Experiences with WSUS/SUS as Patch Deployment Solution for Windows at DESY

   Reinhard Baltrusch, Melvin Alfaro
   DESY IT

   HEPiX Fall Meeting, SLAC, 12.10.2005
   WIN.DESY.DE


Situation

    Over 2500 Windows clients in the domain to manage.
    Newly discovered security holes increasingly require a faster patch deployment
    mechanism.
    Formerly the group administrators installed service packs and security fixes on
    the PCs of their group. Today it is absolutely necessary, and more efficient, to
    centralize this task.
    SUS (Software Update Services) was for us the first suitable and free Microsoft
    solution for deploying security fixes, but some functionality is missing.
    The main problem was, and still is, to verify the success of security fix
    deployment on every machine. The old-style solution is a set of scripts that
    check the status of patch installation. The development of programs like the
    "Microsoft Baseline Security Analyzer" was a great step in the right direction.
    WSUS 2.0 (Windows Server Update Services), the successor of SUS, is the more
    sophisticated solution; after IT-internal tests it is about to be used
    DESY-wide.
    XP Service Pack 2 is distributable over WSUS, but the rollout started before
    WSUS was available.
    Server systems are managed with HFNetChkPro.
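The "control the success of deployment on every machine" problem above, as an added example in PowerShell (not one of DESY's own scripts): the script asks each listed host for its installed-hotfix inventory over WMI and flags every host that lacks one of the approved updates or cannot be queried at all. The host names and KB numbers are placeholders for illustration; substitute the list of updates you actually approved.

```powershell
# Added example, not from the original slides: verify on a list of Windows hosts
# that a set of approved security updates is actually installed. Uses the
# installed-hotfix inventory exposed over WMI (Win32_QuickFixEngineering).
# Host names and KB numbers below are placeholders; replace them with your own.

$Computers  = @('pc-group-a-01', 'pc-group-a-02')   # hypothetical host names
$RequiredKB = @('KB899588', 'KB893066')             # sample KB numbers, replace with your approved list

$report = foreach ($pc in $Computers) {
    try {
        # Remote WMI query: needs admin rights on the target and RPC/DCOM reachable.
        $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $pc -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID }
        $missing = @($RequiredKB | Where-Object { $installed -notcontains $_ })
        New-Object PSObject -Property @{
            Computer  = $pc
            Reachable = $true
            Missing   = ($missing -join ',')
            Compliant = ($missing.Count -eq 0)
        }
    } catch {
        # An unreachable host is a finding too: "no data" must never be read as "patched".
        New-Object PSObject -Property @{
            Computer  = $pc
            Reachable = $false
            Missing   = 'unknown'
            Compliant = $false
        }
    }
}

# Non-compliant and unreachable hosts first, so the to-do list is at the top.
$report | Sort-Object Compliant, Computer |
    Format-Table Computer, Reachable, Compliant, Missing -AutoSize
```

Win32_QuickFixEngineering lists operating system hotfixes only; Office updates do not appear there, so for a complete picture this check complements, rather than replaces, the reporting of the update server itself.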





The idea of updating clients with WSUS/SUS

    (Diagram) Microsoft Update / Windows Update on the Internet -> firewall ->
    WSUS/SUS server with its database -> Automatic Update clients.
    Services on the client: Automatic Update, Background Intelligent Transfer
    Service.


Software Update Services (SUS)
    Runs on a Windows 2003 Server with IIS 6.0 (HP Blade 20p).
    Supports most of the clients in the domain; updates are approved only for
    Windows XP and Windows 2003 in English, not for Windows 2000.
    No integrated function to verify the success of deployment (only log files).
    Clients are configured over group policy ("Automatically download updates
    and install them on the schedule specified below").
    Laptop presentation problem: the scheduled installation runs every day at
    11:00 AM, i.e. in the middle of presentations.
    Users without local admin rights cannot postpone the reboot after update
    installation.






SUS Admin web interface (screenshot)






WSUS (Windows Server Update Services)
    Next-generation deployment service with advanced features, building on the
    features of SUS.
    Windows 2003 Server with IIS 6 (HP Blade 20p).
    Better client-side options per group policy (e.g. "Allow non-administrators to
    receive update notifications").
    Update client (wuauclt) with command line options (e.g. force update
    detection with "wuauclt /detectnow").
    Options to define groups of computers for testing, reporting and other
    purposes ("targeting").
    Problems with updates of administrative Office installations (deployed over
    NetInstall), so at the moment no approval for installation of Office updates,
    only detection of needed updates.
    No approval for installation of service packs.






WSUS Admin web interface (screenshot)






New functions and advantages of WSUS
    More updates for Microsoft products.
    Ability to automatically download updates from Microsoft Update by product
    and type.
    Additional language support for customers worldwide (18 different languages).
    Maximized bandwidth efficiency through Background Intelligent Transfer
    Service (BITS) 2.0. (BITS 2.0 is not installed by WSUS, but is available on
    Windows Update.)
    Ability to target updates to specific computers and computer groups.
    Ability to verify that updates are applicable to each computer before
    installation (this check runs automatically for critical and security updates).
    Flexible deployment options.
    Reporting capabilities.
    Flexible database options.
    Data migration and import/export capabilities.
    Extensibility through the application programming interface (API).
    Better options for client configuration.






Overview of update classes from Microsoft

   Connectors
   Critical Updates * #
   Drivers *
   Feature Packs *
   Guidance
   Security Updates * #
   Service Packs *
   Software Development Kits
   Tools *
   Update Rollups *
   Updates (non-critical, non-security) *

   * class can be distributed over WSUS
   # class is automatically approved for detection






Supported products for update over WSUS

     Windows XP
     Windows XP 64-bit Edition
     Windows Server 2003 (all editions, incl. 64-bit)
     Windows 2000 (all editions)
     Office XP (2002) applications (incl. Project, Visio etc.)
     Office 2003 applications (incl. Project, Visio etc.)
     SQL Server
     Exchange Server 2003
     All products in different languages






WSUS Admin - Updates (screenshot)






WSUS Admin - Update Approval (screenshot)

    Approval actions:
      • Install
      • Remove (possible only if the update supports uninstall)
      • Detect-only
      • Decline


WSUS Admin - Reporting (screenshot)






WSUS Admin – Status of Updates (screenshot)






WSUS Admin – Status of Computers (screenshot)






WSUS Admin - Computers (screenshot)






Targeting of clients in different groups

    (Diagram) The WSUS server with its database serves the computer groups
    Group A, Group B, Group C ...; the built-in groups are "All Computers" and
    "Unassigned Computers". Updates are approved per group, so each group
    receives only what was approved for it.






WSUS chains

    (Diagram) Microsoft Update on the Internet -> WSUS upstream server with its
    database -> WSUS downstream server with its own database.
    (Microsoft tested chains of max. 5 servers; recommended max. 3 servers.)





Update of clients without direct Internet connection

    (Diagram) Microsoft Update on the Internet -> WSUS upstream server with its
    database; the update content is carried on CD/DVD to a disconnected WSUS
    downstream server with its own database.






The database of WSUS

    Contains the WSUS server configuration information.
    "Metadata" for every update (information about the update, among others the
    EULA).
    Information about the clients, about the updates and the update state of the
    client computers.
    Every WSUS server has its own database.
    On W2K3, WMSDE is recommended (free and without size limit).
    Interaction with the database (MSDE or WMSDE) only through the WSUS engine.






Storage of updates on the WSUS server
   During synchronisation only the metadata of the updates and one hash value
   per update are downloaded from the Microsoft Update server.
   Only after the approval for installation are the update files stored locally
   on the WSUS server (under WSUSContent).
   The necessary storage capacity varies greatly depending on the number of
   approved updates (min. 6 GB, recommended 30 GB).






Impact for the network through WSUS

   Only after the approval action "Install" are the files needed for an update
   downloaded from the MU server to the WSUS server.
   The approval action "Detect only" allows determining first whether, and for
   how many computers, an update is needed.
   Using "Express installation files" relieves the intranet: the WSUS server
   downloads the larger express package once, and each client fetches only the
   part it needs.

   Transfer volume per update (figures from the slide):
      Express enabled:   MU -> WSUS ~300 MB,   WSUS -> client ~30 MB
      Express disabled:  MU -> WSUS ~100 MB,   WSUS -> client ~100 MB




Background Intelligent Transfer Service (BITS 2.0)
     Windows service that downloads files asynchronously over HTTP.
     Organizes transfer jobs in a system of queues with different priorities and
     a time window for every priority.
     Distinguishes between foreground jobs, which use the full bandwidth, and
     background jobs, which use only unused bandwidth.
     Tolerates interruptions of the transfer and resumes afterwards.
     BITS never initiates a network connection by itself.
     Is "not" distributable over WSUS, but is part of XP SP2.
     The API can be used by other applications.
     The XP support tool "bitsadmin" makes the service usable from the command
     line for other purposes.
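The command line use of BITS mentioned above, as an added example (PowerShell driving bitsadmin.exe; not from the original slides): it creates a background download job at low priority, polls its state until the transfer finishes, and only then completes the job, which is when the file appears at the target path. The job name, URL and target path are assumptions.

```powershell
# Added example, not from the original slides: drive a BITS 2.0 download with the
# XP support tool bitsadmin.exe, the same service the Automatic Updates client uses.
# Job name, URL and target path are placeholders.

$JobName = 'DESY-patch-demo'                                   # hypothetical job name
$Url     = 'http://wsus.example.desy.de/Content/example.cab'   # hypothetical URL, assumed reachable
$Target  = 'C:\Temp\example.cab'

# A new job is created suspended: BITS opens no connection until the job is resumed.
bitsadmin /create /download $JobName | Out-Null
bitsadmin /addfile $JobName $Url $Target | Out-Null
# LOW uses only idle bandwidth and honours the priority time windows;
# FOREGROUND would compete with interactive traffic for the full bandwidth.
bitsadmin /setpriority $JobName LOW | Out-Null
bitsadmin /resume $JobName | Out-Null

# Poll the job state. TRANSIENT_ERROR means BITS is waiting and will retry on
# its own (e.g. after a network interruption); ERROR is final.
$active = @('QUEUED', 'CONNECTING', 'TRANSFERRING', 'TRANSIENT_ERROR', 'SUSPENDED')
do {
    Start-Sleep -Seconds 5
    # The state is the last non-empty line of the bitsadmin output.
    $state = (bitsadmin /getstate $JobName | Where-Object { $_ -match '\S' } | Select-Object -Last 1).Trim()
    Write-Host "$JobName : $state"
} while ($active -contains $state)

if ($state -eq 'TRANSFERRED') {
    # Only /complete moves the file from the BITS temporary store to the target path.
    bitsadmin /complete $JobName | Out-Null
    Get-Item $Target
} else {
    # Show the error details, then remove the failed job so it does not linger in the queue.
    bitsadmin /info $JobName /verbose
    bitsadmin /cancel $JobName | Out-Null
}
```

`bitsadmin /list /allusers /verbose` shows the jobs of all users, including the Automatic Updates downloads, which is useful when a client seems to be stuck downloading.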






Problems / To do / Outlook
   How to handle PCs where nobody logs on locally ("somewhere in the
   tunnel")?
   How to handle laptops which are seldom connected to the DESY network?
   How to handle "DESY-Home" PCs which are only connected from time to time
   over VPN?
   How to handle Windows computers which are not in the domain?
   (local computer policy/registry)
   Look for a solution to the problem with administrative Office
   installations.
   Test service pack installations.
   Find a good targeting structure.
   Watch whether other products become available for update over WSUS.
   No look at advanced solutions like SMS 2003 in the near future.
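The "local computer policy/registry" option for computers outside the domain, as an added example (PowerShell; not DESY's configuration): the script writes the same policy registry values that the WSUS group policy would set, covering the client options discussed on the SUS and WSUS slides (scheduled install time, no forced reboot with a logged-on user, notifications for non-administrators, client-side targeting), and then forces a detection run with wuauclt. The server URL and target group name are assumptions; run it as local administrator.

```powershell
# Added example, not from the original slides: configure a non-domain Windows
# computer for a WSUS server through the policy registry keys, then trigger detection.
# Server URL and target group are placeholders; run as local administrator.

$WsusUrl     = 'http://wsus.example.desy.de'   # hypothetical WSUS server URL (WSUS 2.0 default port 80)
$TargetGroup = 'TestGroup'                      # hypothetical WSUS computer group for client-side targeting

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"
New-Item -Path $AU -Force | Out-Null   # creates the WindowsUpdate key as well

# Intranet update server and statistics (reporting) server, here the same host.
Set-ItemProperty -Path $WU -Name WUServer       -Value $WsusUrl
Set-ItemProperty -Path $WU -Name WUStatusServer -Value $WsusUrl
# Client-side targeting: the client tells the server which computer group it belongs to.
Set-ItemProperty -Path $WU -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $WU -Name TargetGroup        -Value $TargetGroup

# Use the intranet server instead of Windows Update.
Set-ItemProperty -Path $AU -Name UseWUServer -Value 1 -Type DWord
# AUOptions: 2 = notify before download, 3 = download and notify before install,
# 4 = download and install on the schedule below.
Set-ItemProperty -Path $AU -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $AU -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $AU -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00, not 11:00 during presentations
# Never reboot automatically while a user is logged on; avoids the forced reboot
# that non-administrators could not postpone under SUS.
Set-ItemProperty -Path $AU -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord
# "Allow non-administrators to receive update notifications".
Set-ItemProperty -Path $AU -Name ElevateNonAdmins -Value 1 -Type DWord

# Restart the Automatic Updates service so it reads the new policy, drop the
# cached server authorization and force a detection run against the WSUS server.
Restart-Service -Name wuauserv
wuauclt /resetauthorization /detectnow
```

The result can be checked in the WSUS console a few minutes later: the computer appears in the configured target group, and the client side writes its detection run to %windir%\WindowsUpdate.log. Domain members should keep receiving these settings via group policy; the registry route is for the computers that cannot.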






References/Links

   http://www.microsoft.com/wsus
   http://www.wsuswiki.com/






The end – Questions ?




