baltrusch by liaoxiuli


									Experiences with WSUS/SUS as
Patch Deployment Solution for
      Windows at DESY
   Reinhard Baltrusch,
   Melvin Alfaro

               HEPiX Fall Meeting, SLAC 12.10.2005   1


    Over 2500 Windows clients in the domain to manage.
    Discovered security holes requires more and more a quicker patch deployment
    In former times group administrators install service packs and security fixes on
    PCs of their group. Today it is absolute necessary and more efficient to
    centralize these task.
    SUS (Software Update Service) was for us the first suitable and free Microsoft
    solution to deploy security fixes, but some functionality is missing.
    Main problem was and still is, to control the success of security fix deployment
    on every machine. Solutions in old manner are several scripts used for checking
    status of patch installation. The development of programs like the “Microsoft
    Baseline Security Analyzer” was a great step in the right direction.
    WSUS 2.0 (Windows Server Update Service) as successor of SUS is the more
    sophisticated solution and stands after IT internal tests in front of its DESY wide
    XP Service Pack 2 is distributable over WSUS, but the rollout starts before WSUS
    was available.
    Server systems are managed over HFNetCheckPro.

                          HEPiX Fall Meeting, SLAC 12.10.2005                       2

The idea of updating clients with WSUS/SUS
            Windows Update



Microsoft               Firewall
                                                           Automatic Update Clients
                                                                Services :
                                                                Automatic Update
                                                                Background Intelligent
                                                                      Transfer Service

                          HEPiX Fall Meeting, SLAC 12.10.2005                            3

Software Update Service (SUS)
    Working on a Windows 2003 Server with IIS 6.0 (HP Blade 20p).
    Supports most of the clients in the domain, has approved updates only for
    Windows XP and Windows 2003 in english, but not for Windows 2000.
    No integrated function to control success of deployment (only log files).
    Clients are configured over group policy (“Automatically download updates
    and install them on the schedule specified below”).
    Laptop presentation problem (every day at 11:00 AM).
    Users without local admin rights unable to hold up reboot after update

                       HEPiX Fall Meeting, SLAC 12.10.2005                      4

SUS Admin web interface

              HEPiX Fall Meeting, SLAC 12.10.2005             5

WSUS (Windows Server Update Service)
    Next generation deployment service with advanced features, builds on the
    features of SUS.
    Windows 2003 Server with IIS6 (HP Blade 20p).
    Better client side options per group policy (e.g.“Allow non-administrators to
    receive update notifications”).
    Update client (wuauclt) with command line options (e.g. force update
    detection with : “wuauclt /detectnow”).
    Options to define groups of computers for testing, reporting and other
    purposes (“Targeting”).
    Problems with updates of administrative Office installations (over NetInstall),
    so at the moment no approval for installation of Office updates, only detection
    of needed updates.
    No approval for installation of “Service Packs”.

                        HEPiX Fall Meeting, SLAC 12.10.2005                     6

WSUS Admin web interface

             HEPiX Fall Meeting, SLAC 12.10.2005             7

New functions and advantages of WSUS
    More updates for Microsoft products .
    Ability to automatically download updates from Microsoft Update by product
    and type.
    Additional language support for customers worldwide (18 different languages).
    Maximized bandwidth efficiency through Background Intelligent Transfer
    Service (BITS) 2.0. (BITS 2.0 is not installed by WSUS, but is available on
    Windows Update).
    Ability to target updates to specific computers and computer groups.
    Ability to verify that updates are suitable for each computer before
    installation (this feature runs automatically for critical and security updates).
    Flexible deployment options.
    Reporting capabilities.
    Flexible database options.
    Data migration and import/export capabilities.
    Extensibility through the application programming interface (API).
    Better options for client configuration.

                         HEPiX Fall Meeting, SLAC 12.10.2005                      8

Overview of update classes from Microsoft

   Connectors Software         Critical Updates * #
   Development Kits            Drivers *
   Feature Packs *             Guidance
   Security Updates * #        Service Packs *
   Tools   *                   Updates (non-critical, non-security) *
   Update Rollups *

   * class can be distributed over WSUS
   # class is automatically approved for detection

                          HEPiX Fall Meeting, SLAC 12.10.2005               9

Supported products for update over WSUS

     Windows XP
     Windows XP 64-bit edition
     Windows Server 2003 (all editions, 64-bit)
     Windows 2000 (all edtions)
     Office 2002/XP applications (incl. Project, Visio etc.)
     Office 2003 applications (incl. Project, Visio etc.)
     SQL server
     Exchange Server 2003
     All products in different languages

                        HEPiX Fall Meeting, SLAC 12.10.2005             10

WSUS Admin - Updates

            HEPiX Fall Meeting, SLAC 12.10.2005            11

WSUS Admin - Update Approval

                                                 Approval actions :

                                                      • Remove (this action is
                                                        possible only if the update
                                                        supports uninstall)
                                                      • Detect-only

                                                      • Decline
           HEPiX Fall Meeting, SLAC 12.10.2005                                        12

WSUS Admin - Reporting

            HEPiX Fall Meeting, SLAC 12.10.2005            13

WSUS Admin – Status of Updates

            HEPiX Fall Meeting, SLAC 12.10.2005            14

WSUS Admin – Status of Computers

            HEPiX Fall Meeting, SLAC 12.10.2005            15

WSUS Admin - Computers

            HEPiX Fall Meeting, SLAC 12.10.2005            16

Targeting of clients in different groups
                                                             Group A

Group A
Group B
                                                                       Group B
Group C …
All Computers
Unassigned Computers
                                                             Group C

                       HEPiX Fall Meeting, SLAC 12.10.2005                        17

WSUS chains

                                        WSUS                        WSUS
                                  (upstream server)          (downstream server)


                                       Database                      Database

                                  (MS tested max. 5 server/ recommended max. 3 server)

                       HEPiX Fall Meeting, SLAC 12.10.2005                               18

Update of clients without direct Internet

                                        WSUS                              WSUS
                                  (upstream server)                (downstream server)

            Internet                                         CD / DVD

                                       Database                          Database

                       HEPiX Fall Meeting, SLAC 12.10.2005                          19

The database of WSUS

    Contains WSUS server configuration information.
    „Metadata“ for every update (information about update, among others
    Information about client, about updates and update state of client
    Every WSUS Server has it’s own database.
    With W2K3 WMSDE will be recommended (free and without spacelimit).
    Interaction with database (MSDE or WMSDE) only over WSUS engine.

                      HEPiX Fall Meeting, SLAC 12.10.2005            20

Storage of updates on the WSUS server
   During synchronisation only the metadata of updates and one hash
   value for the updates are downloaded from the Microsoft Update
   Not until after the approval for installation the update files will be
   saved locally on the WSUS server (under WSUS Content).
   The size of the necessary storage capacity varied intensely
   depending on the quantity of approved updates (min. 6 GB,
   recommended 30 GB).

                       HEPiX Fall Meeting, SLAC 12.10.2005                  21

Impact for the network through WSUS

   Not until after the approval action „Install“ the necessary files for an
   update were downloaded from the MU server to the WSUS server.
   The approval action „Detect only“ allows to determin first if and for
   how many computers an update is needed.
   Through the usage of „Express installation files“ the Intranet can be

        ~300MB                       ~30MB                       Express enabled
        ~100MB                      ~100MB                       Express disabled
  MU                    WSUS                            CLIENT

                        HEPiX Fall Meeting, SLAC 12.10.2005                         22

Background Intelligent Transfer Service
(BITS 2.0)
     Windows Service which allows the asynchronous download of files
     over http.
     Organizes transfer jobs through a system of queues with different
     priorities and a time window for every priority.
     Works inbetween foreground jobs with full bandwidth and background
     jobs with unused bandwidth.
     Reacts tolerant on interruption of synchronization.
     BITS never initialize a network connection by itself.
     Is „not“ distributable over WSUS, but is part of XP SP2.
     API can be used for/with other applications.
     XP supporttool „bitsadmin“ allows to use the service over a command
     line for other purposes.

                      HEPiX Fall Meeting, SLAC 12.10.2005            23

Problems / To do / Outlook
   How to handle PCs where nobody log on locally (“somewhere in the
   tunnel”) ?
   How to handle Laptops which seldom connected to DESY network ?
   How to handle “DESY-Home”-PCs which only connected from time to
   time over VPN ?
   How to handle Windows computers which are not in the domain ?
   (local computer policy/registry)
   Look for solution for the problem with administrative Office
   Test service pack installations.
   Find a good targeting structure.
   Looking forward whether other products become available to get
   updates over WSUS.
   No look on advanced solutions like SMS 2003 in the near future.

                   HEPiX Fall Meeting, SLAC 12.10.2005            24


                   HEPiX Fall Meeting, SLAC 12.10.2005            25

The end – Questions ?

             HEPiX Fall Meeting, SLAC 12.10.2005            26

To top