
Posts Tagged ‘windows’

Product Review: Using the EminentWare WSUS Extension Pack

January 9th, 2011

I’ve always been a huge fan of using Microsoft Windows Server Update Services (WSUS) in the enterprise. It’s free and it’s the best way to effectively ensure that your workstations are up to date and secure. With the modern prevalence of client-side attacks there aren’t many things more important than keeping client computers secure as they can provide a perfect entry point for attackers into your network.
Although WSUS is great, it lacks quite a bit of functionality that it could benefit from. I’ve written a few articles about WSUS here and there and I’ve cited some of these shortcomings that include a weak management interface, a lackluster reporting system, and an inability to easily troubleshoot misbehaving clients. That being the case I’m always looking for enhancements to WSUS, and I’ve found one I really like from the folks at EminentWare who’ve asked me to review their software. Overall, I was really happy with the product and I have no qualms about recommending it to my sysadmin friends. In the interest of full disclosure I have to add that EminentWare is a paid advertiser on my site, but that in no way has any effect on my opinion of their product in this review.

The Basics

The WSUS Extension Pack adds quite a few useful features to a WSUS deployment. EminentWare released a list of the top 10 reasons you need their product, which can be found at http://www.eminentware.com/wsus-patch-management-extension.html. Some of my personal favorites include:

  • Create your own packages to deploy any MSI, MSP, or EXE through WSUS
  • Configure pre and post install implementation steps such as stopping/starting services, manipulating files, and running custom scripts.
  • Discover rogue, unauthorized, or improperly configured machines.

That being said, the product has quite a bit to offer. EminentWare touts the Extension Pack by stating:

EminentWare’s WSUS Extension Pack extends the capabilities of your existing WSUS infrastructure, offering a powerful solution for deploying, managing, and reporting on updates, applications, and configuration settings throughout your IT environment. EminentWare’s WSUS Extension Pack adds key IT management functionality to your existing WSUS installations, allowing you to leverage existing technology to create a more flexible, more powerful enterprise patch management and configuration management solution that is extremely cost-effective.

Let’s take a deeper look at the extension pack.

Installation

As you would expect, EminentWare supports all of the major Microsoft server distributions so you can install it on any OS that you would install WSUS on. The website where the software can be downloaded provides great resources for installation including a quick start guide and a short video that highlights the important parts from the guide. I skipped through the video quickly and perused the guide a bit before performing the install which seemed like it would be pretty intuitive.
The install itself went through without a hitch. Using the Express Installation option, the installer guided me through the process of installing prerequisites, creating a SQL instance, and creating a service account. The actual installation was just a few mouse clicks and less than ten minutes of waiting time. No reboots were required, which earns bonus points for me when we are talking about installations on servers.
After installation and activating my license I was presented with a series of wizards used to configure the WSUS infrastructure. The first wizard caused me a bit of trouble as it wouldn’t automatically find my domain, but I was able to enter its information in manually and proceed forward.


Figure 1: Defining the WSUS server during the initial configuration

After adding domain credentials for the product the installation was completed.

Management and Features

The management screen is built as an MMC so Microsoft sysadmins will feel comfortable working within its borders. The overall look and feel is very similar to that of the standard WSUS administration snap-in which I consider a plus. The expansion pack has more features than I ever knew I wanted, so I want to hit on a few of the ones that really struck my fancy.

Group Policy Management

I love group policy, but it’s not the easiest to use or the most user friendly. One of the parts I disliked the most about traditional WSUS setup is having to deal with the uncertainty that is group policy. The expansion pack provides a front end to the group policy settings related to WSUS so you don’t have to waste time digging around in GPOs. You can configure the local and remote policy settings for Windows updates and even refresh group policy remotely.

Status Bars and Reporting

This one may sound a little lame, but the biggest pet peeve I’ve ever had with WSUS is its lack of progress bars and status reporting for the tasks you perform. Whether it be installing an update, refreshing policy, or remotely rebooting a computer the expansion pack adds usable, reliable status reporting of tasks.


Figure 2: The detection task provides a robust status display

Wake on LAN

This one is pretty self explanatory. If you need to apply a critical security update to a computer that is turned off at a remote site fifty miles away then WOL is your life saver. The expansion pack provides a simple and easy to use interface for utilizing this. Anything that saves me this kind of time is alright in my book.

Credential Ring

I harp on software vendors all the time because they tend to force you to create a service account for their product, make you give it domain admin rights, and use it for everything related to that software. The EminentWare guys really got this one right with their concept of a credential ring. This allows you to create service accounts with different levels of domain access and assign them to specific devices and device groupings. This way, you can specify site, department, or OU based administrative accounts rather than having yet another service account sitting there with the keys to the castle. I wish more software companies would do something like this!


Figure 3: Using the credential manager to specify credentials for particular devices

Reporting

Creating reports isn’t fun but it’s often the only way an IT department can bring things to a managerial level to justify their results and expenses. The expansion pack provides a great deal of needed flexibility in reporting that was able to handle just about everything I could ever think of having a need to report. In some cases this alone could justify the cost of the software.

Device Discovery

The discovery option lets you specify an IP range or subnet that can be scanned for hosts. The results of this scan can be used to find new computers on your network that are not receiving updates or rogue devices that shouldn’t be there. This comes in handy with large networks where it’s hard to keep a handle on new devices or ones that get formatted/imaged often.

Third Party Updates

The ability to use WSUS to deploy third party updates is perhaps the most powerful aspect of the expansion pack. The framework Microsoft has built for deploying software to devices is so robust and effective that it would only make sense that you should be able to use it for the deployment of other updates. Using this feature you can configure updates for products such as Acrobat Reader, Flash, Quicktime, Firefox, Java, and more. Once again, as a highly security conscious individual this feature is worth its weight in gold and I can’t speak highly enough about it. One of the guys at EminentWare demo’d this for me and I was blown away; even more so when I did it myself.

Conclusion

I’ve reviewed a lot of products over my years as a systems administrator and network security analyst. At this time, I’ve never reviewed a product that I’ve loved as much as the EminentWare Extension Pack. WSUS is beautiful, but this product takes it to a whole new level. If I were to give it a rating I would give it a perfect five out of five. The expansion pack is the only thing like this in the market (that I’m aware of) and it is just so wonderfully done. The developers clearly talked to system administrators and found out what they thought was missing from WSUS in order to fill the void and then some. I’d probably buy the software just based upon the third party updates feature alone, but with the added administration and management features it takes the cake. Simply put, if you manage a Windows network of any reasonable size you need WSUS and you NEED the EminentWare Extension Pack.

September Windows Security Articles

September 23rd, 2009

Howdy Folks,

 

I wanted to take a moment and link a pair of recent articles I’ve written for WindowsSecurity.com.

September 2nd – Securing Application Execution with Microsoft AppLocker

September 23rd – Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8

Enjoy!


WindowsSecurity.com Article on Securing Terminal Services

June 1st, 2009

The great folks over at the TechGenix website WindowsSecurity.com have published my article on Locking Down Windows Server 2008 Terminal Services. This article is a fairly detailed list of things you can do to make sure your Terminal Server infrastructure is more secure.

You can view the article here:

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html

Top 10 Security Settings to Change After Installing AD

May 20th, 2008

Derek Melber wrote a great little article about the top ten security settings to make directly after installing Active Directory. I’d recommend all of these. Our server guys here actually have a very similar procedure they follow when creating a new network.

Read the full article here.

WSUS Clients Not Connecting

May 18th, 2008

I write a lot about WSUS because I think it is a necessity for any network with Windows servers or clients. It is typically pretty easy to set up but occasionally you will run into some issues. Out of all of the WSUS issues I hear about and directly experience (and trust me, I manage a LOT of WSUS servers) the most common problem I hear is when the computers in a network simply don’t connect to the WSUS server.

Here are a few items which are the most typical causes of this problem:

Lack of Patience

This is the number one overall issue I see. WSUS is built upon a technology that is by no means instant. It takes some time for updates to download, it takes some time for Group Policy Objects to apply, and it takes some time for computers to report in to WSUS in general. That being the case, if you have just installed WSUS and are looking at this article two hours later because computers aren’t reporting in, then you most likely haven’t waited long enough. I generally tell people to wait as long as two days after installing WSUS to start looking into why individual clients aren’t reporting.

Group Policy Issues

One of the simpler problems is that either the Group Policy Object for configuring the automatic update service is not being applied or it is misconfigured. At a minimum, your GPO should be configured so that it points the automatic update service to download from the WSUS server. Make sure you don’t have any typos in this path.

You can make sure that your GPO is being applied to the computer in question by typing GPRESULT into a command prompt on one of the machines in question. Remember, the Group Policy setting for configuring automatic updates is to be applied to computer objects, not users.
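The check described above can also be made directly against the registry values the WSUS policy writes on the client. This is an added example, not part of the original post; it assumes PowerShell 4.0 or later on the client (for Test-NetConnection), and the function name Test-WsusClientPolicy is hypothetical.

```powershell
# Added example (not from the original post). Run on the client that is not reporting in.
# The WSUS Group Policy settings land in these registry locations on the computer.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Test-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    $problems = @()

    if (-not $wu -or -not $wu.WUServer) {
        # No policy value at all: the GPO is not applied to this computer object.
        $problems += 'WUServer is not set: the WSUS GPO is not reaching this computer.'
    } else {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $uri   = $null
            $value = [string]$wu.$name
            $ok    = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)
            if (-not $ok -or $uri.Scheme -notin 'http', 'https') {
                # Catches typos such as a missing scheme or a stray character.
                $problems += "$name is not a valid http(s) URL: '$value'"
            } elseif (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
                $problems += "$name host $($uri.Host) is not reachable on port $($uri.Port)"
            }
        }
        if ($au.UseWUServer -ne 1) {
            # Without this flag the client ignores WUServer and goes to Microsoft Update.
            $problems += 'UseWUServer is not 1, so the configured WSUS server is ignored.'
        }
    }

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Problems       = $problems
    }
}

Test-WsusClientPolicy | Format-List
```

An empty Problems list means the policy is applied and the server answers on its port, so the cause lies elsewhere.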

Client Requirements

WSUS clients must be Windows 2000 SP3, Windows XP, or Windows Server 2003 in order to take advantage of WSUS. I’ve seen lots of cases where someone would tell me a bunch of their workstations weren’t reporting in and updating only to find out they were Windows 2000 SP2 or something like that.

Imaged/Cloned Computers

In some networks most if not all of the workstations were deployed with system images via Acronis, Ghost, or some similar program. If that’s the case, there is a good chance that the WSUS ID, a unique identifier found in the registry of every computer on your network, was not regenerated. These WSUS IDs are generated based upon the SID of a computer. If you configured your image so that it would generate a new SID upon pasting then you likely won’t have this problem, but this step is commonly forgotten. The WSUS ID is stored in these three registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId

In order to generate a new WSUS ID, you will need to delete these keys on the client machine in question. After doing this, restart the Automatic Update service and run the command “wuauclt.exe /resetauthorization /detectnow”. You should see the computer in the WSUS console shortly after that.

This process may seem a bit too manual when you have to perform it on multiple computers, so there is a VB script that can automate this a bit. You can download this script here: http://www.vbshf.com/vbshf/forum/forums/thread-view.asp?tid=199&start=1. You can simply download this script and perform the aforementioned steps remotely by just entering the computer name.
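The reset steps described above, together with a check for cloned machines that share one ID, as an added PowerShell example. It is not the VB script linked above and not part of the original post; it assumes PowerShell 3.0 or later and an elevated session, and the function names and the inventory format (objects with ComputerName and SusClientId) are hypothetical.

```powershell
# Added example (not the author's script). Run elevated on the affected client.
$wuKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$idValues = 'AccountDomainSid', 'PingID', 'SusClientId'

function Get-WsusClientId {
    # Returns the current SusClientId, or $null if the value does not exist.
    (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).SusClientId
}

function Find-DuplicateWsusId {
    # Groups an inventory by SusClientId; any group larger than one is a set of
    # cloned machines that WSUS sees as a single client.
    param([Parameter(Mandatory)] [object[]] $Inventory)
    $Inventory | Group-Object -Property SusClientId |
        Where-Object { $_.Name -and $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = $_.Group.ComputerName -join ', '
            }
        }
}

function Reset-WsusClientId {
    $old = Get-WsusClientId
    # Step 1: delete the three identity values listed in the post.
    foreach ($name in $idValues) {
        Remove-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue
    }
    # Step 2: restart the Automatic Updates service.
    Restart-Service -Name wuauserv
    # Step 3: request a new authorization and an immediate detection cycle.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
    # The client regenerates the ID asynchronously; poll for up to 60 seconds.
    for ($i = 0; $i -lt 12 -and -not (Get-WsusClientId); $i++) { Start-Sleep -Seconds 5 }
    [pscustomobject]@{ OldId = $old; NewId = Get-WsusClientId }
}

# Constructed sample inventory: WS-001 and WS-002 came from the same image.
$sample = @(
    [pscustomobject]@{ ComputerName = 'WS-001'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'WS-002'; SusClientId = '11111111-aaaa-4bbb-8ccc-000000000001' }
    [pscustomobject]@{ ComputerName = 'WS-003'; SusClientId = '22222222-aaaa-4bbb-8ccc-000000000002' }
)
Find-DuplicateWsusId -Inventory $sample
```

Reset-WsusClientId is only defined here, not called; run it on each machine the duplicate check reports and confirm that NewId differs from OldId.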

This covers a few of the most common reasons clients don’t report in. Obviously, there is no way to cover every possible avenue, but hopefully this will eliminate some of the more common possibilities. As always, I respond to direct WSUS questions via e-mail. Also, the WSUS forums over at http://www.wsus.info/ are a great community driven resource for figuring out issues like this.

Proactive Security: Using Read-Only Domain Controllers

March 21st, 2008

One of the new features in Windows Server 2008 that is getting the most attention is the introduction of the Read-Only Domain Controller (RODC).

If you manage a network that utilizes more than one domain controller then you are aware of Active Directory’s multimaster replication structure. In this architecture, any change made to Active Directory on any domain controller is replicated to all of the others. This has made administration a breeze in the past since administrators could make a change at any remote site and have it reflected on all of the domain controllers in the network.

The problem here arises with the threat of a security breach. Managing network and physical security at remote office locations has always been a challenge. If an intruder with malicious intentions gained access to an organization’s domain controller at a branch office, he/she could easily destroy the whole Active Directory infrastructure throughout the ENTIRE organization.

Microsoft has addressed this issue with the development of an RODC. An RODC is designed for branch offices where the network conditions require a local source of authentication but a lack of physical security monitoring and localized administration makes placing a domain controller a security risk. The RODC only allows for one-way replication. That means Active Directory information can be replicated to it from another domain controller, but it may not replicate information to any other domain controllers.

With an RODC deployed at a branch office, an individual with malicious intentions cannot make modifications to the Active Directory infrastructure, therefore alleviating the security risks we have mentioned.

You can deploy an RODC by simply choosing the appropriate option when running the dcpromo utility during domain controller promotion.