WUS (Windows Update Services)
Results 1 to 7 of 7

Thread: WUS (Windows Update Services)

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    WUS (Windows Update Services)

    WUS (Windows Update Services)

    What is it?

    WUS is the acronym for Microsoft Windows Update Services. WUS is currently in BETA and is NOT supported by Microsoft, yet. SUS (Software Update Services) was WUS’s predecessor. However, SUS is not as flexible as most network and security administrators would like. SUS lacks reporting, groups, ability to choose which types of updates, details about the updates, the platforms for which updates you are interested in, successful or failed installs, and a couple other useful features that are introduced into WUS. The two major features that were missing, in my opinion, were reporting and groups. SUS has a decent following and has prompted some home brew solutions to cope with SUS’s shortcomings. If you are currently using SUS and don’t want to deploy WUS because it is still in beta, then I suggest you check out the following homebrew “tools”:

    http://singe.rucus.net/sus/
    http://www.susserver.com/Software/SUSreporting/
    http://forums.susserver.com/index.php?showtopic=4107
    http://forums.susserver.com/index.php?showtopic=638

    WUS’s current role in network security is to handle the ever-increasing amount of service packs and patches for Microsoft’s 2K/XP/2K3 operating systems along with the XP/2K3 office suites. As everyone with dial up knows, these patches can be several megabytes to hundreds of megabytes in size. I believe that it would take a dial up user more than 10 hours on a 56k connection to download Windows XP Service Pack 2. However, those of us who have larger pipes can download them in 30 min or less.

    Why do I care?

    Since I have a large pipe, I can download the largest updates in 30 minutes. Does that mean that we want to download a service pack or patch from Microsoft’s Windows Update website hundreds or even thousands of times via Automatic Update? No! What a waste of bandwidth! Do I want untested patches deployed without my approval? No! We want to test the patches within our test environment and then deploy. Who has the time to walk around to so many machines manually installing updates on a weekly or monthly basis?

    What am I going to do about it?

    This is going to change depending on the size of your company or network. You can even set this up at home on a machine that is not a server. You just have to hack up the install package a bit. It will run just fine on a 2K workstation or XP Pro Workstation. (Note: SUS would run fine; however, I have only tested WUS on a 2K Server.)

    I recently setup WUS on a client’s network. This network has over a hundred workstations. I needed an inexpensive and reliable solution that I have control over. With WUS, I could create groups and assign the computers into the groups. (This can also be done with Active Directory.) I took a couple of workstations from each department and put them in the test group. If all is well, and updates don’t break programs they use, then I’ll deploy them to all the workstations. Some critical security vulnerabilities require us to bypass the testing phase and deploy right away. However, if you are on a private network and you have multiple layers of security, there is little reason you shouldn’t be able to test most of the updates. I don’t recommend updating drivers.

    Again, keep in mind that this is still beta. We are aware of this and so far we have had no problems. All machines get all updates just like planned. We will upgrade the WUS server as Microsoft releases updates.

    Minimum requirements for WUS:

    Microsoft recommends having 30 gigs of available disk space. They also recommend 1GB RAM and a minimum of 1 GHz Processor. The server I setup for my home network had the following specifications: 1.5 GHz processors, 768 MB RAM, 160GB OS partition. The WUS install took about 2 gigs of hard drive space for the WUS content and the free SQL server (MSDE2000). By today’s standards, those requirements are miniscule.

    Setting up the servers:

    First and foremost: Read the documentation! Deploying WUS on your network has a great impact on your bandwidth. Each network is different, and you need to determine how you are going to deploy WUS. I certainly don’t have the bandwidth to deploy patches over a WAN. I need a WUS server for each of my remote sites. Then I can sync the servers at night when the bandwidth is not being utilized. One nice thing is that you can specify where you are going to store the content. So, after you have one server setup, you can burn the content to CDs or DVDs and copy them to the server without downloading all of the updates.

    Installation:

    I’m not going to walk you through the install phase. Microsoft has been kind enough to provide a document that will do just that. You can find it on the WUS homepage. It is called “Step-by-Step Guide to Getting Started with Microsoft Windows Update Services”. http://www.microsoft.com/wus

    Note: If you are installing on 2K Server, you have to install MSDE yourself. The setup for 2K3 will automatically install and configure it for you. It is pretty easy to do though. If MSDE doesn’t fit your requirements, then you’ll have to specify some other SQL server. You don’t have to run SQL locally; you can use a remote database server.

    Setting up the clients:

    If you use Active Directory, then this should be a breeze. Create groups based on your workstations in various departments. You’ve probably already done this for security policies anyway. Keep in mind that it is smart to have a test group if you have the resources. Your test subjects should not the 70-year-old receptionist who barely knows how to move the mouse. They should be somewhat technically literate. They should know when something is wrong and promptly report it to the IT department. This is so you know when a patch breaks a commonly used or business critical program. You can then find a workaround for it or decline the update before you have hundreds of users breathing flames through the phone and into your ear.

    If you don’t use Active Directory, then this process is a bit more difficult. You’re going to have to manually set the computer’s local policy to download from your internal server, rather than to download it from Windows Update. This is very easy and self-explanatory. However, make sure that you get the latest ADM file.

    If you are upgrading from SUS to WUS, the clients will automatically get an updated copy of the Windows Update ADM snap-in file.

    Server Security:

    The WUS server (or database server) will have to be one of the tightest boxes you have on your network. If someone were to get access to this server, they can pretty much get the info to access to any of the other boxes on your network. There are other methods of doing this too, but why just give it to them? This would be the ultimate footprinting tool. They will have access to your database! From your database, they can find out which machines have which patches. From that, they can easily choose which canned exploit to launch against the unpatched machine(s).

    By default, only Admins can access the WUS homepage. I’ve taken it a step further and set ACLs on which IP addresses can access the WUS admin page.

    SSL should also be enabled so connections to the WUS server can’t be sniffed. By default, WUS uses HTTP which is transferred in clear text.

    To ensure that the updates have not been tampered with, Automatic Update checks the cyclical redundancy check (CRC).

    For more information on SUS or WUS security, please visit: http://www.microsoft.com/resources/d...h_sus_zvfp.asp

    I have put this same document up on my school site. It has screenshots. The screenshots are not very good quality due to word reformatting them. For this reason, I will also include just the screen shots in a different .zip file. I'll have to do that later this evening though. For the original doc, check out http://user.dtcc.edu/~f1189/ao/wus.doc
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish put me onto this about a week ago and I have to say that it blows SUS out of the water....

    The feature I like the best that was missing before is the ability to rollback a patch if it's bad.....

    Nice Job Phish.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    We are testing WUS out on one of our clients as well. They have roughly 150 workstations and so far so good.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I forgot to post the pics yesterday evening. They're in no specific order.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I did some more reading on this. For those of you who actually use it; did you install this on a dedicated machine or is it shared with something? It requires windows server so there are licensing issues that could make it an expensive install. Especially if the clients connect to it during update. The disaster rollback function could cause some severe overhead. Any insight? I was considering sharing this with a backup server since patch peak times are pretty much scheduled and could be run on a weekend and not interfere with the backup flow. If it ran on XP or 2k I could toss it on a box running antivirus updates.

    Phish, you say you can hack the install to get it to run on a non server based platform? Does that violate the EULA? Any comments from someone who has looked into this? Software compliance is a priority where this could be deployed.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Phish, you say you can hack the install to get it to run on a non server based platform? Does that violate the EULA? Any comments from someone who has looked into this? Software compliance is a priority where this could be deployed.
    I beleive it does violate the EULA. They require 2K or 2k3 Server. I just happened to find a way to hack it up a bit. see this thread

    On my home network, I installed it on a multipurpose server. (file/print/AD/dns/wus)
    I only have a handfull of workstations on my home network though.

    On bigger networks, I installed on a dedicated server.

    We're using per seat licensing though... not per server... so I already had the licenses.
    I'm no licensing expert... but per seat should cover it. I hope.

    As far as the rollback feature... I just deploy to test boxes first. If all is well, then I deploy to the rest of the boxes. If you're only rolling back your test boxes (which shouldn't be that many?) then you shouldn't have too many problems. I took 2 workstations from each department, so I only have about 14 test workstations.

    I was considering sharing this with a backup server since patch peak times are pretty much scheduled and could be run on a weekend and not interfere with the backup flow.
    One thing I noticed is that no matter what you have for your install schedule... the workstations will download as soon as the update is approved. It will then install at the scheduled time.

    Here is review from windowsecurity.
    http://www.windowsecurity.com/articl...es-Review.html

    here is some more wus material
    http://wus.editme.com/WhatIsWUS
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    but per seat should cover it.
    Yeah that should cover it.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •