Managing Windows Software & Updates

SUS Server

MS Baseline Security Analyzer

Software and Group PolicyPaul “The Yellow Dart” Peterson

University of Minnesota

Microsoft SUS Server

Hotfix and Service Pack Management

Why SUS Server Allows us to control which updates are

applied and when Ease of management through group policy Other options SMS and MbsaFU

The BAD news Clients stop looking for updates pending

reboot SUS Server requires IIS Little control over what is downloaded Not supported by NT4, 9x clients Requires SP3 on 2k clients

Our Experience Reliable and easy to manage Transparent to end users (fairly) Doesn’t install non-critical updates, office

updates or service packs (until recently) Client logging only in IIS logs Dedicated server recommended

MS Baseline Security Analyzer

MS security reporting

Why Microsoft Baseline Security Analyzer

Freely available

http://www.microsoft.com/downloads

Microsoft Baseline Security Analyzer v1.1.1 Full “featured” but easy to use Command line interface scriptable Verifies patches and configuration

The Bad News Reports are “noisy” False positives (or are they…)

Our Experience Easy to use Detailed reports Third party follow up tool available

Group Policy

Why Group Policy Policies easy to apply, enforce, and change Leverages AD layout and all the thought

and planning that went into your domain Unavoidable

The Bad News (in general) Can be very confusing (nearly limitless

options) Reporting tools are not good

(2003 tools improved and available) Not well documented

More Bad News (software) Requires msi packages (some software is

reluctant to be packaged) Non intuitive AND badly documented Software policy ONLY updated on reboot RELENTLESS

Our Experience Steep learning curve Easy to use once configured Greatest thing since sliced bread (for its

intended purpose)

Group Policy for SUS Management

Easy to use Prevents users from changing settings Full features require admin template from

sp1 version of SUS

Learning from our mistakes Treat “production” GPO’s with care Document and test all policy changes Keep it as simple as possible It is easier to manage a lot of GPO’s than a

lot of policy changes in a GPO Plan your OU structure carefully “Not Defined” is NOT default

The End http://www.microsoft.com/windows2000/windowsupdate/sus/

susdeployment.asp http://www.microsoft.com/windows2000/techinfo/howitworks/

management/grouppolwp.asp http://www.microsoft.com/windows2000/techinfo/howitworks/management/

rbppaper.asp http://www.microsoft.com/downloads Microsoft Baseline Security Analyzer v1.1.1

Group Policy Management Console (2003 XP)

Software Update Services Server 1.0 with Service Pack 1