
Page 1: Delivering Windows OS Updates at Yale with SUS EDUCAUSE Security Professionals Workshop May 17, 2004 Washington DC Ken Hoover, Systems Programmer ken.hoover@yale.edu.

Delivering Windows OS Updates Delivering Windows OS Updates at Yale with SUSat Yale with SUS

EDUCAUSE Security Professionals WorkshopEDUCAUSE Security Professionals Workshop

May 17, 2004May 17, 2004Washington DCWashington DC

Ken Hoover, Systems ProgrammerKen Hoover, Systems [email protected]@yale.edu

Copyright Ken Hoover 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Background and Numbers

~18,000 hosts, est. 75% WinTel (~13.5K)

Mature Active Directory: ~49K users, ~12K computers, 1000+ OUs

Many semi-independent IT groups

We needed a solution that:
• Was open to all managed systems
• Had a convincing case for adoption
• Accommodated all levels of admin ability
• Was easy to implement at the client level
• Didn't look like a takeover to departmental IT
• … and was cheap.


A Look at SUS

Software Update Services (SUS) v1
• One server can deliver updates to a large number of clients
• Client settings managed with Group Policy

Boundary of administration for SUS is the server
• Clients associate with one server
• Admin approves updates
• Servers can be linked


How Yale Implemented SUS

First SUS server went online in October 2003

General scheme of operation:
• SUS @ Yale FAQ posted on web
• Sample GPO provided with functional settings
• SUS admins compare test results on new updates before releasing them
• Notification of client support staff when updates are released

Currently three dominant SUS servers run by large IT groups plus a few "local" ones.

The large servers together have approximately 5,900 clients.


More on Implementation…

Education/adoption push to department-level IT staff

Support groups may use an existing SUS server or set up their own

If someone associates their system with a SUS server, they are implicitly agreeing to live with that server's administrators' judgment on releasing updates.

The reboot "problem"
• If updates are installed automatically, client systems may reboot automatically at the designated time.
• Information provided on how to have specified systems "opt out" of the SUS policy.


SUS Limitations and Workarounds

Cannot approve an update for subsets of client systems

No reporting of client activity, but information can be pulled from IIS logs…
• "SUS Client Status Checker" web site
  • Configured to limit information "leakage" to outsiders
  • amt-sus1.its.yale.edu/check
• Another SUS Reporting Utility
  • www.susserver.com/software/SUSreporting
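The slide above says SUS v1 has no client reporting of its own, but that client activity can be pulled from the IIS logs on the SUS server. The following is an added example, not the Yale status checker or any tool from the deck, of doing that in Python over a constructed W3C extended log: it builds a per-client first/last-contact and error summary and flags hosts that have stopped checking in. The URI prefixes it treats as SUS traffic and the log lines are assumptions/constructed data.

```python
"""Pull SUS client activity out of IIS W3C extended logs (added example,
not code from the presentation or from Yale; sample log lines and the URI
prefixes treated as SUS traffic are constructed/assumed)."""
from datetime import datetime, timedelta

SUS_PREFIXES = ("/autoupdate/", "/selfupdate/", "/content/")  # assumed paths
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-05-10 03:15:02 10.1.2.3 GET /autoupdate/getmanifest.asp - 200 Windows-Update-Agent
2004-05-10 03:15:03 10.1.2.3 GET /content/cabs/example-update.cab - 200 Windows-Update-Agent
2004-05-10 03:20:41 10.1.2.9 GET /selfupdate/AU/x86/wuaucomp.cab - 200 Windows-Update-Agent
2004-05-10 04:00:00 172.16.0.7 GET /default.htm - 200 Mozilla/4.0
2004-05-11 03:14:58 10.1.2.3 GET /autoupdate/getmanifest.asp - 200 Windows-Update-Agent
2004-05-11 03:19:00 10.1.2.9 GET /content/cabs/example-update.cab - 404 Windows-Update-Agent
"""

def parse_w3c(text):
    """Yield one dict per data row, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or a malformed row: skip rather than guess
        yield dict(zip(fields, values))

def sus_client_report(text):
    """Per-client summary of SUS requests: first/last contact, hits, HTTP errors."""
    report = {}
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith(SUS_PREFIXES):
            continue  # browsers hitting the default page are not SUS clients
        seen = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        e = report.setdefault(row["c-ip"], {"first": seen, "last": seen, "hits": 0, "errors": 0})
        e["first"], e["last"] = min(e["first"], seen), max(e["last"], seen)
        e["hits"] += 1
        if int(row["sc-status"]) >= 400:
            e["errors"] += 1  # a client that cannot fetch its cab never patches
    return report

def stale_clients(report, as_of, max_age_days=7):
    """IPs that have not checked in within max_age_days of as_of (ISO date string)."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(ip for ip, e in report.items() if e["last"] < cutoff)
```

Run it against the real log directory on the SUS server (one file per day) by concatenating the files before calling sus_client_report; a client appearing in stale_clients is one whose policy may have been removed or whose machine is off the network.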


SUS 2.0

In beta, currently named "Windows Update Services"

Better tracking, reporting and forced-uninstall capability

Delivery of many more kinds of updates:
• All Windows 2000+ OSs (incl. Datacenter)
• Exchange, SQL Server, Office XP and Office 2003
• Service Packs, SDKs, Tools, Feature Packs
• Drivers

Updates can be targeted to groups of systems

Can't delegate authority over part of the SUS client base to an "untrusted" admin


Closing

Ken Hoover <ken.hoover@yale.edu>

SUS @ Yale Q&A web page (for Yale departmental IT): wss.yale.edu/win2k/sus-information.html

"SUS Client Status Checker": amt-sus1.its.yale.edu/check

Useful SUS information, tools and resources: www.susserver.com