Windows Server WSUS - v1

Windows updates and patching are the primary method of fixing software vulnerabilities. Microsoft releases security patches monthly to address vulnerabilities, while "zero-day" vulnerabilities exploited before a fix may require an out-of-schedule patch. Windows Server Update Services (WSUS) allows centralized management of update distribution across a network. It connects Windows Update clients to approve and deploy updates from Microsoft Update.

1. Windows updates/patching

A security patch - is a change applied to an OS component to correct the weakness described by a
vulnerability. This corrective action will prevent successful exploitation and remove or mitigate a threat's
capability to exploit a specific vulnerability in an asset.

Security patches:
- are the primary method of fixing security vulnerabilities in software
- currently Microsoft releases their security patches once a month (2nd Tuesday **)

** Zero-Day Vulnerability - refers to a hole in software that is unknown to the vendor. This security hole
is then exploited by attackers before the vendor becomes aware of it and hurries to fix it; such an exploit is
called a zero-day attack. The fix patch may be released outside of the regular monthly schedule.

Microsoft Security Bulletins:
https://technet.microsoft.com/en-us/security/bulletins.aspx

If a security bulletin has an associated hotfix, the bulletin references that hotfix, which in turn has
an associated KB article.
Microsoft of course creates lots of hotfixes for its broad range of products, most of which are not
security related, and for those no MS security bulletin is issued.

Microsoft Update Catalog (example search for a KB number):
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4025343

Hotfix - update to fix a very specific issue, not always publicly released:
- includes one or more files that are used to address a problem in a software product (i.e. a
software bug).
- is made to address a specific customer situation and may not be distributed outside the
customer organization.

Service Pack - large update that fixes many outstanding issues; normally includes all patches and hotfixes
released since the last service pack.

Windows Update is a Microsoft service that is used to provide updates such as service packs, patches and
security patches for the Windows operating system and other Microsoft software.
Windows Server Update Services (WSUS) – a built-in server role to fully manage the distribution of
updates that are released through Microsoft Update to computers on your network:
- connects to the Windows Update agent/client to deploy updates
- centralized update management
- update management automation
- at least one WSUS server in your network must be able to connect to Microsoft Update to get
available update information

Install the WSUS role.

Choose where all the updates will be stored on the WSUS server.
Basic WSUS server configuration

- configure update source – where to get updates from: Microsoft or another WSUS server
in your company
- proxy server where needed – if the WSUS server doesn't have direct internet access
- Products and Classifications – choose for which Microsoft products you want updates to be
downloaded

- Synchronization schedule – can be set to run automatically, otherwise a manual sync needs to be triggered

- Automatic approvals – you can specify which types of updates can be automatically
deployed for a group of computers or for all:
- Computers – how to assign computers to a specific group:

- Computer groups - enable you to target updates to specific computers. There are two
default computer groups: All Computers and Unassigned Computers**

** By default, when each client computer initially contacts the WSUS server, the server adds it
to both of these groups.

By default, the WSUS server uses port 80 for HTTP and port 443 for HTTPS to obtain
updates from Microsoft. WSUS version 6, installed with Windows Server 2012, uses port 8530.

WSUS deployments:

- Simple WSUS deployment - consists of a server inside the corporate firewall that serves
client computers on a private intranet:
  - the WSUS server connects to Microsoft Update to download updates
  - it determines if new updates have been made available since the last
synchronization
  - if it is the first time synchronizing WSUS, all updates are made available for
download.

- Upstream WSUS - you synchronize one WSUS server with another WSUS server instead of
with Microsoft Update; they can be configured in two modes:
  - Autonomous mode: an upstream WSUS server shares updates with its downstream
server or servers during synchronization, but not update approval status or computer
group information. Downstream WSUS servers must be administered separately.
  - Replica mode: an upstream WSUS server shares updates, approval status, and computer
groups with its downstream server or servers. Downstream replica servers inherit update
approvals and cannot be administered apart from their upstream WSUS server.
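The server-side steps above (role install, content location, update source including autonomous/replica upstream, proxy, products and classifications, synchronization schedule) as one PowerShell script. This is an added example, not part of the original document; it assumes Windows Server 2012 or later, an elevated session and the UpdateServices module the role installs, and D:\WSUS, proxy.example.corp and wsus-upstream.example.corp are placeholders.

```powershell
# Added example (not from the original document): install the WSUS role and apply the basic
# server configuration from the sections above. Assumes Windows Server 2012 or later, an
# elevated PowerShell session and the UpdateServices module that the role installs.
# D:\WSUS, proxy.example.corp and wsus-upstream.example.corp are placeholders.

# Install the role (WID database) together with the console and cmdlets.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Choose where update content is stored; postinstall creates the database and content store.
$ContentDir = 'D:\WSUS'
New-Item -Path $ContentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

$Wsus = Get-WsusServer   # connect to the local WSUS server

# Update source: either Microsoft Update directly ...
Set-WsusServerSynchronization -UpdateServer $Wsus -SyncFromMU
# ... or another WSUS server in your company. -Replica gives replica mode (approvals and
# computer groups are inherited); leave it out for autonomous mode.
# Set-WsusServerSynchronization -UpdateServer $Wsus -UssServerName 'wsus-upstream.example.corp' `
#     -PortNumber 8531 -UseSsl -Replica

# Proxy, only when the WSUS server has no direct internet access.
$Cfg = $Wsus.GetConfiguration()
$Cfg.UseProxy = $true
$Cfg.ProxyName = 'proxy.example.corp'
$Cfg.ProxyServerPort = 8080
$Cfg.Save()

# Products and classifications: only what is selected here gets downloaded.
Get-WsusProduct -UpdateServer $Wsus |
    Where-Object { $_.Product.Title -match 'Windows Server 2016|Windows 10' } |
    Set-WsusProduct
Get-WsusClassification -UpdateServer $Wsus |
    Where-Object { $_.Classification.Title -in 'Security Updates', 'Critical Updates', 'Update Rollups', 'Service Packs' } |
    Set-WsusClassification

# Synchronization schedule: one automatic sync per day at 03:00 UTC, then trigger the first one now.
$Sub = $Wsus.GetSubscription()
$Sub.SynchronizeAutomatically = $true
$Sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::FromHours(3)
$Sub.NumberOfSynchronizationsPerDay = 1
$Sub.Save()
$Sub.StartSynchronization()
```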

Extra references
WSUS server deployment:
https://technet.microsoft.com/en-us/library/cc720448(v=ws.10).aspx

Microsoft Baseline Security Analyzer (MBSA) – tool to scan systems (local and remote, online or
offline) for missing security updates and common security misconfigurations:
- missing security updates and security issues (e.g. if the Guest account is enabled)
- weak passwords
- if the filesystem is not NTFS
- IIS and SQL vulnerabilities

MBSA is mostly used for offline scans, which also require the wsusscn2.cab file, downloadable from
Microsoft, as the scan catalog.

The wsusscn2.cab file contains metadata from the following classifications: security updates, update rollups,
and service packs.

MBSA download:
https://www.microsoft.com/en-us/download/details.aspx?id=7558

WSUSScn2.CAB manual download location:
http://go.microsoft.com/fwlink/?LinkId=76054
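An offline missing-update scan using the same wsusscn2.cab that MBSA uses, driven through the Windows Update Agent COM API rather than the MBSA GUI. This is an added example, not part of the original document or of MBSA itself; the path C:\Scan\wsusscn2.cab is a placeholder for a cab already downloaded from the link above.

```powershell
# Added example (not from the original document): offline scan for missing updates against
# wsusscn2.cab through the Windows Update Agent COM API. Assumes the cab has already been
# downloaded to C:\Scan (placeholder path); no network access is needed during the scan.
function Get-MissingUpdatesOffline {
    param([string]$CabPath = 'C:\Scan\wsusscn2.cab')
    if (-not (Test-Path $CabPath)) { throw "wsusscn2.cab not found at $CabPath" }

    $Session = New-Object -ComObject Microsoft.Update.Session
    $Manager = New-Object -ComObject Microsoft.Update.ServiceManager
    # Register the cab as a scan package; the agent then searches only against its metadata
    # (security updates, update rollups and service packs).
    $Service  = $Manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)
    $Searcher = $Session.CreateUpdateSearcher()
    $Searcher.ServerSelection = 3            # ssOthers: use the service registered above
    $Searcher.ServiceID       = $Service.ServiceID

    $Result = $Searcher.Search('IsInstalled=0')
    foreach ($u in $Result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
}

# List missing updates, most severe first, so a patch gap can be reviewed per host.
Get-MissingUpdatesOffline | Sort-Object Severity | Format-Table -AutoSize
```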
Configure the WSUS client (Windows Update)

If the Windows Update client is not configured to connect to a WSUS server, it will try to connect to the
Microsoft Update server over the internet.

Configure the WSUS client to connect to a WSUS server:

- From local/domain group policy – open the Group Policy Editor (cmd > gpedit.msc), expand
Computer Configuration > Administrative Templates > Windows Components > Windows
Update

- From the local registry – create the registry keys below
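The registry-based client configuration in script form, with a read-back check. This is an added example, not part of the original document; the WSUS URL is a placeholder, and the value names WUServer, WUStatusServer and UseWUServer are the standard policy values under the WindowsUpdate key referenced in the troubleshooting section.

```powershell
# Added example (not from the original document): point the Windows Update client at a
# WSUS server through the policy registry keys and read the result back. Run elevated.
# https://wsus.example.corp:8531 is a placeholder.
$WsusUrl   = 'https://wsus.example.corp:8531'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Set-WsusClient {
    param([Parameter(Mandatory)][string]$Url)
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # WUServer: where updates are fetched from; WUStatusServer: where status is reported to.
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Url -Type String
    # UseWUServer=1 makes the agent use WUServer instead of Microsoft Update on the internet.
    Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord
    # Same as the "Configure Automatic Updates" policy: 4 = auto download and schedule install.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord
}

function Test-WsusClient {
    # Returns the effective settings and flags the two most common misconfigurations.
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $issues = @()
    if ($au.UseWUServer -ne 1)        { $issues += 'UseWUServer is not 1: client will use Microsoft Update' }
    if ($p.WUServer -like 'http://*') { $issues += 'WUServer is plain HTTP: prefer the HTTPS port (443/8531)' }
    [pscustomobject]@{ WUServer = $p.WUServer; UseWUServer = $au.UseWUServer; Issues = $issues }
}

Set-WsusClient -Url $WsusUrl
Test-WsusClient
# Make the agent pick up the new settings, then ask it to contact the WSUS server.
Restart-Service -Name wuauserv
wuauclt /resetauthorization /detectnow
```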

Troubleshooting the WSUS client

- Stop the Windows Update service, delete the Download folder and start the service again:
C:\Windows\SoftwareDistribution\Download\

- check the log file for errors:
C:\Windows\WindowsUpdate.log

- Stop the Windows Update service, delete the registry key AU from the path below and start the
service again:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\

- From cmd with Admin privileges issue the command:

wuauclt /detectnow -- this will initiate a detection event to the assigned update services
resource (AU or WSUS).
wuauclt /resetauthorization /detectnow -- this is actually a special case version of the
previous command. The /resetauthorization parameter forces the targeting cookie to be
immediately expired. Normally the cookie has an ~60 minute expiration. Typically this
form of the command is used when server-side targeting is being used, and a client
system has just been reassigned to new group(s) via the WSUS console. Use of this
command forces the WUAgent to discard any previously known group memberships and
to requery the WSUS server for the current memberships. This command should also be
used when the SusClientID has been deleted and a detection was performed within the
previous hour to ensure the WUAgent does not use the SusClientID that is cached in the
targeting cookie. Also note that the order of these parameters is critical -- the
/resetauthorization flag must be the first of these flags on the command line.

wuauclt /reportnow – if a recent event has completed and there are PENDING EVENTS to
be reported to the WSUS server, this command will force the immediate flushing of that
reporting event queue. If there are no pending events to be reported, this command
does nothing.
No other parameters are supported or documented -- although many are defined in the
source code and have been extracted via reflection. Some of them have experimental
functionality, but should not be used in a production environment.

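The troubleshooting steps above as one script: reset the download cache and the AU policy key, force a new detection with the parameters in the order the text requires, and pull errors from WindowsUpdate.log. This is an added example, not part of the original document; it assumes an elevated session and that, on Windows 10 / Server 2016 and later, the log has to be generated from ETW traces with Get-WindowsUpdateLog first.

```powershell
# Added example (not from the original document): script version of the WSUS client
# troubleshooting steps. Run elevated.
function Reset-WsusClient {
    $AuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $Download = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

    Stop-Service -Name wuauserv -Force
    # Drop the download cache; the agent re-creates the folder on the next detection.
    if (Test-Path $Download) { Remove-Item -Path $Download -Recurse -Force }
    # Delete the AU key. If the settings come from domain Group Policy the key is rebuilt at
    # the next policy refresh, which is forced below; a locally configured client must be
    # reconfigured afterwards because UseWUServer lives in this key.
    if (Test-Path $AuKey) { Remove-Item -Path $AuKey -Recurse -Force }
    Start-Service -Name wuauserv
    gpupdate /target:computer /force

    # /resetauthorization must come first: it expires the targeting cookie (SusClientID and
    # group memberships) so the following detection re-queries the WSUS server.
    wuauclt /resetauthorization /detectnow
    # Flush any pending reporting events to the WSUS server (no-op if there are none).
    wuauclt /reportnow
}

function Get-WindowsUpdateLogErrors {
    # Show the last failing lines of WindowsUpdate.log. Windows 7/8 write the file directly;
    # newer versions need Get-WindowsUpdateLog to build it from the ETW traces.
    $Log = Join-Path $env:SystemRoot 'WindowsUpdate.log'
    if (-not (Test-Path $Log) -and (Get-Command Get-WindowsUpdateLog -ErrorAction SilentlyContinue)) {
        Get-WindowsUpdateLog -LogPath $Log | Out-Null
    }
    # 0x8024xxxx are the Windows Update Agent error codes (e.g. cannot reach the WSUS server).
    Select-String -Path $Log -Pattern 'FATAL|WARNING|0x8024' | Select-Object -Last 20
}

Reset-WsusClient
Get-WindowsUpdateLogErrors
```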