Tips and Tricks

4-1-1 on SUS

All you wanted to know about Microsoft's update service.

• By Don Jones
• 10/01/2003

The Windows side of the IT industry has certainly seen its share of viral outbreaks in recent years. Attacks from SoBig and Blaster, to name just a couple, have caused plenty of downtime, cost plenty of dollars and earned plenty of airtime on the local news. Hundreds of other less-spotlighted viruses affect businesses everyday. Unfortunately, most of it’s preventable, and the old maxim, “An ounce of prevention is worth a pound of cure,” is true in our industry. Blaster, for example, exploited a vulnerability that had been patched over a month prior. The problem was that nobody bothered to deploy the patches. Patch management in the Microsoft world hasn’t always been easy; but Microsoft keeps trying, and there is an easier way available these days: SUS, the Software Update Services.

SUS is basically your own in-house version of Windows Update. Sure, you could use Automatic Updates and let your servers download patches willy-nilly from Microsoft, but that doesn’t exactly place you in a position of control, not to mention the WAN bandwidth that a hundred servers will use when a new patch comes out. SUS is more efficient and more controllable, and it’s incredibly easy to deploy.

You can install SUS on any Windows 2000 or Windows 2003 server computer, including (as of SP1) domain controllers and Small Business Server installations. You’ll configure SUS to download updates for all available operating systems, Internet Explorer and other packages, directly from Windows Update. SUS caches the updates locally, so they’re more readily available to clients and other server computers across your WAN. And, contrary to common belief, SUS downloads most types of updates offered on Windows Update, not just “critical” updates. The catch: SUS won’t retrieve or deploy service packs for you. You’re still on your own with those. And some products (such as Office and SQL Server) do not yet make their updates available via SUS.

Once SUS downloads an update, it sits on it. Clients (and other server computers count as “clients” in this discussion) can’t download updates until you specifically approve them in SUS’ administrative interface. That way, you’ve got plenty of time to test patches in your environment before they go out to your client computers.

Speaking of your clients, they’ll need to run the SUS Client software, also called “Automatic Updates.” It’s included in Windows 2000 SP3, Windows XP SP1 and Windows Server 2003. You can also download it from www.microsoft.com/windows2000/windowsupdate/sus/.

Now, by default, Automatic Updates wants to deal only with the Windows Update Web site, but you can change all that. SUS SP1 includes an updated ADM file that you can use to create group policies, forcing clients’ Automatic Updates software to retrieve updates on a schedule you designate and to use only your SUS server (or servers). In fact, you can outright disable access to Windows Update, ensuring that you have complete control over the flow of patches into your network. The ADM file even allows you to disable automatic restarts, so that server computers don’t reboot themselves after installing patches that require a restart. By the way, the updated policy file is already bundled with Windows 2003.

If you have a large, distributed network, SUS can accommodate you. SUS servers can be configured to download approved updates from other SUS servers, allowing you to deploy a hierarchy of servers that best meets your needs for deploying patches, centralizing control and conserving WAN bandwidth. Installing SUS takes about 10 minutes; configuring it perhaps another 10. With patch control and deployment this easy, there’s no reason not to nip the next Blaster in the bud while still maintaining complete control over your server and client computers. Even if you’re working in a small shop, you can easily add SUS to an existing file server or domain controller and take advantage of enterprise-class patch deployment.