RE: Windows SUS

[Lee Seidman <lseidman () yahoo com>]

Once SUS is properly configured (and approval has been
granted to various necessary patches), the GPO is the
only thing that must be configured to point the
workstations to the proper local SUS server.

The only factor we had to worry about in my
organization is the reboot issue:

1) If certain patches required rebooting, users get 5
minutes before it automatically reboots their
computers.  This would be okay if users weren't in any
critical applications and happened to walk away from
their computers during the reboot process

2) If a user never reboots his/her computer (e.g.,
just leaves it logged on and "locked" overnight), the
machine never refreshes and hence, is not deemed
prepared for the next set of updates that come down
from the SUS server

We alleviated this problem by configuring SUS so
workstations do not automatically reboot after patches
are applied, using the SHUTDOWN.EXE command from the
Windows Server Resource Kit, and writing a batch file
that automatically reboots any computer that happened
to be left in "locked" mode overnight.  This seems to
keep users from becoming agitated from any
disruptions...

- Lee


--- Joe DeMarco <demarcoj () comcast net> wrote:
> Additional question regarding SUS. Is there anything
> special (i.e..
> Software) that needs to be loaded onto the client or
> does the GPO just
> push the updates automatically when scheduled?
>
> Joseph DeMarco
> IS Specialist
> 800-852-6088 ext 102
> www.thefirestore.com
> www.officerstore.com
>
>
> -----Original Message-----
> From: Josh Mills [mailto:JMills () cnbwaco com] 
> Sent: Wednesday, April 28, 2004 7:18 PM
> To: Raoul Armfield;
> security-basics () securityfocus com
> Subject: RE: Windows SUS
>
>
> I have looked into this and as far as i know there
> is no way to make
> this work. I think they may be working on it for
> version 2 but i think
> that got pushed back *again* to late summer now.
>
> You can look in the content directory i think and it
> will have all the
> patches that it has downloaded so if you know a
> machine is missing a
> patch you can just go there and get it but otherwise
> it is scheduled
> only.
>
> -----Original Message-----
> From: Raoul Armfield [mailto:armfield () amnh org]
> Sent: Wednesday, April 28, 2004 12:49 PM
> To: security-basics () securityfocus com
> Subject: Windows SUS
>
>
> Hi all,
>
> We are setting up a SUS server here at our site.  We
> have been able to
> get several machines to get their updates from it as
> opposed to directly
> from the microsoft site.
>
> My question is this, is there a way to set up SUS so
> that you can use a
> browser to connect to http://susserver.mydomain.com
> and be able to have
> it scan the machine and then download the needed
> updates, ala
> windowsupdate.microsoft.com?
>
> My googling has not turned up anything todate. maybe
> someone has
> developed something like this already and is willing
> to share?
>
>
> TIA
>
> Raoul 
------------------------------------------------------------------------
> ---
> Ethical Hacking at the InfoSec Institute. Mention
> this ad and get $545
> off 
> any course! All of our class sizes are guaranteed to
> be 10 students or
> less 
> to facilitate one-on-one interaction with one of our
> expert instructors.
>
> Attend a course taught by an expert instructor with
> years of
> in-the-field 
> pen testing experience in our state of the art
> hacking lab. Master the
> skills 
> of an Ethical Hacker to better assess the security
> of your organization.
>
> Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
------------------------------------------------------------------------
> ----
------------------------------------------------------------------------
> ---
> Ethical Hacking at the InfoSec Institute. Mention
> this ad and get $545
> off 
> any course! All of our class sizes are guaranteed to
> be 10 students or
> less 
> to facilitate one-on-one interaction with one of our
> expert instructors.
>
> Attend a course taught by an expert instructor with
> years of
> in-the-field 
> pen testing experience in our state of the art
> hacking lab. Master the
> skills 
> of an Ethical Hacker to better assess the security
> of your organization.
>
> Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
------------------------------------------------------------------------
> ----
---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention
> this ad and get $545 off 
> any course! All of our class sizes are guaranteed to
> be 10 students or less 
> to facilitate one-on-one interaction with one of our
> expert instructors. 
> Attend a course taught by an expert instructor with
> years of in-the-field 
> pen testing experience in our state of the art
> hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security
> of your organization. 
> Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
----------------------------------------------------------------------------
>


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------