
Internet Server Technologies

Problem 07:
P.A.T.C.H. it!

1
Problem Statement
The WannaCry ransomware attack is the largest cyber-attack to have occurred in recent years.

The malware encrypts files on victims' systems and demands money for their recovery.

Your boss requires you to get all 500 Windows 10 PCs and 20 servers installed, using an effective method, with the security update released in March, which addresses the vulnerability that these attacks are exploiting on Windows systems.
2
Approaches to Problem Statement

What is the software patch management strategy?

How does the manager assess whether software or an OS needs a patch?
What are the ways to patch software using Windows Server 2016?
What patch management tools are available in Windows Server 2016?

3
Update Management

Update management is the process of controlling the deployment and maintenance of interim software releases into production environments.

It helps administrators to maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of the production environment.

Source: https://technet.microsoft.com/en-us/library/hh852345(v=ws.11).aspx

4
Phases of Update Management

[Figure: update management cycle: 1. Assess, 2. Identify, 3. Evaluate & Plan, 4. Deploy]

Phases of Update Management
Assess
• Inventory existing computing assets.
• Assess security threats and vulnerabilities.
• Determine the best source for information about new software updates.
• Assess the existing software distribution infrastructure.
• Assess operational effectiveness.
Identify
• Discover new software updates.
• Determine whether software updates are relevant.
• Obtain safe and reliable software update source files.
• Categorize the software update as a normal change or an emergency.

6
Phases of Update Management (Cont’d)

Evaluate and Plan
• Determine whether an update deployment is actually required.
• Plan the release of the software update.
• Build the release.
• Conduct acceptance testing of the release.

Deploy
• Prepare for deployment.
• Deploy a software update to targeted computers.
• Review the deployment, post-implementation.

7
Security Bulletins

Source: http://www.microsoft.com/technet/security/bulletinsandadvisories/default.mspx

8
Update Management Tools
• System Center Configuration Manager (SCCM), formerly known as Microsoft Systems Management Server (SMS)
  • Commercial software
  • Besides Patch Management, features include Application Deployment/Asset Tracking and Management
• Windows Update
• Automatic Updates
• Windows Server Update Services (WSUS)
  • Ease the deployment of product updates and patches.
  • Manage the distribution of updates to clients in your environments

9
Windows Server Update Services (WSUS)
• Windows Server Update Services (WSUS) enables system administrators to deploy the latest Microsoft product updates.

• Through WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.

Source: https://technet.microsoft.com/en-us/library/hh852345(v=ws.11).aspx

10
WSUS Deployment Scenarios
(Small-Sized or Simple Network)

Single WSUS Server

Administrators can set up a server running WSUS inside their corporate firewall, which synchronizes content directly with Microsoft Update and distributes updates to client computers

Source: https://technet.microsoft.com/en-us/library/cc708628(v=ws.10).aspx

11
WSUS Deployment Scenarios
(Medium-Sized or More Complex Network)
Multiple Independent WSUS Servers

Administrators can deploy multiple servers that are configured so that each server is managed independently and so that each server synchronizes its content from Microsoft Update

Multiple Internally Synchronized WSUS Servers

Administrators can deploy multiple servers running WSUS that synchronize all content within their organization’s intranet

12
WSUS Deployment Scenarios
(Medium-Sized or More Complex Network)

Disconnected WSUS Servers (Limited or Restricted Internet Connectivity)

If corporate policy or other conditions limit computer access to the Internet, administrators can set up an internal server running WSUS

13
Windows Server Update Services
Software that downloads all critical updates and security patches to servers and client computers as soon as the updates are posted to the Windows Update Web site

[Figure: server running Windows Server Update Services, connected to the Internet and to the LAN; test server; test client computers; Automatic Updates]

14
Windows Updates
What are updates?
Security fixes, critical updates, and critical drivers
Resolve known security vulnerabilities and stability issues
Can also include drivers, feature packs, tools,

Windows Update is an online extension of Windows
Updates Microsoft Windows operating systems, software, and device drivers

New content is added to the site regularly
Notification is sent directly to your desktop

15
Windows Update Settings

• On the WSUS client computer, Windows Update settings are used to check for updates.

• On the WSUS server, WSUS Setup automatically configures IIS to distribute updates to each client computer that contacts the WSUS server.

16
Windows Update Settings
The best way to configure Automatic Updates depends upon your network environment.

In an Active Directory environment, you can use an Active Directory-based Group Policy object (GPO).

You need to create a new Group Policy object (GPO) for WSUS settings, and link the GPO on the domain level.

17
Configuring Automatic Updates via GPO
Automatic Updates can be configured using a GPO to download packages from a server running Windows Server Update Services

This enables the administrator to specify how and when client computers get Windows updates
After the download is complete, a message appears that updates are ready to be installed
• The administrator can choose to install or not
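
One way to confirm on a client that the WSUS GPO described above has actually applied (an added example, not part of the original slides). It reads the standard Windows Update policy registry values and runs locally in Windows PowerShell; the report layout and the helper name Get-PolicyValue are choices made for this example.

```powershell
# Added example: report the Windows Update policy values that a WSUS GPO
# writes to the registry, to check that this client is bound to WSUS.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Meaning of the AUOptions value set by "Configure Automatic Updates".
$auOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$server   = Get-PolicyValue $wuKey 'WUServer'
$auOption = Get-PolicyValue $auKey 'AUOptions'

$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    UseWUServer         = (Get-PolicyValue $auKey 'UseWUServer') -eq 1
    WUServer            = $server      # "Specify intranet Microsoft update service location"
    WUStatusServer      = Get-PolicyValue $wuKey 'WUStatusServer'
    ClientSideTargeting = (Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1
    TargetGroup         = Get-PolicyValue $wuKey 'TargetGroup'
    AutomaticUpdates    = if ($null -ne $auOption) { $auOptionText[[int]$auOption] } else { 'Not configured' }
    # Plain HTTP leaves the update metadata exchange unprotected in transit.
    ServerUsesHttps     = "$server" -like 'https://*'
}
$report | Format-List

if (-not $report.UseWUServer -or -not $report.WUServer) {
    Write-Warning 'WSUS policy not applied: this client will not use the intranet update service.'
}
```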

18
Checking if Update is successful
• Microsoft uses Windows Update Agent to automatically download updates to your client machine.
• Windows 10 contains major changes to Windows Update Agent operations; it no longer allows the manual, selective installation of updates. All updates, regardless of type (including hardware drivers), are downloaded and installed automatically, and users are only given the option to choose whether their system reboots automatically to install updates when the system is inactive, or to be notified to schedule a reboot.
• You can view update history to see the list of updates that have been applied to your client machine
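
The update history mentioned above can also be read from a script through the Windows Update Agent COM API (an added example, not part of the original slides). The KB identifier is a placeholder, because the slides do not name the article; substitute the one that applies to your Windows build.

```powershell
# Added example: list the update history of this machine and check whether
# a given KB article appears in it with a successful result.
$kb = 'KB0000000'   # placeholder, not a real article ID

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()

# ResultCode values of a history entry (OperationResultCode enumeration).
$resultText = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

$history = @()
if ($total -gt 0) {
    $history = @($searcher.QueryHistory(0, $total) | ForEach-Object {
        [pscustomobject]@{
            DateUtc = $_.Date
            Result  = $resultText[[int]$_.ResultCode]
            Title   = $_.Title
        }
    })
}

# The ten most recent entries, newest first.
$history | Sort-Object DateUtc -Descending | Select-Object -First 10 |
    Format-Table -AutoSize

# Entries whose title mentions the KB article being checked.
$hits = @($history | Where-Object { $_.Title -match [regex]::Escape($kb) })
$installed = @($hits | Where-Object { $_.Result -eq 'Succeeded' }).Count -gt 0

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    KB        = $kb
    Attempts  = $hits.Count
    Installed = $installed
}
```

On Windows 10 the fix may arrive inside a later cumulative update, so a missing entry for one specific KB does not by itself mean the machine is unpatched.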

19
UsoClient.exe
• USO stands for Update Session Orchestrator, and it replaces the Windows Update Agent. The Windows Update service client, usoclient.exe, is basically a command used to scan for updates, install updates, or resume updates.

Switch                 Description
StartScan              Used to start scan
StartDownload          Used to start download of patches
StartInstall           Used to install downloaded patches
RefreshSettings        Refresh settings if any changes were made
StartInteractiveScan   May ask for user input and/or open dialogues to show progress
RestartDevice          Restart device to finish installation of updates
ScanInstallWait        Combined scan, download, install
ResumeUpdate           Resume update installation on boot

20
Samples of Lab Work

The next few slides show screenshots of the lab work that should be done.

21
WSUS Configuration Wizard

22
WSUS Configuration Wizard

23
WSUS Configuration Wizard

24
Update Service console

25
Configure Automatic Updates (via GPO)

26
Enable client-side targeting (via GPO)

27
Specify intranet Microsoft update service
location (via GPO)

28
WSUS Admin Website
Use the Windows Server Update Services Web site for:
• Synchronizing and approving content
• Remote administration
• Configuring Windows Server Update Services options
• Monitoring server status and logs

29
How Synchronization Works

[Figure: synchronization between Microsoft Windows Update (Internet) and the Windows Server Update Services server at corporate headquarters, which serves client computers over the LAN. Labels: automatic synchronization; manual synchronization (administrator).]

30
WSUS Reports (validation)
WSUS provides reports containing useful information that allows administrators to validate if updates have been successfully applied.

Administrators can use information from these reports to make decisions and carry out any admin tasks if deemed necessary

31
Possible Solution

You can set up a WSUS server to install the security update released in March, which addresses the vulnerability that these attacks are exploiting on Windows systems, on all 500 Windows 10 PCs and 20 servers.

This allows you to centralize and automate update management.
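
A sketch of that rollout on the WSUS server, following the Evaluate and Deploy phases from earlier (an added example, not part of the original slides). It uses the UpdateServices PowerShell module; the KB number is a placeholder, and the 'Pilot' computer group and the helper Get-GroupSummary are assumptions made for this example.

```powershell
# Added example: approve one update for a pilot group first, then widen the
# approval once the pilot machines report it installed without failures.
Import-Module UpdateServices

$kb         = '0000000'        # placeholder: KB article number, digits only
$pilotGroup = 'Pilot'          # hypothetical group used for acceptance testing
$prodGroup  = 'All Computers'  # built-in WSUS group
$wsus       = Get-WsusServer   # the local WSUS server

# Identify: find the update in the synchronized catalogue.
$updates = @(Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.KnowledgebaseArticles -contains $kb })
if ($updates.Count -eq 0) { throw "KB$kb not found; synchronize the server first." }

# Evaluate and plan: approve for the pilot group only.
$updates | Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup

function Get-GroupSummary {
    param($Update, [string]$GroupName)
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    $s = $Update.GetSummaryForComputerTargetGroup($group)
    [pscustomobject]@{
        Title         = $Update.Title
        Group         = $GroupName
        Installed     = $s.InstalledCount
        PendingReboot = $s.InstalledPendingRebootCount
        Needed        = $s.NotInstalledCount + $s.DownloadedCount
        Failed        = $s.FailedCount
        Unknown       = $s.UnknownCount
    }
}

# Deploy and review: widen the approval only when the pilot is clean.
foreach ($u in $updates) {
    $pilot = Get-GroupSummary -Update $u.Update -GroupName $pilotGroup
    $pilot
    if ($pilot.Failed -eq 0 -and $pilot.Needed -eq 0 -and $pilot.Unknown -eq 0) {
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $prodGroup
    }
}
```

Run it again after the pilot clients have reported back; the production approval is only issued on a run where the pilot summary shows nothing outstanding.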

32
P07: What you learnt today
• Explain the role of Windows Server Update Services (WSUS) that enables administrators to manage and distribute updates
• Manage the distribution of updates that are released through Microsoft Update to computers in a network using GPO
• Configure Group Policy Settings to control how WSUS clients can interact with Windows Update to obtain automatic updates
• Deploy updates with WSUS

33
Road Map
S/No | Key Area | Objective
1 | Server Configuration | Students will learn how to plan, deploy and configure a server (file or print) to fit an organization’s needs. Students will learn common administrative tasks needed on a server.
2 | Server Management | Students will learn how to manage the many servers in an organization. Using directory services and server-side scripting, students will learn how to automate patch management and security policy enforcement.
3 | Specialized Servers | Students will understand the roles of the different specialized (i.e. DHCP, DNS, Web, Email, Compute) servers and how they fit into an organization’s needs. Students will learn how to deploy and manage these dedicated servers.

34
