
Patch Management 

PCQ Bureau

If you are on a network that has never been hit by a Trojan or worm, it could be for one of two reasons. One is that you have a great system administrator; the other is that you are just plain lucky. If the reason is the first, you could probably make his life simpler by giving him this article to read. If it is the second, you had better read on before your luck runs out.


One of the most common things that happens when a network or a computer is compromised by a hack, Trojan or worm is to blame the OS developer, in most cases Microsoft. All the previous high-profile cases (Nimda, Code Red, Sobig, Slammer) gave a big, black eye to Microsoft's reputation by painting it as a writer of insecure code. However, if Microsoft is to be blamed, so equally are the owners of the networks that were most affected by these. The patches for all these vulnerabilities were available from Microsoft long before the exploits surfaced.

So you might say, "But MS releases so many patches, it is difficult to keep track of them and deploy them in my organization."

This is where the Microsoft System Update Services come into the picture. This free download from Microsoft lets you quickly set up a server that can perform most of the patch management for you.


To set this up, download the SUSSP1 package from Microsoft's site (or check it out on the CD). You will need either Windows 2000 Server or Windows Server 2003 to install the SUS package, plus Internet Information Services (IIS) 5 or 6. When you start installing the package, you need to answer a couple of simple questions: the languages you wish to support at the clients' end (the default being English), the directory in which to store the SUS content as well as the patches themselves, and whether you want to manually approve new versions of previously approved packages or have that done automatically.

SUS can be installed in a number of different configurations. Here are some of the most common:

- The SUS server is connected to the Internet, where it downloads patches from the Windows Update site and stores them locally. Client (LAN) computers connect to it via the Windows Update service periodically and download and install the updates automatically.

- The SUS server is connected to the Internet but downloads only the update catalog. LAN computers use this catalog to find out what the latest updates are and then download them individually.

- The SUS server picks up updates from another SUS server on the network. This is ideal in a large organization that is distributed geographically.

- Any of the options above, but with a test environment where an admin tests each new patch before approving it for deployment across the organization.


Once the installation is over, you can browse over to http://localhost/susadmin to open the SUS administration interface. First of all, go over to the Options menu and check the different settings there. 

KNOW SUS
MS SUS is a great tool to deploy Windows patches in your organization. However, there are a few things to keep in mind when you do.

SUS is meant to deploy only Windows patches–the ones that you get from Windows Update. These are the critical and security patches — not the add-ons and new driver updates.

You cannot deploy patches for software such as MS Office or Visual Studio. Apart from the Windows versions it supports, SUS also patches IE and .NET. If you need to automate patching of other applications in your enterprise, you might need to look at a more comprehensive package such as MS Systems Management Server 2003.

We've found that certain antivirus software running on the server sometimes raises a false positive alarm when installing SUS. This is due to the presence of Windows scripts in the installer. Simply disable the antivirus till the installation is done.

You can use the WUAU template to deploy the update settings through Active Directory, or use the older Windows NT system policies to deploy the registry settings that the clients require if you do not have Active Directory running.

Pay close attention to the name of the SUS computer, since this is the name the clients will use to download the patches.


Once the settings are made, go to the Synchronize menu. Here you can either synchronize immediately or on a schedule. The first time you set up SUS, synchronize immediately. The SUS server will download patches for Win 2000/Me/XP/2003, IE and the .NET Framework for the languages you have selected. This first download will take a while depending on your Internet bandwidth; after that it will only download the newer updates.

The admin can then approve, for automatic deployment, the patches that the client computers require.

This gives the administrator the leeway not to install some patches if they conflict with some other program, for instance the infamous WinNT SP6 that conflicted with Lotus Domino.


Next comes the task of enabling automatic updating of the client computers. For this, you need to either use Active Directory or manually deploy a few system policies to each computer. Either way, you need to open the Group Policy Editor (by running GPEDIT.MSC). Open Computer Configuration and right-click "Administrative Templates". Select Add/Remove Templates from the context menu.

Click "Add…", browse to \Windows\Inf and select the WUAU.INF file. (Note: if you cannot find this file, you will need to download the latest Windows Update client setup from the same location on the Microsoft site.)

When the template is installed, open Administrative Templates > Windows Components > Windows Update. This has all the different settings that you can set for each computer in the network. The most important ones are:


- Configure Automatic Updates: This sets how often the client computer checks for and installs the updates. You will need to enable this setting and choose whether updates are installed after prompting the user, automatically (the default and recommended choice), or on a schedule that you define.

- Specify intranet Microsoft update service location: This lets you specify the name or IP address of the SUS machine on your LAN from which updates are to be picked up. You can also set a server where update statistics are to be collected. Simply point both at the SUS server.

- Reschedule Automatic Updates scheduled installations: Lets the administrator specify that a failed installation is rescheduled for automatic installation the next time someone logs in, after a delay that you define in minutes.

- No auto-restart for scheduled Automatic Updates installation: This lets the admin specify whether a logged-in user has control over the reboot that may be required after certain updates are installed. If enabled, a logged-in user is prompted after the updates are installed; if disabled, he is not. In either case, if no user is logged in, the machine is restarted automatically.
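Whichever route you take (the WUAU template through Active Directory or NT system policies), these four settings end up as values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey on every client, so the quickest way to confirm a client is actually pointed at your SUS server is to read that key back. The Python script below is an added example, not part of this article or of SUS itself: it parses an exported copy of that key (a constructed sample in the format `reg export` writes, with http://susserver as a placeholder server name) and reports anything that would leave the client unpatched or still talking to Windows Update on the Internet. The value names (WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate, ScheduledInstallDay, ScheduledInstallTime, RescheduleWaitTime, NoAutoRebootWithLoggedOnUsers) are the ones the Windows Update client reads; the AUOptions meanings are assumed from the client's documented behaviour.

```python
import re
import sys

# Constructed sample of a policy export (what `reg export` produces on a client
# after the WUAU template has been applied). Not taken from the article;
# http://susserver is a placeholder for your SUS machine's name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://susserver"
"WUStatusServer"="http://susserver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
"RescheduleWaitTime"=dword:0000000a
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"""

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Meaning of AUOptions as set by "Configure Automatic Updates" (assumed mapping).
AU_OPTIONS = {
    2: "notify before download",
    3: "auto download, notify before install",
    4: "auto download and schedule install",
    5: "let local admin choose",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+?)\s*$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    dword values become ints; quoted strings lose their quotes; anything
    else (hex blobs etc.) is kept as the raw text.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("val")
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1]
            else:
                value = raw
            keys[current][m.group("name")] = value
    return keys


def audit_wu_policy(keys):
    """Return a list of findings; an empty list means the client uses the
    intranet SUS server with automatic installation enabled."""
    findings = []
    wu = keys.get(WU_KEY, {})
    au = keys.get(AU_KEY, {})
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates is disabled by policy (NoAutoUpdate=1)")
    mode = au.get("AUOptions")
    if mode not in AU_OPTIONS:
        findings.append("AUOptions missing or invalid: 'Configure Automatic Updates' is not enabled")
    elif mode == 2:
        findings.append("AUOptions=2: nothing is downloaded until a user acts")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer != 1: client will use Windows Update on the Internet, not the SUS server")
    for name in ("WUServer", "WUStatusServer"):
        if not wu.get(name):
            findings.append(f"{name} is not set")
    if mode == 4:
        day, hour = au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")
        if day is None or hour is None or not (0 <= day <= 7) or not (0 <= hour <= 23):
            findings.append("Scheduled install day/time missing or out of range")
    return findings


if __name__ == "__main__":
    # With a path argument, read a real `reg export` file (written as UTF-16).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_REG_EXPORT
    problems = audit_wu_policy(parse_reg_export(text))
    print("\n".join(problems) if problems else "Windows Update policy looks correct for SUS")
```

On a client, `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" wu.reg` produces the input file; run the script with that path to audit a machine, or with no argument to check the embedded sample. A client with an empty findings list but no entries yet in the SUS statistics log usually just has not passed its next detection interval.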

Once this is done on the client computers, the Windows update service connects to the new server and immediately downloads and installs the updates according to the specified settings.

MS SUS is a quick and inexpensive way to ensure that your network is protected from Trojans, worms and hacks targeting your Windows installations. So, the next time you hear someone talking about how insecure Windows is, ask him/her whether they have their patches deployed throughout their network using SUS.

Vinod Unny
