WSUS: a solution for the Update Management Process
15/04/2017 3:54 AM
Workshop sul Calcolo e Reti dell'INFN, Otranto (Le), 6-9 June 2006
Francesca Del Corso - INFN, Firenze Section
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

The Update Management Process
1. Assessment of your environment
   A. Baseline the system
   B. Assess the infrastructure and configuration
   C. Identify critical assets
   D. Inventory the clients
2. Identification of new vulnerabilities
   A. Identify new patches
   B. Determine their relevance
   C. Verify the authenticity and integrity of the patches
3. Evaluation and planning
   A. Approve patch distribution
   B. Evaluate and test the patches
   C. Plan the releases
4. Distribution of updates
   A. Distribute and install the patches
   B. Analyze the reports
   C. Handle exceptions
   D. Review the distribution process
Process cycle: 1. Assessment, 2. Identification, 3. Evaluation and planning, 4. Release

Update Management solutions
User type / Scenario / Choice
- Home user: Microsoft/Office Update
- Small-to-medium section: no Windows server; 1 to 3 servers, 1-3 system administrators: MBSA, WSUS
- Large section: patch management solution with a basic level of control that updates the latest OS versions; single patch management solution with a high degree of control over updates and software distribution: SMS

Microsoft/Windows Update
(Diagram label: Microsoft Update Service)
- The user goes to the Microsoft/Windows Update icon and selects 'Scan for updates'
- Client-side code in the browser validates the MU server and downloads the catalog metadata
- That code uses the metadata to identify the missing updates
- The user selects the missing updates
- The client downloads, validates and installs the updates, then updates the history

Automatic Update
(Diagram label: Microsoft Update Service)
- AU contacts the Microsoft Update service for new updates every 17-22 hours
- AU validates the MU server and downloads the Download Catalog metadata
- AU uses the metadata to identify the missing updates
- AU notifies the user or automatically downloads the updates using BITS
- AU notifies the user or automatically installs the updates
- AU updates the history and the statistics information

Windows Server Update Services

WSUS architecture
Diagram labels: Windows Update, WSUS, Internet, Microsoft Update, Firewall, Database, Automatic Update Clients

WSUS requirements
WSUS client (Automatic Update software):
- Windows 2000 SP3 and later
- Windows XP and later
- Windows Server 2003
WSUS server:
- Windows 2000 SP4 and later
- Prerequisites: IIS 6.0, BITS 2.0, MS .NET Framework 1.1 service pack for Windows Server 2003
- Migration (not an update!) from SUS 1.0 to WSUS
- WSUSutil.exe in WSUSInstallationDrive:\ProgramFiles\UpdateServices\Tools
- http://WSUSInstallationServer:8530/WSUSAdmin/

WSUS features
- Granular control over which updates to apply and download; more control over the upgrade process
- Introduction of groups; update approval customized per group
- Export/import of data and updates on media
- API to extend and customize the package as needed
- BITS 2.0: improved bandwidth usage, resumption of interrupted synchronizations
- Improved reporting
- UI in Italian

Update types
- Critical Updates #
- Drivers
- Feature Packs
- Security Updates #
- Service Packs
- Tools
- Updates (non-critical, non-security)
- Update Rollups
# = automatically approved for detection
Third-party software such as Acrobat Reader and Firefox is not patched.

Supported products
- Windows XP (32, 64 bit)
- Windows Server 2003 (all editions, 32 and 64 bit)
- Windows 2000 (all editions)
- Applications:
  - Office 2002/2003/XP (Project, Visio, etc.)
  - SQL Server
  - Exchange Server 2003
All products are supported in different languages.

WSUS - Hardware requirements
Up to 500 clients (minimum / recommended):
- CPU: 750 MHz / 1 GHz or higher
- RAM: 512 MB / 1 GB
- Database: WMSDE/MSDE
From 500 to 15,000 clients (minimum / recommended):
- CPU: 1 GHz or higher / dual processor (for more than 10,000 clients) at 3 GHz or higher
- RAM: 1 GB
- Database: WMSDE/SQL Server 2000 with SP3a / WMSDE/SQL Server 2000 with Service Pack 3a

WSUS client settings
Client in a workgroup:
- Local Computer Policy (gpedit.msc) under Computer Configuration / Administrative Templates / Windows Components / Windows Update (template c:\windows\inf\wuau.adm)
- Regedit.exe:
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
- Script wsus.reg
- C:\> gpupdate /force
- C:\> wuauclt.exe /detectnow
Client in an AD domain:
- Group Policy Object at domain or OU level

wsus.reg:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http://wsus"
    "WUStatusServer"="http://wsus"
    "ElevateNonAdmins"=dword:00000000
    "TargetGroup"="INFN-FI"
    "TargetGroupEnabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000000
    "AUOptions"=dword:00000004
    "AutoInstallMinorUpdate"=dword:00000001
    "DetectionFrequencyEnabled"=dword:00000001
    "DetectionFrequency"=dword:00000004
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
    "RebootRelaunchTimeout"=dword:000005A0
    "RebootRelaunchTimeoutEnabled"=dword:00000001
    "RebootWarningTimeout"=dword:0000001e
    "RebootWarningTimeoutEnabled"=dword:00000001
    "RescheduleWaitTimeEnabled"=dword:00000001
    "RescheduleWaitTime"=dword:0000001e
    "ScheduledInstallDay"=dword:00000000
    "ScheduledInstallTime"=dword:00000010
    "UseWUServer"=dword:00000001
    "LastWaitTimeout"=-
    "DetectionStartTime"=-

WSUS - Home page

WSUS: Updates

WSUS: Reports

WSUS: Reports - Update status

WSUS: Reports - Computer status

WSUS: computer status

WSUS: synchronization results

WSUS - Computers

WSUS - Options

WSUS: Synchronization options

WSUS: Automatic approval options

WSUS Tools
- WSUS Client Diagnostic Tool (ClientDiag.exe)
- WSUS Server Debug Tool (WsusDebugTool.exe)
- Check WSUS (Check_WSUS_1.05.04.1.vbs)

WSUS Client Diagnostic Tool
ClientDiag.exe [/t]
    /? -? = Help
    /t -t = Print to file

WSUS Server Debug Tool
WsusDebugTool [/OutputCab:<value>] /Tool:<value>
Values for /Tool:<value>:
- ResetAnchors
- PurgeUnneededFiles
- ResetForegroundDownload
- GetBitsStatus
- GetConfiguration
- GetLogs
- SetForegroundDownload

Check WSUS
Check_WSUS_1.05.04.1.vbs
Verifies the AU settings:
- WSUS server name
- WSUS status server
- TargetGroup
- Options consistent with the GPO
- Auto-install mode

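The checks listed on the Check WSUS slide, applied to the policy values shown on the WSUS client settings slide, as an added PowerShell example (it is not the Check_WSUS_1.05.04.1.vbs script and not part of the original slides). It only reads the registry; the helper name Get-PolicyValue and the wording of the findings are assumptions of this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example, not the Check_WSUS script: read-only audit of the AU policy values.
$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Key, [string]$Name) {   # hypothetical helper
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: policy not set
    return $item.$Name
}

$auModes = @{
    2 = 'notify before download'
    3 = 'automatic download, notify before install'
    4 = 'automatic download, scheduled install'
    5 = 'local administrator chooses the mode'
}

$server  = Get-PolicyValue $wu 'WUServer'
$status  = Get-PolicyValue $wu 'WUStatusServer'
$group   = Get-PolicyValue $wu 'TargetGroup'
$useWsus = Get-PolicyValue $au 'UseWUServer'
$options = Get-PolicyValue $au 'AUOptions'

$findings = @()
if ($useWsus -ne 1) { $findings += 'UseWUServer is not 1, so WUServer is ignored.' }
if (-not $server) {
    $findings += 'WUServer is not set.'
} elseif ($server -ne $status) {
    $findings += 'WUServer and WUStatusServer differ.'
}
if ($server -and $server -notlike 'https://*') {
    $findings += 'WUServer is not https://: traffic to WSUS is not protected by TLS.'
}
if ((Get-PolicyValue $wu 'ElevateNonAdmins') -eq 1) {
    $findings += 'ElevateNonAdmins is 1: non-administrators can approve updates.'
}
if ((Get-PolicyValue $wu 'TargetGroupEnabled') -eq 1 -and -not $group) {
    $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty.'
}
if ((Get-PolicyValue $au 'NoAutoUpdate') -eq 1) {
    $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled.'
}

[pscustomobject]@{
    WUServer     = $server
    StatusServer = $status
    TargetGroup  = $group
    InstallMode  = $auModes[[int]$options]
    DetectHours  = Get-PolicyValue $au 'DetectionFrequency'
    InstallHour  = Get-PolicyValue $au 'ScheduledInstallTime'
    Findings     = $findings
}
```

On a client that carries exactly the wsus.reg values from the client settings slide, the dword values decode to a 4-hour detection interval and a 16:00 scheduled install, and the only finding is the http:// server URL.
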
Performance optimization
- Download the updates in express mode
- Use a dedicated machine for WSUS
Diagram (MU, WSUS, client; express enabled vs. express disabled): ~300MB, ~30MB, ~100MB

Production environment at the INFN Firenze section

Architecture
Diagram labels: Internet, Microsoft Update, WSUS Server (Upstream Server), WSUS Server (Downstream Server), WSUS-TEST, INFN-FI, GGI, PORTATILI

WSUS client in the AD domain
- GPO at domain or OU level via gpmc.msc
- Local Group Policy object in Group Policy Object Editor

The data
Machines managed by the WSUS Upstream Server:
- INFN-FI: 25 clients
- Portatili (laptops): 2
- WSUS-TEST: 3 (1 MS Win XP SP2, 1 MS Vista, 1 MS Srv 2003)
Machines managed by the WSUS Downstream Server:
- GGI: 28 clients, 1 server
All machines in the AD domains are managed by WSUS.
TO DO: configure AU through WSUS for the machines that are in workgroups (there are many!)

Work proposals
- Investigate WSUS issues: http://blogs.technet.com/WSUS
- Alternative full-patch management systems

WSUS documentation
- Microsoft Windows Server Update Services Overview: http://go.microsoft.com/fwlink/?LinkID=42213
- Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services: http://go.microsoft.com/fwlink/?LinkID=41774
- Deploying Microsoft Windows Server Update Services: http://go.microsoft.com/fwlink/?linkid=41777
- Windows Update Agent Software Developer's Kit: http://go.microsoft.com/fwlink/?LinkID=43101
WSUS communities
- http://www.microsoft.com/wsus
- http://www.wsuswiki.com