WSUS Implementation Plan

NSF401 Security Management Practices Sept. 23r ! 200" WSUS #eam $ocumentation Pro%i e &y' Jerry Freeman, Justin Fisher, Tim Rose and Mary Miley

1.

Overview
This Implementation plan states the terms of the best use and practices when administering the WSUS server. This plan will also establish a guideline for recommended controls and safeguards to maintain the quality assurance of the WSUS server to better support BS S!"s mission.

#.#

$urpose
This plan will act as a reference for administrators to ensure they follow best practices on optimi%ing the security& resource usage and set up of Windows Server Update Service.

#.'

Scope This plan will apply to the S! WSUS server and the team overseeing its distribution of updates across the BS S! networ( to client systems.

2.

)pproach
The following summari%es how to set up& manage and maintain the best performance out of the WSUS server.

'.#

WSUS Setup
When possible& the WSUS networ( should be configured with the least number of tiers to reduce latency in downloading updates. *oaming clients that do not connect to the local intranet should be configured to retrieve updates from the internet facing the WSUS server. +ore information on ordering for roaming clients configuration can be found in the& WSUS $eployment (ui e (http://go.microsoft.com/f lin!/"#in!$d%1&'(&2).

'.'

*esource Usage
In order to best conserve resources it is important the server uploads the metadata as it synchroni%es updates.

Then downloading update files only after the update has been approved. *egular use of the ,leanup Wi%ard will help (eep unwanted updates to a minimum. Separate WSUS servers can be implemented for networ(s with different sets of +icrosoft products to limit the product updates on the networ(. ,lic( Options& clic( )utomatic )pprovals& clic( the )dvanced tab& and then clic( )utomatically decline updates when a new revision causes them to e-pire. Otherwise these will need to be declined manually on a periodic basis.

'..

WSUS Security
I$sec should be used to secure traffic over the networ( for WSUS connections. Otherwise SS/ can be used on all systems that download updates via the internet. The WSUS server should be secured behind a firewall allowing access only to the domains needed by the WSUS. WSUS should not have more file and folder permissions that is required to operate. WSUS )dministrators should be able to perform any tas( needed but have a second group set up for WSUS reporters with read0only access.

'.1

*ecommendations
,onfigure email notifications for when updates become available. This will help in scheduling deployment in advance. ,lient computers should be able to immediately patch updates that do not require a system restart. When deploying large updates use BITS throttling& IIS throttling and targeting to control the rollout.

&.

Implementation Schedule
Task to Perform Date of Task Duration Initia l

Confirm OS is installed and updated to current Service Pack 2eploy WSUS Choose a WSUS Management style 2etermine what database software to use Determine where to store Updates Install WSUS ..3 S$' Server ,onfigure etwor( 4 $ro-y Server 4 !irewall Settings Install e!uired Software IIS "#$ % #&'( framework )#$

SOU*,5S ,IT52 6+I,*OSO!T WSUS 25$/O7+5 T 8UI259& ) UT:O* ; ) IT) T)7/O* http://www.microsoft.com/downloads/details.aspx?FamilyID=22395ab !923"!"eff! b9fd!"#f$52"59aa2%displaylan&=en 6+I,*OSO!T WSUS O$5*)TIO S +) U)/ 9& ) UT:O* ; ) IT) T)7/O* http://www.microsoft.com/downloads/details.aspx?FamilyID=22395ab !923"!"eff! b9fd!"#f$52"59aa2%displaylan&=en