For many years, systems administrators have needed a way to keep the network secure by automatically deploying security patches to all the computers in a network. Microsoft provided Windows Update a few years ago, but this program is only for individual users and small organizations because it doesn't include provisions for bandwidth utilization or management features for update testing and approval.
Fortunately, Microsoft has now released Software Update Services (SUS), which is one of the first fruits of the Strategic Technology Protection Program (STPP). For once, I must give Microsoft kudos. SUS fills a glaring gap in the management and security of the Windows family. In this article, I show you how SUS works and how to install and configure the various SUS components. In Part 2, I'll show you more complex SUS configurations, such as those that let you track update installation activity, balance bandwidth demands, and make allowances for scalability.
Understanding the Basics
SUS provides a way to automatically deploy crucial updates (hotfixes that solve nonsecurity-related bugs), crucial security updates (security-related hotfixes), and security rollups to computers throughout a network, without requiring you to visit each computer or write any scripts. SUS is fairly flexible; you retain control over which updates to deploy, when to deploy them, and which computers should receive them. SUS doesn't deploy service packs for you, but that omission isn't a problem for Active Directory (AD) domains. Since Windows 2000 Service Pack 1 (SP1), Microsoft has supported service pack installation through IntelliMirror and group policies. With IntelliMirror and SUS, you can fully automate the process of keeping Windows XP and Win2K computers up-to-date. . . .