
Take another look at Microsoft Software Update Services

You probably gave up long ago on Microsoft's Software Update Services (SUS) for your enterprise. However, perhaps it's time to check it out again as the latest Service Pack makes SUS a practical solution for mass software updates.


By now, most IT managers have probably heard about Microsoft Software Update Services (SUS). Many of you have probably even looked at it seriously and then dismissed it as impractical. On Jan. 31, 2003, Microsoft released Service Pack 1 (SP1) for SUS, which finally makes SUS a viable production-ready product.

According to Microsoft, “SUS enables IT pros to quickly and reliably deploy critical updates to their Windows 2000-based servers and Windows 2003-based servers as well as desktop computers running Windows 2000 Professional or Windows XP Professional.” SUS is a patch-deployment utility that allows you to download and test updates once, and then deploy those updates automatically to PCs and/or servers on your network.

So what’s new?
No Service Pack update article would be complete without an explanation of what new features it includes. In this article, I will focus specifically on the enhancements provided to SUS by SP1.

Domain controllers
For small businesses everywhere, the initial release of SUS was not only disappointing; it was essentially not an option. SUS originally would not run on a domain controller—period. This included Microsoft Small Business Server. For small businesses with only one server, deploying SUS would have meant buying a whole new server just for patch management. It doesn’t take an MBA to figure out that that’s not a good investment. SP1 addressed this issue, and SUS can now be deployed to domain controllers.

IIS Lockdown and URL Scanner
As part of Microsoft’s Strategic Technology Protection Program (STPP), SUS installs IIS Lockdown and URL Scanner when you install SUS. This helps to keep your Web servers secure. However, if you haven’t already run IIS Lockdown and/or URL Scanner, and you have other Web sites running on your intended SUS server, these utilities could “break” your other sites. While you still don’t have the ability to completely bypass the installation of IIS Lockdown and URL Scanner, SP1 will check to see if they’ve already been installed; if they have, the SUS install will bypass that portion of the installation and will preserve your IIS metabase. My advice here is to manually install IIS Lockdown and/or URL Scanner before installing SUS. Get those two programs installed the way you want them and make sure your Web sites still work. Then when you install SUS, nothing will be changed.

Rescheduled wait time
Let’s say you want to automatically install updates to your client computers. After all, isn’t that the main reason you want this product? You schedule the updates to install automatically at 3 A.M. every night, but many of your users turn off their PCs at night. Those PCs miss the scheduled time, so the client is rescheduled to update the next night at 3 A.M. This turns into a vicious cycle in which some PCs never get the necessary updates. SP1 fixes this by allowing you to configure a rescheduled wait time. If a PC misses a scheduled install period, it will automatically schedule a time for the install after it boots up, waiting from one to 60 minutes (whatever you specify) after startup to actually install the updates.

Note
You must activate this feature through Group Policy or the registry.

Automatic restart
Many of Microsoft’s updates require a reboot. When SUS completes one of these updates, the client is automatically rebooted, even if a user happens to be logged on. If your users are working during the install period, or if they leave their workstations logged on overnight with work open, then some of their work could be lost in the process. SP1 changes this by notifying logged-on users that a reboot is required and letting them click the reboot button at their convenience.

Note
You must activate this feature through Group Policy or the registry.
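
The registry form of the two SP1 settings described above (rescheduled wait time and automatic restart), as an added example that is not part of the original article. The value names are those of the Automatic Updates client policy key; the 10-minute wait is an assumed value, and the 3 A.M. daily schedule follows the article's scenario.

```reg
Windows Registry Editor Version 5.00

; Added example: Automatic Updates client policy values for a SUS client.
; Import with regedit on a test machine first; all values are REG_DWORD
; and are written in hexadecimal in .reg files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

; 0 = Automatic Updates is enabled
"NoAutoUpdate"=dword:00000000

; 4 = download automatically and install on the schedule below
"AUOptions"=dword:00000004

; 0 = every day
"ScheduledInstallDay"=dword:00000000

; Hour of day, 0-23. 3 = 3 A.M., as in the article's scenario
"ScheduledInstallTime"=dword:00000003

; Rescheduled wait time: minutes to wait after startup before running an
; install that was missed. Valid range is 1-60. 0x0a = 10 minutes (assumed
; value); the maximum of 60 minutes would be written as 0000003c.
"RescheduleWaitTime"=dword:0000000a

; Automatic restart: 1 = do not reboot automatically while a user is
; logged on; the user is notified and chooses when to restart
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
```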

Where do I sign up?
Before you rush into deployment with SUS SP1, there are a few closing remarks worth mentioning.
  • No Service Packs: SUS SP1 still doesn’t deploy Service Packs (Windows 2000 SP3, for example), so you’ll need to continue deploying these manually or through some other distribution channel. SUS SP1 provides Windows Critical Updates, Windows Critical Security Updates, and Windows Security Roll-ups.
  • No Office updates: SUS SP1 doesn’t provide updates to Microsoft Office or any other applications such as Exchange. The only exception to this is Internet Explorer updates.
  • WUAU.ADM: If you want to take advantage of Group Policy to set client behavior, you’ll need to download the newest WUAU.ADM file from Microsoft’s Web site. This template has all the newest policy settings.
  • Pre-Win2K clients: If you still have Windows 95/98/Me/NT4 machines on your network, remember that SUS won’t update these devices. SUS works only with Windows 2000 SP2 or later.

What do you think should be added?
There are a number of features I’d like to see added to this product. However, for the price (free), SUS SP1 is definitely worth considering. Are there any features missing with this version of SUS that you would like to see?

 
