Deploying WSUS for Exchange patch management


Brien M. Posey
07.26.2005


This tip originally appeared on SearchExchange.com.

Introduction

We all know that it's important to keep Exchange patched and up to date, but that can be easier said than done. Exchange administrators used to have to either manually apply patches or invest in expensive patching software.

Furthermore, patching Exchange isn't enough. You must also patch the underlying operating system and client machines. At a minimum, this means patching Windows and Outlook.

The good news is that Microsoft has a free utility called Windows Server Update Services (WSUS) that can automate patching for all the products I mentioned above and more. In this article, I will walk you through how to get WSUS up and running.

The prep work

Before you install WSUS, you need to make sure your system is running the Background Intelligent Transfer Service (BITS) 2.0 and the Service Pack 1 version of the .NET Framework.

  1. BITS is a Windows component. You can install it by opening the server's Add/Remove Programs applet and clicking the Add/Remove Windows Components button.

  2. When you see the list of Windows components, select the Application Server option and click the Details button.

  3. Select the Internet Information Server option and click Details. BITS will be one of the installation choices on the resulting component list.

  4. You can download the .NET Framework component from Microsoft here.

  5. After installing BITS and the .NET Framework, you must also install Windows Server 2003 Service Pack 1.

Installing WSUS

  1. Once the prep work is done, run WSUS Setup.

  2. When the installation wizard starts, click Next to bypass the Welcome screen, and then go on to accept the license agreement.

  3. The next screen you will see asks if you want to install updates locally. This screen is referring to the patches that WSUS downloads.

    If you can spare the disk space, it is best to store the patches on the WSUS server rather than downloading them each time they're needed -- but Setup indicates that storing patches locally requires 6 GB of disk space. WSUS doesn't actually download 6 GB worth of patches, but you need to have at least that much space set aside for downloading future patches.

  4. The next screen that you will see asks which type of database you want to use. SQL Server will give you the best performance, but unless you just happen to have a spare SQL Server license or you have a huge organization, SQL Server really isn't necessary. You can choose instead to install the SQL Server Desktop Engine (typically referred to as MSDE). This component is free and included with WSUS, but using it will cost you another 2 GB of disk space.

  5. After selecting your database, you will see a screen asking whether you want IIS to use the default Web site or create a new site. Unless you are using the machine's default Web site for something else, just choose the default Web site option and click Next.

  6. Click Next again to skip the next screen, unless you have a huge organization and need to mirror another WSUS server.

  7. You will now see a screen that displays a summary of the installation options that you have chosen. Click Next one more time and installation will begin.

  8. Click Finish to complete the installation process.

Configuring WSUS

WSUS offers countless options and I don't have the space to talk about all of them. But I will at least explain the minimum configuration necessary to get WSUS up and running.

  1. Begin by going to the WSUS Admin console. To do so, open Internet Explorer and navigate to http://servername/WSUSAdmin.

  2. Next, click the Options button, followed by the Automatic Approval Options link.

    By default, WSUS is configured not to automatically install anything. You can change this by clicking the Add/Remove Classifications buttons in the Approve for Detection and Approve for Installation sections, and then selecting the types of updates that you want to automatically install.

  3. Click the Save Settings link and then click the Home button.

  4. Once you arrive on the console's Home page, click the Get Started by Synchronizing Your Server link.

  5. You will now see a page filled with options pertaining to downloading updates to your server.

    I recommend beginning by selecting the languages for which you want to download patches. After all, there is no reason to download the same patch a dozen different times if you only need one language. I also suggest checking the Products and Update Classifications sections to make sure that the appropriate types of patches will be downloaded.

    You won't see Exchange Server on the list right now, but it will appear later after you synchronize the server. For now, I recommend selecting the Microsoft checkbox in the Products section to ensure that Exchange patches are downloaded.

  6. Finally, set the synchronization schedule and click the Synchronize Now button. The initial synchronization will take a long time because there are numerous patches to download. You can watch the synchronization process from the console's Home page.

Configuring clients

The final step in the process is to point your servers and workstations to the WSUS server you've just configured.

  1. Begin by opening the Group Policy Editor and navigating through your organization's group policy to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.

  2. Double click on Configure Automatic Updates to view the Automatic Update properties sheet.

  3. Select the Enable option. Also, make sure the download and install options and the date and time options are to your liking. Then click OK to continue.

  4. Double click the Specify Intranet Microsoft Update Service Location option.

  5. When the properties sheet appears, select the Enabled option and then enter the URL for your WSUS Server. Assuming that you used the default Web site option during installation, the URL will be http://your server name/. Enter the same URL in the Set Intranet Statistics Server field.
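
Once the policy has refreshed on a client, the settings above can be confirmed from the registry values that Group Policy writes. The script below is an added example, not part of the original tip: it assumes PowerShell is available on the client, and the server URL is a placeholder to replace with the one entered in the policy. The registry value names are the standard Windows Update policy values and do not appear in the article.

```powershell
# Added example, not from the original tip. Save as a .ps1 file and run on a client.
# $ExpectedServer is a placeholder; pass the URL entered in the Group Policy setting.
param([string]$ExpectedServer = 'http://wsus.example.internal')

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy has not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'        # intranet update service location
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'  # intranet statistics server
$useWUServer  = Get-PolicyValue $auKey 'UseWUServer'     # 1 = use the WUServer value
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'    # 1 = Automatic Updates disabled
$auOptions    = Get-PolicyValue $auKey 'AUOptions'       # 2 notify, 3 download, 4 scheduled install

$problems = @()
if (-not $wuServer) {
    $problems += 'WUServer is not set; the intranet update service policy has not applied.'
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    $problems += "WUServer is '$wuServer', expected '$ExpectedServer'."
}
if ($statusServer -ne $wuServer) {
    $problems += "WUStatusServer '$statusServer' does not match WUServer."
}
if ($useWUServer -ne 1) {
    $problems += 'UseWUServer is not 1; the client ignores the WUServer value.'
}
if ($noAutoUpdate -eq 1) {
    $problems += 'NoAutoUpdate is 1; Configure Automatic Updates is disabled.'
}

# Informational: WSUS also supports SSL; over plain http the update metadata is unencrypted.
$transport = if ($wuServer -like 'https://*') { 'https' } elseif ($wuServer) { 'http' } else { 'n/a' }

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    WUServer  = $wuServer
    AUOptions = $auOptions
    Transport = $transport
    Compliant = ($problems.Count -eq 0)
    Problems  = ($problems -join ' ')
}
```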

Conclusion

You just received a crash course in deploying WSUS, which you can use to keep your Exchange organization up to date. Of course, there is a lot more to WSUS than what I have covered in this article. For more information, go here.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

