For organizations whose business platform is Windows-based, the frequency of Microsoft updates and corresponding threats to your business is well documented and rehearsed nearly every Patch Tuesday. In short, every IT shop must patch the systems, which requires an IT security function and expertise in an organization of any size. While there are a myriad of patching products on the market, organizations running an AD environment can leverage the freely available Microsoft Windows Server Update Service (WSUS), designed to manage and deploy Windows patches and service packs.
Although the tool has its limitations -- depending on your strategic management architecture, application inventory and industry segment, WSUS may not be robust enough -- the good news for SMBs is that WSUS is essentially free. So to what point can WSUS satisfy an organization's patching requirements? In this tip, we'll review Windows patch deployment tools and discuss when a transition to a fuller featured commercial product is warranted.
WSUS: The benefits of the Windows patch deployment tool
The singular purpose of WSUS is to provide a platform whereby Windows operating system security fixes can easily and efficiently flow to company workstations and servers.
WSUS allows you to specify products and classifications of patching. On the product side, WSUS is configured in a traditional tree format starting with "All Products,"(Figure 1) under which the only subcategory is Microsoft Corporation.
This structure seems to foreshadow future support of other manufacturers, like maybe Adobe (Acrobat and Flash) or Sun/Oracle (Java) products that also proliferate Windows desktops. But don't hold your breath, as this functionality is likely reserved only for Microsoft's commercial management suite, System Center Configuration Manager.
On the WSUS platform, products supported are, of course, all Microsoft: from Exchange to BizTalk Servers, from Visual Studio to ISA Server, all server and workstation platforms back to XP, all SQL platforms, and all versions of Office back to Office XP. A spattering of other predominantly used products like MS Silverlight, Forefront, Visual Studio and Antigen are available as well.
Following product selection, the classification options define whether the patch inventory includes critical updates, broadly released bug fixes, or security or service packs (Figure 2). All MS Office, workstation and server platforms are enabled by default, which for a SMB with a Windows environment would likely cover 90% of the patching requirements -- not bad for out-of-the-box coverage.
Utilizing correct design principles, SMBs and even large enterprise environments can invoke a decentralized constellation of WSUS servers. Take, for example, a company with a headquarter site and three office campuses in separate states (Figure 3). A simple and effective design would include deploying a primary WSUS server at headquarters and three downstream WSUS servers, one at each campus. All update and patch approvals are downloaded and authorized centrally at the primary WSUS server, yet all hosts will download and install patches from their assigned downstream server. Because any Windows 2003 server can become a downstream WSUS server, the SMB can scale the design at no cost by leveraging existing server resources at the campus locations.
This design flexibility can accommodate a quantity of hosts and various internal or external bandwidth considerations, and it can also provide for shared administration. With a more polished MMC snap-in, the WSUS admin console is much improved. All categories of updates, host computers, downstream servers, synchronization status, reports and WSUS configuration options are present in a single view (Figure 4). The layout of the console permits patch deployment, status and reports based on a specific patch, user defined groups of computers or on-demand for a singular host. Patch review, approval and deployment are pre-sorted, with two important categories of critical and security updates grouped separately (Figure 4). Sifting through the updates, their definition and consequently approving, declining, or removing patches is all done through a single view (Figure 4).
See larger image
Figure 4 -- Singular high level view (left pane) with corresponding details view and update actions (right pane)
Further, WSUS admins can manage other primary WSUS or downstream servers through the same MMC console. Now add into the design a well-configured Windows Update Group Policy (GPO) and a single administrator can orchestrate how, when and where hundreds or thousands of workstations, servers and office applications get their updates and generate meaningful status reports. For all the technical and configuration details, Microsoft provides a WSUS step-by-step guide, deployment guide and operations guide on the company site.
Choosing your Windows patch deployment tools
All these features and functionality are very robust, but don't lose sight of the blindly obvious fact that it only supports Windows-based operating systems and applications. There are many thousands of applications across dozen of industries, both modern and legacy that a mature, organizational patch management program must account for.
Another significant cost and drain on resources is end/remote-user support, software and hardware inventory and new system imaging -- all elements of a managed desktop environment that WSUS can't touch. SMBs with a managed desktop strategy will find that commercial products like LANDesk, Altiris, CA Unicenter and MS Configuration Manager all provide vastly more granular control of servers and desktops: OS patching, internal or 3rd party application updates, total software and hardware asset inventorying, centrally managed remote user support, license management and detailed scheduling controls to name a few. And if your SMB has embraced mobile platforms, WSUS cannot nor will it ever likely address these environments either.
Clearly WSUS is a vastly improved, solid and reliable tool that SMBs should seriously evaluate to satisfy their patching requirements. The bottom line is that WSUS is a uni-purpose patch deployment and maintenance tool supporting only Windows-based platforms and applications. Large SMBs with a more heterogeneous environment of applications, operating systems and managed user needs would be advised to move to a third-party product providing cross-platform support. Windows-based organizations with just a few hundred workstations and fewer than a dozen servers will find WSUS a suitable solution. SMBs that are Windows workstation- and server-heavy but use third-party business applications should consider a hybrid setup: leverage WSUS for Windows updates and a third-party software management module to perform application updates.
Regardless of the size and complexity of where you start or end up, WSUS can serve as an effective foundation. In less complex environments, it can suffice as the lone management tool yet easily fill a complimentary role as complexity increases. And even if you ever did out grow the patch management features of WSUS, it will never become useless -- just turn it into a security scanner. Hint, hint…
About the author:
Gregg Braunton, CISSP, GSEC, C|EH, MCP serves as an Information Security Officer. He possesses fifteen years experience working in the information technology field with expertise in user awareness education, security compliance, forensics and technical and policy based security controls across various technologies and platforms.