There are few things I love more than getting something for “free” and having it turn out to be valuable. That’s certainly true with Microsoft’s latest attempt at easing patch management pain, WSUS (Windows Server Update Services).
WSUS is a marked improvement over the earlier Software Update Services. Instead of just providing so-called “critical and security” patches for Internet Explorer, Outlook Express, and Windows, WSUS allows support teams to maintain an internal host that provides the same content available through Microsoft’s Office Update and Windows Update support sites. WSUS even goes one better by including patches and updates for applications such as Exchange 2000/2003 and SQL Server 2000.
WSUS also contains notable improvements in its management and reporting capabilities. WSUS admins can now group WSUS clients — which can be desktops, laptops or servers — as desired and apply patches to each group on a priority basis, or merely flag the device as requiring a patch without installing it. Installation deadlines can also now be set. New reports allow line support staff and managers a client-based or patch-based view of devices needing attention, while the WSUS server’s management page presents a top-down look at server activity and, more importantly, which clients need attention.
These enhancements would constitute a major overhaul by themselves but there’s more. WSUS adds support for SSL-based communications between clients and the WSUS server, although this requires an en masse implementation of PKI. WSUS also can manage the removal of patches — at least when that’s possible.
Whether WSUS is truly free is debatable. After all, there’s still the cost of hardware and a client access licence for a Windows server OS from either the 2000 or 2003 vintages. With Microsoft having matured Windows 2000 support, one might ask what the point was in supporting the obsolescent OS.
The hardware requirements for WSUS aren’t terribly stringent: a server with a 1GHz CPU and 1GB of RAM can comfortably support more than 500 clients. Dual 3GHz processors are recommended when supporting more than 10,000 clients. Nevertheless, I’d recommend throwing the best machine one can afford at the job because a minimal server is slow to respond during management operations. Because WSUS servers can be clustered and tiered, WSUS scales across even the largest enterprise.
Setting up WSUS isn’t terribly difficult. I started with a machine running Windows Server 2003 and made sure it had the IIS Web Server package installed. The WSUS installer includes a run-time version of MSDE 2000 (Microsoft SQL Server 2000 Desktop Engine) for Windows Server 2003 as a repository manager. One can also configure WSUS to store its data on another machine running SQL Server 2000.
If one has — as I did — a current SUS installation, the new WSUS server can import content from the SUS box to save time and speed up the installation. Because WSUS can support a wider array of applications, however, there will still be data to download from Microsoft, especially if the whole enchilada of patches, driver updates and service packs is selected for distribution.
Once the WSUS server is up and running, the WSUS admin chooses whether to classify WSUS clients through group policy or manually through the WSUS console.
Although WSUS is not a comprehensive solution to patch management, it will prove a significant help for companies that stick to Microsoft products and mainstream desktop hardware. Even shops large enough to justify using Microsoft Systems Management Server and similar products may find that WSUS is a good solution in cases where remote sites are simply too difficult to manage using the heavyweight tools currently available.