Windows Patch Management, Software Update Services (Part 1)
Thus far, our Windows Patch Management series has focused on a number of free solutions from Microsoft that offer patch deployment and inventory capabilities. This installment and the next will round out the picture with coverage of Software Update Services (SUS), another patch deployment mechanism from Microsoft. Unlike the free patch deployment tools previously covered in this series, Microsoft's Software Update Services tool is designed to enable a highly customized deployment infrastructure by facilitating patch selectivity. We discuss SUS' features and benefits, as well as how to install, configure, and administer it.
SUS was first released in June 2002 and is currently at version 1.0, Service Pack 1. Unlike the tools in the same category that we previously described (such as Critical Update Notification and Windows Update), which are intended primarily for non-managed environments and are limited in their ability to be centrally managed, SUS was designed to enable a higher level of customization for deployment infrastructure and patch selectivity.
In traditional Windows Update scenarios, client computers running the Automatic Update service pull a list of applicable updates directly from Microsoft servers. SUS also relies on the Automatic Update service running on client computers (which limits its scope to Windows 2000 and later operating systems), but it adds a layer of processing. This layer consists of at least one computer internal to a company's network running Windows 2000 SP2, or later, or Windows 2003 Server on which SUS software has been installed.
Windows update files are first downloaded to one or more of these servers from Internet-based Microsoft servers. This layer can have sublayers of additional SUS servers that simplify the coordination of patch deployment in larger environments: SUS servers are configured to synchronize content with other SUS servers -- not Microsoft Update Internet servers -- residing higher in this hierarchy. Appropriately configured client computers obtain the updates (using Automatic Update mechanism). The system administrator designates which updates are approved for distribution throughout the enterprise.
This approach provides several benefits:
- Control over which updates will be applied to computers
- Lowered bandwidth for the Internet connection
- The ability to manage the flow of patch downloads (this might be important in a multi-site environment separated by slow WAN links)
- The ability to deploy patches to computers without direct Internet access
- A solution for environments where proxy servers require authentication for secure access to the Internet (this causes problems with Automatic Update clients)
Service Pack 1 extends the basic feature set found in SUS 1.0. From an SMB point of view, one of the most important changes is ability to install SUS software on domain controllers. The lack of this functionality in the previous edition prevented SUS from being implemented in environments using Windows 2000 and 2003 Small Business Server editions, as they operate as domain controllers. The current incarnation of SUS also supports the deployment of Windows service packs (starting with Windows 2000 SP4 and Windows XP SP1), in addition to security patches. However, it does not allow updates to any other Microsoft products, such as Office, Exchange 2000, or SQL 2000 Servers.
SUS clients can be set to send information about patch operation to an SUS statistics server. This must be a Windows server running Internet Information Server, and it can be the one running the SUS component. If a different server is to be used, copy WUtrack.bin file from the SUS Web site root folder to the statistic server Web site root folder. Patch download and installation statistics sent by clients are recorded in the IIS logs.
More information about log content analysis is found in Appendix C of the "SUS SP1 Deployment Guide," downloadable from http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx.
Alternatively, you can also employ Microsoft Baseline Security Analyzer (by launching it from the command line using the syntax MBSACLI /hf /sus "http://SUSServer") to execute a security scan against list of locally approved updates rather than against a full list of the updates contained in mssecure.xml file on the Microsoft Internet Update servers.