Friday, January 14, 2005
The Joy of SUS
Wouldn't you be amazed to find a robust, full-featured piece of software that was easy to deploy, saved you hundreds of hours, and - wait for it - was free?
Well, that's exactly what happened to me this year when I found SUS. Since then, I've become its biggest fan, and decided to sing its praises here.
Oh wait, did I mention it's made by Microsoft?
Many of you by now have likely heard about 'Software Update Services' (SUS), but 9 months ago, I felt like I'd stumbled upon a pearl in my bathtub. (hmm...bad analogy?)
Anyway, what sparked my search for a patching solution was the outbreak of Sasser. You may recall that this was one of those nasty worms that didn't require any user action, it just infected any unpatched Windows 2000 or XP machines that it could find. (Dastardly! I much prefer the ones where you at least have to be dumb enough to launch the attachment!)
Despite some confidence that my firewall would keep any outside machines from starting an outbreak, the potential threat of travelling users and home VPN connections left me facing the thought of patching >150 machines by hand. Not a large number of machines perhaps, but still not something I was looking forward to. (aside: Why is it that a non-administrator can't run Windows Update on a Win2K machine? Somehow that just seems to contradict the security push...)
And so I embarked on a search for a free, automated patch management tool, and stumbled across a SUS reference in a newsgroup somewhere.
Using a combination of Microsoft's SUS site and susserver.com, I was able to get this up and running within a day.
What's good about SUS:
1) Simple deployment via Group Policy (ok, for those of you without Active Directory, you'll have to distribute registry changes some other way).
2) Ability to 'Approve' updates. Updates are not deployed to my clients until I say so. Nice way to do some testing and avoid problem patches (came in handy while testing XP SP2!)
3) Minimized WAN traffic, due to single download point.
4) Low maintenance, easy administration.
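For the "no Active Directory" case in point 1, the registry values below are the ones the SUS client policy controls; this is an added example, not a fragment from the original post or from Microsoft's documentation. The server host name is a placeholder, and the schedule and AUOptions values are choices, not requirements.

```reg
Windows Registry Editor Version 5.00

; Added example: points a Windows 2000/XP Automatic Updates client at an
; internal SUS server without Group Policy. Host name is a placeholder.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
; Server the client downloads approved updates from
"WUServer"="http://susserver.example.local"
; Server the client reports its status to (normally the same box)
"WUStatusServer"="http://susserver.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; 1 = use WUServer above instead of the public Windows Update site
"UseWUServer"=dword:00000001
; 0 = Automatic Updates stays enabled
"NoAutoUpdate"=dword:00000000
; 2 = notify before download, 3 = download then notify before install,
; 4 = download and install on the schedule below
"AUOptions"=dword:00000004
; 0 = every day, 1 = Sunday ... 7 = Saturday
"ScheduledInstallDay"=dword:00000000
; Hour of the day, 24h clock (3 = 03:00)
"ScheduledInstallTime"=dword:00000003
```

Import it silently with `regedit /s sus-client.reg` from a startup script or any other mechanism that runs with local administrator rights, then `wuauclt /detectnow` makes the client check in without waiting for its next detection cycle. The same settings appear under Computer Configuration > Administrative Templates > Windows Components > Windows Update once the wuau.adm template is loaded, so a .reg file and a GPO can coexist on a mixed network. Because the client talks to the server over plain HTTP, keep the SUS server reachable only from the internal network; the client still verifies Microsoft's signature on each package it downloads, so a rogue server cannot push arbitrary binaries, but one that is spoofed or unreachable can leave clients silently unpatched, which is exactly what the reporting gap in point 2 below makes hard to notice.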
What's lacking in SUS:
1) Directed updates - currently, all approved updates go to all clients of the SUS server, there's no finer control.
2) Reporting - There's no 'nice' built-in tool for confirming exactly which updates have been installed by which client. You'd have to run MS Baseline Analyzer or some other tool against a client to verify the updates. You *can* upload your IIS logs and get them analyzed here. Or download the add-on tool created by Wayne Flynn and create your own reports.
3) Ability to deploy more than just Windows updates. SUS will only do Windows updates and Service Packs. No SQL Server updates, no Office updates, etc.
All in all, SUS has served me well, and I can't wait for WUS. I'm currently playing with the beta, and although I'm still not quite *there* with it, I'm happy to report that it seems to address all three of the shortcomings listed above.
Between this and the new anti-spyware beta, I don't think anyone can say that Microsoft isn't stepping up to the plate to make securing their software easier.
Comments:
Wow...it's about time for another post...It took from July 6th to January 14th to come up with a new post. Congratulations though. I've run across this blog a few times and I've been waiting on an update. The new post definitely was worth while...thanks for pointing this out.
