In Windows server infrastructure, deployment of Windows Patch management is very essential for small to medium sized businesses and even for large enterprise networks. A good design of WSUS management is critical to maintaining the operational availability, confidentiality, and integrity of the information assets and the systems that support these assets.
Why Windows patch management? Designing patch management with pro-active approach will help mitigate the risks associated with vulnerabilities in your systems and to avoid the potential compromise of these systems if these vulnerabilities are not addressed in a timely manner. New patches are being released at an ever-increasing rate, and it is often difficult to determine which patches should be deployed in a particular environment.
Windows provides a powerful and easy to deploy WSUS (Windows Server Update Services) patch management which is designed to centralize the management of Windows critical updates for Windows infrastructure networks in a consistent, timely and safe fashion without overly impacting business processes.
Normally a Windows PC when it connects to the Internet, the Windows update system will scan the computer for necessary high-priority updates including security updates, critical updates, and service packs, downloaded updates and install them. This is because the Automatic update system is enabled, but if the Automatic update is turned off the computer is more vulnerable to viruses and other security threats.
In medium to large-sized computer networks with hundreds to thousands of Windows clients, you can imagine how they will hog your internet bandwidth if all of them download the updates direct from the internet at the same time. It is therefore a Windows patch management system is needed to centralize the update management in a single server: a WSUS management server.
WSUS management server will be responsible for all the critical security updates downloaded direct from the internet and then all the computers on the local networks will obtain the updates direct from the WSUS server. This way will reduce the internet bandwidth usage for Widows update download significantly.
Best Practice Design and Configuration
The following figure shows a conceptual diagram in deploying the WSUS management server in your local business network. The idea of this Windows patch management is to configure the WSUS server as the central Windows update server within the local network where all the Windows clients obtain the updates from instead of downloading direct to the Windows update server via Internet connection.
Firstly you need to prepare the server that will be used as the WSUS management server. You don’t need a dedicated server to host WSUS services, you can host it in your DHCP server or Print server with Windows server 2003 or later.
Secondly, download the WSUSSetup.exe file from Microsoft website here: http://go.microsoft.com/fwlink/?LinkId=71058
Install the WSUS program by double clicking the file and just follow the installation wizard that will guide you through easy step by steps installation with default options. Leaving the default option will work for most installations, unless you need advanced configuration.
After the installation is completed, you need to configure the WSUS management server how it will obtain the updates from, whether from another WSUS upstream server or from the Windows update server in the internet. In medium to large scale enterprise networks, generally they build two WSUS servers. The first server is configured to obtain the updates direct from Windows update server in the internet, while the second server is configured to obtain the updates from the first one. All the Windows clients on local network are configured to obtain the updates from the second WSUS server.
Why you need two WSUS servers? The idea is to test the updates in testing machine prior to rolling out the updates to production machines. It is possible that particular patches are not working properly that probably causes the system to freeze, so testing the patches on testing environment is beneficial in large production networks. Unless, you need to perform roll-back the patch installation to large production machines in case of problems with improper patches.
I will not discuss detail installation here; you can find complete installation guidelines in Microsoft TechNet.
Summary:
Windows patch management is very essential in medium to large-scale Windows network environments. Configuring two WSUS management servers would be beneficial by testing the patches before rolling-out to production environments.
See also:
- Microsoft windows XP – best practice configuration
- Common internet connection problems and troubleshooting
- Information security managements and policies
- Local area network topologies – basic concepts
- Wide are network technologies and services
Recent Comments