SWOCA TSS ACADEMY Implementing Patch Management and Systems Monitoring on Windows Server 2012.


UPDATE MANAGEMENT

Install and Configure Windows Server Update Services on Windows 2012

TYPES OF UPDATES - HOTFIX

A single update that fixes a single issue.

Normally released in Microsoft’s monthly update cycle. Some critical and security updates are released out of band of the schedule if needed.

Some hotfixes are not generally released. Microsoft may require that a support call be initiated to verify your issue or a web form be filled out before it can be downloaded. After verification, MS sends an email with a link to the specific hotfix.

Hotfixes can be combined for a product like Internet Explorer or the .NET Framework. These are cumulative updates.

TYPES OF UPDATES – SERVICE PACKS

A Service Pack (SP) is an update that combines all previous updates.

It will include security and performance improvements

Support for new hardware

New software features

A version demarcation point for the software. Windows Server 2008 R2 is considered different than Windows Server 2008 R1 SP1.

A Service Pack installation can be required for other software and feature installations.

CLASSIFICATION OF MICROSOFT UPDATES

Important Updates: Improved security, privacy, reliability. Should be installed as soon as they become available and would be installed automatically if the computer is set to Install Updates Automatically.

Recommended Updates: Address non-critical problems or enhance computer experience.

Optional Updates: updates, newer hardware drivers and new software from Microsoft.

Security Updates: Address an identified security vulnerability. They are rated for severity and are described in detail in Microsoft’s monthly security bulletin.

Critical Updates: Address critical but non-security related bugs in the operating system.

MICROSOFT UPDATE CYCLE

Microsoft releases monthly updates for all of their software.

Security Bulletins and descriptions of each hotfix are provided on the Microsoft Security TechCenter. Email and RSS alerts are available.

In North America, the update release is scheduled on the second Tuesday, known as ‘Patch Tuesday’.

Patches can be added to Microsoft’s Update servers on any day.

MICROSOFT SECURITY ADVISORIES AND BULLETINS

MICROSOFT SECURITY BULLETIN

Released monthly – describes each hotfix that will be released for the month.

History of all Security Advisories

Sign up for Microsoft Technical Security Notifications

http://technet.microsoft.com/en-us/security/dd252948

Options: WWW, Email, RSS Basic, Comprehensive, Advisories

Microsoft Security Response Center Blog http://blogs.technet.com/b/msrc/ WWW, RSS

PATCH INSTALLATION OPTIONS

Windows / Automatic Updates

• Windows updates are set for manual or scheduled installation of updates.

• Updates are pulled down per machine, directly from the MS update servers.

• Changing from ‘Windows Update’ to ‘Microsoft Update’ allows other Microsoft applications to be patched through the service.

• Ideal for many small organizations.

• Each machine must have internet access.

Windows Server Update Services (WSUS)

• Centrally manage updates.

• Choose which to install for which groups of servers.

• Free - Runs as a Server Role.

• Can download updates directly from the Internet or from another WSUS server.

Microsoft Systems Center Configuration Manager (SCCM)

• Not Free – Fully featured Microsoft operating system management platform.

WINDOWS UPDATE – GROUP POLICY

Group Policy is a feature within the Microsoft Windows Server products that allows administrators to centrally manage and configure the operating systems, applications, and user settings in an Active Directory (AD) environment.

Group Policy Objects (GPO), linked to Organizational Units (OU), can be set to control the behavior of Windows / Automatic Update on target systems. http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx

Through GPO, administrators can configure different update settings for different types of machines.

WINDOWS & AUTOMATIC UPDATE

Windows XP / Windows Server 2003

Windows Update Website – Use Internet Explorer to manually scan, choose and install updates ad hoc.

Automatic Updates – In the Control Panel, schedulable options exist for:

• Download and install updates automatically

• Download but do not install updates automatically

• Notify, but do not download or install updates

• Turn off Automatic Updates altogether

WINDOWS & AUTOMATIC UPDATE

Windows Server 2008 – 2012 R2, Windows 7-8.1

Windows Update can be found in two places:

• Control Panel \ System and Security \ Windows Update

• Administrative Tools \ Server Manager \ Windows Update

WINDOWS UPDATE – CHANGE SETTINGS

WINDOWS UPDATE - VIEW UPDATE HISTORY

PROGRAMS & FEATURES – INSTALLED UPDATES

CONFIGURE UPDATES VIA GROUP POLICY

Reference: Configure Automatic Updates via Group Policies: http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx

Open Server Manager. Tools > Group Policy Management

In Group Policy Management console, right click on Group Policy Objects > New

Title the New GPO, choose (none) in Source Starter GPO

In the Group Policy Management Editor window that opens, expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Configure the options desired, close the Group Policy Management Editor

Link the created Group Policy Object. In Group Policy Management Console, Select an OU, right click, Link an Existing GPO. Choose your GPO and click OK

VERIFYING GPO WINDOWS UPDATE SETTINGS

GPResult /R

Displays the Group Policy Objects that are configured for the target computer and logged in user account. http://technet.microsoft.com/en-us/library/cc733160.aspx

GPUpdate /force

Refreshes Group Policy Objects for the logged in user account and computer. Processes new, removed and edited Group Policy Objects. http://technet.microsoft.com/en-us/library/hh852337.aspx

WINDOWS SERVER UPDATE SERVICES

INSTALLING WSUS - REQUIREMENTS

Windows Server 2003 +

Internet Information Services (IIS) 6.0 +

Microsoft .NET Framework 2.0 +

Microsoft Management Console (MMC) 3.0

Microsoft Report Viewer Redistributable 2008 +

SQL Server 2005 SP2 Express +, Windows Internal Database

100 GB of disk space for WSUS, database, and updates.

Internet access for Autonomous WSUS servers

INSTALLING WINDOWS SERVER UPDATE SERVICES

Create a folder to house the downloaded updates. This disk should have plenty of free space on it. It can be a remote share.

Open Server Manager. Manage > Add Roles and Features. Before you Begin page – Next.

Role-based or feature-based installation

Select a server from the server pool.

Select Windows Server Update Services from the server roles.

Add Features that are required for the WSUS role

In Select Role Services, choose WSUS Server. Select WID Database if you will use the Windows Internal Database option or, Select Database if you will use a version of SQL Server. Choose the location to store the updates. Next through the IIS pages, Install.

CONFIGURE WSUS – POST INSTALLATION

Open Server Manager > Tools > Windows Server Update Services

Complete WSUS Installation dialog appears. Choose the folder created earlier to store your updates. This process creates your configuration database and folders. Close the dialog when complete.

The Windows Server Update Services Configuration Wizard begins.

WSUS CONFIGURATION WIZARD – BEFORE YOU BEGIN

WSUS CONFIGURATION WIZARD – MICROSOFT IMPROVEMENT PROGRAM

WSUS CONFIGURATION WIZARD – CHOOSE UPSTREAM SERVER

WSUS CONFIGURATION WIZARD – SPECIFY PROXY SERVER

WSUS CONFIGURATION WIZARD – CONNECT TO UPSTREAM SERVER

WSUS CONFIGURATION WIZARD – CHOOSE LANGUAGES

WSUS CONFIGURATION WIZARD – CHOOSE PRODUCTS

WSUS CONFIGURATION WIZARD – CHOOSE CLASSIFICATIONS

WSUS CONFIGURATION WIZARD – SET SYNC SCHEDULE

WSUS CONFIGURATION WIZARD – FINISHED INITIAL CONFIGURATION OF YOUR SERVER

WSUS CONFIGURATION WIZARD – WHAT’S NEXT
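The installation and wizard steps above can also be scripted with the UpdateServices PowerShell module. This is an added example, not part of the original presentation; the content folder D:\WSUS, the English-only language choice, the product and classification selections, and the 03:00 sync time are assumptions to adjust.

```powershell
# Added example (not from the original slides). Paths and selections are assumptions.
$contentDir = 'D:\WSUS'                       # assumed folder for downloaded updates
New-Item -Path $contentDir -ItemType Directory -Force | Out-Null

# WSUS role with the Windows Internal Database (WID) and the management console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-installation: creates the configuration database and content folders.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$contentDir"

$wsus = Get-WsusServer                        # the local WSUS server

# Choose Upstream Server: synchronize from Microsoft Update.
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU | Out-Null

# Choose Languages: English only instead of every language.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# Connect to Upstream Server: fetch the product and classification catalogue.
$sub = $wsus.GetSubscription()
$sub.StartSynchronizationForCategoryOnly()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 10 }

# Choose Products: clear the defaults, then enable only what is deployed.
Get-WsusProduct -UpdateServer $wsus | Set-WsusProduct -Disable
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows Server 2012' } |
    Set-WsusProduct

# Choose Classifications: Critical and Security Updates only.
Get-WsusClassification -UpdateServer $wsus | Set-WsusClassification -Disable
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# Set Sync Schedule: once a day at 03:00 (the time of day is stored as UTC).
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$sub.NumberOfSynchronizationsPerDay = 1
$sub.Save()
```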

CONFIGURING WSUS COMPUTERS

WSUS COMPUTER GROUPS

Computer groups are created to organize your computers in a way to determine which computers get which updates at what time.

Computers are typically organized by the way you want updates to be installed, e.g. test, production, clustered, or manual updates only.

Two methods exist for populating Computer Groups within WSUS:

• Server-side targeting – the administrator manually moves computers from group to group.

• Client-side targeting – the administrator assigns computers to their groups via Group Policy, which modifies the registry of the target machine.

CLIENT-SIDE TARGETING

Client side targeting allows for the most flexibility in automating the configuration of WSUS clients. It is the preferred method for computers that are a member of a Windows Active Directory domain.

To enable client side targeting within WSUS, open the WSUS MMC console. Choose Options > Computers and choose Use Group Policy or registry settings on computers.

To enable client side targeting on clients: Open Server Manager on a computer with Group Policy Management installed.

Tools > Group Policy Management > ‘Your Domain’ > Group Policy Objects > New... Type in a name to create the new GPO. Find that GPO, right-click and choose Edit.

Computer configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Enable Client-side Extensions, Enable Specify intranet Microsoft update services location.

Choose other options as desired.
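To confirm on a client that the Windows Update GPO has applied (after GPUpdate /force), read the policy values it writes to the registry. This is an added example, not part of the original presentation; the findings wording and the check for an http:// server URL are additions, and the registry value names are the standard Windows Update policy values.

```powershell
# Added example (not from the original slides): report the Windows Update
# policy that Group Policy has written to this client's registry.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WUServer           = Get-PolicyValue $wuKey 'WUServer'            # intranet update service
    WUStatusServer     = Get-PolicyValue $wuKey 'WUStatusServer'      # intranet statistics server
    UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'         # 1 = use WUServer
    TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'  # 1 = client-side targeting
    TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'         # WSUS computer group name
    AUOptions          = Get-PolicyValue $auKey 'AUOptions'           # 2-5, Automatic Updates mode
}
$report | Format-List

# Flag the misconfigurations that leave a client unmanaged or in the wrong group.
$findings = @()
if (-not $report.WUServer) {
    $findings += 'No intranet update service location set; the GPO has not applied.'
}
if ($report.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1; the client will not use the WSUS server.'
}
if ($report.TargetGroupEnabled -ne 1) {
    $findings += 'Client-side targeting is not enabled; group membership is set on the server.'
}
elseif (-not $report.TargetGroup) {
    $findings += 'Client-side targeting is enabled but no target group name is set.'
}
if ($report.WUServer -like 'http://*') {
    $findings += 'WUServer uses http://; traffic to the WSUS server is not protected by TLS.'
}

if ($findings.Count -eq 0) { 'Windows Update policy looks consistent.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```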

APPROVING UPDATES

Besides the actions configured within Group Policy, all updates must be approved by an administrator. Approving the updates makes them available to clients when they check in with WSUS.

Open the WSUS Console. Expand Updates > All Updates. In middle pane, Approval: Unapproved. Status: Any.

Releases can be sorted through the field headers.

Select the updates you wish to approve. Right-click on the selection, choose Approve. For updates that you do not want to ever be installed, choose Decline.

Right-click on the Computer Group(s) for which you wish to approve the updates. Inheritance can be set by choosing Apply to children. A Deadline (for installation) can also be set. This will force the installation before the Deadline date.

Approving the Updates for Install, Removal or Not Approved for a set of computers within a Computer Group.
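The same approval workflow from PowerShell, approving for a test group before production. This is an added example, not part of the original presentation; the computer group name 'Test' and the rule of skipping superseded updates are assumptions.

```powershell
# Added example (not from the original slides). 'Test' is an assumed WSUS
# computer group that must already exist on the server.
Import-Module UpdateServices
$wsus      = Get-WsusServer
$testGroup = 'Test'

# Same filter as the console view: Approval = Unapproved, Status = Any.
$unapproved = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any

# Review what is waiting before approving anything.
$unapproved |
    Select-Object @{ n = 'Title';    e = { $_.Update.Title } },
                  @{ n = 'Released'; e = { $_.Update.CreationDate } },
                  Classification, ComputersNeedingThisUpdate |
    Sort-Object Released -Descending |
    Format-Table -AutoSize

# Candidates: needed by at least one computer and not superseded by a newer
# update (assumed rule; adjust to local policy).
$toApprove = $unapproved | Where-Object {
    $_.ComputersNeedingThisUpdate -gt 0 -and -not $_.Update.IsSuperseded
}

# Dry run first: -WhatIf lists what would be approved without changing WSUS.
$toApprove | Approve-WsusUpdate -Action Install -TargetGroupName $testGroup -WhatIf

# After reviewing the dry run, approve for the test group only:
# $toApprove | Approve-WsusUpdate -Action Install -TargetGroupName $testGroup

# Updates that should never be installed are declined instead:
# $unapproved | Where-Object { $_.Update.IsSuperseded } | Deny-WsusUpdate
```

Once the test group has installed the updates cleanly, repeat the approval with the production group name.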

VIEWING REPORTS

To view reports, Microsoft .NET Framework 2.0 and the Microsoft Report Viewer 2008 Redistributable packages must be installed on the computer running the WSUS MMC.

To view Reports, open the WSUS MMC, Expand Reports. Reports are available by Updates and by Computer Groups.

Reports can be saved in Excel and PDF formats and printed.

TROUBLESHOOTING

Application Event Log – Includes Update Synchronization, WSUS (general), WSUS database errors.

C:\Program Files\Update Services\LogFiles\Change.txt – Records every update installation, synchronization, and WSUS configuration change

C:\Program Files\Update Services\LogFiles\softwareDistribution.txt – detailed log used by MS support if they need to see debug information.

MONITORING SERVERS

Finding ways within the native operating system to let you know what is going on and correct them.

SERVICES CONSOLE

Most Windows Server programs are installed as Services. Services are executables launched when the operating system starts or when another program needs them to function. Some services require other services to operate and vice versa.

Because these Services are critical to your normal operating state, it would be nice to know when they are having an issue.

The Recovery tab of the Service has options to alert and correct a service when it fails.

Run Program allows custom programs or PowerShell scripts to run if a service fails.

EVENT VIEWER

The Event Viewer MMC snap-in enables you to browse and manage the Event Logs created by the OS and programs installed on the computer.

Event Viewer assembles the OS’ System, Security, Application and Setup logs as well as application or Role specific logs in one location.

Because so much information is collected, it is sometimes useful to Filter the data and create Custom Views.

Event Viewer enables you to:

• View events from multiple event logs

• Save useful event filters

• Schedule a task to be run in response to an event

• Create and manage event subscriptions

EVENT VIEWER – FILTER EVENTS

• Each Event Log can contain thousands of entries.

• Events can be sorted by the column headers, but when that fails or takes too long, right-click on an Event Log and choose Filter Current Log.

• Logs can be filtered by Event Level, Time it was logged, Event Sources, Keywords, Task Category, User and Computer that was related to the Event.

EVENT VIEWER - CUSTOM VIEWS

• Some Custom Views are created when Server Roles and applications are installed.

• They read and filter the Event Logs and gather Events that pertain to the Role or application.

• The Administrative Events View contains Critical, Error and Warnings from all logs.

• Administrators can create their own Custom Views (Custom Views > Right-click > New Custom View).

• Custom Views can be further modified by adjusting their filters.

• Custom Views can be saved for viewing, exported and imported to other computers.

EVENT VIEWER – EVENT SUBSCRIPTIONS

Event Subscriptions allow an administrator to gather relevant events from multiple computers to a central location.

Event Subscriptions require that Windows Remote Management (Server Manager > Windows Remote Management > Enabled) be enabled and the Windows Event Collector Service to be running and configured to automatically start with the computer.

Events can be filtered.

There are two ways to gather Subscribed events:

Collector Initiated:

• The Collector computer polls the target computers’ Event Logs for information and gathers the events.

• Only works for Domain joined computers, which are selected individually.

Source Computer Initiated:

• The forwarding computer contacts the collection computer.

• Works for domain and non-domain computers.

• Non-domain joined computers require certificate authentication.

Events are gathered in Forwarded Events.

EVENT VIEWER – ATTACHING TASKS

• Sometimes an administrator would like to be notified or have an action taken (or both) when an event is generated. If so, Attach a Task to an event.

• Attaching a Task uses the Scheduled Tasks wizard, using the Event generation as the Trigger.

• The Wizard will ask you for a Name for the Task, populate the Trigger with the Event being generated and give the options for Actions.

• Start a program, preferably a PowerShell script, is the preferred Action to take. Send an Email and Display a Message (pop-up on the server console) are being deprecated.
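Filtering an event log and attaching a task to an event can both be done from PowerShell with one XPath filter. This is an added example, not part of the original presentation; it uses the Service Control Manager events for unexpected service termination, and the task name and script path are hypothetical.

```powershell
# Added example (not from the original slides). The task name and script path
# are hypothetical; the event IDs are the Service Control Manager events for
# a service that terminated unexpectedly (7031, 7034).
$xpath = "*[System[Provider[@Name='Service Control Manager'] and (EventID=7031 or EventID=7034)]]"

# 1. Filter: preview what the query matches in the System log before alerting
#    on it. This is the same kind of filter as Filter Current Log > XML.
Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 2. Attach a task: run a notification script whenever a matching event is logged.
#    The script path has no spaces, so it needs no nested quoting.
$taskName = 'Alert-ServiceFailure'                      # hypothetical task name
$script   = 'C:\Scripts\Notify-ServiceFailure.ps1'      # hypothetical script
$action   = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $script"

# The task runs as SYSTEM, so the script and its folder must be writable only
# by administrators; anyone who can edit the file gains SYSTEM execution.
schtasks.exe /Create /TN $taskName /SC ONEVENT /EC System /MO $xpath /TR $action /RU SYSTEM /F

# 3. Verify the trigger and action that were registered.
schtasks.exe /Query /TN $taskName /V /FO LIST
```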