WSUS Server

scj6771 · 10-02-2006, 12:17 PM

I know this is going to be vague but I need to get a WSUS server running on a Windows 2003 Server to deploy patches to around 600 machines. I have downloaded the needed version of WSUS and installed it.

Any advice? Anyone use WSUS?

I have read the "white papers" and it seems to be a farily user friendly application.

newhouse1390 · 10-03-2006, 07:45 AM

I use WSUS to deploy patches for about 400 machines. Are you running a server with AD integrated? If you are you can set the clients to receive updates through the group policy. You are going to need to evaluate where all 600 of you clients are as far as current MS patches go. You are going to want to familiarize yourself with the WSUS approval terminology. What I did because most clients were somewhat patched, I approved all the updates for detection and that allowed me to evaluate where I was. One by one I approved the patches for installation (the needed patches were identified). Now I am at a point where I can watch the release of the monthly security updates and deploy them the same day. It really just takes some getting use to. Microsoft has great resources on best ways to deploy updates, but it really depends on your organization. You can get down to the “nitty gritty” when configuring how users will receive the updates. Again, most of the setting you are going to want to configure based on your users and or security needs.

Let me know what your setup is as far a Clients/Servers OS, and if you can edit the GP using AD.

scj6771 · 10-03-2006, 09:15 AM

Thanks for the reply newhouse1390, As of know we have the WSUS Server setup at our corporate location on a Win 2000 box, all of our clients are running Win XP, some with and some without service pack 2.

We have 8 centers around the east coast consisting of around 10-30 employees at each location with one Win 2000 server at each running symantec anti virus.

We are currently in the process of cleaning up our AD, as of right now once a machine is logged into the domain it dumps it into one container, we will be creating seperate OU's for each location and diveded into users and computers.

Quote:

and if you can edit the GP using AD.

Yes this can be done by myself and is obviously the way I would like to go. Do you have some advice on setting this policy up? Thanks again.

newhouse1390 · 10-03-2006, 04:44 PM

http://www.microsoft.com/technet/com...ip/st0506.mspx

Above is a good link containing a description of what GP Assignments can be made. Personally, I give my users control over the installation of updates. I Download the update(s) to the WSUS server for approval and then set a deadline for the install (about a week, depending on the severity of the update). I also allow non-administrators receive update notifications, this encourages users to install updates themselves and puts them in the right frame of mind in regards to security. They feel more secure and rely on the computer technology more to do their day to day business operations.

The one thing you want to pay very close attention to is the reboot behavior. You don't want a patch to be deployed and then a user being forced to reboot their computer in 5 minutes. Similarly, you don’t want you r boss to be in the middle of a corporate meeting and have to reboot his laptop because his system administrator if forcing an update installation. That is what I call a career limiting move. I do not schedule a reboot or force one after the update, however the user is notified every hour to reboot. Eventually it will get done. You are also going to have to set an install time that is "after hours". That way after the update installation is complete, in the middle of the night, the user can reboot their computer as soon as they begin their day in the morning. You wouldn't want to interrupt a users business in the middle of the day.

Most of the group policy settings are fairly self explanatory. Each has an in depth description of its impact.

WSUS is a good patch management solution for small to medium size business; you should make it a point to consider Microsoft’s SMS (Systems Management Server) as a patch management solution. This is a much better tool for deployment of updates across a large enterprise with many remote sites.

Another recommendation. You should use SSL on the WSUS web server since you will be deploying updates across firewalls and network boundaries.

If you have any more questions let us know, also let us know how you progress.

-Mike

**Cellus** · 10-05-2006, 01:02 PM

To be honest with the above recommendations you're good to go. The GUI interface for WSUS and the WSUSadmin web interface are easy to use. Just make sure, as always, to be mindful of what you are configuring.

10-02-2006, 12:17 PM	#1 (permalink)
scj6771 Registered User Join Date: Feb 2002 Posts: 39 OS:	WSUS Server I know this is going to be vague but I need to get a WSUS server running on a Windows 2003 Server to deploy patches to around 600 machines. I have downloaded the needed version of WSUS and installed it. Any advice? Anyone use WSUS? I have read the "white papers" and it seems to be a farily user friendly application.

10-03-2006, 07:45 AM	#2 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	I use WSUS to deploy patches for about 400 machines. Are you running a server with AD integrated? If you are you can set the clients to receive updates through the group policy. You are going to need to evaluate where all 600 of you clients are as far as current MS patches go. You are going to want to familiarize yourself with the WSUS approval terminology. What I did because most clients were somewhat patched, I approved all the updates for detection and that allowed me to evaluate where I was. One by one I approved the patches for installation (the needed patches were identified). Now I am at a point where I can watch the release of the monthly security updates and deploy them the same day. It really just takes some getting use to. Microsoft has great resources on best ways to deploy updates, but it really depends on your organization. You can get down to the “nitty gritty” when configuring how users will receive the updates. Again, most of the setting you are going to want to configure based on your users and or security needs. Let me know what your setup is as far a Clients/Servers OS, and if you can edit the GP using AD. __________________ Because you can read this thank a teacher, because it's English thank a soldier.

10-03-2006, 04:44 PM	#4 (permalink)
newhouse1390 Member, Networking Team Join Date: Jan 2005 Location: Ohio Posts: 1,040 OS: Windows Server 2003	http://www.microsoft.com/technet/com...ip/st0506.mspx Above is a good link containing a description of what GP Assignments can be made. Personally, I give my users control over the installation of updates. I Download the update(s) to the WSUS server for approval and then set a deadline for the install (about a week, depending on the severity of the update). I also allow non-administrators receive update notifications, this encourages users to install updates themselves and puts them in the right frame of mind in regards to security. They feel more secure and rely on the computer technology more to do their day to day business operations. The one thing you want to pay very close attention to is the reboot behavior. You don't want a patch to be deployed and then a user being forced to reboot their computer in 5 minutes. Similarly, you don’t want you r boss to be in the middle of a corporate meeting and have to reboot his laptop because his system administrator if forcing an update installation. That is what I call a career limiting move. I do not schedule a reboot or force one after the update, however the user is notified every hour to reboot. Eventually it will get done. You are also going to have to set an install time that is "after hours". That way after the update installation is complete, in the middle of the night, the user can reboot their computer as soon as they begin their day in the morning. You wouldn't want to interrupt a users business in the middle of the day. Most of the group policy settings are fairly self explanatory. Each has an in depth description of its impact. WSUS is a good patch management solution for small to medium size business; you should make it a point to consider Microsoft’s SMS (Systems Management Server) as a patch management solution. This is a much better tool for deployment of updates across a large enterprise with many remote sites. Another recommendation. You should use SSL on the WSUS web server since you will be deploying updates across firewalls and network boundaries. If you have any more questions let us know, also let us know how you progress. -Mike __________________ Because you can read this thank a teacher, because it's English thank a soldier.

10-05-2006, 01:02 PM	#5 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	To be honest with the above recommendations you're good to go. The GUI interface for WSUS and the WSUSadmin web interface are easy to use. Just make sure, as always, to be mindful of what you are configuring. __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!