I'm sure that many of you have seen or experienced this type of Windows Update Service fiasco: One of your users is sitting at his or her workstation and is prompted to download the “latest” Windows update. “Sure, why not,” the user says and then downloads and installs this supposedly important patch. Next, because the patch hasn’t been tested, something breaks, and a help desk call is generated. Time and money are now being wasted to resolve a simple issue with a patch that has exploded on a machine.
Imagine that 100—or even 1,000—users downloaded and installed the patch. Now you are really in a bind. If you are one of the many admins who have tasted some of this pain before, take heart. With the advent of Microsoft’s Software Update Services (SUS), you'll be able to avoid this situation.
The role of SUS
The importance of patches and updates from Microsoft is clear. The real gripe that most administrators have is the way the updates are distributed by the Windows Update Service. A service that lets you know when a new update is released and then downloads and installs it for you is convenient, and the process works fine for the average home user. It is not acceptable for the average corporate network.
In a network environment, an administrator must control the software, service packs, and hot fixes that are deployed to the network. This almost always involves testing and the development of a deployment strategy—and perhaps even feasibility studies—before any updates are deployed.
Because it doesn't allow this level of control, Windows Update Service is not suitable for a corporate network. In fact, many administrators, myself included, have used a Group Policy setting to turn off the Windows Update Service capability on end user machines.
Fortunately, Microsoft listened to its corporate customers and is now providing SUS as the solution to the security patch conundrum. In a nutshell, SUS is a free client/server software package that allows network administrators to download, test, manage, deploy, and maintain the security patches and hot fixes for a corporate network. It's a solid solution for controlling exactly which updates get installed on your organization's systems. SUS is a two-part software product, with one piece existing on the server and the other piece, Automatic Updates, existing on the client.
I'm going to introduce the major features of SUS and show how it works and how it can help you.
Some of the features that your clients can benefit from with Automatic Updates teamed with SUS include:
- Better security—Only users who have local administrative rights can interact with Automatic Updates, so unauthorized users can't alter or interfere with the installation of critical updates. Also, before a downloaded update can be installed, Automatic Updates verifies that the files carry a Microsoft digital signature.
- Just-in-time updates—Automatic Updates uses the same technologies as the Windows Update Service to scan the system and determine which updates are applicable to a particular computer.
- Background downloads—Automatic Updates uses what is known as the Background Intelligent Transfer Service (BITS), a cool piece of code that throttles the bandwidth to avoid interfering with the computer's normal network activity.
- Chained installation—If multiple updates are being installed, and one of them requires a restart, Automatic Updates installs them all together and then requests a single restart. If you have been an administrator for a while, you know how valuable this feature can be. Installing multiple patches can often result in multiple restarts, which slows down the update process considerably.
- Manageability—In Microsoft’s Active Directory environment, Group Policies are a boon to the administrator, so being able to control SUS with Group Policies makes sense. You can configure the behavior of Automatic Updates using a Group Policy, or you can remotely configure it using registry keys via a logon script or similar mechanism.
On the server side, SUS technology is based on IIS and the technologies that Microsoft has been using as its back end to the Windows Update Service. The server portion of SUS has many of the client-side benefits mentioned above, in addition to some key features available only from the server side. These include:
- Enhanced security—As with the client side, the administrative functions of SUS are restricted to local administrators on the computer that hosts the updates. In addition, during synchronization SUS checks the digital signature on every package it downloads from the update source. If a package is not signed by Microsoft, it is deleted.
- Selective content approval—Any updates downloaded to your SUS server are not made automatically available to the client computers. The administrator gets a chance to review, test, and then deploy them if appropriate. This provides the kind of control that admins really need.
- Content synchronization—The server is synchronized with Microsoft's database of updates either manually or automatically. An administrator can schedule synchronization to occur at preset times or can download the desired patches one at a time to the local SUS server.
- Server-to-server synchronization—SUS can point to another server running SUS rather than directly to Microsoft. Therefore, if you need more than one server running SUS due to size or network configuration, you can configure a chained or hierarchical relationship between the SUS servers on your network.
- Remote administration via HTTP(S)—As with just about any of Microsoft's products these days, the server component of SUS has a Web interface. Using either HTTP or HTTPS, you can control your server from a Web browser; you need Internet Explorer 5.5 or later. Since this page decides what gets deployed to every client, use HTTPS and limit which hosts can reach it.
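The signature check described under Better security and Enhanced security can also be run by hand against a package before you approve it. The following is an added example, not code from the article or from SUS itself. It uses PowerShell's Get-AuthenticodeSignature, which reports Valid only if the file hash matches and the certificate chain builds to a trusted root; because a valid signature from any publisher would pass that test, the script also checks the signer's subject. The content folder path is a placeholder, and the subject string match is an assumption about how Microsoft's signing certificate is named.

```powershell
# Added example, not from the original article or from SUS.
# Checks that an update package carries a valid Authenticode signature whose
# signer is Microsoft, mirroring the check Automatic Updates performs before install.

function Test-MicrosoftSignedPackage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only if the hash matches and the certificate chain
    # builds to a trusted root; anything else (NotSigned, HashMismatch,
    # UnknownError) means the package must not be approved.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from an arbitrary publisher is not enough: require the
    # signer to be Microsoft. The subject string match is an assumption.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = "unexpected signer: $subject" }
    }

    return [pscustomobject]@{
        Path     = $Path
        Approved = $true
        Reason   = "signed by $subject, thumbprint $($sig.SignerCertificate.Thumbprint)"
    }
}

# Usage: run the check over every package in the content folder.
# The folder below is a placeholder for wherever your SUS server stores content.
$contentRoot = 'C:\SUS\content'   # placeholder path
Get-ChildItem -Path $contentRoot -Recurse -Include *.exe, *.cab, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MicrosoftSignedPackage -Path $_.FullName } |
    Format-Table -AutoSize
```

Any row with Approved set to False is a package to investigate rather than approve, and the Reason column tells you whether the problem is a missing or broken signature or simply an unexpected signer.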
If you already use Systems Management Server (Microsoft’s flagship management software package) as a patch distributor, don’t worry. Microsoft says that it will soon release a patch that will integrate SUS into SMS.
Deployment and configuration
SUS is easy to install, but the configuration takes more care. Download the files from Microsoft's Web site, then invoke the server installation file by double-clicking on it and follow the instructions from the setup wizard.
If you'd like, you can deploy the client MSI files via Group Policy (that's how I prefer to do it). To administer the server, open Internet Explorer and enter http://<yourservername>/SUSAdmin. This is the Web page you will use to administer and configure SUS. From here, choose Set Options in the navigation pane on the left, and then configure the appropriate settings for your environment. The clients also have to be pointed at the SUS server rather than at Windows Update, which is done through the Automatic Updates Group Policy settings or the corresponding registry keys. Microsoft's SUS white paper provides all the installation and configuration info you need. It's a must-read.
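The registry-key route mentioned under Manageability, and the step above of pointing clients at the SUS server, come down to a handful of policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The script below is an added example, not code from the article or from Microsoft: it writes those values, then reads them back and flags anything that did not stick. The server name is hypothetical. Because the keys live under HKLM, the script needs local administrator rights, so it belongs in a computer startup script rather than a user logon script unless your users are local administrators.

```powershell
# Added example, not from the original article or from Microsoft.
# Points the Automatic Updates client at an internal SUS server by setting the
# same policy values that the Automatic Updates Group Policy settings write.
# Must run with local administrator rights (HKLM policy keys).

$SusServer = 'http://sus01.corp.example'   # hypothetical SUS server name

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path -Path $wuKey -ChildPath 'AU'

foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
}

# Where the client gets updates and where it reports status. With a single
# SUS server both point at the same place.
New-ItemProperty -Path $wuKey -Name WUServer       -Value $SusServer -PropertyType String -Force | Out-Null
New-ItemProperty -Path $wuKey -Name WUStatusServer -Value $SusServer -PropertyType String -Force | Out-Null

# Use the intranet server instead of Windows Update, keep Automatic Updates on,
# and download and install on a schedule (AUOptions 4).
New-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $auKey -Name AUOptions    -Value 4 -PropertyType DWord -Force | Out-Null

# Schedule: ScheduledInstallDay 0 = every day, ScheduledInstallTime 3 = 03:00 local.
New-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -PropertyType DWord -Force | Out-Null

# Read everything back and warn on any value that does not match the intended state,
# for example because a Group Policy applied afterwards overwrote it.
$expected = @{
    "$wuKey|WUServer"       = $SusServer
    "$wuKey|WUStatusServer" = $SusServer
    "$auKey|UseWUServer"    = 1
    "$auKey|NoAutoUpdate"   = 0
    "$auKey|AUOptions"      = 4
}

foreach ($entry in $expected.GetEnumerator()) {
    $path, $name = $entry.Key -split '\|'
    $actual = (Get-ItemProperty -Path $path -Name $name).$name
    if ("$actual" -ne "$($entry.Value)") {
        Write-Warning "$name is '$actual', expected '$($entry.Value)'"
    } else {
        Write-Output "$name = $actual"
    }
}
```

If Group Policy also manages these settings, the policy wins on the next refresh, so use either the Group Policy template or this script, not both. The read-back loop is worth keeping even then: a client still reporting WUServer pointed at the public Windows Update is exactly the untested-patch scenario the article opens with.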
All in all, SUS is a valuable product. Of course, it won't be perfect right away, since it is in its early stages. So expect small glitches and bugs when you start using it, and report any serious problems to Microsoft. In time, SUS will most likely become a standard part of administering a Windows network in a corporate environment.
Jeremy L. Smith, CISSP, is a cybersecurity and public safety professional who has worked with a variety of agencies to improve the security of their call centers and execute their public safety initiatives more effectively, including 911 call taking, cyber security, mass notification, and more. As the former chair of the NENA Security Working Group, he helped lead the development and creation of the public safety industry's first cyber security standards, NG-SEC. He is currently the general manager of the Mass Notification Division of Airbus DS Communications, a leader in the public safety market.