Security Basics mailing list archives

RE: Critical/Security Updates as well as other Patch Management


From: "jhargreaves" <jhargreaves () sbcglobal net>
Date: Thu, 13 Mar 2003 11:55:12 -0800

Jason,
        You are correct that SUS has the ability to act as a filter, where
updates are approved on an "internal" server and the clients are re-directed
to the "external" windowsupdate site for the download of the update itself.
        However, SUS also facilitates building an internal infrastructure of
distribution servers which the managed clients can access for approved
update download and installation. One server can be configured as the
interface to Microsoft for the receipt of new updates and this server is the
source of updates for the downstream distribution servers. Each distribution
server can support up to 15,000 clients, according to MS.
        SUS uses a file transfer protocol known as BITS (Background
Intelligent Transfer Service) to deliver the updates (SUS is a pull
technology). BITS is network bandwidth aware and will suppress itself to
avoid impacting the end user when other traffic is detected. It is also
state aware and will continue a download from the point it left off in the
event the client is disconnected from the network or re-booted mid-transfer.
Our testing showed this technology to be effective with both network
connected and dial-up clients. 
        The autoupdate client is self-aware of updates available and those
it needs and will chain multiple updates together and install with just one
re-boot. 
        Downside: it currently only supports Windows 2000 and Windows XP as
clients. It also has fairly weak reporting capabilities (raw IIS log). It
currently only supports critical updates and security rollups (service packs
are in the works I am told).
        From what I've seen of the product (it is free) it can provide
substantial assistance with patch maintenance for many organizations.
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp

Jeff Hargreaves
jharg () sbcglobal net


-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org] 
Sent: Thursday, March 13, 2003 11:38 AM
To: Jed Needle; security-basics () securityfocus com
Subject: RE: Critical/Security Updates as well as other Patch Management


SUS is nothing more than a filter for windowsupdate.com that tells managed
boxes not to allow windowsupdate.com to install anything other than the
subset of updates approved by the SUS administrator.

Each Windows box still uses Windows update directly, so all vulnerabilities
that impact Windows update and the client-side code that talks to
windowsupdate.com are still present when SUS is used.

Jason Coombs
jasonc () science org

-----Original Message-----
From: Jed Needle [mailto:jed () vitel com]
Sent: Tuesday, March 11, 2003 12:24 PM
To: security-basics () securityfocus com
Subject: RE: Critical/Security Updates as well as other Patch Management


On Microsoft platforms there is a patch management util called SUS "software
update service" (I think). Once configured, the server will automatically
download relevant patches; you then point the clients to the SUS server and
push updates to clients that way.

Jed
