Security Patching Using Windows Server Update Services
Jeff Alexander
IT Pro Evangelist
Microsoft Australia
http://blogs.technet.com/jeffa36
Agenda
• Update Services Goals and Design Principles
• Features
• Architecture
• Deployment
  – Scenarios
  – Migration from SUS 1.0
  – Considerations

What is Update Services?
• Corporate update management offering
  – Gets content from Microsoft Update (MU) service
• RTW component of Windows Server
  – Free to Windows Server (2000 and above) licensees
  – Requires Windows Server / Core CAL for target systems
• Does not change currently available offerings
  – SUS 1.0 continues to get content from WU
• Core component of Microsoft's Patch & Update Management solutions & roadmap

WSUS Goals and Design Principles
• Deliver easy to use, fully functional solution to address update management scenarios for all Microsoft products
  – Automate the update management process as much as possible
  – Support more than just Windows patches
  – Address customer requests from SUS 1.0
  – Optimize administrator experience for IT generalist
• Build the core patch management infrastructure for the Windows platform
  – Leveraged by other tools (e.g., SMS & 3rd party products)
  – Rich set of APIs to allow for extensibility and customization
  – Scale to large Internet services (Microsoft Update)
Windows Update Services
• Administrator subscribes to update categories
• Server downloads updates from Microsoft Update
• Clients register themselves with the server
• Administrator puts clients in different target groups
• Administrator approves updates
• Agents install administrator approved updates
(Diagram: Microsoft Update → WSUS Server → Desktop Clients (Target Group 1) and Server Clients (Target Group 2); the WSUS Administrator manages the WSUS Server)
Solution Overview

Supported Products and Content
• Content Partners
  – Windows, Office, SQL, Exchange at RTM
  – Additional products added over time
• OS platforms
  – Client/agent
    • Win2k SP3 and later, WinXP RTM and later (incl. XP Embedded)
    • Win2k3 RTM (32-bit only), Win2k3 SP1 (x64 and IA64)
  – Server
    • Win2k SP4 and later
    • Win2k3 RTM and later (32-bit only)
• International support
  – Client is localized to 25 Windows client locales
  – Server is localized to 17 Windows Server locales
  – MUI support

Features
• Administrator defined target groups
  – Group Policy defines client membership for AD environments
  – WSUS Server defined group membership for non-AD environments
• Administrator control of approvals
  – "Detect only" evaluation of machines for patch applicability
  – Approve for install and uninstall (requires update support)
  – Date-based deadlines
  – Per target group approval:
    • Different updates to different target groups
    • Different deadlines per target group
    • Different action per target group

Features
• Flexible Agent Configuration
  – Polling frequency
  – Notification and Install behaviors
  – Reboot behaviors
  – Port configurability
  – Non-administrators can install updates (like administrators)
  – Install at Shutdown (XP SP2 only)

Network Optimization Features
• Resilient and transparent
  – BITS* for client-server and server-server downloads
  – Downloads are in the background
• Minimized data downloads
  – Update subscriptions – only download updates for products, classifications and languages that *you* need
  – Support for "delta compression" technologies for client-server communications
  – Option to only download approved updates (download on demand)
  – Option to download only update descriptions & detection – binaries stay on MU
*Background Intelligent Transfer Service

User Interface demonstration

Reporting Features
• Synchronization reports
  – What's new, what changed
• Event log integration
  – Agent and server status events sent to local event log
• All reporting information available via Server .NET API

Deployment/Management Flexibility
• Server deployment options
  – Stand alone server
  – Hierarchical deployments of servers
    • Independent servers – no replication of approvals
    • Replica servers – approvals and target groups replicated between Update Services servers
  – Disconnected Servers
• Manageability (and extensibility)
  – Server
    • .NET based Server APIs
    • Simple rules for automatic "headless" deployment of updates
  – Client
    • Client command line options to trigger update detection
    • COM based APIs with scripting & remoting support
Server
• Simple to use web UI allows administration from any computer
• Synchronization engine to download updates from Microsoft Update
• SQL database holds all data other than content (software files)
• Can be set up in a hierarchy to suit organizational needs
• Completely built on managed code
• Uses BITS to efficiently utilize the network
• Secure
  – Validates all downloaded content
  – All content download locations securely ACL'ed
• Scalable
  – Supports up to 15k clients on a single 1 GHz, 512 MB server
  – Replica servers for scale out
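The two server-side capabilities named in the Reporting and Deployment/Management slides, reporting through the .NET server API and a simple "headless" approval rule, shown together as an added example (not code from the deck or from Microsoft). It assumes it runs on the WSUS server or on a machine with the WSUS administration console installed, which supplies the Microsoft.UpdateServices.Administration assembly; the target group name 'Pilot' is an assumed placeholder.

```powershell
# Added example: per-target-group compliance summary plus a headless approval rule
# for Critical-severity updates, scoped to a test group so production stays manual.
param(
    [string]$TestGroupName = 'Pilot',   # assumed target group name; change to yours
    [switch]$Approve                    # without this switch the rule only reports
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Local server; use GetUpdateServer('server', $false, 80) to administer a remote one
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 1. Installation status per target group, the same data the Reporting web service exposes
foreach ($group in $wsus.GetComputerTargetGroups()) {
    $totals  = @{ Installed = 0; NotInstalled = 0; Failed = 0; PendingReboot = 0; Unknown = 0 }
    $clients = $group.GetComputerTargets()
    foreach ($client in $clients) {
        $s = $client.GetUpdateInstallationSummary()
        $totals.Installed     += $s.InstalledCount
        $totals.NotInstalled  += $s.NotInstalledCount
        $totals.Failed        += $s.FailedCount
        $totals.PendingReboot += $s.InstalledPendingRebootCount
        $totals.Unknown       += $s.UnknownCount
    }
    # A client that has not reported for a week has stale status: count it separately
    $stale = @($clients | Where-Object { $_.LastReportedStatusTime -lt (Get-Date).AddDays(-7) })
    "{0,-20} clients={1,4} installed={2,5} missing={3,5} failed={4,4} reboot={5,4} stale={6,3}" -f `
        $group.Name, $clients.Count, $totals.Installed, $totals.NotInstalled,
        $totals.Failed, $totals.PendingReboot, $stale.Count
}

# 2. Headless approval rule: unapproved, undeclined Critical-severity updates are
#    approved for install on the test group only
$testGroup = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TestGroupName }
if (-not $testGroup) { throw "Target group '$TestGroupName' not found on this server" }

$candidates = $wsus.GetUpdates() | Where-Object {
    $_.MsrcSeverity -eq 'Critical' -and -not $_.IsApproved -and -not $_.IsDeclined
}
foreach ($u in $candidates) {
    if ($Approve) {
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $testGroup)
        "Approved for ${TestGroupName}: $($u.Title)"
    } else {
        "Would approve for ${TestGroupName}: $($u.Title)"
    }
}
```

Run it without -Approve first to see which updates the rule would pick up; the stale count tells you how much of the compliance picture is based on old client reports.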
Server Architecture
(Diagram: Server API; File Store (NTFS); Metadata Store (MSDE/SQL); Client/Server web service; Server/Server web service; Reporting web service; Admin UI; Content sync; Catalog sync. External parties: Clients, WSUS Servers/MU, Admin workstation)
Client
• Win32 Service (Agent) implements most functionality
• Extensible architecture based on Update type Handlers
  – Handlers for MSI, update.exe, drivers etc.
• Automatically self-updates to newer versions offered on the server
• Automatic Updates feature controllable by policy
• Secure
  – Validates all downloaded content for Microsoft certificates
  – All content download locations securely ACL'ed
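The "detect only" evaluation and the client COM API mentioned on the Features and Deployment/Management slides, as an added example (not from the deck): a PowerShell script that asks the Windows Update Agent what is applicable according to the WSUS server it is pointed at, without downloading or installing anything. It assumes the client is already configured by policy to use a WSUS server.

```powershell
# Added example: "detect only" applicability scan through the Windows Update Agent
# COM API (Microsoft.Update.Session). Nothing is downloaded or installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# ServerSelection 1 = ssManagedServer: query the WSUS server configured by policy,
# so the result reflects the administrator's approvals, not the public Windows Update site
$searcher.ServerSelection = 1

# Criteria string: updates the agent considers applicable and not yet installed
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$rows = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $u.MsrcSeverity
        Downloaded = $u.IsDownloaded
        Reboot     = $u.RebootRequired
        Title      = $u.Title
    }
}
$rows | Sort-Object Severity | Format-Table -AutoSize

# Count by severity; an empty Critical bucket is the state you want to see
$rows | Group-Object Severity | ForEach-Object { "{0,-12} {1}" -f ($_.Name, $_.Count) }

# Recent agent history, useful to correlate with the events the agent writes to the
# local event log (ResultCode 2 = succeeded, 4 = failed)
$count   = $searcher.GetTotalHistoryCount()
$history = $searcher.QueryHistory(0, [Math]::Min(5, $count))
foreach ($h in $history) {
    "{0:u}  result={1}  {2}" -f $h.Date, $h.ResultCode, $h.Title
}
```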
Client Architecture
(Diagram: WU Client API; WU Service or WSUS; IE (WU Site); Update Handlers; BITS; Content Store; Metadata Store; WU Client; Custom Scripts; Automatic Updates; Update Manager)

Deploying Updates Using WSUS demonstration

Deployment Options
• Server Options
  – Single Server
  – Multiple Servers
    • Replica
    • Autonomous
  – Disconnected Servers
• Client Options
  – Detection frequency
  – Client side vs Server side targeting mode
Single Server: Small organization or simple network
• Configure single server to talk to MU
• Synchronize all relevant updates (e.g. Windows XP critical and security updates)
• Configure clients to point to the WSUS server
• Optionally:
  – Create target groups for different groups of machines
  – Configure clients to be members of a target group
  – Configure auto approval rules to approve updates for install automatically
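The client side of the procedure above (pointing clients at the WSUS server, putting them in a target group with client-side targeting, and setting the detection frequency), as an added example that is not part of the deck: the script writes the registry values the Windows Update Group Policy settings write, which is how a non-AD machine gets the same configuration. The server URL, port 8530 and the group name 'Pilot' are assumed placeholders; run it elevated.

```powershell
# Added example: configure a client for a WSUS server with client-side targeting.
param(
    [string]$WsusUrl     = 'http://wsus.example.internal:8530',  # assumed server and custom port
    [string]$TargetGroup = 'Pilot',                              # assumed target group name
    [int]$DetectHours    = 4                                     # polling frequency, 1..22 hours
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
foreach ($k in $wu, $au) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

# Server the agent talks to and the server it reports status to (normally the same)
Set-ItemProperty $wu WUServer       $WsusUrl
Set-ItemProperty $wu WUStatusServer $WsusUrl

# Client-side targeting: the client declares its own group; the group must exist on the server
Set-ItemProperty $wu TargetGroupEnabled 1 -Type DWord
Set-ItemProperty $wu TargetGroup        $TargetGroup

# Agent behaviour: use the intranet server, download and install on a schedule,
# never reboot while a user is logged on, poll every $DetectHours hours
$auValues = @{
    UseWUServer                   = 1
    NoAutoUpdate                  = 0
    AUOptions                     = 4   # auto download and schedule the install
    ScheduledInstallDay           = 0   # every day
    ScheduledInstallTime          = 3   # 03:00
    NoAutoRebootWithLoggedOnUsers = 1
    DetectionFrequencyEnabled     = 1
    DetectionFrequency            = $DetectHours
}
foreach ($name in $auValues.Keys) { Set-ItemProperty $au $name $auValues[$name] -Type DWord }

# Verify by reading the values back; fail loudly rather than silently keep using Windows Update
$eff   = Get-ItemProperty $wu
$effAu = Get-ItemProperty $au
if ($eff.WUServer -ne $WsusUrl -or $effAu.UseWUServer -ne 1) { throw 'WSUS client policy not applied' }
if ($eff.TargetGroup -ne $TargetGroup -or $eff.TargetGroupEnabled -ne 1) { throw 'Targeting not applied' }
"Client uses $($eff.WUServer) in target group '$($eff.TargetGroup)', polling every $($effAu.DetectionFrequency) h"

# Make the agent re-read policy and check in with the server now
Restart-Service wuauserv
wuauclt /detectnow
```

After the next detection cycle the machine should appear on the server under the named target group; if it shows up in "Unassigned Computers" instead, the server has not been switched to client-side targeting mode.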
Multiple Servers
(Diagram: Microsoft Update → WSUS Server → WSUS Server → Desktop Clients)

Multiple Server Scenario: Large organization/complex network
• Configure single/multiple servers to talk to MU
• Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical, security updates)
• Create a hierarchy of servers
  – Independent WSUS servers in the intranet
  – Replica servers
• Configure clients to point to respective WSUS servers
• Optionally:
  – Create target groups for different groups of machines
  – Configure clients to be members of a target group

Disconnected Servers
(Diagram: Microsoft Update → connected WSUS Server; disconnected WSUS Server → Desktop Clients)

Disconnected Server: Disconnected networks
• Set up an external server to talk to MU
• Synchronize all relevant updates (e.g. all Windows XP, 2000, 2003 critical, security updates)
• Export update data and content to media
• Import update data and content to WSUS server on disconnected network
  – Server will validate Microsoft certificates on content and data relationships integrity
• Configure clients to point to respective WSUS servers

Migration SUS 1.0 to WSUS
• Single server
  – WSUS and SUS 1.0 on a single server
• Multiple servers
  – WSUS and SUS 1.0 on separate servers
  – Multiple SUS 1.0 servers to a single WSUS server
  – Multiple SUS 1.0 servers to multiple WSUS servers

Environment Considerations
• Ease of updating client settings
  – E.g., policy or scripted
• New clients coming into environment which are not yet WSUS compatible
• Branch office scenarios
• Targeting group model

Migration Considerations
• WSUS and SUS 1.0 cannot synchronize metadata with each other
• Only one-way SUS 1.0 to WSUS migration
• Migration of update approvals overwrites any pre-existing approvals per target group
• What doesn't migrate
  – proxy server settings
  – Internet Information Services (IIS) settings

Single Server Migration
• For customers with few servers
• Requires WSUS to be initially installed on a different port than SUS 1.0
• Requires updating all clients as they connect once the WSUS server is installed
• Potentially requires redirecting clients to a different port on the same server
• Clients will still use SUS 1.0 for updates until redirected to the WSUS port, or SUS 1.0 is decommissioned

Multiple SUS server migration
• To a single WSUS server
  – Take advantage of target groups
  – Consolidate Windows Servers
• To multiple WSUS servers
  – Maintain organizational structures with different administrators
  – Support branch offices
Migration Tool
WSUSUTIL.EXE migratesus
• /content <content share>
  – Migrate content from a SUS 1.0 <content share>
• /approvals <server name>
  – Migrate approvals from the SUS 1.0 server
• "target_group"
  – Apply approvals to the target group "target_group"
  – Requires /approvals to be specified
• /log <log_file>
  – Log the migration activities to the <log file> file

Deployment Considerations
• Hardware requirements
  – Number of clients, how often will clients poll the server
• Database & storage
  – Local or remote SQL vs MSDE
• Bandwidth
  – Single site, multi-site, branch office, low bandwidth
• Security
  – Customize ports
• Scalability
  – Server hierarchy
• Target options
  – Client side vs server side targeting mode
• Management
  – Automated with scripts vs Web UI
Adopt the solution that best meets the needs of your organization
Comparing Microsoft Update, Windows Update Services, and SMS 2003
(Capability: Microsoft Update / Windows Server Update Services / SMS 2003)

Supported Software and Content
• Supported Software for Content
  – Microsoft Update: Same as Windows Update Services + WinXP Home
  – Windows Server Update Services: Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2003, SQL Server 2000, MSDE
  – SMS 2003: Same as Windows Update Services + NT 4.0 & Win98 + can update any other Windows based software
• Supported Content Types for Supported Software
  – Microsoft Update: All software updates, critical driver updates, service packs (SPs), and feature packs (FPs)
  – Windows Server Update Services: All software updates, critical driver updates, SPs, & FPs
  – SMS 2003: All updates, SPs, & FPs + supports update & app installs for any Windows based software

Update Management Capabilities
• Targeting Content to Systems: N/A / Simple / Advanced
• Network Bandwidth Optimization: Yes / Yes / Yes
• Patch Distribution Control: N/A / Simple / Advanced
• Patch Installation & Scheduling Flexibility: Manual & end user controlled / Simple / Advanced
• Patch Installation Status Reporting: Install errors reported to user, lists missing updates for accessing computer / Simple / Advanced
• Deployment Planning: N/A / Simple / Advanced
• Inventory Management: N/A / No / Yes
• Compliance Checking: N/A / Simple / Advanced
*Customer uses Windows Update, another update tool, or manual update process for OS versions & applications not supported by Windows Update Services or Microsoft Update

Choosing A Patch Management Solution: Typical Customer Decisions
(Customer Type – Scenario – Customer Chooses)
• Large or Medium Enterprise
  – Want single flexible update management solution with extended level of control to update (+ distribute) ALL Windows OSes and Applications, as well as an integrated asset management solution – SMS 2003
  – Want update management-only solution that provides simple updating for Microsoft software and initially supports Windows (Win2K & later versions), Office (2003 & XP), Exchange 2003, SQL Server 2000, and MSDE 2000 – WSUS*
• Small Business
  – Have at least 1 Windows server and 1 IT administrator – WSUS*
  – All other scenarios – Microsoft Update*
• Consumer
  – All scenarios – Microsoft Update*
Summary
• Windows Server Update Services is a platform infrastructure as well as a solution
• Provides significantly more functionality and flexibility than SUS 1.0
  – Default implementation is very simple
  – Complex implementations will require planning

Resources
• WSUS homepage: http://www.microsoft.com/updateservices
  – WSUS Server download
  – Deployment and Operations Guides
  – SDK and Troubleshooter
  – WSUS community
  – Online Help
• WSUS Wiki: www.wsuswiki.com
• WSUS Community: www.wsus.info
• Microsoft Update: http://update.microsoft.com/microsoftupdate