Manage Learn to apply best practices and optimize your operations.

Automating Microsoft Windows patch management with WSUS

Microsoft offers Windows Server Update Services (WSUS) as a free download, but there are installation and agent-related issues to contend with.

Microsoft patch management is a fact of life for Windows network administrators. With millions of lines of code...

in the Windows operating system, it's virtually guaranteed vulnerabilities will be discovered no matter how thorough Microsoft is in developing and testing its software. Patching used to be much more chaotic in the Wild West days before Microsoft initiated its Trustworthy Computing initiative and instituted Patch Tuesday. Patches were released on an unpredictable, ad-hoc basis, keeping administrators jumping to deploy critical patches on a regular basis.

Now with the rare exception of patches issued out-of-band for particularly critical vulnerabilities, administrators can plan their patch management process around the fact that Microsoft releases patches on the second Tuesday of each month.

Whether there is one patch or 10, there is something to be said for the consistency and predictability of Patch Tuesday. Even with that consistency though, the process of administering and deploying patches is a daunting task. IT administrators need automated patch management tools.

Microsoft supplies just such a tool in Windows Server Update Services (WSUS) that is capable of automatically updating a wide variety of Microsoft operating systems and applications including the various versions of Microsoft Windows, Exchange Server, SQL Server, ISA Server, the various Forefront offerings and more.

COSTS ASSOCIATED WITH FREE WSUS DOWNLOAD WSUS is available as a free download for customers with a valid Windows Server 2003 or Windows Server 2008 license, and the requisite Client Access Licenses (CALs) for the systems being supported by WSUS. The latest version also works with Windows 7 clients and can support remote offices via the BranchCache feature.

It should be noted that there could be some additional costs involved. WSUS needs a database. By default it relies on the free MSDE database engine. Many organizations may want to use the more robust SQL Server which would require the appropriate SQL Server licensing as well.

Additional Windows patch management resources

How to fill patch management gaps using MBSA: Microsoft Baseline Security Analyzer examines and quantitatively summarizes the state of your organization's Windows security.
Determine when to use a workaround rather than patch a system: Learn how to determine when your midmarket organization should employ a workaround, rather than patch immediately.
How to prepare for security patch testing: Learn what steps organizations can take prior to security patch testing to ensure a successful patch testing phase.

WSUS is free, and it automatically keeps your Microsoft operating systems and applications up to date. It sounds like a winner, so, what's the catch?

Well, perhaps you're familiar with the phrase "you get what you pay for." WSUS is not without its downsides. I have two serious issues with WSUS:

Installation: WSUS relies on other Microsoft services to perform some of its functions. Prerequisites such as IIS, the .NET framework, and BITS have to be installed prior to starting the WSUS installation. If they are not present, the WSUS installation will abort.

It would be preferable if the WSUS installation worked more intelligently and simply installed any missing prerequisites.

Once you first install WSUS you need to configure some key elements to get started on the right foot:

  • Set up from where the WSUS server will download its updates. Typically it would get updates from Microsoft, but if you have a larger environment you might have a primary WSUS server from which downstream WSUS servers get their updates.
  • Specify the operating systems and applications that WSUS should monitor and update.
  • Configure the languages you need WSUS to download. For security purposes, ensure you get all applicable languages for your environment. At the same time, downloading too many languages, or worse, all of the languages, can tax system resources and quickly fill the hard drive.

Agent-based: WSUS relies on client agents to phone home periodically to check for any new available updates and pull them down. There is no way to force systems to update immediately by pushing the patches out to the client, and any system not configured with the WSUS agent will be off the patch updating grid altogether.

Of course, Patch Tuesday applies only to Microsoft Windows operating systems and applications. In the real world, systems have software from other vendors as well, such as the Firefox Web browser or Adobe Flash, which has been the subject of some serious security vulnerabilities this year.

Unfortunately, WSUS won't be much help beyond Microsoft operating systems and applications. Some Microsoft customers may be able to accomplish the goal of patching a heterogeneous environment by using System Center Essentials.

There are third-party alternatives as well…for a price. Products from companies such as Shavlik Technologies Inc.and BigFix Inc. provide comprehensive patch management across multiple platforms including Microsoft, Unix, Linux and Mac, as well as software applications that don't come from Redmond.

Tony Bradley is the founder and president of S3KUR3, Inc. Follow him on Twitter @PCSecurityNews.

Send comments on this technical tip [email protected].

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was last published in September 2009

Dig Deeper on Microsoft Patch Tuesday and patch management