Windows Server Update Services (WSUS)
Automated patching is the first step in securing a network. I will discuss the importance of maintaining patch deployment, deployment strategies, and how to use Microsoft’s Windows Server Update Services 3.0.
When people think about IT security, they think about firewalls and antivirus. Firewalls are important, but they only go so far in protecting your network against a direct attack. A firewall will only prevent illegitimate forms of traffic from the internet. It doesn’t stop traffic on legitimate ports or downloads. Firewall defenses have been compared to eggs: hard on the outside but soft on the inside. Antivirus will only protect you against known threats. Many organizations have made the mistake of thinking that firewalls combined with antivirus will give them a complete defense against threats.
WSUS is a free-to-use Microsoft product that services the entire Microsoft product range and makes it easier for administrators or security officers to test and deploy updates on a production network.
I aim to show how you can manage updating your entire Microsoft network with minimal manual effort by using WSUS 3.0.
- Windows Server 2003 Service Pack 1 or later
- Microsoft Internet Information Services (IIS) 6.0 or later
- Background Intelligent Transfer service (BITS) 2.0 or later
- Windows Installer 3.1 or later
- Microsoft .NET Framework 2.0
WSUS Deployment Scenarios
This is the best deployment solution where there is a single security policy. It is efficient because:
- The internet connection is used only once to download updates.
- Administrative effort is minimized; all update testing and approval is performed at the WSUS server, which is the point of entry.
WSUS clients have the location of their WSUS server configured from Active Directory.
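One way to confirm on a client that the WSUS server location configured from Active Directory actually arrived is to read the Windows Update policy values from the registry. This PowerShell script is an added example, not part of the original article; the URL in $ExpectedServer is a hypothetical placeholder.

```powershell
# Added example, not from the original article.
param(
    # Hypothetical WSUS URL (assumption); replace with your server's address.
    [string]$ExpectedServer = 'https://wsus.example.local'
)

# Policy keys that the Windows Update Group Policy settings write on a client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing (policy never applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'        # update source
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'  # reporting target
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'     # 1 = use WUServer
$targetGroup  = Get-PolicyValue $wuKey 'TargetGroup'     # client-side targeting

$findings = @()
if (-not $wuServer) {
    $findings += 'WUServer is not set: no WSUS server configured by policy.'
} else {
    if ($wuServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
        $findings += "WUServer is '$wuServer', expected '$ExpectedServer'."
    }
    if ($statusServer -ne $wuServer) {
        $findings += "WUStatusServer '$statusServer' differs from WUServer."
    }
    if ($wuServer -notmatch '^https://') {
        $findings += 'WUServer is not an https:// URL: client traffic is not protected by SSL.'
    }
}
if ($useWuServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client does not use the configured WUServer.'
}

# One result object per client, suitable for collecting across machines.
New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    WUServer    = $wuServer
    TargetGroup = $targetGroup
    Compliant   = ($findings.Count -eq 0)
    Findings    = ($findings -join ' ')
}
```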
Installing WSUS 3.0
You can decide whether this server will be the root WSUS server or a downstream server.
A downstream server gets updates from an upstream WSUS server on your network.
For a downstream server:
- You can choose to use SSL if the upstream server requires it.
- Make this a replica of the upstream server. This is how you can centralize management to your upstream or root servers.
Enter any required credentials to enable your new WSUS server to get through a proxy. Keep in mind not to use your own user account or an administrator account; use a dedicated service account.
Start your initial synchronization. This will only download the information necessary to complete the wizard. It will not download any updates or metadata about any updates.
Choose the languages for which you want to download updates.
Choose which products on your network you wish to update using WSUS.
Choose which types of update you want to download.
Configure synchronization; you have the option to set a schedule for daily automatic synchronization.
Configuration is complete. We can now start the initial synchronization to download update metadata.
Create a computer group and move computers from “Unassigned Computers” to the appropriate group.
Choose the update you want to apply.
Approve the update for all computers or for a specific group.