Windows operating system security issues are getting more and more attention. Microsoft releases patches to fix system vulnerabilities at regular intervals, but many users still do not apply these patches in time, which results in significant losses. The problem grows as local area networks grow in size: it is difficult for network administrators to manually install patches on each client. Microsoft Software Update Services can be set up in the LAN so that clients automatically perform regular upgrade operations.
I. SUS Introduction
Microsoft Software Update Services (SUS) is built by a network administrator on a LAN to send Microsoft's latest patches to users. It is divided into two parts: the server side and the client side. It can provide upgrade services for 15 thousand users.
The server (SUS server) is available only in English and Japanese versions, while the client supports 24 languages, including Chinese. SUS server provides upgrade services for Windows 2000 + SP2 and later versions, Windows XP and Windows 2003 systems, but does not support Windows 98 and Windows NT systems.
II. SUS service requirements for hardware and software platforms
Before installing the SUS service, make reasonable planning based on the user situation of the LAN and select an appropriate hardware and software platform for Sus.
1. Server Side
For the server side, Microsoft recommends that the hardware of the server be configured as "CPU with a clock speed above MHz, memory above MB, and hard disk space above 6 GB". If the number of users upgrading within the LAN is small, the hardware configuration requirements can be appropriately reduced.
The software platform of SUS server must be Windows 2000 Server + SP2 or later versions of the operating system or Windows Server 2003, and support for IIS 5, IE 5.5 and later versions is also required.
2. Client
The client has no special requirements on hardware configuration. The software platform only requires Windows 2000 + SP2 and later versions (Windows XP/2003), but does not support Windows 98 and Windows NT.
In addition, for Windows 2000 + SP2 and Windows XP systems, you must first install the SUS client program; for Windows 2000 + SP3 and later versions, Windows XP + SP1 and later versions, and Windows Server 2003, you do not need to install the client. You can directly set it in the Group Policy.
The network administrator can select a software and hardware platform for SUS as needed.
III. Server platform selection
The number of computers in the LAN managed by the author is no more than 70. It is a small LAN organized as a workgroup. I chose a Dell server in the LAN to deploy the SUS service and installed the Windows Server 2003 operating system. All partitions use the NTFS format.
Tip: We recommend that you do not install SUS server on the WWW server. The IIS Lockdown tool is also installed when SUS server is installed. This is software that improves IIS security, but it may cause errors in other IIS services. We recommend that you do not install it.
IV. Server Configuration
Download the SUS server software and run it directly. During installation, select the English version. Use the default settings for other parameters.
Note: The system disk of the SUS server and the hard disk partition that stores the SUS patch files must use the NTFS file system. Otherwise, the installation will fail. The software can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=a7aA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en.
1. SUS server basic parameter settings
You can set the parameters of the SUS server either locally or remotely, and you must have administrator privileges to do so. To set them locally, click "Control Panel > Administrative Tools" and run "Microsoft Software Update Services". To set them remotely, open the IE browser on the remote computer and enter "http://192.168.0.10/susadmin/" in the address bar, where "192.168.0.10" is the IP address of the SUS server, then enter the administrator username and password to log on to the SUS Server Management window.
In the left column of the Management window, click the "Set options" item under the "Other Options" menu to set the basic parameters of the SUS server.
① Set the firewall parameters under "select a proxy server configuration". We recommend keeping the default, "automatically detect Proxy Server Settings". You can also customize the settings for your local area network by entering the IP address and port number of the firewall in the "use the following proxy server to access the Internet" text box.
Then, in the "specify the name your clients use to locate this update server" field in the middle, enter a name for the SUS server, such as "tjrao", so that client computers can locate the SUS server and upgrade through it.
In the "select which server to synchronize content from" field, set the source of the synchronized patch content. If you want to synchronize with Microsoft's upgrade server, select "Synchronize directly from the Microsoft Windows Update servers". If you want to synchronize with another SUS server in the network, select "Synchronize from a local software update services server" and enter the name or IP address of the target SUS server in the input box.
② Set how patches are released under "select how you want to handle new versions of previously approved updates". We recommend that you select "do not automatically approve new versions of approved updates ......". The administrator then tests each patch and releases it manually to LAN users, which avoids conflicts between some patches and the programs that users run.
The "select where you want to store updates" option sets how patches are saved. We recommend that you select "Save the updates to a local folder" here, so that you download only the patches you need.
Finally, click "Apply" to save the parameter settings.
2. Synchronization of the SUS Server
After the parameters of the SUS server are set, you can synchronize the server. In the management window, click "Synchronize server", and then click "Synchronize now" in the right column to start synchronization. However, due to network speed restrictions, this process takes a lot of time.
We recommend that you use automatic synchronization: click "synchronization schedule", select "synchronization using this Schedule" in the dialog box that appears, and set the synchronization date and time. We recommend that you synchronize every morning (Figure 1).
Figure 1
3. Release of patches
After the SUS server synchronization is complete, you can release patches to users. Click "approve updates" in the left column of the Management window. The downloaded patches are listed in the right pane. First, the network administrator installs these patches on a few computers for testing. If the test is normal, select the check box in front of the patch name, click "approve" in the lower right corner, and accept the patch's End User License Agreement to complete the release.
V. Client Configuration
After configuring the server, you must configure the clients to use the upgrade service provided by the SUS server. There are two kinds of configuration environment: the workgroup environment and the domain environment. This article focuses on a small LAN organized as a workgroup, so it only covers configuration in the workgroup environment (the domain environment configuration is more appropriate for a large LAN). In the workgroup environment, you need to configure each client computer separately. Although this method is laborious, it is a good solution for a LAN with a small number of machines.
1. Install SUS client software
Whether a LAN user needs to install the SUS client software depends on the operating system used by the client and the installed system patches. Users who use Windows 2000 + SP2 and Windows XP must install the SUS client software. Users who use Windows 2000 + SP3, Windows XP + SP1, and Windows Server 2003 do not need to install the software, because these systems have a built-in SUS client program.
If the client needs the SUS client program, download the SUS client software from http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp. After the installation is complete, you can configure the client.
2. SUS client settings
① On the client computer, click Start > Run, enter gpedit.msc in the dialog box to open the Group Policy Editor, right-click "Administrative Templates" under "Computer Configuration", and select "Add/Remove Templates". In the dialog box that appears, add the "wuau.adm" file from the "C:\windows\inf" directory (taking Windows XP as an example, with the system installed on the C drive).
② Under "Administrative Templates", click "Windows Components > Windows Update". The right column shows two "Windows Update" policies: "Configure Automatic Updates" and "Specify intranet Microsoft update service location".
Double-click the "Configure Automatic Updates" policy to open its Properties dialog box (Figure 2), where you can set the update time and processing method. The default value is "Not configured". Select "Enabled", select "4 - Auto download and schedule the install" in the "Configure automatic updating" drop-down list, choose the appropriate day and time in the "Scheduled install day" and "Scheduled install time" fields as needed, and click "OK" to save the settings.
Figure 2
Open the Properties dialog box (Figure 3) of the "Specify intranet Microsoft update service location" policy, select the "Enabled" option, and then specify the location of the SUS server in the input box below. You can use the name or the IP address of the SUS server. For example, enter "http://192.168.0.10" or "http://tjrao" in the input box, and click "OK".
Figure 3
The configuration of one client is now complete, and the network administrator needs to make the same settings on each client in the LAN. After all the configurations are completed, each client automatically connects to the specified SUS server to check for updates, and the system is upgraded according to the preset settings. Note that all upgrade operations are performed automatically in the background.
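
Because every workgroup client is configured by hand, it is worth checking that each one really ended up with the same settings. The two policies above are stored under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so the following added example (not part of the original article) audits the text of a `reg export` of that key. The function names, the sample exports and the schedule (every day at 03:00) are assumptions made for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def parse_reg(text):
    """Parse `reg export` text into {key_path_lower: {value_name: int | str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)   # REG_DWORD, hex digits
            elif raw.startswith('"'):
                current[name] = raw.strip('"')     # REG_SZ
    return keys

def audit_client(text, sus_url, day, hour):
    """Return a list of findings; an empty list means the client matches the plan."""
    keys = parse_reg(text)
    wu = keys.get(BASE.lower(), {})
    au = keys.get((BASE + r"\AU").lower(), {})
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        if str(wu.get(name, "")).rstrip("/").lower() != sus_url.lower():
            findings.append(f"{name} is {wu.get(name)!r}, expected {sus_url!r}")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1, so the WUServer value is ignored")
    if au.get("AUOptions") != 4:
        findings.append(f"AUOptions is {au.get('AUOptions')!r}, expected 4")
    if (au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")) != (day, hour):
        findings.append("scheduled install day/time differs from the plan")
    return findings

# Constructed sample exports (not taken from a real machine).
GOOD = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://192.168.0.10"
"WUStatusServer"="http://192.168.0.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''
BAD = GOOD.replace('"UseWUServer"=dword:00000001', '"UseWUServer"=dword:00000000')
```

A real export file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing its text to `audit_client`. A ScheduledInstallDay of 0 means every day, and 1 to 7 mean Sunday to Saturday.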