Everybody knows about free Windows System Update Service/WSUS. But i feel this service needs some extra explanations, recommendations for newbie sysadmins.
At first why do you need it? – briefly: for security and to fix software glitches. Proper and in time hotfixing/patching has paramount importance for security (maybe even more important than to have weak antivirus, IDS/IPS, firewall and other standard protection measures, which also should be regularly updated) If your health is bad or even if you are close to die then just screening from hackers will not help you. The weaker you are the more expensive protection, the better immunity the less efforts to withstand threats. It’s pain to see how somebody spends kilobucks for boxed robust professional security solutions to avoid routine, but basic unavoidable tasks – one of which is WSUS or similar. Without immunity you die even from slightest cough buying expensive medicine. The software patching is the immunity for IT body. Who neglects this rule eventually regrets.
Why not to use default update mechanism – directly from Microsoft Update – when you have more than 10-15 computers it’s too slow and time-consuming to download from internet at work time the same patches 10-15 times instead of once for WSUS at night time (proxy caching of dynamic content is not effective for a such volumes). Moreover using WSUS you control what update to allow/approve, what to block, you control where pushed updates not installed and so on. By default only MS Windows and MS Office updates are downloaded/installed, but WSUS can download and deploy updates for Windows/Office/SQL/Exchange/Lync/SC and other Microsoft products, classifications.
OK, if nobody denies the need of WSUS, then some recommendations:
- Reduce (it means remove from IT infrastructure unnecessary version/editions) as much as possible the number of systems which you are going to protect (to hotfix and monitor patching). It means that you better reduce number of OS to one workstation OS edition and one server OS version, and only one MS Office version. The same for versions of Adobe Reader, archiver, antivirus and so on, but unfortunately they are not patched by WSUS – but the main principle is the same. As a result less size for WSUS DB, less efforts to troubleshoot hotfixing/patching conflicts, less attack surface. Anyway standardized and shortlisted authorized software list is mandatory for large companies.
- Better NOT download upgrades, only updates. Everybody knows how big and slow upgrades from win7/win8 to win10, and even migrations between different builds of windows 10. Such sudden upgrade is not what you expect to happen automatically (sometime downtime is for half working day).
- Segment your workstations and servers – don’t update all of them at the same time – if there is some conflict of new patch with LineOfBusiness application and so on – better dose volume of problems/issues.
- And obvious – schedule sync for night time as early as possible – then by working time sync will finish and Internet bandwidth will not deteriorate. (on slow internet lines it’s better to enable new product categories/classifications in WSUS on Friday evening)
- don’t install WSUS on VM with expensive speedy SAS/SSD disks, better on cheap mirrored/or even not mirrored and even on cheap desktop servers. Only eng version of win10/win7/office2013/win2012r2 occupies about 500-700Gb (so not less than 1.5-2TB for small companies).
- Don’t forget from time to time to use WSUS cleanup.
- if you enabled and after some time changed mind and disabled any category – go to updates in WSUS snap-in, filter these updates and “decline” them to remove from reports.
- to avoid sync of WSUS server during work hours dont’ forget to configure Group Policy to throttle any WSUS traffic