1. Configuring an Update Testing Infrastructure
Although Microsoft tests updates rigorously before
releasing them publicly, no one can test every possible combination
of software and hardware for adverse side effects that might result
when an update is applied. For this reason, you should deploy updates
to a small group of computers before deploying them to all computers
in your organization, and test those computers to determine whether a
newly released update conflicts with your organization's specific
software configuration.
You should ensure that the small group of computers on which you
test updates match the software and hardware configuration of
computers in your organization and that the computers used for testing
are actually used by real people to perform their everyday job-related
tasks. You need to do this because you will not be able to detect all
possible problems by simply installing the update on a computer that
no one actually uses. Only through testing the updates under
real-world conditions do any conflicts or other problems become
evident.
You should leave updates deployed on the test computers long
enough that you have confidence they do not cause problems when
deployed generally. You must balance this against not waiting so long
that the computers in your organization remain exposed to the issue
that the update addresses. In many organizations, updates are deployed
to test computers 7 to 10 days before being deployed to all other
computers in the organization. This period provides enough time to
confirm that the updates do not cause obvious problems with the
existing configuration before rolling the updates out more
generally.
A basic update testing infrastructure would have a separate
WSUS computer group containing the computer accounts of all test
computers. A WSUS automatic approval rule for all new updates would
apply only to this computer group. After a seven-day period in which
users of the computers in the test group had reported no issues, the
WSUS administrator would manually approve the same updates for the
All Computers group.
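The manual promotion step described above can be scripted against the WSUS administration API so that an update is only approved for All Computers once it has been approved for the test group for the full soak period and no test computer has reported an installation failure. The following PowerShell is an added example, not code from the lesson; it assumes the automatic approval rule for the test group has already been configured in the WSUS console, that the test group is named "Update Test", that the script runs as a WSUS administrator on a machine with the WSUS console installed, and that the server name and port are placeholders. It does not replace the user feedback the lesson relies on; it only adds the failure counts WSUS already holds as a second gate.

```powershell
# Added example (not from the original lesson): promote updates that have been
# approved for a WSUS test group for at least $soakDays days, with no install
# failures reported by that group, to the All Computers group.
# Assumptions: WSUS 3.0 SP2 or later, run as a WSUS administrator on a machine
# with the WSUS console; server name, port and group name are placeholders.

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$serverName    = "wsus01"        # placeholder
$useSsl        = $false
$port          = 8530            # default WSUS HTTP port
$testGroupName = "Update Test"   # placeholder: the group the auto-approval rule targets
$soakDays      = 7
$dryRun        = $true           # set to $false to actually approve

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($serverName, $useSsl, $port)

$groups    = $wsus.GetComputerTargetGroups()
$testGroup = $groups | Where-Object { $_.Name -eq $testGroupName }
$allGroup  = $groups | Where-Object { $_.Id -eq [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers }
if (-not $testGroup) { throw "Test group '$testGroupName' not found on $serverName" }

# Only consider updates whose latest revision is approved somewhere.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$soakDays)   # approval dates are stored in UTC

foreach ($update in $wsus.GetUpdates($scope)) {
    # Most recent Install approval for the test group; skip updates never approved there.
    $testApproval = $update.GetUpdateApprovals($testGroup) |
        Where-Object { $_.Action -eq $install } |
        Sort-Object CreationDate -Descending | Select-Object -First 1
    if (-not $testApproval) { continue }

    # Nothing to do if All Computers already has an Install approval.
    if ($update.GetUpdateApprovals($allGroup) | Where-Object { $_.Action -eq $install }) { continue }

    if ($testApproval.CreationDate -gt $cutoff) {
        Write-Host ("SOAKING  {0} (approved for {1} on {2:d})" -f $update.Title, $testGroupName, $testApproval.CreationDate)
        continue
    }

    # Installation results the test computers have reported back to WSUS.
    $summary = $update.GetSummary($testGroup)
    if ($summary.FailedCount -gt 0) {
        Write-Warning ("HOLD     {0}: {1} failed install(s) in {2}" -f $update.Title, $summary.FailedCount, $testGroupName)
        continue
    }
    if (($summary.InstalledCount + $summary.InstalledPendingRebootCount) -eq 0) {
        Write-Warning ("HOLD     {0}: no computer in {1} has reported installing it" -f $update.Title, $testGroupName)
        continue
    }

    Write-Host ("PROMOTE  {0}" -f $update.Title)
    if (-not $dryRun) {
        $update.Approve($install, $allGroup) | Out-Null
    }
}
```

Run it with `$dryRun = $true` first and review the SOAKING, HOLD and PROMOTE lines; the HOLD cases are exactly the updates the lesson says should not go to All Computers yet. Because WSUS only knows what clients report, an update with no installs recorded is held rather than promoted, which is the same caveat the next section makes about WSUS reports.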
2. Verifying Update Deployment
The final component in a successful update strategy is ensuring
that updates deploy correctly to client computers. There are many
reasons why updates might not deploy correctly to client computers,
including but not limited to the computer being switched off for a
lengthy period of time, synchronization problems, and lack of disk
space on the client.
One of the simplest ways to verify which updates are installed
on local and remote computers running Windows 7 that are members of
the same domain is to run the Get-HotFix Windows PowerShell cmdlet.
Use the -ComputerName parameter to specify the names of the remote
computers that you want to check. For example, the command
Get-HotFix -ComputerName wkstn1,wkstn2,wkstn3,wkstn4
reports all of the updates installed on computers wkstn1, wkstn2,
wkstn3, and wkstn4. Although this is a quick way to verify which
updates are installed on a small number of computers, it is not an
effective technique for determining the status of missing updates
across a large number of computers. The output tells you only which
updates are present on the target computers; it does not tell you
which updates should be there but are missing.
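Get-HotFix can still be made to answer the "what is missing" question for a short, known list of updates, by comparing what each computer reports against the KB numbers you expect. The following PowerShell is an added example, not code from the lesson; the computer names and KB numbers are placeholders (in practice take the KB list from your WSUS approvals). It assumes the account running it is a local administrator on each target and that the targets accept WMI connections (Get-HotFix uses the Win32_QuickFixEngineering class over DCOM), and it deliberately reports unreachable computers as unknown rather than silently treating them as patched, which is the same blind spot the next paragraph describes for WSUS reports. Note also that Win32_QuickFixEngineering lists only updates applied through the operating system's servicing stack, not updates to Windows Installer-based applications such as Office.

```powershell
# Added example (not from the original lesson): compare the updates each
# computer reports via Get-HotFix against an expected list of KB numbers.
# Assumptions: local administrator rights and WMI connectivity to each target;
# all names and KB numbers below are placeholders.

$computers  = "wkstn1", "wkstn2", "wkstn3", "wkstn4"
$expectedKB = "KB3000000", "KB3000001"   # placeholder IDs; use your WSUS approval list

function Get-MissingHotFix {
    param(
        [string[]]$ComputerName,
        [string[]]$ExpectedId
    )
    foreach ($c in $ComputerName) {
        try {
            # HotFixID is the "KBnnnnnn" string from Win32_QuickFixEngineering.
            $present = Get-HotFix -ComputerName $c -ErrorAction Stop | ForEach-Object { $_.HotFixID }
        } catch {
            # RPC unavailable, access denied, etc.: report it instead of assuming "patched".
            New-Object PSObject -Property @{
                ComputerName = $c
                Status       = "Unknown (unreachable)"
                MissingKB    = ""
                Error        = $_.Exception.Message
            } | Select-Object ComputerName, Status, MissingKB, Error
            continue
        }
        $missing = @($ExpectedId | Where-Object { $present -notcontains $_ })
        New-Object PSObject -Property @{
            ComputerName = $c
            Status       = if ($missing.Count -gt 0) { "Missing updates" } else { "OK" }
            MissingKB    = ($missing -join ",")
            Error        = ""
        } | Select-Object ComputerName, Status, MissingKB, Error
    }
}

Get-MissingHotFix -ComputerName $computers -ExpectedId $expectedKB | Format-Table -AutoSize
```

New-Object PSObject is used rather than the [pscustomobject] accelerator so the script also runs under the Windows PowerShell 2.0 that ships with Windows 7. For more than a handful of computers or KB numbers this approach does not scale, which is where the WSUS reports and MBSA discussed next come in.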
One way you can determine which updates are missing from
client computers in your organization is to use WSUS reports. WSUS
servers generate reports based on information forwarded to the WSUS
server by its clients. When a WSUS client retrieves and installs an
update, or fails to install it, it reports that result back to the
WSUS server.
WSUS servers do not query clients to determine whether
specifically approved updates are missing; they can use only the
information that active clients report back to them. This
distinction is important because you learn nothing about the update
status of client computers that have not reported to the WSUS server
at all. To find out whether a client computer that has stopped
reporting has some unforeseen configuration problem, you must use a
tool such as the Microsoft Baseline Security Analyzer, covered later
in this lesson, to query the client computer directly and determine
whether specific updates are missing.
You can access WSUS reports from the Reports node of the WSUS
console, as shown in Figure 1. WSUS
reports can be printed or exported to Microsoft Office Excel or PDF
format. Because WSUS data can be forwarded to a SQL Server database,
you can also perform a separate analysis using your own database
queries. There are several basic categories of reports that allow
you to view how successful the deployment of a specific update has
been or the update status of specific WSUS server clients.
Microsoft Baseline Security Analyzer
As mentioned, you can use Microsoft Baseline Security
Analyzer (MBSA) to scan client computers in an organization to
determine whether they are missing software updates. You can
configure the MBSA tool to check whether a computer is up to date
with the updates published by Microsoft through the Microsoft Update
servers. You can also configure the MBSA tool to check against the
list of approved updates hosted on a local WSUS server. This
practice allows you to determine whether a computer is up to date
with the updates that have been approved for your specific
environment. When used to scan against a WSUS server approval list,
the MBSA tool scans using the WSUS server assigned to the scanning
computer through policy.
The person performing the scan of remote computers must do so
with a user account that is a member of the local Administrators
group on each remotely scanned computer. This requirement ensures
that an unprivileged user or attacker on the network cannot use the
MBSA tool to enumerate which patches a computer is missing. The MBSA
tool can also be used to locate common administrative vulnerabilities
caused by problematic configuration practices, such as weak local
account passwords.
You can use the MBSA tool to scan all computers that are
members of a specific domain or all computers that are located in a
particular IP address range, as shown by Figure 2. When scanning
computers, ensure that the Check For Security Updates option is
configured. Then you need to choose between configuring the scan to
use Microsoft Update or the WSUS server that is configured for the
computer performing the scan.
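The same scan can be run unattended from the mbsacli.exe command-line client that installs alongside the graphical tool, which is how you would schedule it or feed it a list of computers that have gone quiet in WSUS. The following PowerShell is an added example, not code from the lesson; it assumes MBSA 2.1.1 or later is installed in its default location, that the scanning account is a local administrator on each target, and that the computer names are placeholders. The switch names are the ones printed by mbsacli /? and are used as an assumption about that version of the tool.

```powershell
# Added example (not from the original lesson): run an MBSA security-update
# scan from the command line against the WSUS-approved update list, for every
# computer in a list, then show where the reports were written.
# Assumptions: MBSA 2.1.1+ in the default install path, local admin rights on
# each target; computer names are placeholders.

$mbsacli  = Join-Path ${env:ProgramFiles} "Microsoft Baseline Security Analyzer 2\mbsacli.exe"
$targets  = "wkstn1", "wkstn2", "wkstn3", "wkstn4"
$listFile = Join-Path $env:TEMP "mbsa-targets.txt"
$targets | Set-Content -Path $listFile

if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

# /listfile  scan each computer named in the file (one per line)
# /n         skip the named non-update checks so only security updates are assessed
# /wa        report only updates approved on the WSUS server assigned to this
#            computer by policy (use /wi instead to show all Microsoft Update updates)
# /o         report file name template (%D% = domain, %C% = computer, %T% = timestamp)
& $mbsacli /listfile $listFile /n "OS+IIS+SQL+Password" /wa /o "%D% - %C% (%T%)"

# Reports are stored as .mbsa XML files under the scanning user's profile.
$reportDir = Join-Path $env:USERPROFILE "SecurityScans"
Get-ChildItem -Path $reportDir -Filter *.mbsa |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First $targets.Count Name, LastWriteTime
```

Because the scan runs with the caller's credentials, the account used must be a local administrator on every target, the same requirement the lesson states for the graphical tool; a computer that the scan cannot reach shows up as a failed scan rather than as "up to date", which is the behaviour you want when the point of the scan is to find clients that have not been reporting to WSUS.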
Keep in mind that only Microsoft Baseline Security
Analyzer 2.1.1 and later are compatible with the Windows 7 operating
system. You install and use the Microsoft Baseline Security Analyzer
in the practice exercise at the end of this lesson.