S 4.417 Patch Management with WSUS under Windows Server 2008 and higher

Initiation responsibility: Head of IT

Implementation responsibility: Administrator

The Windows Server Update Services (WSUS) are a service obtaining patches, updates and service packs provided by Microsoft via the Internet and making them available to other systems in the domain. Due to the bundled download, the load placed on the network connection of the organisation is reduced on the one hand, and on the other, the patch management for Microsoft operating systems can be automated based on need. This makes the prompt distribution of important security patches much easier. In view of new software weaknesses becoming known on an ongoing basis, the patch management is one of the most important technical security safeguards (see also S 2.273 Prompt installation of security-relevant patches and updates). All Windows systems in the information system should therefore be connected to a corresponding update service.

Whereas WSUS were only available as an additional module under Windows Server 2003 and 2008, they are included as server role under Windows Server 2008 R2 and higher versions. Here, WSUS requires the availability of an Internet Information Server (server role web server) on the server. In addition to this, sufficient hard disk storage space for the temporary storage of the updates as well as a database for administration information must be available. If no suitable MS SQL Server is available, an instance of the Windows Internal Database on the server system can also be selected as database. For the evaluation and monitoring of the WSUS activities, the Report Viewer Redistributable packet must be installed in addition to this.

In more complex information systems, it is possible to operate several WSUS servers in parallel or "in series" to supply different locations, for instance. Here, each WSUS server downloads relevant updates from its source (either from Microsoft or another upstream WSUS server) at definable intervals. For this purpose, the WSUS server right at the top of the hierarchy requires an Internet connection which can also be established using a WWW proxy with or without authentication.

After the download, each update must be released for installation. This can be performed either manually by an administrator or be defined by a rule. Rules should be defined differently for WSUS computer groups so that, for example, critical security updates are automatically installed on clients, but server systems with critical applications, however, need to be released manually by an administrator. For each defined group, the fast effectiveness of automatically installed security patches must be weighed up against the threat to the system stability due to lack of tests.

The remaining systems in the domain are configured using group policies for the access to the WSUS server. Here, it is not only possible to make the "responsible" WSUS server known to the systems, but also additional configuration settings such as the intervals for the examination for present updates can be made. The systems configured in this manner then ask their WSUS server at regular intervals whether there are relevant updates to be installed (pull mechanism). Based on this request, the WSUS server determines the Windows operating system available on the respective system and identifies the present updates and their respective approval status.

WSUS is configured using an administration console which does not have to run on the WSUS server itself, but can also be called by an administration PC. In each case, the access to the administration console of the WSUS server should be limited to a small group of authorised administrators.

Using the Report Viewer Redistributable packet, different evaluations are available for the patch status of the connected systems in the administration console under Reports. Here, it is possible, amongst other things, to determine when the individual systems were last updated via WSUS server and which updates and patches have already been installed in each case. For particularly critical weaknesses in particular, the rollout of the corresponding patches can be thus tracked and followed.

Review questions:

• Is a WSUS server configured for all Windows systems in the information system?
• Does the WSUS server have access to the Internet or to another WSUS server as the source for updates?
• Is the access to the administration console of the WSUS server limited to a small group of authorised administrators?
• Does the WSUS server have sufficient storage space for the temporary storage of the pending updates?
• Are appropriate WSUS computer groups and policies defined for the release of patches, updates and service packs?
• Is the fast effectiveness of automatically installed security patches weighed up against the threat to the system stability due to lack of tests?