
Your Computer Network Solution
Protect Your Network with Windows Server Update Services
Perhaps the most important step a system administrator can take to protect a network from outside attack and vulnerability is to ensure that all systems and applications are patched and updated to the latest revisions. It is a fact that most viruses and malware attack well-known and documented vulnerabilities. Remember the infamous Melissa virus that devastated networks a few years ago? The patch that prevented that vulnerability had been released by Microsoft 387 days prior to the first report of the virus!
How can that be, you might ask? It’s simple: most authors of viruses and malware don’t discover new holes in software and operating systems; rather, they attack documented openings. When Microsoft releases a new patch, they also provide some documentation as to what the patch addresses. So a rudimentary roadmap is given that directs the malware author to an area of code or functionality that has a problem. The virus just takes advantage of the many systems that are not up to date, and therefore open to exploitation.
This is where patch management comes in. Anyone around ICS knows that I’m almost fanatical about making sure that all ICS computing resources are continuously kept up to date. That can be a huge challenge. With all the various systems and servers deployed, how can anyone really have an accurate picture of their network? Microsoft has addressed this challenge with Windows Server Update Services (WSUS).
WSUS is a product available from Microsoft (at no charge) that runs on a server. WSUS uses Microsoft SQL Server (free edition or full version) to manage a database of machines, applications and patches. This application provides centralized deployment of all updates and patches for Microsoft operating systems, Office products, and many applications. Let’s say that you have 50 XP workstations and Microsoft just released a 25 MB update. Rather than downloading 50 copies of the update, one for each workstation, WSUS will download one copy and publish it to each and every workstation.
WSUS provides the administrator with a centralized console that shows all computers and updates. Status reports are generated daily that show where certain computers are missing updates and how others are fully updated. A user can choose which updates are approved for installation and on which groups of computers those updates are to be installed. WSUS can be configured to install and reboot workstations and servers automatically or to allow individual users latitude as to scheduling installation of updates.
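Whether a given workstation actually follows the WSUS server, and which install and reboot behavior it has been given, can be checked from the registry values that the Windows Update Group Policy settings write. The PowerShell function below is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the function name Get-WsusClientPolicy is hypothetical.

```powershell
# Added example: report how this machine is configured to receive updates from WSUS.
# Reads the Windows Update policy values that Group Policy writes to the registry.
function Get-WsusClientPolicy {   # hypothetical helper name
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    # A missing key means no policy was applied; treat it as empty, not as an error.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # AUOptions values of the "Configure Automatic Updates" policy.
    $auModes = @{
        2 = 'Notify before download'
        3 = 'Auto download, notify before install'
        4 = 'Auto download, scheduled install'
        5 = 'Local administrator chooses'
    }
    # ScheduledInstallDay: 0 = every day, 1-7 = Sunday-Saturday.
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    $findings = @()
    if (-not $wu.WUServer) {
        $findings += 'No WSUS server set by policy'
    } else {
        if ($au.UseWUServer -ne 1) { $findings += 'WUServer is set but UseWUServer is not 1' }
        if ($wu.WUServer -notmatch '^https://') { $findings += 'WSUS URL is not HTTPS' }
    }
    if ($au.NoAutoUpdate -eq 1) { $findings += 'Automatic Updates disabled by policy' }

    $schedule = $null
    if ($au.AUOptions -eq 4 -and $null -ne $au.ScheduledInstallDay) {
        $schedule = '{0} at {1:00}:00' -f $days[[int]$au.ScheduledInstallDay],
                                          [int]$au.ScheduledInstallTime
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        WsusServer      = $wu.WUServer
        StatusServer    = $wu.WUStatusServer
        TargetGroup     = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        InstallMode     = $auModes[[int]$au.AUOptions]
        Schedule        = $schedule
        RebootWaitsUser = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)
        Findings        = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

An empty Findings list with InstallMode set to scheduled install corresponds to the fully automatic configuration; the other modes are the ones that leave scheduling to the user or local administrator.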
I will caution you that a WSUS server does require some significant disk space. I would plan on a minimum of 100 GB of free storage before deploying WSUS. A WSUS server does not need to be backed up. Should the server fail, a replacement server can be installed. The updates will automatically be downloaded from Microsoft and inventories will be regenerated within a couple of days.
We have found that WSUS is an essential part of any Microsoft Windows network where there are more than a handful of workstations or servers. In fact, Microsoft considers WSUS so important that they are bundling it with all versions of Microsoft Small Business Server 2008.
Please contact Chris Faist, Integrated Computer Systems Support, at chrisf@ics-support.com or 425-284-5410 for further details or if we can help you deploy WSUS in your network.





