
Page 1: Windows Project DESY

HEPiX Fall Meeting, SLAC, 12.10.2005

Experiences with WSUS/SUS as Patch Deployment Solution for Windows at DESY

Reinhard Baltrusch, Melvin Alfaro, DESY IT

Page 2: Windows Project DESY

WIN.DESY.DE


Situation

• Over 2500 Windows clients in the domain to manage.

• Newly discovered security holes require an ever faster patch deployment mechanism.

• Formerly, group administrators installed service packs and security fixes on the PCs of their group. Today it is absolutely necessary, and more efficient, to centralize this task.

• SUS (Software Update Services) was the first suitable and free Microsoft solution for us to deploy security fixes, but some functionality is missing.

• The main problem was, and still is, controlling the success of security fix deployment on every machine. The old-style solution is a set of scripts that check the status of patch installation. The development of programs like the "Microsoft Baseline Security Analyzer" was a great step in the right direction.

• WSUS 2.0 (Windows Server Update Services), the successor of SUS, is the more sophisticated solution; after IT-internal tests it is now about to be used DESY-wide.

• XP Service Pack 2 can be distributed over WSUS, but its rollout started before WSUS was available.

• Server systems are managed with HFNetChkPro (Shavlik).
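The "main problem" named above, checking on every machine whether the approved fixes really arrived, can also be answered from the client side. The following is an added example, not part of the DESY slides or of any DESY script: it asks the local Windows Update Agent (the WUA COM API that ships with XP SP2 and later) which offered updates are still missing, how the last installations ended, and whether a reboot is pending. When the client is pointed at an intranet WSUS server, the search is evaluated against that server's approved set. The helper function names are the example's own.

```powershell
# Added example (not from the DESY slides): query the local Windows Update Agent
# (WUA COM API, XP SP2 and later) for what this machine still needs, what it installed
# recently, and whether a reboot is pending. With the client pointed at an intranet
# WSUS server the search is evaluated against that server's approved updates.
# Run as administrator to see the complete installation history.

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Updates offered to this client that are neither installed nor hidden by a user.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) -join ',')
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical/Important/... for security updates, empty otherwise
        }
    }
}

function Get-InstallHistory([int]$Last = 20) {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return }          # QueryHistory rejects a zero row count
    # Operation 1 = installation, 2 = uninstallation.
    # ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 } |
        Select-Object -First $Last Date, Title,
            @{ n = 'Result';  e = { @{2='Succeeded';3='SucceededWithErrors';4='Failed';5='Aborted'}[[int]$_.ResultCode] } },
            @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } }
}

function Test-PendingReboot {
    # True when an earlier installation still waits for a reboot; the next cycle will not
    # install anything until then, so a "needed" update may simply be blocked by this.
    (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}

# Status report for this machine
$missing = @(Get-MissingUpdates)
"Missing updates on {0}: {1}" -f $env:COMPUTERNAME, $missing.Count
$missing | Format-Table -AutoSize
Get-InstallHistory | Format-Table -AutoSize
"Reboot pending: {0}" -f (Test-PendingReboot)
```

Run from a logon script or over remote PowerShell, the output of this report for all machines gives the per-machine check that the SUS log files alone did not provide; a machine that reports a failed installation with an HResult is the one to look at first.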

Page 3: Windows Project DESY


The idea of updating clients with WSUS/SUS

Diagram: Microsoft Update (Internet) -> Firewall -> WSUS/SUS server with its database -> Clients. Client-side services involved: Automatic Update, Background Intelligent Transfer Service, Windows Update.

Page 4: Windows Project DESY


Software Update Services (SUS)

• Runs on a Windows Server 2003 with IIS 6.0 (HP Blade 20p).

• Supports most of the clients in the domain; updates are approved only for Windows XP and Windows 2003 in English, not for Windows 2000.

• No integrated function to control the success of deployment (only log files).

• Clients are configured via group policy ("Automatically download updates and install them on the schedule specified below").

• Laptop presentation problem: the scheduled installation runs every day at 11:00 AM, also in the middle of a presentation.

• Users without local admin rights cannot postpone the reboot after update installation.

Page 5: Windows Project DESY


SUS Admin web interface (screenshot)

Page 6: Windows Project DESY


WSUS (Windows Server Update Services)

• Next-generation deployment service with advanced features, building on the features of SUS. Windows Server 2003 with IIS 6 (HP Blade 20p).

• Better client-side options via group policy (e.g. "Allow non-administrators to receive update notifications").

• Update client (wuauclt) with command line options (e.g. force update detection with "wuauclt /detectnow").

• Options to define groups of computers for testing, reporting and other purposes ("targeting").

• Problems with updates of administrative Office installations (deployed via NetInstall); at the moment Office updates are therefore approved for detection only, not for installation. Service packs are not approved for installation either.
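The group policy settings mentioned on this and the previous slide (scheduled install, notifications for non-administrators, client-side targeting) are stored as plain registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is also the only way to configure a Windows computer that is not in the domain. The script below is an added example, not from the DESY slides or from DESY: it writes those values directly and then forces the client to re-register and detect. The server URL and group name are placeholders; run it elevated.

```powershell
# Added example (not from the DESY slides): configure the Automatic Updates client for
# an intranet WSUS server by writing the registry values behind the Windows Update group
# policies. This is what a domain GPO does, and what a non-domain PC needs by hand.
# Run as administrator. Server URL and target group are assumptions.

$WsusServer  = 'http://wsus.example.desy.de'   # placeholder: your WSUS server (port 80 is the WSUS 2.0 default)
$TargetGroup = 'Test-Clients'                   # placeholder: a computer group that exists on the server

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu -Force | Out-Null
New-Item -Path $au -Force | Out-Null

# Intranet server for update content and for status reporting.
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusServer
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusServer
# Client-side targeting: the client sends its group name, the server files it into that group.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup
# "Allow non-administrators to receive update notifications"
Set-ItemProperty -Path $wu -Name ElevateNonAdmins -Value 1 -Type DWord

# Automatic Updates: use the WSUS server; AUOptions 4 = auto download and schedule the install.
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord
# Schedule: day 0 = every day (1 = Sunday ... 7 = Saturday), hour 0-23.
# 03:00 instead of 11:00 avoids the laptop presentation problem of the SUS setup.
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord
# No automatic reboot while somebody is logged on; the user is prompted instead.
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Read back what was written, then make the client re-register and detect right away.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path $au | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Restart-Service -Name wuauserv
& wuauclt.exe /resetauthorization /detectnow
```

The /resetauthorization switch matters after changing the server or group: without it the client keeps the cookie from its previous registration and may wait up to a day before it shows up under the new group.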

Page 7: Windows Project DESY


WSUS Admin web interface (screenshot)

Page 8: Windows Project DESY


New functions and advantages of WSUS

• More updates for Microsoft products.

• Ability to automatically download updates from Microsoft Update by product and type.

• Additional language support for customers worldwide (18 different languages).

• Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0. (BITS 2.0 is not installed by WSUS, but is available on Windows Update.)

• Ability to target updates to specific computers and computer groups.

• Ability to verify that updates are suitable for each computer before installation (this runs automatically for critical and security updates).

• Flexible deployment options.

• Reporting capabilities.

• Flexible database options.

• Data migration and import/export capabilities.

• Extensibility through the application programming interface (API).

• Better options for client configuration.

Page 9: Windows Project DESY


Overview of update classes from Microsoft

  Class                                  Distributable over WSUS   Auto-approved for detection
  Connectors
  Software
  Critical Updates                       *                         #
  Development Kits
  Drivers                                *
  Feature Packs                          *
  Guidance
  Security Updates                       *                         #
  Service Packs                          *
  Tools                                  *
  Updates (non-critical, non-security)   *
  Update Rollups                         *

* class can be distributed over WSUS
# class is automatically approved for detection

Page 10: Windows Project DESY


Supported products for update over WSUS

• Windows XP

• Windows XP 64-bit edition

• Windows Server 2003 (all editions, incl. 64-bit)

• Windows 2000 (all editions)

• Office 2002/XP applications (incl. Project, Visio etc.)

• Office 2003 applications (incl. Project, Visio etc.)

• SQL Server

• Exchange Server 2003

• All products in different languages

Page 11: Windows Project DESY


WSUS Admin - Updates (screenshot)

Page 12: Windows Project DESY


WSUS Admin - Update Approval

Approval actions:

• Install

• Remove (this action is possible only if the update supports uninstall)

• Detect-only

• Decline

Page 13: Windows Project DESY


WSUS Admin - Reporting (screenshot)

Page 14: Windows Project DESY


WSUS Admin – Status of Updates (screenshot)

Page 15: Windows Project DESY


WSUS Admin – Status of Computers (screenshot)

Page 16: Windows Project DESY


WSUS Admin - Computers (screenshot)

Page 17: Windows Project DESY


Targeting of clients in different groups

Diagram: one WSUS server with its database; clients are assigned to computer groups Group A, Group B, Group C, ... in addition to the built-in groups "All Computers" and "Unassigned Computers".

Page 18: Windows Project DESY


WSUS chains

Diagram: Microsoft Update (Internet) -> WSUS upstream server with its database -> WSUS downstream server with its own database.

(MS tested a chain of max. 5 servers; recommended max. 3 servers.)

Page 19: Windows Project DESY


Update of clients without direct Internet connection

Diagram: Microsoft Update (Internet) -> WSUS upstream server with database; its content is exported to CD/DVD and imported into a disconnected WSUS downstream server with its own database, which serves the clients.

Page 20: Windows Project DESY


The database of WSUS

• Contains the WSUS server configuration information.

• "Metadata" for every update (information about the update, among others the EULA).

• Information about the clients, about the updates and the update state of the client computers.

• Every WSUS server has its own database.

• On Windows Server 2003, WMSDE is recommended (free and without the size limit of MSDE).

• Interaction with the database (MSDE or WMSDE) only through the WSUS engine.

Page 21: Windows Project DESY


Storage of updates on the WSUS server

• During synchronisation only the metadata of the updates and a hash value for each update file are downloaded from the Microsoft Update server.

• Only after the approval for installation are the update files stored locally on the WSUS server (under WSUSContent).

• The necessary storage capacity varies widely depending on the quantity of approved updates (min. 6 GB, recommended 30 GB).

Page 22: Windows Project DESY


Impact for the network through WSUS

• Only after the approval action "Install" are the files needed for an update downloaded from the MU server to the WSUS server.

• The approval action "Detect only" allows determining first whether, and for how many computers, an update is needed.

• Using "express installation files" relieves the intranet.

Transfer volume for one update (figures from the slide):

                      MU -> WSUS   WSUS -> client
    Express enabled   ~300 MB      ~30 MB
    Express disabled  ~100 MB      ~100 MB
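The "detect first, approve later" workflow from the approval slide and from this one can be scripted against the WSUS administration API instead of being clicked through in the web console. What follows is an added example, not code from the DESY slides or from DESY; it uses the WSUS 3.0 administration assembly (Microsoft.UpdateServices.Administration, installed with the admin console), which has no separate detect-only action because every synchronized update is evaluated by the clients anyway, so the "needed" count of a not-yet-approved update can be read straight from the summary. Server name, port, group name and KB number are placeholders.

```powershell
# Added example (not from the DESY slides): read the detection result for an update on a
# test group, approve it for installation only when it is actually needed there, then
# list the per-computer state. Assumptions: WSUS admin console installed locally,
# server 'wsus' on port 8530 without SSL, group 'Test-Clients' exists, KB is a placeholder.

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus', $false, 8530)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Test-Clients' }
if (-not $group) { throw "Computer group 'Test-Clients' not found" }

# The update to stage; SearchUpdates takes a free-text filter over title and KB number.
$update = $wsus.SearchUpdates('KB000000') | Select-Object -First 1
if (-not $update) { throw 'Update not found on this server' }

# Step 1: detection only. Clients that synced since the metadata arrived have already
# reported whether they need the update; no install approval and no content download
# on the WSUS server is required to get these numbers.
$s = $update.GetSummaryForComputerTargetGroup($group)
"{0}: needed on {1}, installed on {2}, not applicable on {3}, unknown on {4}" -f `
    $update.Title, $s.NotInstalledCount, $s.InstalledCount, $s.NotApplicableCount, $s.UnknownCount

# Step 2: approve for installation, and only for the test group. This is the point at
# which WSUS starts downloading the update files from Microsoft Update.
if ($s.NotInstalledCount -gt 0) {
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    $action   = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
    $approval = $update.Approve($action, $group)
    "Approved '{0}' for group '{1}' at {2}" -f $update.Title, $group.Name, $approval.CreationDate
}

# Step 3: per-computer state inside the group, to chase the machines that failed.
# States: Unknown, NotApplicable, NotInstalled, Downloaded, Installed, Failed, InstalledPendingReboot.
$members = @{}
$group.GetComputerTargets() | ForEach-Object { $members[$_.Id] = $_.FullDomainName }
$update.GetUpdateInstallationInfoPerComputerTarget() |
    Where-Object { $members.ContainsKey($_.ComputerTargetId) } |
    ForEach-Object { "{0,-40} {1}" -f $members[$_.ComputerTargetId], $_.UpdateInstallationState }
```

Keeping the install approval on the test group until the Failed and InstalledPendingReboot rows are understood, and only then approving for "All Computers", is the targeting structure the slides are looking for; the same three steps run unchanged against the production group.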

Page 23: Windows Project DESY


Background Intelligent Transfer Service (BITS 2.0)

• Windows service that allows the asynchronous download of files over HTTP.

• Organizes transfer jobs through a system of queues with different priorities and a time window for every priority.

• Distinguishes foreground jobs, which get the full bandwidth, from background jobs, which only use otherwise unused bandwidth.

• Tolerant of interrupted transfers: a job resumes where it stopped.

• BITS never initiates a network connection by itself.

• Is "not" distributable over WSUS, but is part of XP SP2.

• Its API can be used by other applications.

• The XP support tool "bitsadmin" allows using the service from the command line for other purposes.
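To see the queue and priority behaviour described above, here is a background download done the way the Automatic Updates client does it. This is an added example, not from the DESY slides; it uses the BitsTransfer PowerShell module (Windows Vista/2008 and later; on XP the equivalent is bitsadmin.exe), and the source URL, destination and job name are placeholders.

```powershell
# Added example (not from the DESY slides): an asynchronous, low-priority BITS download.
# The job lives in the BITS queue, takes only unused bandwidth, survives reboots and
# network drops, and delivers the file only on Complete-BitsTransfer.
# URL, destination and display name are placeholders.
Import-Module BitsTransfer

$job = Start-BitsTransfer -Source 'http://wsus.example.desy.de/Content/example.cab' `
                          -Destination (Join-Path $env:TEMP 'example.cab') `
                          -Priority Low -Asynchronous -DisplayName 'Demo download'
# Priority Low/Normal/High are background jobs (idle bandwidth, scheduled by BITS);
# Priority Foreground behaves like an ordinary download and takes the full bandwidth.

while (@('Queued', 'Connecting', 'Transferring', 'TransientError') -contains $job.JobState) {
    "{0,-14} {1}/{2} bytes" -f $job.JobState, $job.BytesTransferred, $job.BytesTotal
    Start-Sleep -Seconds 5      # TransientError = BITS is waiting to retry after a network drop
}
switch ($job.JobState) {
    'Transferred' { Complete-BitsTransfer -BitsJob $job }     # file appears at the destination only now
    'Error'       { "BITS error: {0}" -f $job.ErrorDescription; Remove-BitsTransfer -BitsJob $job }
}

# Every BITS job on the machine, including those the Automatic Updates service created
# for WSUS downloads (all-user view needs administrator rights).
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, Priority, BytesTransferred, BytesTotal, OwnerAccount
```

The last command is the quick way to check on a client whether a large update is still trickling in over idle bandwidth or whether the job is stuck in TransientError behind a proxy or firewall.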

Page 24: Windows Project DESY


Problems / To do / Outlook

• How to handle PCs where nobody logs on locally ("somewhere in the tunnel")?

• How to handle laptops which are seldom connected to the DESY network?

• How to handle "DESY-Home" PCs which only connect from time to time over VPN?

• How to handle Windows computers which are not in the domain? (local computer policy/registry)

• Look for a solution for the problem with administrative Office installations.

• Test service pack installations.

• Find a good targeting structure.

• See whether other products become available for updates over WSUS.

• No look at advanced solutions like SMS 2003 in the near future.

Page 25: Windows Project DESY


References/Links

http://www.microsoft.com/wsus

http://www.wsuswiki.com/

Page 26: Windows Project DESY


The end – Questions?