In case you aren’t familiar with Windows Server Update Services, WSUS is Microsoft’s built-in technology for centrally deploying patches to workstations and servers for Windows, Office and other Microsoft software. When it came out, WSUS was a great leap forward for all of us who must keep systems secure and patched. As time has passed, patching is even more critical than it was before and more complicated because we have to:
• patch more quickly to defend against 0-day exploits
• deal with power management concerns
• patch servers inside tighter maintenance windows
• patch more than just Windows
In these slides, Randy Franklin Smith from UltimateWindowsSecurity shares a load of tips, tricks and scripts for helping you address these issues and deal with limitations in WSUS.

One of the biggest issues with WSUS is that you control patch management partly from within WSUS and partly from group policy. In WSUS, you select which patches are approved for deployment, but you control patch schedule and other Automatic Update settings with group policy. Learn a ton of advanced ways to use group policy to the full in order to finely tune how updates are applied on your network.

Points covered:
• How to ensure not a single computer in your domain is missed by WSUS while not misapplying a patch by accident
• Why you should start with 3 top-level computer groups in WSUS: Servers, Workstations, Terminal Servers
• How to schedule automatic updates and reboots for servers during their maintenance window using group policy and WSUS (and the limitations)
• How to use “client-side targeting” to automatically assign computers to WSUS groups and avoid manually assigning computers
• How to set up a test group of computers from across all your OUs to receive updates first
• How to address the problem of computers that are powered down when a patch should be installed
• How to patch computers in your DMZ
• Fine-tuning BITS for bandwidth protection
• Understanding how time zones work in WSUS and the AU client
Another issue we’ll tackle though is: “Should I even be using WSUS?” Issues we’ll discuss:
• Do you require Wake-On-LAN capability to fulfill a green initiative with timely patching?
• Do you have strict maintenance window requirements?
• Do you understand the critical need to centrally control patching non-MS apps without relying on each app’s auto-updater?
This is where our sponsor Lumension comes in. Russ Ernst shows how Lumension’s Endpoint Management and Security Suite addresses all of these issues and more, much more.

  1. WSUS for Secure Patching: Top Tips, Tricks and Scripts for Overcoming Limitations and Challenges. © 2013 Monterey Technology Group Inc.
  2. Brought to you by www.lumension.com. Speaker: Russ Ernst – Group Product Manager
  3. Preview of Key Points
     • Lots of tips
     • Troubleshooting resources
     • What’s new in Win2013 WSUS
     • When is WSUS not enough
  4. Ensure “no computer left behind”
     • Create a top level GPO that configures “Specify intranet Microsoft update service location”
     • “Once an organisation does this they are amazed how this discovers a number of ‘hiding’ computers on their network that have never been patched” – Alan Burchill, http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
     • Internet-Facing WSUS: http://blogs.technet.com/b/sus/archive/2011/05/09/how-to-create-an-internet-facing-wsus-server-that-uses-different-internal-and-external-names.aspx
  5. Enable client-side targeting
     • May be a no-brainer for many, but…
     • WSUS Computer Groups allow you to target patches at specific computers (BTW, these are not AD groups)
     • In WSUS, set “You can specify how to assign computers to groups” to “Use Group Policy”; this allows you to assign computers automatically as they appear in AD
     • In group policy, set “Enable client-side targeting” to the appropriate WSUS group
  6. Think hard on OU, GPO and WSUS group structure
     • WSUS allows parent/child groups
     • Building WSUS groups to match the OU structure reduces confusion: 1 WSUS group ↔ 1 OU ↔ 1 GPO, with the same names
     • But make sure you have computers divided up according to how you want to patch
     • Have large sets of computers broken into smaller groups so you can phase in updates and stop if problems occur
  7. Set up a Test Group that draws on a sampling of computers
     • For each major set of computers – especially workstations:
     • Create a WSUS group called Test Workstations
     • Create an AD security group WSUS Test Workstations
     • Take computers from each OU/department/subtype of the larger set and make them members of the WSUS Test Workstations group
     • Goal: have a representative “sampling” of all systems to test patches upon
     • Perhaps identify users from each department most amenable or most likely to notice problems
     • Create a WSUS Test GPO at the root of the domain or the topmost OU containing the applicable computers
     • Enforce the GPO
     • Change the “apply group policy” permission from Everyone to WSUS Test Workstations
     • Set “Enable client-side targeting” to WSUS Test Workstations
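The test-group setup described in slide 7, scripted as an added example (not code from the slides or from Lumension). It assumes the ActiveDirectory and UpdateServices modules on a Windows Server 2012 WSUS server; the OU paths, group names and sample size are placeholders.

```powershell
# Added example (not from the slides): build the representative "WSUS Test Workstations"
# sample from slide 7. Assumes the ActiveDirectory module (RSAT) and the UpdateServices
# module on a Windows Server 2012 WSUS server; OU paths and names are placeholders.
Import-Module ActiveDirectory
Import-Module UpdateServices

$testGroupAD    = 'WSUS Test Workstations'   # AD security group that filters the test GPO
$testGroupWsus  = 'Test Workstations'        # WSUS computer group named in the GPO
$perOu          = 2                          # computers sampled from each OU
$workstationOUs = @(                         # placeholder OUs; replace with your own
    'OU=Finance,OU=Workstations,DC=example,DC=com',
    'OU=Sales,OU=Workstations,DC=example,DC=com'
)

# 1. Make sure the WSUS computer group exists: client-side targeting only moves a
#    computer into a group that already exists on the server
$wsus = Get-WsusServer
if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $testGroupWsus)) {
    $null = $wsus.CreateComputerTargetGroup($testGroupWsus)
}

# 2. Make sure the AD security group exists
if (-not (Get-ADGroup -Filter "Name -eq '$testGroupAD'")) {
    New-ADGroup -Name $testGroupAD -GroupScope Global -GroupCategory Security
}

# 3. Sample a few enabled workstations from every OU so the test group spans all departments
foreach ($ou in $workstationOUs) {
    $sample = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' |
              Get-Random -Count $perOu
    if ($sample) {
        Add-ADGroupMember -Identity $testGroupAD -Members $sample
        "$ou -> $($sample.Name -join ', ')"
    }
}
# The test GPO (enforced, "apply group policy" granted only to $testGroupAD, and
# "Enable client-side targeting" = $testGroupWsus) then moves only these members into the
# WSUS test group on their next detection cycle.
```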
  8. Ensure computers are patched quickly
     • In group policy: “4 – Auto download and schedule”, every day, 3AM or whatever
     • Time zone is based on the client; patches with deadlines on WSUS are relative to the WSUS server’s time zone
     • Need it faster? Check out “Automatic Updates detection frequency” at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
     • Enable “Allow Automatic Updates immediate installation”
     • Enable “wake up computer if powered down”; Wake on LAN is better
     • Theoretically this could deal with computers turned off when patch time rolls around, but there are some dangers: http://www.nynaeve.net/?p=160
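Slides 4, 5 and 8 all come down to a handful of Automatic Updates policy values on each client. This added example (not from the slides) reads those values on a domain-joined Windows client and flags the conditions that leave a computer “hiding” from WSUS; the registry value names are the ones the WSUS group policy settings write, and the script is read-only.

```powershell
# Added example (not from the slides): audit a client's effective WSUS group policy
# settings, as written by the GPOs described in slides 4, 5 and 8. Read-only.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when no GPO has set the value (key or value absent)
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

$report = [ordered]@{
    # "Specify intranet Microsoft update service location" (slide 4)
    WUServer             = Get-PolicyValue $policy 'WUServer'
    WUStatusServer       = Get-PolicyValue $policy 'WUStatusServer'
    UseWUServer          = Get-PolicyValue $au 'UseWUServer'
    # "Enable client-side targeting" (slides 5 and 7)
    TargetGroupEnabled   = Get-PolicyValue $policy 'TargetGroupEnabled'
    TargetGroup          = Get-PolicyValue $policy 'TargetGroup'
    # "Configure Automatic Updates": 4 = auto download and schedule (slide 8)
    AUOptions            = Get-PolicyValue $au 'AUOptions'
    ScheduledInstallDay  = Get-PolicyValue $au 'ScheduledInstallDay'    # 0 = every day
    ScheduledInstallTime = Get-PolicyValue $au 'ScheduledInstallTime'   # hour, client local time
    DetectionFrequency   = Get-PolicyValue $au 'DetectionFrequency'     # hours between detections
    AutoInstallMinor     = Get-PolicyValue $au 'AutoInstallMinorUpdates' # "immediate installation"
}
[pscustomobject]$report | Format-List

# Flag the conditions that leave a computer unpatched or unassigned
$findings = @()
if (-not $report.WUServer -or $report.UseWUServer -ne 1) {
    $findings += 'Not pointed at the intranet WSUS server: this computer never reports to WSUS'
}
if ($report.TargetGroupEnabled -ne 1 -or -not $report.TargetGroup) {
    $findings += 'Client-side targeting is off: computer lands in Unassigned Computers'
}
if ($report.AUOptions -ne 4) {
    $findings += "AUOptions is '$($report.AUOptions)', not 4: installs are not scheduled"
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'WSUS policy looks healthy' }
```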
  9. Limit/schedule bandwidth used for downloading patches
     • Explore BITS settings: /Computer Configuration/Admin Templates/Network/Background Intelligent…
     • Schedule, limit bandwidth, peer caching
  10. Reduce VPN or local traffic
     • Lots of computers off-site: at other sites across a WAN, or calling in via VPN
     • Configure WSUS so that clients download the actual bits of updates from Microsoft
     • BranchCache acceleration
  11. Other tips
     • Other good tips covered at http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/
     • Handling computers that should not be auto-rebooted
     • WSUS for DMZ servers
     • Run the Cleanup Wizard regularly
  12. Troubleshooting
     • WSUS Troubleshooting Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/2491.wsus-troubleshooting-survival-guide.aspx
     • Cool WSUS troubleshooting tools and script examples: http://blogs.technet.com/b/sus/archive/2008/10/16/cool-wsus-troubleshooting-tools-and-script-examples.aspx
     • Scripts: http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=windowsupdate&f%5B0%5D.Text=Windows%20Update (then look at the subcategories and tags for WSUS)
     • Other good links: http://blogs.technet.com/b/sus/archive/2009/02/19/troubleshooting-guide-for-issues-where-wsus-clients-are-not-reporting-in.aspx
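The “clients not reporting in” problem linked from slide 12 and the regular cleanup from slide 11, as an added example (not code from the slides or from Lumension). It uses the Windows Server 2012 UpdateServices cmdlets that slide 13 mentions, plus the ActiveDirectory module, and is meant to run on the WSUS server; the staleness threshold is an assumption.

```powershell
# Added example (not from the slides): find AD computers that WSUS has never seen or
# that have stopped reporting, then run the Cleanup Wizard non-interactively.
# Assumes the UpdateServices and ActiveDirectory modules on the WSUS server itself.
Import-Module UpdateServices
Import-Module ActiveDirectory

$staleDays = 14                                  # assumption: report after two missed weeks
$cutoff    = (Get-Date).AddDays(-$staleDays)
$wsus      = Get-WsusServer

# Every computer WSUS knows about, keyed by lower-cased FQDN for a case-insensitive join
$known = @{}
foreach ($c in Get-WsusComputer -UpdateServer $wsus -All) {
    $known[$c.FullDomainName.ToLower()] = $c
}

# 1. Enabled AD computers WSUS has never heard from: the "hiding" machines of slide 4.
#    These need the top-level GPO from slide 4 (or a look at WindowsUpdate.log on the client).
$neverReported = Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Where-Object { $_.DNSHostName -and -not $known.ContainsKey($_.DNSHostName.ToLower()) } |
    Select-Object -ExpandProperty DNSHostName

# 2. Computers WSUS knows but that have not reported status since the cutoff
$stale = Get-WsusComputer -UpdateServer $wsus -ToLastReportedStatusTime $cutoff |
    Select-Object FullDomainName, IPAddress, LastReportedStatusTime

"{0} AD computers never reported; {1} stopped reporting before {2:d}" -f `
    @($neverReported).Count, @($stale).Count, $cutoff
$neverReported | Sort-Object | ForEach-Object { "  never reported: $_" }
$stale | Format-Table -AutoSize

# 3. The Cleanup Wizard from slide 11, scripted so it can run as a scheduled task
Invoke-WsusServerCleanup -UpdateServer $wsus `
    -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles `
    -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
```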
  13. What’s new in Win2013 WSUS? Feature and functionality, by Windows Server 2008 R2 vs. Windows Server 2012:
     • Inclusion of Windows PowerShell cmdlets to manage the ten most important administrative tasks in WSUS – Windows Server 2012 only
     • Security enhancements with SHA256 hash capability – Windows Server 2012 only
     • Client and server separation: versions of the Windows Update Agent (WUA) can ship independently of WSUS – Windows Server 2012 only
  14. Bottom Line: WSUS isn’t enough if you need
     • Real control over scheduling: server patching, WakeOnLAN
     • #1: Third party patches!!! http://www.lumension.com/vulnerability-management/patch-management-software/compare.aspx
     • Custom application patching
     • Non domain member discovery
     • More than basic reporting: compliance!
     • Comprehensive endpoint security: patch is just one slice of the pie; think about that before going to System Center for enhanced patching
  15. Flexible Deployment Options
     • Integrated Asset Discovery
     • Integrated Wake on LAN Across Domains
     • Custom Content Creation
  16. Manage 3rd Party Application and Cross Platform Vulnerabilities
  17. Comprehensive Compliance Reporting
  18. Defense-in-Depth Strategy: successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
     • AV – Control the Bad
     • Device Control – Control the Flow
     • HD and Media Encryption – Control the Data
     • Application Control – Control the Gray
     • Patch and Configuration Management – Control the Vulnerability Landscape
  19. Brought to you by www.lumension.com. Speaker: Russ B. Ernst – Group Product Manager
  20. More Information
     • Free Security Scanner Tools (http://www.lumension.com/Resources/Security-Tools.aspx):
       » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
       » Application Scanner – discover all the apps being used in your network
       » Device Scanner – discover all the devices being used in your network
     • Lumension® Endpoint Management and Security Suite:
       » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
       » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
     • Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2