
Windows Server 2003 on HP ProLiant Servers : Security Planning and Design (part 3) - Microsoft Software Update Service and Windows Update Service

2/7/2013 5:15:18 PM

Microsoft Software Update Service (SUS) and Windows Update Service (WUS)

SUS was Microsoft's initial attempt to provide a tool that automates the download and application of security patches, service packs, and other updates to servers and workstations. Currently, the new WUS has not been released.

Software Update Service (SUS)

Once a server has been chosen to host SUS, the SUS software is installed on it. This server is configured to download from Microsoft's Windows Update site periodically (the default is 3 a.m. daily). SUS is then enabled on the clients through a Group Policy, in which you specify the name of the SUS server. The clients that the policy applies to download the updates periodically and either notify the user of their availability or automatically apply them (optional).

The SUS server is domain-independent. Thus, if you have several domains, you can have a single SUS server to serve all computers in all domains. You can also specify a hierarchy of SUS servers, as shown in Figure 7. In this example, the top-level SUS server, SUS-01, gets the downloads from Microsoft. The second-level servers, SUS-02, SUS-03, and SUS-04, download from SUS-01. Because they are located via HTTP, they are domain-independent and can be placed at convenient locations in the network for best performance in serving clients.

Figure 7. SUS server hierarchy.


Note

You can get the SUS software for the server at http://www.microsoft.com/downloads/details.aspx?FamilyID=a7aa96e4-6e41-4f54-972c-ae66a4e4bf6c&DisplayLang=en. You should also download the “Software Update Services Overview” whitepaper from http://support.microsoft.com/default.aspx?scid=kb;en-us;810796.


Some of the features of SUS include:

  • You can download from Microsoft or other SUS servers.

  • The Administrator can configure the download schedule.

  • The Administrator can configure patches, service packs, and so on to be automatically applied at the client or to require Administrator approval before deploying to the client.

  • Clients can be configured to automatically install the updates or to notify the user, like the normal update service does.

  • Clients can be configured to automatically reboot when the updates are applied or to be rebooted manually. (Thus, you can fully automate SUS so that patches are automatically downloaded from Microsoft, distributed to the clients, installed, and the clients rebooted without manual intervention—or with intervention as desired.)

  • SUS works across domain boundaries using the HTTP service.

  • The SUS server can be managed from any computer via a browser by specifying the server name in the format http://servername/SUSAdmin, where servername is the name of the SUS server.

  • SUS works on DCs or servers.

  • It's free!
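
As an added illustration (not from the original text or from Microsoft): Group Policy delivers the SUS server name and the client install and reboot behavior listed above as registry values, so `reg query` output collected from clients can be audited against the servers you expect. The value names (WUServer, UseWUServer, AUOptions, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers) are not listed on this page; the hostnames, the approved list, and the sample output are constructed.

```python
import re

# Assumed input: `reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /s`
# output per client. Hostnames and sample text below are constructed.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
AU_MODES = {2: "notify before download", 3: "download, notify before install",
            4: "download and install on schedule"}

def parse_reg_query(text):
    """Parse reg query output into {value_name: value}; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:  # key headers and blank lines do not match
            name, kind, data = m.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def audit_client(values, approved_servers):
    """Return findings for one client's Automatic Updates policy values."""
    findings = []
    server = str(values.get("WUServer", "")).rstrip("/").lower()
    if values.get("UseWUServer") != 1 or not server:
        findings.append("not pointed at an internal SUS server")
    elif server not in approved_servers:
        findings.append("unapproved update server: " + server)
    if values.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates disabled")
    elif values.get("AUOptions") != 4:
        mode = AU_MODES.get(values.get("AUOptions"), "not configured")
        findings.append("updates not installed automatically: " + mode)
    if values.get("NoAutoRebootWithLoggedOnUsers") == 1:
        findings.append("reboot deferred while a user is logged on")
    return findings

KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate"
SAMPLE = {  # constructed reg query output for two hypothetical clients
    "WS-101": KEY + "\n    WUServer    REG_SZ    http://SUS-02\n\n" + KEY + "\\AU\n"
              "    UseWUServer    REG_DWORD    0x1\n    AUOptions    REG_DWORD    0x4\n",
    "WS-102": KEY + "\n    WUServer    REG_SZ    http://sus-old\n\n" + KEY + "\\AU\n"
              "    UseWUServer    REG_DWORD    0x1\n    AUOptions    REG_DWORD    0x3\n"
              "    NoAutoRebootWithLoggedOnUsers    REG_DWORD    0x1\n",
}
APPROVED = {"http://sus-01", "http://sus-02", "http://sus-03", "http://sus-04"}

def audit_fleet(samples=SAMPLE, approved=APPROVED):
    return {host: audit_client(parse_reg_query(t), approved) for host, t in samples.items()}
if __name__ == "__main__":
    print(audit_fleet())
```

This reports how each client is configured, not whether a given patch was actually applied.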

Some of the drawbacks include:

  • It's free (you get what you pay for).

  • There's no good way to determine whether the updates worked or not. You have to drill down in the event logs of the client to determine whether they were applied.

  • There's no way to report which clients have been updated. You can put the patches on the machines, but you don't know whether they have been applied.

  • Still requires a lot of manual intervention. It's still a long way from what Administrators really need and have been begging for—an automated way to determine vulnerabilities in the system and to apply the patches proactively.

Tip

Microsoft has provided the SUS 1.0 ADM file for SP1: http://www.microsoft.com/downloads/details.aspx?FamilyID=d26a0aea-d274-42e6-8025-8c667b4c94e9&DisplayLang=en. This ADM is an add-on to Group Policy that permits additional administrative control over SUS clients running SUS SP1.


Although the SUS made life somewhat easier in patch management, it's not the answer Administrators are looking for. The better solution is the WUS, which is in beta at this writing.

Windows Update Service (WUS)

Because this product is in beta at this writing, there is not a lot of detail on how it works or on actual deployments. I have summarized some of the features that Microsoft is promising. Make sure you check Microsoft's Web site for details after WUS is released. One big change is the addition of the Microsoft Update (MU) service. SUS used the Windows Update (WU) service, but this service only included Windows OS updates. MU hosts the updates for all Microsoft products. Note that WUS gets its updates from MU.

The WUS takes a big step in enterprise patch management with the following features:

  • An SQL (Structured Query Language) database or MSDE (Microsoft Data Engine) holds all data other than content.

  • Uses .NET Framework.

  • Scriptable through exposed APIs (Application Program Interfaces) for server and client.

  • Manages all Microsoft product patches—not just Windows.

  • Can be configured to manage other products' patches.

  • Can build a hierarchy of WUS servers.

  • Easier to configure than SUS.

  • WUS Client Automatic Updates are controlled by policy.

  • Built-in security features.

  • Validates all downloaded content for Microsoft certificates.

  • All content download locations are secured by ACLs.
