Compliance
is a term that encompasses all the configurations necessary for
ensuring that the computers in your organization are configured to a
specific standard. For example, to meet compliance requirements, all
client computers running Windows Vista might need Service Pack 1 and a
specific set of updates applied, a certain firewall configured, and a
specific set of applications installed. In this lesson, you will learn
about several technologies you can use to assess whether software
updates that you have approved have actually been deployed to all the
computers in your environment. You will also learn how to create a
role-based security policy that you can apply to computers in your
environment and the tools you can use to verify that the applied policy
remains active.
Microsoft Baseline Security Analyzer
The Microsoft Baseline
Security Analyzer (MBSA) is a basic tool that enables systems
administrators to scan the network to determine which computers are
missing updates or are incorrectly configured according to Microsoft
best practices recommendations. The best practices scan involves
checking Windows Firewall policies, SQL Server service accounts, and
other security configuration settings. The MBSA tool can integrate with
WSUS, so rather than scanning target systems to see whether any updates
are missing from the entire catalog of updates, the MBSA tool will just
check whether approved updates are missing from a target computer. You
can also use the MBSA tool to detect computers that have not been
assigned a software update server. To scan computers with the MBSA tool,
your user account must have administrative privileges on the target
computer. This enables you to scan computers in your own and trusted
forests, assuming your user account has been delegated the appropriate
privileges.
As of version 2.1, the
MBSA cannot be used to scan computers running Windows Server 2008,
although this will be addressed in later versions of the product.
Although you can use the MBSA tool to scan most computers in enterprise
environments, as Figure 1
shows, the MBSA scans are relatively limited in the problems that they
can detect on the computers in your environment. Another drawback to the
MBSA tool is that the reports it generates are basic. Unlike tools such
as SCCM 2007, discussed later in this lesson, you cannot configure the
MBSA tool to notify you by e-mail automatically if a server or servers
in your environment become noncompliant.
WSUS Reporting
You can use WSUS 3.0 SP1 to
offer basic software update compliance reporting functionality in
enterprise environments. The reports WSUS generates are based on
information communicated with WSUS. WSUS does not scan computers to
determine whether updates are missing but instead records whether
updates have been downloaded to target computers and whether the target
computers have reported back to the WSUS server that the update has been
successfully installed. Figure 2 shows a list of the available WSUS reports.
WSUS reports can be
printed or exported to Microsoft Office Excel or PDF format. If WSUS
data is written to a SQL Server database, you can perform your own
separate analyses by using your own set of database queries. This
enables the generation of more sophisticated reports than are offered by
the default WSUS configuration.
You can generate the
following reports with WSUS 3.0 SP1 if your user account is a member
of the WSUS Reporters or WSUS Administrators groups:
Update Status Summary
This report contains basic information about update deployment,
including the number of computers the update is installed on, is needed
on, or failed to install on, and for which WSUS has no data. One page is
available per update. Figure 3 shows an Update Status Summary Report.
Update Detailed Status
This report offers significantly more information about the deployment
of updates, providing a list of computers and their update status on an
update-per-page basis. When you run a detailed update report, you can
view the report in summary or tabular format.
Update Tabular Status
This report format provides data in a table on a per-update basis. After
this report is generated, you can switch the report to Summary or Update
Detailed Status. This form of report is the best to export to Excel
because it is already in tabular format, as shown in Figure 4.
Computer Status Summary
Similar to the Update Detailed Status report, this report provides
update information on a per-computer rather than on a per-update basis.
Data is presented in summary form.
Computer Detailed Status
This report format provides detail about the status of specific updates
for a particular computer. After this report is generated, you can
switch the report to summary or tabular form.
Computer Tabular Status
This report provides a table of update status information, with
individual computers as rows. After this report is generated, you can
switch the report to summary or tabular form.
Synchronization Results
This report shows the result of the last synchronization of the WSUS server.
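The following added example (not part of the lesson or of WSUS itself) shows the kind of custom analysis the text describes: it loads constructed sample data into an in-memory SQLite database whose three tables are loosely modelled on the WSUS public views (the table names, computer names and update titles are assumptions), then computes per-update and per-computer counts in the same four buckets as the Update Status Summary and Computer Status Summary reports (installed, needed, failed, no data). The numeric state codes follow the WSUS UpdateInstallationState convention and are likewise an assumption for this example.

```python
import sqlite3

# WSUS installation-state codes (UpdateInstallationState enum); assumed for this example.
UNKNOWN, NOT_APPLICABLE, NOT_INSTALLED, DOWNLOADED, INSTALLED, FAILED, PENDING_REBOOT = range(7)

# Constructed sample data, loosely modelled on the WSUS public views; every name is made up.
COMPUTERS = [(1, "CLIENT01"), (2, "CLIENT02"), (3, "CLIENT03"), (4, "SERVER01")]
UPDATES = [(101, "KB-EXAMPLE-A"), (102, "KB-EXAMPLE-B")]
INSTALL_INFO = [  # (computer_id, update_id, state) as reported by each client to WSUS
    (1, 101, INSTALLED), (1, 102, PENDING_REBOOT),
    (2, 101, FAILED), (2, 102, NOT_INSTALLED),
    (3, 101, DOWNLOADED), (3, 102, NOT_APPLICABLE),
    (4, 101, INSTALLED),  # SERVER01 never reported on update 102: WSUS has "no data"
]

def load_db():
    """Build an in-memory database holding the constructed WSUS-style data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE computers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE updates (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE install_info (computer_id INTEGER, update_id INTEGER, state INTEGER);""")
    con.executemany("INSERT INTO computers VALUES (?, ?)", COMPUTERS)
    con.executemany("INSERT INTO updates VALUES (?, ?)", UPDATES)
    con.executemany("INSERT INTO install_info VALUES (?, ?, ?)", INSTALL_INFO)
    return con

# The grouping column comes from this fixed table (Update vs. Computer report), never from user input.
_GROUP_KEY = {"update": "u.title", "computer": "c.name"}

def status_summary(con, by="update"):
    """Counts per update (Update Status Summary) or per computer (Computer Status Summary)."""
    # Every (update, computer) pair is enumerated so a client that never reported on an
    # update lands in the "no data" bucket instead of silently disappearing from the report.
    sql = f"""SELECT {_GROUP_KEY[by]} AS k,
            SUM(CASE WHEN i.state IN (4, 6) THEN 1 ELSE 0 END) AS installed,
            SUM(CASE WHEN i.state IN (2, 3) THEN 1 ELSE 0 END) AS needed,
            SUM(CASE WHEN i.state = 5 THEN 1 ELSE 0 END) AS failed,
            SUM(CASE WHEN i.state IS NULL OR i.state = 0 THEN 1 ELSE 0 END) AS no_data
        FROM updates u CROSS JOIN computers c
        LEFT JOIN install_info i ON i.update_id = u.id AND i.computer_id = c.id
        GROUP BY k ORDER BY k"""
    return {k: {"installed": a, "needed": b, "failed": f, "no_data": n}
            for k, a, b, f, n in con.execute(sql)}

def noncompliant_computers(con):
    """Computers with any approved update still needed, failed, or unreported."""
    return sorted(name for name, row in status_summary(con, "computer").items()
                  if row["needed"] or row["failed"] or row["no_data"])
```

Because WSUS only records what clients report back, the "no data" bucket is the one to watch: a computer that has stopped reporting looks compliant in a naive count but shows up here.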
Enabling
the Reporting Rollup For Downstream WSUS servers option enables update,
computer, and synchronization data for replica downstream servers to be
included in reports generated on the upstream WSUS server. This is an
important option in enterprise environments because it displays a
complete view of the software update deployment process.