIS Lockdown Tool to secure IIS on the SUS server. This lockdown prevents an intruder who has cracked into your SUS server from accessing AU clients. The IIS Lockdown Tool disables options that present security risks, so it might break existing Web applications. If your SUS server hosts other Web applications and those applications depend on components such as WWW Distributed Authoring and Versioning (WebDAV), Microsoft FrontPage Server Extensions, or FTP, you might run into problems. Although you can get SUS to coexist with these applications, you might need to reenable certain options after installing SUS. For a full description of the changes SUS makes to IIS, see Appendix A in the "Deploying Microsoft Software Update Services" white paper.
Finally, the wizard displays the Finish page and provides the URL to SUS's administration Web page. Make a note of this URL. You'll need it to administer the SUS server in the future.
Configuring the SUS Server
The next step is to configure the SUS server. Through SUS configuration, you can control how and when the SUS server synchronizes with the Windows Update servers and which updates to approve for deployment.
You can configure your SUS server from any network computer that's running IE 5.5 or later. Open the IE browser and enter as a URL either your server's local intranet name (e.g., http://server/SUSAdmin) or its DNS name (e.g., http://server.acme.com/SUSAdmin). The Welcome page, which Figure 1 shows, appears. The left pane on this page contains several important links, including the Set options link, the Synchronize server link, and the Approve updates link.
The Set options link. When you click the Set options link, the Set options page appears. This page has a scrollable box that contains five sections:
- In the Select a proxy server configuration section, you need to specify whether to use a proxy server configuration. If your network must access the Internet through a proxy server, you can configure SUS to authenticate to and use the proxy server to access the Windows Update servers. However, for this example, select the Do not use a proxy server to access the Internet option.
- In the Specify the name your clients use to locate this update server section, you can edit the name of your SUS server, if necessary. By default, the Server name field will contain your SUS server's NetBIOS name, but you can change it to the DNS name or IP address if you've disabled NetBIOS name resolution on your network. You'll also need to enter the SUS server name again in AU client configuration. Why you need to configure this setting in both the server and client configurations is unclear.
- In the Select which server to synchronize content from section, you must specify the data source with which you want the SUS server to synchronize. You have two options: the Synchronize directly from the Microsoft Windows Update servers option, which is the default, and the Synchronize from a local Software Update Services server option, which lets you synchronize your SUS server with another SUS server to accommodate scalability needs. If you synchronize with another SUS server, you must enter that server's NetBIOS or DNS name. You can also choose the Synchronize list of approved items updated from this location (replace mode) option. If you select this option, your SUS server will not only synchronize its catalog of updates with the other SUS server but also use the other server's list of approved updates.
- In the Select how you want to handle new versions of previously approved updates section, you need to specify how you want SUS to handle new versions of updates. Sometimes a bug in an update comes to light and Microsoft must rerelease the update. What happens if you've already approved that update? Do you want SUS to direct AU clients to automatically install the new version? If so, select the Automatically approve new versions of previously approved updates option. If you'd rather have SUS treat the new version of the update as a new update and wait for you to approve it before deployment, select the Do not automatically approve new versions of previously approved updates. I will manually approve these later option.
- In the Select where you want to store updates section, specify the location in which you want to store the updates. Remember that SUS always downloads the catalog, but you control whether you want to download the updates to the SUS server or leave the updates on the Windows Update servers. For this example, select the Maintain the updates on a Microsoft Windows Update server option. (If you want to download the updates to the SUS server, select the Save the updates to a local folder option, then select the languages for which you want to maintain updates.)
After you select the options you want in these five sections, click Apply to save those settings. You're now ready to configure SUS's synchronization schedule and approve the updates you want to deploy.
The Synchronize server link. When you click the Synchronize server link, the Synchronize server page appears. This page displays two options: Synchronize Now, which you can click to manually perform an immediate synchronization, and Synchronization Schedule, which you can click to set up a schedule for automatic synchronizations. Click Synchronization Schedule. As the Schedule Synchronization dialog box in Figure 2 shows, you can configure SUS to synchronize only when you initiate it (i.e., not set up a schedule) or you can schedule SUS to synchronize once a day at a certain time or once a week on a certain day at a certain time. If you choose to set up a schedule, I recommend that you change the default time (i.e., 3:00 a.m.)—the Windows Update servers will probably be extremely busy at that time because all the default-configured SUS servers will be requesting updates. You can configure how many times SUS should retry synchronization if a synchronization attempt fails. The default is three attempts; SUS waits 30 minutes between attempts.
As an exercise, configure SUS to synchronize daily at 1:00 a.m. and click OK. Notice how the Synchronize server page now specifies the date and time of the next scheduled synchronization. Next, click the Synchronize Now button. Notice how SUS displays the system with which it's synchronizing and displays the progress of that synchronization.
The Approve updates link. When you click the Approve updates link, you can view a list of all the updates in the catalog and configure the updates' status, as Figure 3 shows. You can sort the catalog by the updates' date, title, platform (XP or Win2K), or status. An update can have the status of Approved (approved for distribution to the appropriate AU clients), Not Approved (not approved for distribution to any AU clients), New (recently downloaded update that hasn't been approved), Updated (new version of previously released update), or Temporarily Unavailable (update isn't available for download).
If you could scroll through the list of updates in Figure 3, you'd see that I approved all five of the IE security updates associated with Q321232, which includes IE 6.0 for XP, IE 6.0 for Win2K, IE 5.5 SP2, IE 5.5 SP1, and IE 5.01. Although I approved all these updates, each AU client installs only the update appropriate for its IE version.
To approve one or more updates, select the check box next to each update, then click Approve. In the confirmation dialog box that appears, click Yes. SUS then displays a dialog box that lists the updates you're approving and asks you to accept the EULA for these updates. Depending on your screen resolution and browser settings, the Accept and Don't Accept buttons might not appear if the dialog box is too small to display all the updates. You can't resize this dialog box. You can, however, put the mouse pointer in the list box and press Tab, which prompts the Accept and Don't Accept buttons to appear. Click Accept to approve your updates for distribution to the AU clients.
You need to install AU on your network computers so that they can obtain update information from the SUS server. You can perform the AU installation in one of two ways:
- You can upgrade your XP computers to SP1 and your Win2K computers to SP3, which automatically installs AU.
- You can download AU from the Software Update Services Web page and install AU as a standalone component.
No matter which approach you follow, you can use a group policy and AD to automate the installation. The Web-exclusive sidebar "How to Programmatically Install AU When It's Part of a Service Pack" (http://www.secadministrator.com, InstantDoc ID 26768) provides instructions about how to programmatically install AU as part of Win2K SP3. The "Deploying Microsoft Software Update Services" white paper includes instructions about how to programmatically install AU as a standalone component.
Configuring the AU Clients
After you install AU, you need to configure the AU clients. Through AU client configuration, you can control how and when AU clients download and install approved updates.
AU client configuration is just a matter of setting a few registry values. However, if you have many computers, you don't want to set those values manually. Thankfully, you can use a group policy to configure AU clients. Because these registry settings are new, you might not see them when you edit Group Policy Objects (GPOs); it will depend on which service pack your workstation is running. If you edit a GPO from a computer running Win2K SP3, you're ready to configure AU client settings. To edit a GPO from a computer running Win2K SP2 or earlier, you need to either install SP3 or manually add a new administrative template for AU client configuration. To manually add a new administrative template, follow these steps:
- In Group Policy Editor (GPE), navigate to Computer Configuration and right-click Administrative Templates. Select Add/Remove Templates, then click Add. Browse to the %windir%\inf folder of any computer on which you've installed SP3 or AU. Select wuau.adm, click Open, then click Close.
- In GPE, navigate to Computer Configuration, Administrative Templates, Windows Components, Windows Update. Click the Windows Update folder. In the right pane, you'll see two policies: Configure Automatic Updates and Specify intranet Microsoft update service location.
- Double-click the Configure Automatic Updates policy. In the Configure Automatic Updates Properties dialog box, which Figure 4 shows, select Enabled. In the Configure automatic updating drop-down list, select one of the following options:
- 2 - Notify for download and notify for install
- 3 - Auto download and notify for install
- 4 - Auto download and schedule the install
Options 2 and 3 let a local administrator control when to download and install updates. When an administrator is logged on and updates become available for download or installation, the AU client notifies the administrator. If the administrator clicks the notification balloon, the AU client opens a dialog box in which the user can click Remind Me Later or Install.
If you select option 4, you can configure the AU client to automatically install new updates at a certain time each day or at a certain time on one day of the week. AU clients frequently check the SUS server for newly approved updates. When the AU client finds a newly approved update that's applicable, it downloads that update to a temporary folder from either the SUS server or a Windows Update server. The AU client throttles its download (i.e., adjusts how much bandwidth it's using) so that the download doesn't slow down the network. The AU client can handle interrupted downloads, such as downloads interrupted by system reboots. After the updates are in a temporary folder, the AU client waits for the next scheduled install time to arrive before installing the updates. After you finish configuring the Configure Automatic Updates policy, click OK.
Once the new policy has been applied, that computer should start downloading any updates you've approved. If you're on an XP machine, you can run Gpupdate with no parameters to apply the policy immediately.
Because you configured the SUS server to synchronize only the catalog, your AU clients will download the updates from a Windows Update server. When you come in the next morning, log on to one of your computers and open the Control Panel Add/Remove Programs applet. You should see the updates you approved earlier.
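A quick way to confirm that the GPO actually reached a client and points it at your SUS server rather than the public Windows Update site is to read back the policy values it wrote. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the value names the wuau.adm template writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey (WUServer, UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime), none of which the article names, and the host name susserver in the sample is constructed.

```powershell
# Added example (not from the article): audit the registry values the
# "Configure Automatic Updates" and "Specify intranet Microsoft update service
# location" policies write on an AU client, and flag settings that leave the
# client unmanaged. Value names are those wuau.adm sets (assumed, see lead-in).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-AuPolicy {
    # Read both policy keys; a missing key or value simply comes back as $null.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    return @{
        WUServer             = $wu.WUServer               # intranet SUS server URL
        UseWUServer          = $au.UseWUServer            # 1 = honour WUServer
        NoAutoUpdate         = $au.NoAutoUpdate           # 1 = AU disabled
        AUOptions            = $au.AUOptions              # 2, 3 or 4, as in the article
        ScheduledInstallDay  = $au.ScheduledInstallDay    # 0 = daily, 1-7 = Sun-Sat
        ScheduledInstallTime = $au.ScheduledInstallTime   # hour of day, 0-23
    }
}

function Test-AuPolicy {
    # Takes a hashtable so the same checks run against a constructed sample.
    param([hashtable]$p)
    $findings = @()
    $modes = 2, 3, 4   # the three "Configure automatic updating" choices

    if ($p.NoAutoUpdate -eq 1 -or $null -eq $p.AUOptions) {
        $findings += 'Automatic Updates is not enabled by policy; the client will never poll the SUS server.'
    } elseif ($modes -notcontains [int]$p.AUOptions) {
        $findings += "AUOptions=$($p.AUOptions) is not one of the documented modes 2, 3 or 4."
    } elseif ([int]$p.AUOptions -eq 4) {
        # Mode 4 is the only one that installs (and reboots) with nobody present,
        # so the install window must be explicit.
        if ($null -eq $p.ScheduledInstallDay -or $null -eq $p.ScheduledInstallTime) {
            $findings += 'AUOptions=4 but ScheduledInstallDay/Time are unset; the install window is undefined.'
        }
    }

    if ([string]::IsNullOrEmpty($p.WUServer) -or $p.UseWUServer -ne 1) {
        # Without both values the client goes straight to the public Windows Update
        # site and ignores the approval list you maintain on the SUS server.
        $findings += 'No intranet server (WUServer plus UseWUServer=1); SUS approvals are bypassed.'
    } elseif ($p.WUServer -notmatch '^http://[^/\s]+') {
        $findings += "WUServer '$($p.WUServer)' is not the http://server URL the AU client expects."
    }
    return $findings
}

# Constructed sample matching the article's walkthrough: option 4 with an intranet server.
$sample = @{ WUServer = 'http://susserver'; UseWUServer = 1; NoAutoUpdate = 0
             AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 1 }
if (@(Test-AuPolicy $sample).Count -ne 0) { throw 'sample policy should produce no findings' }

# Audit the machine this runs on (after the Group Policy refresh).
$issues = @(Test-AuPolicy (Get-AuPolicy))
if ($issues.Count -eq 0) { 'AU client policy is complete.' }
else { $issues | ForEach-Object { "WARNING: $_" } }
```

Run it on a client that has refreshed policy; an empty result means the client is enabled, scheduled, and bound to your SUS server, while any warning explains why the approved updates would not arrive.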
Save Your Soles
Congratulations—you've successfully set up SUS. In the future, all you need do is approve the necessary updates and SUS will take care of the rest for you. When new service packs come out, you can use IntelliMirror to deploy them. With IntelliMirror and SUS, you can quickly and automatically deploy security updates throughout your network without wearing holes in your soles.