Implement Patch Management Flashcards
WSUS
Windows Server Update Services
Centralizes updates for Microsoft products
Products WSUS maintains updates for
Windows OSes, Exchange, SQL Server, Office, System Center, Windows Defender
Features of WSUS
Automatic download of updates
Administrative control over update approval
Update Rollbacks
Email notification of update progress / status
You can use WSUS to download patches based on ____
Category (service pack, security update, driver)
Product (Windows 2012, Office 2007, etc.)
Language
Microsoft Update versus Windows Update
Microsoft Update includes updates for other products, like Office, Exchange, SQL, etc.
WSUS role prerequisites
IIS
BITS
Internal Database role or SQL Server 2005 or later (locally or remotely available)
.NET Framework 2.0 or later
BITS
Background Intelligent Transfer Service
Uses idle bandwidth to transfer large files over time.
BITS constantly monitors network traffic for any increase or decrease and throttles its own transfers to ensure that other foreground applications (such as a web browser) get the bandwidth they need. BITS also supports resuming transfers in case of disruptions.
zero-day exploitation
code written to take advantage of systems that are not updated. This is written within hours of when MSFT releases the patch.
WSUS vulnerability
Does not target anything but MSFT products
components required for WSUS
WSUS servers (database can be local or remote, IIS), admin console, Windows clients, Group Policy, update binaries and metadata
deployment methods of WSUS
Simple Server Deployment
Multiple Server Deployment
Simple Server Deployment
Single admin group has control over: Updates, Service Packs, Driver Updates, AV Definitions
Why would you have your clients download directly from MSFT servers instead of your WSUS server?
Branch office
bad WAN link, good ISP link
Multiple Server Deployment
Different groups can control different servers, thus impacting different groups of clients.
Alternatively, multiple servers can replicate data from a single master.
WSUS hardware requirements
1.4GHz x64bit (2GHz recommended)
1.5 GB RAM over what the server requires
10GB min free space, 40 recommended
100Mbps network adapter or greater
What permission requirements are there for WSUS?
Dumb gotchas – NT Authority / Network Service account must have full control of:
%windir%\Microsoft.NET\Framework\v4.0….\Temporary ASP.NET files
two different modes of multiple server deployment
Autonomous Mode
Replica Mode
Administration hierarchy for WSUS
One administration team approving updates for downstream
Database requirements for WSUS
SQL Server 2012
SQL Server 2008 R2 SP1
Windows Internal Database (This is included in Windows already)
What port do clients connect to WSUS over?
8530
add-WsusComputer
Adds a specified client computer to a specified target group.
approve-wsusupdate
Approves an update to be applied to clients
deny-wsusupdate
Declines the update for deployment.
get-wsusclassification
Get the list of all Windows Server Update Services (WSUS) classifications currently available in the system.
get-wsuscomputer
Gets the Windows Server Update Services (WSUS) computer object that represents the client computer.
get-wsusproduct
Get the list of all products currently available on Windows Server Update Services (WSUS) by category.
get-wsusserver
Gets the value of the Windows Server Update Services (WSUS) update server object.
get-wsusupdate
Gets the Windows Server Update Services (WSUS) update object with details about the update.
invoke-WsusServerCleanup
Performs the process of cleanup on a specified Windows Server Update Services (WSUS) server.
set-wsusclassification
Sets whether the classifications of updates that Windows Server Update Services (WSUS) synchronizes are enabled or disabled.
set-wsusproduct
Sets whether the product representing the category of updates to synchronize is enabled or disabled.
set-wsusserversynchronization
Sets whether the Windows Server Update Services (WSUS) server synchronizes from Microsoft Update, or an upstream server and the upstream server properties.