Making Microsoft Software Update Services Part of your Patch Management Strategy
With security at the forefront of everyone's mind and the number of threats from various exploits increasing daily, patch management is a big issue for admins today. Microsoft does a good job of responding to newly discovered exploits by issuing patches to fix security holes, but manually applying all the fixes to every machine in a large or even medium sized organization is an overwhelming task.
To make this easier, Microsoft provides SUS, which builds on the Windows Update technology and allows you to provide updates to computers on your LAN from a local source, rather than using Internet bandwidth for each machine to download the same updates. In this article, we'll describe how SUS works and give you some pointers on deploying SUS within your organization.
What SUS Does - and Doesn't Do
SUS automates the process of delivering software updates to your Windows 2000 (both Professional and Server), XP (both Home and Professional editions) and Server 2003 computers. It doesn't provide updates to other Windows operating systems or to computers running non-Microsoft platforms.
SUS is not a replacement for Systems Management Server (SMS). Indeed, SMS is a more full featured method of software distribution and if you're using it, you will probably want to continue to do so. SUS is intended for those administrators who are currently manually checking the Windows Update site or Security Web site and then manually distributing the patches. SUS also doesn't take the place of Group Policy software installation, which can also be used to automatically distribute applications.
Note: In this first version, SUS only supports the deployment of critical updates and security rollups. SUS will only install update packages that have been digitally signed by Microsoft.
SUS is actually a version of the Windows Update server that you can install and run on your local network. It installs on a Windows 2000 or 2003 server, and is synchronized with Microsoft's Windows Update Web server, either at preset intervals or manually. An e-mail notice is sent to the administrator whenever new updates become available and they are downloaded to the internal SUS server. Then the administrator decides which updates to publish, and they will be installed on the client computers.
Because it is important to test patches before deploying them on the production network, SUS can be used in a tiered arrangement for staged deployment, in which one SUS server publishes updates to test lab computers, and other SUS servers publish the updates to clients on the production network, only after they have been tested. An SUS server can download updates from the Microsoft Update servers or from other internal SUS servers. One SUS server can support about 15,000 clients.
How to Deploy SUS
The first step in deploying SUS is to install it on a Windows 2000 (with SP2 or above) or a Windows Server 2003 server.
Next, you must install the Automatic Updates client component on the Windows 2000, XP and 2003 computers that will use the SUS server for updates. If you have multiple SUS servers, you'll need to configure each client to connect to the proper SUS server. The client software is an enhanced version of the Automatic Updates client that comes with Windows XP and is included with:
- Server 2003
- Service Pack 1 for Windows XP
- Service Pack 3 for Windows 2000
It is also available as a Windows Installer (.msi) installation package.
Installing the SUS Server Software
The SUS server needs to meet the following minimum hardware requirements:
- PIII at least 700MHz processor
- 512 MB RAM
- 6 GB free disk space
IIS 5.0 or above must be running on the SUS server and Internet Explorer 5.5 or above is also required.
Note: If you install SUS on Windows 2000, the IIS Lockdown settings will be applied. These settings are already the IIS defaults on Server 2003.
The SUS server must be using NTFS for the system partition, and the SUS software itself must be installed on an NTFS partition. If you want to install SUS on a domain controller or a computer running Small Business Server (SBS) 2000, you'll need SP1 for SUS. However, Microsoft recommends (and so do we) that you run SUS on a computer dedicated to that purpose. Some applications are not compatible with the IIS settings configured by SUS.
You can download the SUS software (with SP1) from Microsoft's SUS Web site at http://www.microsoft.com/windowsserversystem/sus/default.mspx. The client software is also available on that site. Detailed installation instructions are also available there. To install SUS with the default settings is a simple operation:
- Start the installation by double clicking the downloaded Sus10sp1.exe file.
- Click Next on the Wizard welcome screen to begin the process.
- Click the option button to accept the EULA and click Next.
- Click to check the checkbox labeled Typical and click Next.
- During the installation, setup will tell you the URL that client machines will use to connect to the SUS server. Write this down before clicking Install.
- The IIS lockdown tool will run if you are installing on Windows 2000 or SBS 2000.
- Click Finish to complete the wizard.
An SUS utility will be added to your Administrative Tools folder.
After installation, you'll need to configure the SUS server. You use the Web interface to do this. In your browser (IE 5.5 or above), go to http:///SUSAdmin (the URL setup displayed during installation) or use the link in Administrative Tools.
Note: You need to be a local administrator to configure the SUS server.
The SUS Web site also allows you to synchronize the server manually, and to set up automatic synchronization on a preset schedule. You can specify that you must approve any updates before they are published to the client computers. Logs are maintained by SUS to keep track of synchronizations and content approvals.
A content distribution point is automatically created on the SUS server when you install it. You can also choose to maintain content on Microsoft.com, or you can manually create a distribution point on any server running IIS 5.0 or above.
Installing and Configuring the Client Software
If the client computer is running Windows 2000 with SP2 (but not SP3 or later) or Windows XP without SP1, you'll need to download and install the client software on the computers that you want to be updated via the SUS server.
After installing the client software, configure it by following these steps:
- Click Start | Settings | Control Panel.
- On XP, select the System applet and the Automatic Updates tab. On Windows 2000, select the Automatic Updates applet.
- Check Keep my computer up to date.
- Set your preferences for notification and scheduling of installation.
Note: Automatic Updates settings can also be configured via Group Policy or by editing the Registry.
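As an added example (not from the original article), here is a .reg file that points the Automatic Updates client at an internal SUS server using the policy keys the client reads; the server name sus01.corp.example is a placeholder for your own SUS server's URL, which setup displayed during installation.

```reg
Windows Registry Editor Version 5.00

; Point the Automatic Updates client at the internal SUS server instead of
; Microsoft's Windows Update site. Both values must use the URL setup showed
; you (http://<servername>, or http://<servername>:<port> if you changed the
; IIS port). sus01.corp.example below is a constructed placeholder.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 1 = use the WUServer above. If this value is 0 or missing, the client
; ignores WUServer and goes straight to Windows Update over the Internet,
; bypassing your approval step, so check it when auditing clients.
"UseWUServer"=dword:00000001
; 0 = Automatic Updates is enabled (1 would turn it off entirely).
"NoAutoUpdate"=dword:00000000
; 2 = notify before download, 3 = download then notify before install,
; 4 = download and install on the schedule below (unattended patching).
"AUOptions"=dword:00000004
; 0 = every day, 1 = Sunday ... 7 = Saturday.
"ScheduledInstallDay"=dword:00000000
; Hour of the day (0-23) for the scheduled install; 3 = 03:00.
"ScheduledInstallTime"=dword:00000003
```

Only approved updates reach a client configured this way, because the SUS server serves nothing the administrator has not approved; the same settings are available in the Windows Update administrative template under Computer Configuration in Group Policy, which is the preferred way to apply them across a domain.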
Software Update Services (SUS) is a useful tool for automatically deploying patches (critical updates) to computers running Windows 2000 or a later operating system. In this article, we've provided an overview of how SUS works and how to install the SUS server and client software. For much more detailed information, visit the Microsoft Web site and download the 95 page Software Update Services Deployment White Paper at http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx.