Delivering Windows OS Updates at Yale with SUS EDUCAUSE Security Professionals Workshop May 17, 2004...
Delivering Windows OS Updates at Yale with SUS
EDUCAUSE Security Professionals Workshop
May 17, 2004
Washington DC
Ken Hoover, Systems Programmer
[email protected]
Copyright Ken Hoover 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Background and Numbers
• ~18,000 hosts, est. 75% WinTel (~13.5K)
• Mature Active Directory
  • ~49K users, ~12K computers, 1000+ OU’s
• Many semi-independent IT groups
• We needed a solution that:
  • Was open to all managed systems
  • Had a convincing case for adoption
  • Accommodated all levels of admin ability
  • Was easy to implement at the client level
  • Didn’t look like a takeover to departmental IT
  • … and was cheap.

A Look at SUS
• Software Update Services (SUS) v1
  • One server can deliver updates to a large number of clients
  • Client settings managed with Group Policy
• Boundary of administration for SUS is the server
  • Clients associate with one server
  • Admin approves updates
  • Servers can be linked

How Yale Implemented SUS
• First SUS server went online in October 2003
• General scheme of operation:
  • SUS @ Yale FAQ posted on web
  • Sample GPO provided with functional settings
  • SUS admins compare test results on new updates before releasing them
  • Notification of client support staff when updates are released
• Currently three dominant SUS servers run by large IT groups plus a few “local” ones.
• The large servers together have approximately 5,900 clients.

More on Implementation…
• Education/adoption push to department-level IT staff
• Support groups may use an existing SUS server or set up their own
• If someone associates their system with a SUS server, they are implicitly agreeing to live with that server’s administrators’ judgment on releasing updates.
• The reboot “problem”
  • If updates are installed automatically, client systems may reboot automatically at the designated time.
  • Information provided on how to have specified systems “opt out” of the SUS policy.

SUS Limitations and Workarounds
• Cannot approve an update for subsets of client systems
• No reporting of client activity, but information can be pulled from IIS logs…
  • “SUS Client Status Checker” web site
    • Configured to limit information “leakage” to outsiders
    • amt-sus1.its.yale.edu/check
  • Another SUS Reporting Utility
    • www.susserver.com/software/SUSreporting
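
The slide above notes that SUS v1 has no client reporting but that activity can be pulled from the server's IIS logs. The Python below is an added example, not Yale's status checker or any tool named in the deck: it reads IIS W3C extended logs and lists clients that have not made a successful request recently. The `/example-sus/` URI prefix, the IP addresses and the log lines are constructed placeholders; substitute the path your SUS clients actually request.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format; IPs and the URI are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-05-10 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-10 03:01:12 10.0.0.11 GET /example-sus/check 200
2004-05-10 03:04:40 10.0.0.12 GET /example-sus/check 200
2004-05-10 09:15:02 10.0.0.99 GET /favicon.ico 404
#Fields: date time c-ip cs-uri-stem sc-status
2004-05-16 03:02:30 10.0.0.11 /example-sus/check 200
2004-05-16 03:07:51 10.0.0.13 /example-sus/check 500
"""

def last_contact(lines, uri_prefix):
    """Map client IP -> datetime of its last successful request under uri_prefix."""
    fields, seen = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS may re-emit this directive with a different column set
            # after a restart or config change, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        try:
            when = datetime.strptime(row["date"] + " " + row["time"],
                                     "%Y-%m-%d %H:%M:%S")
            ip, uri, status = row["c-ip"], row["cs-uri-stem"], int(row["sc-status"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line, or a column we need is not logged
        if uri.lower().startswith(uri_prefix.lower()) and 200 <= status < 400:
            if ip not in seen or when > seen[ip]:
                seen[ip] = when
    return seen

def stale_clients(seen, now, max_age_days):
    """Clients whose last successful contact is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(ip for ip, when in seen.items() if when < cutoff)

if __name__ == "__main__":
    seen = last_contact(SAMPLE_LOG.splitlines(), "/example-sus/")
    for ip in stale_clients(seen, datetime(2004, 5, 17), 3):
        print(ip, "last seen", seen[ip])
```

IIS writes W3C log times in UTC, and `c-ip` identifies an address rather than a machine, so DHCP or NAT can merge or split clients in this report.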

SUS 2.0
• In beta, currently named “Windows Update Services”
• Better tracking, reporting and forced-uninstall capability
• Delivery of many more kinds of updates
  • All Windows 2000+ OS’s (incl. Datacenter)
  • Exchange, SQL Server, Office XP and Office 2003
  • Service Packs, SDK’s, Tools, Feature Packs
  • Drivers
• Updates can be targeted to groups of systems
• Can’t delegate authority over part of the SUS client base to an “untrusted” admin

Closing
Ken Hoover
<[email protected]>
• SUS @ Yale Q&A web page (for Yale departmental IT): wss.yale.edu/win2k/sus-information.html
• “SUS Client Status Checker”: amt-sus1.its.yale.edu/check
• Useful SUS information, tools and resources: www.susserver.com