Tips and Tricks
4-1-1 on SUS
All you wanted to know about Microsoft's update service.
The Windows side of the IT industry has certainly seen its share of viral outbreaks in recent years. Attacks from SoBig and Blaster, to name just a couple, have caused plenty of downtime, cost plenty of dollars and earned plenty of airtime on the local news. Hundreds of other less-spotlighted viruses affect businesses every day. Unfortunately, most of it's preventable, and the old maxim, "An ounce of prevention is worth a pound of cure," is true in our industry. Blaster, for example, exploited a vulnerability that had been patched over a month prior. The problem was that nobody bothered to deploy the patches. Patch management in the Microsoft world hasn't always been easy; but Microsoft keeps trying, and there is an easier way available these days: SUS, the Software Update Services.
SUS is basically your own in-house version of Windows Update. Sure, you could use Automatic Updates and let your servers download patches willy-nilly from Microsoft, but that doesn’t exactly place you in a position of control, not to mention the WAN bandwidth that a hundred servers will use when a new patch comes out. SUS is more efficient and more controllable, and it’s incredibly easy to deploy.
You can install SUS on any Windows 2000 or Windows 2003 server computer, including (as of SP1) domain controllers and Small Business Server installations. You’ll configure SUS to download updates for all available operating systems, Internet Explorer and other packages, directly from Windows Update. SUS caches the updates locally, so they’re more readily available to clients and other server computers across your WAN. And, contrary to common belief, SUS downloads most types of updates offered on Windows Update, not just “critical” updates. The catch: SUS won’t retrieve or deploy service packs for you. You’re still on your own with those. And some products (such as Office and SQL Server) do not yet make their updates available via SUS.
Once SUS downloads an update, it sits on it. Clients (and other server computers count as “clients” in this discussion) can’t download updates until you specifically approve them in SUS’ administrative interface. That way, you’ve got plenty of time to test patches in your environment before they go out to your client computers.
Speaking of your clients, they'll need to run the SUS Client software, also called "Automatic Updates." It's included in Windows 2000 SP3, Windows XP SP1 and Windows Server 2003. You can also download it from www.microsoft.com/windows2000/windowsupdate/sus/.
Now, by default, Automatic Updates wants to deal only with the Windows Update Web site, but you can change all that. SUS SP1 includes an updated ADM file that you can use to create group policies, forcing clients’ Automatic Updates software to retrieve updates on a schedule you designate and to use only your SUS server (or servers). In fact, you can outright disable access to Windows Update, ensuring that you have complete control over the flow of patches into your network. The ADM file even allows you to disable automatic restarts, so that server computers don’t reboot themselves after installing patches that require a restart. By the way, the updated policy file is already bundled with Windows 2003.
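The Automatic Updates policies described above land in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), which is where you can check whether a given client is actually pinned to your SUS server rather than to Windows Update on the Internet. The following PowerShell audit script is an added example, not code from the article or from Microsoft; it reads those policy values and reports anything that would let patches flow from somewhere other than your SUS server, on a schedule other than yours, or with an unplanned restart. The SUS URL (http://sus01.corp.example) is a constructed placeholder, and the mapping of the ADM's "no auto-restart" setting to the NoAutoRebootWithLoggedOnUsers value is stated as the author's understanding, not something the article spells out.

```powershell
# Added example (not from the article): audit a client's Automatic Updates
# policy to confirm it is pinned to the in-house SUS server.
param(
    # Constructed placeholder; replace with your own SUS server URL.
    [string]$ExpectedSusUrl = 'http://sus01.corp.example'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Read a single policy value, returning $null if the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Compare the effective policy against what a SUS-managed client should have.
function Test-SusClientPolicy {
    param([string]$SusUrl)
    $findings = @()
    $want = $SusUrl.TrimEnd('/')

    $server   = Get-PolicyValue $wuKey 'WUServer'          # where updates are fetched
    $status   = Get-PolicyValue $wuKey 'WUStatusServer'    # where status is reported
    $useWu    = Get-PolicyValue $auKey 'UseWUServer'       # 1 = honour WUServer
    $noAu     = Get-PolicyValue $auKey 'NoAutoUpdate'      # 1 = Automatic Updates off
    $opt      = Get-PolicyValue $auKey 'AUOptions'         # 4 = auto download, scheduled install
    $day      = Get-PolicyValue $auKey 'ScheduledInstallDay'
    $hour     = Get-PolicyValue $auKey 'ScheduledInstallTime'
    # Assumed mapping: the ADM's "no auto-restart" setting writes this value.
    $noReboot = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'

    if ($noAu -eq 1) {
        $findings += 'NoAutoUpdate=1: Automatic Updates is disabled; this client pulls nothing.'
    }
    if ($useWu -ne 1) {
        $findings += 'UseWUServer is not 1: client will go to Windows Update on the Internet.'
    }
    if (-not $server -or $server.TrimEnd('/') -ne $want) {
        $findings += "WUServer is '$server'; expected '$want'."
    }
    if ($status -and $status.TrimEnd('/') -ne $want) {
        $findings += "WUStatusServer is '$status'; status reports go to a server other than '$want'."
    }
    if ($opt -ne 4) {
        $findings += "AUOptions is '$opt'; 4 (auto download and schedule install) is what deploys approved patches on your schedule."
    }
    if ($opt -eq 4 -and ($null -eq $day -or $null -eq $hour)) {
        $findings += 'ScheduledInstallDay/Time not set; client will fall back to defaults instead of your window.'
    }
    if ($noReboot -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers is not 1; a patch that needs a restart may reboot this machine on its own.'
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        WUServer                      = $server
        WUStatusServer                = $status
        UseWUServer                   = $useWu
        AUOptions                     = $opt
        ScheduledInstallDay           = $day
        ScheduledInstallTime          = $hour
        NoAutoRebootWithLoggedOnUsers = $noReboot
        Compliant                     = ($findings.Count -eq 0)
        Findings                      = $findings
    }
}

Test-SusClientPolicy -SusUrl $ExpectedSusUrl | Format-List
```

Run it on a client after the group policy has refreshed; an empty Findings list means the machine will only talk to your SUS server, install on the day and hour you set, and not restart by itself. Running it across a handful of servers before approving a patch in SUS is a cheap way to catch the one box that was never joined to the policy.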
If you have a large, distributed network, SUS can accommodate you. SUS servers can be configured to download approved updates from other SUS servers, allowing you to deploy a hierarchy of servers that best meets your needs for deploying patches, centralizing control and conserving WAN bandwidth. Installing SUS takes about 10 minutes; configuring it perhaps another 10. With patch control and deployment this easy, there’s no reason not to nip the next Blaster in the bud while still maintaining complete control over your server and client computers. Even if you’re working in a small shop, you can easily add SUS to an existing file server or domain controller and take advantage of enterprise-class patch deployment.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.