WSUS Design - AUBede - American University of Beirut

WSUS Design
WSUS Release 2.0
Prepaired by: Samih Ajrouch
Approved by: Rim Kadi
Published by the American University of Beirut
Computing and Networking Services
Beirut, Lebanon
1
AUBede: WSUS Design
AUB©. All rights reserved. No part of this document may be reproduced or copied in any form
or by any means (graphic electronic or mechanical, including photocopying) recording taping or
information retrieval systems without express written permission from the American University
of Beirut.
Furthermore, no part of this document may be distributed or shown to persons, or organizations
other than those authorized by the American University of Beirut .
The information in this document pertains to the Enabled Desktop Environment plans for the
American University of Beirut and is to be treated as confidential except where officially issued
by the American University of Beirut for distribution.
Please direct questions or comments about this document to the assigned University
representative.
2
AUBede: WSUS Design
Table of Contents
TABLE OF CONTENTS.............................................................................................................................................. 3
1.
INTRODUCTION ............................................................................................................................................ 5
2.
TYPE OF DEPLOYMENT.................................................................................................................................. 5
2.1.
2.2.
2.3.
2.4.
3.
SIMPLE WSUS DEPLOYMENT ............................................................................................................................5
CHAIN OF WSUS SERVERS ................................................................................................................................6
DESIGN DECISIONS...........................................................................................................................................6
WSUS SERVERS CHAINED TOGETHER ..................................................................................................................6
MANAGEMENT STYLE ................................................................................................................................... 6
3.1.
3.2.
3.3.
3.4.
4.
CENTRALIZED MANAGEMENT .............................................................................................................................6
DISTRIBUTED MANAGEMENT .............................................................................................................................7
DESIGN DECISIONS...........................................................................................................................................7
WSUS CENTRALIZED MANAGEMENT (REPLICA ROLE) ............................................................................................8
STORAGE LOCATION ..................................................................................................................................... 8
4.1.
4.2.
4.3.
5.
LOCAL STORAGE ..............................................................................................................................................8
REMOTE STORAGE ...........................................................................................................................................9
DESIGN DECISIONS...........................................................................................................................................9
BANDWIDTH USAGE ..................................................................................................................................... 9
5.1.
5.2.
5.3.
6.
DEFERRING THE DOWNLOAD OF UPDATES: ...........................................................................................................9
FILTERING UPDATES .......................................................................................................................................10
DESIGN DECISIONS.........................................................................................................................................10
INSTALLING WSUS ...................................................................................................................................... 10
6.1.
6.2.
6.3.
7.
SOFTWARE REQUIREMENTS .............................................................................................................................10
PORT REQUIREMENTS ....................................................................................................................................10
DESIGN DECISIONS.........................................................................................................................................11
COMPUTER GROUPS ................................................................................................................................... 12
7.1.
8.
DESIGN DECISIONS.........................................................................................................................................12
AUTOMATIC UPDATES CLIENT COMPONENT .............................................................................................. 13
8.1.
8.2.
8.3.
8.4.
9.
INSTALLING AUTOMATIC UPDATES CLIENT ..........................................................................................................13
DESIGN DECISIONS.........................................................................................................................................14
CONFIGURING AUTOMATIC UPDATES CLIENT ......................................................................................................14
DESIGN DECISIONS.........................................................................................................................................15
SECURING WSUS SERVERS .......................................................................................................................... 16
9.1.
9.2.
9.3.
9.4.
10.
SECURING IIS 6.0 ..........................................................................................................................................16
DESIGN DECISIONS.........................................................................................................................................16
ADDING AUTHENTICATION BETWEEN CHAINED WSUS SERVERS .............................................................................17
DESIGN DECISIONS.........................................................................................................................................17
CONCLUSION .............................................................................................................................................. 17
3
AUBede: WSUS Design
4
AUBede: WSUS Design
1. Introduction
Windows Server Update Services (WSUS) is the new name for the next version of Software
Update Services (SUS). WSUS is a patch and update component of Windows Server and offers
an effective and quick way to help systems get secure and stay secure.
WSUS will support updating Windows operating systems and all Microsoft corporate software.
When initially released, WSUS will support updating Windows XP Professional, Windows 2000,
Windows Server 2003, Microsoft Office XP, Office 2003, Microsoft SQL Server 2000,
Microsoft SQL Server 2000 Desktop Engine (MSDE) 2000, and Microsoft Exchange Server
2003. Support for additional Microsoft products will be added over time.
This document is intended to describe the design decisions for deploying WSUS at AUB, the
hardware and software requirements, and the phases of deployment with migration from the
existing SUS solution.
2. Type of Deployment
WSUS could be deployed in one of two scenarios:

Simple WSUS deployment

Chain of WSUS servers
2.1. Simple WSUS Deployment
This type of deployment involves setting up one WSUS server inside the corporate network. This
server will connect to Microsoft Update to download updates and then clients on the private
network would connect to this server to download and install the list of missing updates.
A new feature introduced with WSUS is the “Computer Groups” that enables administrators to
target updates to a specific group of computers. In simple WSUS deployment, the WSUS
administrator can create different computer groups, move computers to these groups and then
approve updates for specific groups instead of deploying them to all the organization at once.
5
AUBede: WSUS Design
2.2. Chain of WSUS Servers
The basic idea behind this type of deployment is the ability to synchronize one WSUS server
with another WSUS server. This type of configuration is useful for scaling WSUS in a large
organization. In such a scenario, a downstream server must always synchronize to an upstream
server, where the latter synchronizes to “Microsoft Update”.
2.3. Design Decisions
At AUB, the “Chain of WSUS Servers” is the chosen deployment type. This decision was taken
based on the following criteria:

Load distribution: Currently all computers at AUB get their updates from one SUS
server. Distributing the load to other WSUS servers will decrease the load on this server.

Network Traffic: One WSUS server will be located in each Active Directory Site. This
way, the traffic initiated from client computers to their WSUS server will flow within the
same site; thus decreasing network traffic among sites.

Minimize Failure Impact: This type of deployment ensures that if one WSUS server fails,
other computers in other sites can still get updated from their own WSUS server.
2.4. WSUS Servers Chained Together
Figure1: Chain Together
3. Management Style
WSUS supports deployments in both central and distributed management models.
3.1. Centralized Management
Centrally managed WSUS servers utilize the replica server role. The replica server role features
a single administered server and one or more subordinate replicas. The approvals and targeting
groups created on the master server are replicated throughout the entire organization. Computer
group membership is not distributed throughout the replica group, only the computer groups
6
AUBede: WSUS Design
themselves. In other words, client computers must always be loaded into the created computer
groups.
3.2. Distributed Management
Distributed Management offers full control over approvals and computer groups for each WSUS
server. With the distributed management model, a WSUS administrator exists at each site. The
administrator at each site creates his/her own computer groups and approves the list of updates
required at his/her site.
3.3. Design Decisions
The management style that will be followed at AUB is the Centralized Management for the
following reasons:

There is no site administrator: At AUB, administrators are distributed among departments
rather than among sites. Thus a site could contain several system administrators.

Same updates: Normally the same updates are installed on all computers at AUB. Thus
there is no need that each site has its own list of approved updates.

Computer Groups: There will definitely be different computer groups among different
sites at AUB. However this is not a constraint in Centralized Management since computer
groups required throughout the whole organization will be created on the master server.
These computer groups will be replicated to all Downstream WSUS servers. For each
WSUS server in a site, only the necessary computer groups will be loaded with the
appropriate computer objects. Membership of computer groups is never replicated to
WSUS servers, only the name of the group.
7
AUBede: WSUS Design
3.4. WSUS Centralized Management (Replica Role)
Figure2: Centralized management
4. Storage Location
Metadata that describes what an update is useful for is stored in the WSUS database, the updates
themselves are not. There are two choices for where updates are stored: On the local WSUS
server, or on Microsoft Update.
4.1. Local Storage
Updates are stored locally on the WSUS server. This saves bandwidth on the internet connection
because the clients download updates directly from the WSUS server. This option requires a
30GB of disk space on the WSUS server.
8
AUBede: WSUS Design
4.2. Remote Storage
Updates are stored remotely on Microsoft servers. This scenario is useful if client computers
have a slow WAN connection with the WSUS server and a high-bandwidth connection to the
internet.
4.3. Design Decisions
Local Storage will be used at AUB since:

There is a large number of client computers, each one downloading updates from the
internet by itself would be a burden.

There is no constraint on the hard disk space that can be purchased for WSUS servers.

There are no slow connection between the client computers and the WSUS server.

Only one computer (the upstream master server) would require unlimited internet
connection.
5. Bandwidth Usage
The following features of WSUS will be used to efficiently use the bandwidth:
5.1. Deferring the Download of Updates:
WSUS offers the ability to download update metadata at a different time from the update itself
during synchronizations. In this configuration, approving an update triggers the download of all
the files used to install that particular update on a computer. This saves bandwidth and WSUS
server disk space, because only updates that are approved for installation are downloaded in full
to the WSUS server. For bandwidth savings, deferring downloads is useful in conjunction with a
special approval setting that only detects whether client computers require an update (approve
for detection setting). With this kind of approval, the WSUS server does not download the
update and clients do not install the update. Instead, clients just determine if they need the
update. If they do, they send an event to the WSUS server, which is recorded in a server report.
If the clients require updates that were approved for detection, the administrator can then
approve them for installation.
9
AUBede: WSUS Design
5.2. Filtering Updates
WSUS offers the ability to choose only the updates that the organization requires during
synchronizations. Synchronizations can be limited by language, product, and type of update. In a
chain of WSUS servers, WSUS automatically sets all downstream servers to use the update
filtering options that are selected on the server directly connected to Microsoft Update.
5.3. Design Decisions
Deferred downloads will be used at AUB to minimize internet bandwidth usage. This way only
the updates approved by the administrator will be downloaded from the internet to the upstream
server. However, the “Approve for Detection” setting will not be used because it introduces an
overhead on the WSUS administrator and at AUB there is not internet bandwidth restriction.
Moreover, the WSUS administrator will initially approve only the updates necessary for any
computer at AUB.
Updates will be filtered by language. Only English updates will be selected for download and
approval. This will save internet bandwidth.
6. Installing WSUS
6.1. Software Requirements
Following is a list of software that should be installed on the WSUS server prior to installing
WSUS:

Windows 2003 server

IIS 6.0

BITS 2.0

Microsoft .NET framework Service Pack 1 for Windows 2003

Microsoft Windows SQL Server 2000 Desktop Engine (WMSDE)
6.2. Port Requirements

The WSUS server uses port 80 and port 443 to obtain updates from Microsoft. This is not
configurable. Thus these ports should be open between the upstream WSUS server and
the internet.
10
AUBede: WSUS Design

If there are no Web sites running on the server where WSUS is installed, there is the
option to use the default Web site or a custom Web site. If WSUS is setup on the default
Web site, WSUS listens for Automatic Updates on port 80. If a custom Web site is used,
WSUS listens on port 8530.

Even if WSUS is configured on a custom website and listening to port 8530, a Web site
must also be set up and running on port 80 to accommodate updating Legacy Automatic
Updates client software.

Downstream WSUS servers can use the custom port to synchronize with the upstream
WSUS server.
6.3. Design Decisions
At AUB, five WSUS servers will be installed (one in every AD site). Each server will belong to
the backbone subnet dedicated to the corresponding site. Since these servers will have other roles
than windows update, the hardware will be powerful and will satisfy WSUS requirements.
The WSUS web site will be installed on port 8530, leaving port 80 free for probable web sites to
be installed on the server.
The IP address of the upstream WSUS server should be configured for unlimited internet
download. All other downstream servers will be configured to retrieve updates from the
upstream WSUS server on port 8530. The upstream server will be scheduled to retrieve updates
from Microsoft Update at 11:00 pm. Downstream servers will synchronize to the upstream server
at one hour interval from each other.
In order not to download and approve again the list of updates existing on the SUS server, a
migration procedure will take place to migrate the content and approvals from the existing SUS
server at AUB to the new upstream WSUS server. For this process, the upstream WSUS
software will be installed on the same server acting as SUS server, and then the WSUSutil.exe
utility will be used to migrate the content of updates and the list of approvals.
11
AUBede: WSUS Design
Figure3: Servers distribution
7. Computer Groups
Setting up computer groups is a three-step process. First, specify how the computers will be
assigned to computer groups. There are two options: server-side targeting and client-side targeting.
Server-side targeting involves manually adding each computer to its group. Client-side targeting
involves automatically assigning the computers by using either Group Policy or registry keys.
Second, create the computer groups in WSUS. Third, move the computers into groups by using
the method chosen in the first step.
7.1. Design Decisions
At AUB, we will configure 5 main policies linked as the follows
12
AUBede: WSUS Design

All Backbone servers group

All Departmental Servers

All Public Computers

All Administration computers

Test Group
More groups will be created upon the request of the system administrators
At AUB, client-side targeting will be used on all downstream servers for computers joined to AD
domain. The computers will be assigned to the appropriate computer group through group
policy. A WSUS computer group will be created for every high-level delegated OU, and through
group policy computers in the OU will be placed in the appropriate computer group. As to
computers that are not joined to win2k.aub.edu.lb domain, they will not be member of any
special computer group, and thus updates could not be targeted for a special group of these
computers.
Moreover, testing groups will be created to allow system administrators to test updates on their
machines before deploying the updates to the whole organization. Each system administrator will
choose one or more computer representative of the computers in his/her department. These
computers will be included in the testing computer group. Whenever new updates are
downloaded, these updates will be approved only for the testing computer group. The system
administrators will be given a three-day period to install and test the updates on the testing
computers. If no problems were encountered by any department, the updates will then be
approved to the whole organization; otherwise, special computer groups will be created for
computers that encountered problems, and these computer groups will be excluded from the
approved updates.
WSUS computer groups for delegated OUs will follow Active Directory OUs naming
convention.
8. Automatic Updates Client Component
8.1. Installing Automatic Updates Client
Automatic Updates is the WSUS client software. It can be installed on any computer running:

Windows 2000 (Professional and Server) with SP3 or SP4
13
AUBede: WSUS Design

Windows XP Professional with or without SP1 or SP2

Windows Server 2003
Computers running Windows XP with SP2 already have the WSUS client software installed and
do not need additional installation.
To minimize administrative effort, automatic updates can update itself to the WSUS compatible
software. If a machine has the legacy SUS client, every time it checks for updates on the internal
server, it also checks if there is an update for itself. This way the SUS client software will selfupdate to WSUS client software.
The self-updating client software is available on the following operating systems (those
compatible with SUS client):
 Windows 2000 with Service Pack 3 or Service Pack 4
 Windows XP with Service Pack 1 or Service Pack 2
 Windows Server 2003
8.2. Design Decisions
At AUB, all clients are currently using the SUS client software and are thus eligible for selfupdate to WSUS client software (if needed). On each WSUS server to be installed, the SelfUpdate directory will be created under the web site running on port 80. SUS clients will look for
this virtual directory at port 80 and update themselves to the new version of Automatic Updates
compatible with WSUS server.
8.3. Configuring Automatic Updates Client
Clients can be configured to retrieve updates from WSUS server through domain or local group
policy (depending whether AD domain computers or workgroup computers) or through
modifying registry keys. In addition to pointing to the WSUS server, there are automatic updates
configuration settings that are manipulated using same methods. When administrative policies
(whether through group policy or registry) are used to configure Automatic Updates, the
Automatic Updates user interface in Control Panel is disabled on the target computer.
Notifications options can be manipulated as follows:

If Automatic Updates is configured to notify the user of updates that are ready to install,
the notification is sent to the System log and to the notification area of the client
computer.
14
AUBede: WSUS Design

When a user with appropriate credentials clicks the notification-area icon, Automatic
Updates displays the available updates to install. In this case, a user with the appropriate
credentials is either a logged-on administrator or a non-administrator granted appropriate
credentials by means of Group Policy. The user must then click Install so the installation
can proceed. A message appears if the update requires the computer to be restarted to
complete the update. If a restart is requested, Automatic Updates cannot detect additional
updates until the computer is restarted.

If Automatic Updates is configured to install updates on a set schedule, applicable
updates are downloaded and marked as ready to install. Automatic Updates notifies users
having appropriate credentials via a notification-area icon, and an event is logged to the
System log. This indicates that the user can install updates.

At the scheduled day and time, Automatic Updates installs the update and restarts the
computer (if necessary), even if there is no local administrator logged on. If a local
administrator is logged on and the computer requires a restart, Automatic Updates
displays a warning and a countdown for when the computer will restart. Otherwise, the
installation occurs in the background.

If it is required to restart the computer, and any user is logged on, a similar countdown
dialog box is displayed, warning the logged-on user about the impending restart.
Computer restarts can be manipulated with Group Policy.

After the new updates are downloaded, Automatic Updates polls the WSUS server again
for the list of approved packages to confirm that the packages it downloaded are still
valid and approved. This means that if a WSUS administrator removes updates from the
list of approved updates while Automatic Updates is downloading updates, only the
updates that are still approved are actually installed.
8.4. Design Decisions
Configuration settings of the Automatic Updates Client will be done through group policy for
Active Directory Domain computers joined to win2k.aub.edu.lb and by modifying registry keys
through the “Provisioning Service” for non Active-Directory computers.
The following settings will be configured for Automatic Updates Client on client (non-server)
computers (either by group policy or by modifying registry through provisioning service):
Administration PCs

Auto download updates and schedule install (schedule will be based on computer OU
location)

Specify Intranet Microsoft update service location: Http://WSUSSiteServerName:8350
15
AUBede: WSUS Design

Enable Client Side targeting: Specify the computer group that computers will belong to.

Reschedule Automatic Update scheduled installations: 10 minutes

No auto-restart for scheduled Automatic Update installation options: Enabled

Automatic Update detection frequency: Not Configured

Allow non-administrators to receive update notifications: Disabled
Public Labs

Auto download updates and schedule the installation (schedule will be based on computer
OU location)

Specify Intranet Microsoft update service location: Http://WSUSSiteServerName:8350

Enable Client Side targeting: Specify the computer group that computers will belong to.

Reschedule Automatic Update scheduled installations: 10 minutes

No auto-restart for scheduled Automatic Update installation options: Enabled

Automatic Update detection frequency: Not Configured

Allow non-administrators to receive update notifications: Disabled
9. Securing WSUS servers
9.1. Securing IIS 6.0
9.2. Design Decisions
The following three security settings will be enabled on the IIS Web server to help ensure secure
WSUS administration.
 Enable general error messages: By default, IIS gives detailed error messages to remote
Web clients. Enabling IIS general (less detailed) error messages prevents an unauthorized
user from probing the IIS environment with IIS error messages.
 Enable additional logging options: By default, IIS enables logging for a number of
options. Logging will be added to the following keys:

Server name

Time taken

Host
16
AUBede: WSUS Design

Cookie

Referer
Remove header extensions: By default, IIS enables header extensions for HTTP requests. It is
more secure to remove any header extensions for IIS.
9.3. Adding Authentication between Chained WSUS Servers
9.4. Design Decisions
Authentication will be added for server-to server synchronization.
Enabling authentication is a two-step process.

First, a list of downstream WSUS servers allowed to authenticate with the upstream
WSUS server will be created; this list will then be added to a text file that was created
when WSUS was installed.

Second, in IIS, anonymous access to the WSUS server will be disabled.
These two steps will enable only the downstream computers listed to synchronize with the
upstream WSUS server.
10.
Conclusion
This document described the design of WSUS at AUB. In summary, a separate WSUS server
will be installed in every Active Directory site serving clients in the subnets belonging to that
site. Domain computers will be pointed to their appropriate WSUS server through group policy,
while non-domain computers will point to the appropriate WSUS server through changing the
registry keys from a script. System administrators in each department will be allowed a three
days period to test approved updates on sample machines before deploying updates throughout
the whole organization.
To prevent configuration and updates loss in case of a failure, it is recommended that the WSUS
database and configuration be backed up frequently. This should be included in the design of the
backup and disaster recovery strategy being studied for AUB servers.
17
AUBede: WSUS Design