Looking for an affordable way to keep your user workstations humming with all of those critical security updates and hotfixes? Software Update Services doesn't have all the answers, but it's a good solution for the cost -- free -- from Microsoft. Enhanced version upgrades come free, as well. And you don't need Active Directory to take advantage of it.
Microsoft designed the SUS server to be located on your organization's private network, behind a firewall or proxy server. The current version is SUS 1.0, Service Pack 1. Microsoft is expected to release SUS version 2.0 by the end of 2003.
If you follow these step-by-step instructions and then use our registry file modification, you'll be up and running in less than an hour. But first, here's some background information about how SUS works.
Once a day, your local SUS server will make a connection to Microsoft and download all of the latest critical updates. The administrator then approves some or all of the critical updates for distribution to the workstations. The install begins after properly configured workstations power on or, if a workstation was left on overnight, at a pre-configured, set time. The workstation connects to the SUS server, downloads the updates, verifies that they are from Microsoft (using a digital certificate), then installs the patches. Since many of the critical updates require a reboot, Microsoft has, in some cases, chained the updates, which allows for the patches to be installed together with only one reboot after the final patch has been applied.
Before you think you are in update utopia, however, there are a few SUS shortcomings of which you should be aware:
- SUS does not deploy service packs, updates to Office, updated drivers or third-party updates.
- Microsoft wants you to have faith in its product. Consequently, there are no reporting tools or log files to check for success or failure on the clients.
- If SUS is used with Active Directory, group policies cannot be used for granular updating of clients with specific updates.
- Without AD and group policies, it's all or nothing, which means that all of the updates the local SUS administrator approves will be accepted by every client. If an XP update is approved in a mixed environment of XP and Win2k Pro, for example, only the XP machines will accept the XP updates, and the Win2k machines will accept only the updates for Win2k.
These are significant limitations, but I have yet to find a better product for the price. In the future, Microsoft promises to address these limitations, as well as those that haven't yet cropped up.
Now for the big bomb -- SUS only works with XP Pro, Windows 2000 Server and Professional and Windows Server 2003. There's no help here for keeping all of your 95/98/CE/ME/NT machines up to date. But, to my way of thinking, it's still worth it, even if it only helps with a few of your enterprise machines.
A final note: once you get your SUS server up and running, be sure to take a look at the SUS deployment guides and release notes on the Microsoft SUS Web site. The documentation is voluminous. There are two documents -- one is about 90 pages long, and the second is 14 pages. But within these 100-plus pages are bits of information that will assist you in tuning some settings.
Microsoft also provides e-mail notification when new critical updates are available. You can subscribe to this service on the Microsoft Web site, but you will need a Passport account. If you feel uncomfortable about supplying Microsoft with personal information for a Passport account, just check your SUS server daily for updates.
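As an added example (not the article's own registry file): a small Python audit of a workstation's exported Automatic Updates policy keys, checking that a client set up without Active Directory points at the local SUS server and installs on a schedule. The value names are the documented Automatic Updates policy values; the server name `http://sus01` and the sample export are constructed placeholders.

```python
import re

# Constructed sample: a .reg export of the Automatic Updates policy keys.
# "http://sus01" is a placeholder server name, not a value from the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit(text):
    """List reasons this client would not install from the local SUS server on schedule."""
    keys = parse_reg(text)
    wu, au = keys.get(BASE, {}), keys.get(BASE + r"\AU", {})
    problems = []
    if au.get("UseWUServer") != 1:
        problems.append("UseWUServer is not 1: client ignores WUServer")
    if not str(wu.get("WUServer", "")).lower().startswith("http"):
        problems.append("WUServer is missing or not a URL")
    if au.get("NoAutoUpdate", 0) == 1:
        problems.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    if au.get("AUOptions") != 4:  # 4 = download automatically, install on schedule
        problems.append("AUOptions is not 4: no scheduled install")
    elif not 0 <= au.get("ScheduledInstallTime", -1) <= 23:
        problems.append("ScheduledInstallTime is missing or outside 0-23")
    return problems
```

Run `audit()` over the text of an export collected from each workstation; an empty list means the settings match the behavior described above.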
About the author: Douglas R. Spindler is the Active Directory project coordinator at Lawrence Berkeley National Laboratory and a technology consultant living in the San Francisco Bay area. He holds an MCSE + Internet certification and is a freelance writer, lecturer and president of the San Francisco Networking Technologies User Group. He can be reached at firstname.lastname@example.org