• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft Security Articles
• Planning Server Security
• Planning a Security Update Infrastructure
• Auditing Security Events
• Authentication Types
• Planning and Implementing and Authentication Solution
• Planning and Implementing an Authorization Solution
• Defining a Baseline Security Template
• Designing Network Infrastructure Security
• Identifying Security Issues Common to all Server Roles
• Implementing Access Control
• Implementing Account and Security Policies
• Implementing Auditing
• Network Attacks
• Responding to Network Attacks and Security Incidents
• Resultant Set of Policies
• Securing Application and Terminal Servers
• Securing Database Servers
• Securing Domain Controllers
• Securing File and Print Servers
• Securing Mail Servers
• Securing Web Servers
• Shared Folder Permissions
• Understanding and Designing Public Key Infrastructure
• Understanding Business Requirements for Security Design
• Understanding Certificate Authorities
• Understanding Security Templates
• Wireless Connection Security
• Implementing IAS
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Planning a Security Update Infrastructure

Security Update Overview

A software update is a file(s) that needs to be applied to a computer running a Windows operating system to correct an existing issue or problem, or to add enhancements and additional features. An update is also referred to as a patch. An update can only be applied to specific software which is installed already. All Microsoft updates are implemented in the form of an executable file that has an .exe extension, and each update is set to back up all files that they replace.

A security update infrastructure is collection of policies and mechanisms that address the following aspects with regard to updates:

• Identifying the computers on the network that need to be updated.
• Determine when security updates are released for deployment.
• Determine how security updates are tested before they are deployed into the production environment.

While updates which are security-specific need to be deployed almost immediately, there are other updates that deal with reliability problems.

There are a number of different types of updates which Microsoft provides:

• Security updates: The characteristics of security updates are listed below:
• These are updates that are released by the Microsoft Security Response Center (MSRC) to address a specific security weakness or vulnerability.
• Each specific security update includes a security bulletin and a Microsoft Knowledge Base article.
• The security bulletin provides administrators with comprehensive information on the existing security issues and security vulnerabilities:
• Who the security bulletin affects.
• The level of severity of the security vulnerability.
• The impact or risk associated with the security vulnerability.
• The recommended response process for all parties who are affected by the security vulnerability.
• The information contained within a security bulletin are listed here:
• Title; the title of the security bulletin including the current year and the bulletin number for the specific year.
• Summary; contains summary information on who the affected customers are, what the level of severity of the security vulnerability is, and the recommended response process.
• Technical description; contains a thorough description of the security vulnerability and the instances that could lead to the security vulnerability being exploited.
• Mitigating factors; includes technical factors which could reduce the vulnerability being exploited.
• Severity rating; includes a rating for each specific software that could be affected by the vulnerability. The ratings are Critical, Important, Moderate, Low and None.
• Vulnerability identifier; a link(s) to organizations which are external to Microsoft to identify the vulnerability.
• Tested versions; contains all software which has been tested by Microsoft for the specific vulnerability.
• Frequently asked questions; includes answers to any questions which Microsoft has identified as being expected for this particular security bulletin.
• Update availability; indicates the locations from where the update can be downloaded.
• Additional information; contains additional information on installation of the update.
• The Knowledge Base article for a vulnerability is usually only issued after the security bulletin has been released. Knowledge Base articles contain more comprehensive information on the vulnerability.
• Critical updates: The characteristics of critical updates are listed below:
• Critical updates are similar to security updates in that they too are released to customers quite quickly. This means that Microsoft does not test critical updates for extended time periods.
• The difference between critical updates and security updates is that that critical updates do not correct security vulnerabilities.
• A critical update contains a Knowledge Base article that provides thorough information on the existing problem and the update associated with correcting the problem.
• Customers that are affected by the issue described in the critical update and who are experiencing the issue, should apply the critical update immediately.
• Customers that are not directly being affected by the problem should not apply the critical update, but should wait for the next service pack to be released. This service pack would include the critical update after comprehensive testing has occurred.
• Hotfixes: The characteristics of hotfixes are listed below:
• Hotfixes are also sometimes referred to as security hotfixes or security fixes which is not really technically correct.
• Hotfixes deals with fixing a particular system fault.
• A hotfix can include once-off fixes for a server or client problem.
• You can download hotfixes from the Windows Update site, or from the TechNet Security page at www.microsoft.com/technet/security/default.asp.
• You can use the Microsoft Network Security Hotfix Checker (HFNetChk) included with the Microsoft Baseline Security Analyzer (MBSA) to determine whether your network computers have all the necessary hotfixes.
• Security rollup packages: The characteristics of security rollup packages are listed below:
• A security rollup package is a collection of security updates, critical updates, and other updates and hotfixes which are packaged together to facilitate easy installation.
• A security rollup package includes a Knowledge Base article that contains detailed information on the security rollup package.
• Service packs: The characteristics of service packs are listed below:
• A service pack is a collection of security updates, critical updates, other updates and hotfixes, and any requested design modifications which are packaged together to facilitate easy installation.
• Service packs typically deal with setup, security, and application compatibility enhancements or issues.
• Service packs usually improve the reliability and security of the operating system.
• A service contains a Knowledge Base article that provides thorough information on the service pack.
• They are issued by Microsoft every couple of months to ensure that the operating system is up to date, and to correct existing issues.
• The difference between a service pack and the other types of updates is that service packs are planned and thoroughly tested.
• Service packs improve on functionality when they include new tools and capabilities, and updated device drivers.
• Driver updates: The characteristics of driver updates are listed below:
• While the hardware vendors are responsible for releasing updated versions of drivers, Microsoft does release updated drivers which are aimed at addressing security problems.
• Updated drivers released by Microsoft are only released when they are officially signed by Microsoft.
• Feature packs: The characteristics of feature packs are listed below:
• Feature packs are released to deploy additional features and functionality.
• Feature packs do not fix any problems.
• Recommended updates: The characteristics of recommended updates are listed below:
• Recommended updates relates to a problem which is not critical or security specific. This is due to a recommended update not getting rid of vulnerabilities within the operating system.
• Recommended updates add enhancements and can also include new features.

Planning an Updating Infrastructure

Before you can deploy security updates or any type of update, you have to plan your updating infrastructure. The updating infrastructure is the infrastructure that you would use to test, store and deploy security updates.

One of the foremost tasks you have to perform when planning an updating infrastructure is to determine who the members of the updating team will be. To assist with this planning component, Microsoft recommends that you use the Microsoft Solutions Framework (MSF) team model.

The Microsoft Solutions Framework (MSF) team model identifies the following roles for the updating team:

• Product management; members of this role are responsible for determining the needs of the organization and the needs of its users, and then ensuring that the updating procedure supports these identified needs
• Program management; members of this role are responsible for managing the process of the updating procedure, and for managing the updating schedule and budget.
• Development; members of this role are responsible for building the updating infrastructure based on the identified design of the updating infrastructure.
• Testing; members of this role are responsible for developing the testing strategy for testing the updates, formulating the test plan, performing the actual tests, and for ensuring that all issues are resolved before the update is deployed within the production environment.
• User experience; members of this role are responsible for ensuring that the updating process supports the requirements of users.
• Release management; members of this role are responsible for the actual deployment of the updates into the production environment.

Another important step in planning and developing an updating infrastructure is to assess the existing environment. This step typically involves gathering information on the existing computers within your environment, and determining the security requirements for each computer system. You need to know which existing operating systems and applications are installed before you can begin to deploy any type of update.

The information that you need to determine on each computer within your current environment are listed here:

• Determine the operating system version, update level, and whether additional components have been installed.
• Determine which applications have been installed. Include the application version and update level as well.
• Determine whether computers are protected by firewalls and virus checkers. A firewall might be protecting your computer against specific security vulnerabilities, thereby making the deployment of certain released updates unnecessary.
• Determine the network connectivity which exists. Include the following factors when you determine network connectivity:
• List the networks which computers connect to.
• List networks that the computer connects to over dial-up and VPN connections.
• List whether computers are connected to the Internet.
• Determine the sites in which a computer is located. You can deploy security updates to computers from a server placed at each site.
• Determine the bandwidth requirements of computers. This is especially necessary for computers connected over low bandwidth connections. This will assist you in determining whether updates should be deployed during or after business operating hours.
• Determine whether there are any special uptime requirements for a computer.
• Determine which users have dependencies on certain computers being online.
• Determine who the responsible individual(s) is for deploying the security updates and for correcting any issues such as the computer failing.

You have to determine which method you will use for applying updates:

• Windows Update: Windows Update is a free Microsoft service which can be used to keep Windows based computers up to date in terms of software updates. Windows Updates works well where the number of computers that need to have the update applied are relatively small. Windows Update includes the following components:
• Windows Update Web site
• Automatic Update client
• Windows Update Catalog
When you connect to the Windows Update Web site, Windows Update checks the computer to determine whether it needs any software updates and updated device drivers applied.
• Group Policy: Organizations currently using Active Group Policy can use Group Policy objects to automatically install updates on computers. Microsoft includes the ability to deploy and distribute software using Group Policy. Publishing is the terminology used to make applications available for installation from over the network. The Software Installation and Maintenance component can also be used to automatically install applications based on certain predefined criteria on computers. When using Group Policy to deploy software in your Active Directory domain, you basically need to edit an existing Group Policy Object (GPO), or create a new GPO. The GPO needs to be linked to a site, domain, or organizational unit (OU). A GPO that is linked to one these components has a Software Installation node located under the Computer Configuration node, and a software installation node located under the User Configuration node. You can access a GPO linked to a site, domain, or OU, through the Group Policy Editor console. The Software Installation node in the Group Policy Object Editor console can be considered the main tool used to deploy software. The Software Installation node also enables the centralized management of the initial deployment of software and the removal of software. You can also centrally manage software upgrades, hotfixes, and security updates from this location.
When using Group Policy you can use one of two methods to deploy the updates:
• Publish the updates. Users will have to use the Add/Remove Programs feature located in Control Panel to install the updates.
• Assign the updates to computers. Updates that are assigned to computers are installed when the computer next restarts.
• Software Update Services (SUS): SUS was introduced to control the features of Windows Update to a corporate server, by deploying or downloading the updates to a designated corporate server who then provides the updates to your internal client computers. SUS works well in organizations that are medium in size where the organization is not using Systems Management Server (SMS). As an Administrator, you can ensure that clients' systems are up to date with the latest updates through SUS, you can control what updates are deployed in the network, and you can test the updates that are deployed to clients. One SUS server would connect to the Microsoft servers for updates, and you would configure the client computers in your corporate network to connect to the internal SUS server for their updates. This also increases the security stance of your network because less internal clients are connecting over the WAN links. Administrators have greater control over what updates are deployed to the client computers. You can choose to either approve the updates or prevent a specific update from being deployed to the internal client computers. In addition to having greater central control within your environment on what updates are deployed, you can also control the synchronization of updates from the Windows Update site. This can be done automatically, or manually. By using SUS, you can also deploy a SUS statistics server on the computer where the SUS server resides. This would enable you to verify what clients have installed updates.
• Microsoft Systems Management Server (SMS): You can use SMS to install updates and service packs on SMS client computers from a network distribution share. Using SMS for deploying updates involves the following steps:
• You have to create a SMS package that includes the location of the service pack source files and the package definition file (.pdf) for distributing the service pack. The package definition file includes the information that would be needed to create the SMS package. The SMS package includes command-line executables as well. These executables runs on the SMS client computers to manage how the SMS package executes.
• You then have to distribute the SMS package to the distribution points that you have identified
• Lastly, you have to create an SMS advertisement that will inform the SMS clients on the available service packs.
If you are planning to use SMS, you should consider using the SUS Feature Pack with SMS 2.0. Using the SUS Feature Pack with SMS 2.0 enables you to easily manage security updates because the SUS Feature Pack adds additional functionality for security update management. The SUS Feature Pack provides the following additional tools:
• Security Update Inventory Tool
• Microsoft Office Inventory Tool for Updates
• Distribute Software Updates Wizard
• Web Reports Add-in for Software Updates

In addition to determining which update deployment method to use, you can use the Microsoft Baseline Security Analyzer (MBSA) to check for and scan computers for security weaknesses and missing security updates.

Using the Microsoft Baseline Security Analyzer (MBSA)

The Microsoft Baseline Security Analyzer (MBSA) is a security assessment graphical tool that can be downloaded from the Microsoft website, and then used to scan for common security errors on a single computer or multiple computers. The MBSA can be used to verify that the computer has the latest security updates. When MBSA is run from the GUI, it places reports in the SecurityScans folder of the user profile that creates the reports. You can also use MBSA to check for missing security updates from the command-line.

The MBSA can scan for and detect a number security problems and shortfalls, including the following:

• Check whether all the necessary security updates and service packs have been installed on the computer.
• Check whether all disk drives on the computer are formatted using the NTFS file system.
• For computers running Internet Information Services (IIS) or Microsoft SQL Server, MBSA can scan for a number of security vulnerabilities.
• Check for a number of account weaknesses and vulnerabilities, including the following:
• Whether Autologon is being used by the computer.
• Whether multiple accounts exist with Administrator privileges.
• Whether the Guest account is enabled.
• Whether anonymous users have been granted excessive access to the computer.
• Checks the configuration of passwords:
• Whether passwords are blank.
• Whether passwords are weak.
• Whether passwords have been set to expire.

MBSA can scan a number of operating systems and applications, including the following

• Windows NT 4.0
• Windows 2000 Server
• Windows XP
• Windows Server 2003
• Internet Explorer 5.01 and higher
• Internet Information Server version 4.0 and 5.0
• SQL Server 7.0 and SQL Server 2000
• Windows Media Player version 6.4 and higher
• Microsoft Office 2000, and Microsoft Office XP

For a computer to use MBSA, the requirements listed below have to be met:

• The computer must be running Windows NT 4, Windows 2000, Windows XP or Windows Server 2003. Windows 95, Windows 98 and Windows Me are not supported by the MBSA tool.
• The computer must be running Windows Explorer version 5.01 or higher.
• The computer must have Client for Microsoft Networks installed.
• An XML parser must be installed.
• The Workstation and the Server service must be enabled.

How to download and install the MBSA

1. First download the MBSA tool from the Microsoft website.
2. Double-click the mbasetup.msi installer.
3. Click Next when the wizard's welcome page opens.
4. Read and accept the end user license agreement, by clicking the I Accept the License Agreement option. Click Next.
5. On the User information page, enter the appropriate information in the Full Name and Organization text boxes.
6. If you want the settings to be installed for only the current user, click the Only for Me option.
7. If you want the settings installed for any user who utilizes the computer, click the Anyone who uses this computer option. Click Next
8. Accept the default installation path, or specify another path on the Destination Folder page.
9. Clear any of the following checkboxes if you do not want the actions performed.
• Place a Shortcut on the desktop.
• Show Readme file after installation
• Launch the application after installation
10. Click Next.
1
11. Select the options and features that you want to install on the local hard drive and then click Next.
1
12. Click Next to start installing the Microsoft Baseline Security Analyzer.
1
13. Click Finish.

How to use MBSA to scan a computer for missing security updates

1. Open the MBSA that you installed
2. Choose Scan a computer.
3. On the Pick a computer to scan page, select the computer you want to scan.
4. Select the scan options that you want to use:
• Check For Windows Vulnerabilities
• Check For Weak Passwords
• Check For IIS Vulnerabilities
• Check For SQL Vulnerabilities
• Check For Security Updates
5. Click Start scan.
6. Click Yes to install the MSSecureXML file. This is the file which is updated each time Microsoft issues new updates.
7. The MBSA tool displays the scan results after the scan is completed.
8. You can click Result Details if you want to view additional information.

Using Microsoft Software Update Services (SUS)

SUS works well in organizations that are not using Systems Management Server (SMS). Through SUS, you can install software updates from one centralized location. With SUS, Windows updates are downloaded to a corporate server, and are then deployed to clients within the internal environment. You can administer 15,000 clients on a single server.

The SUS components are listed here:

• SUS server component; runs on Windows 2000 or Windows Server 2003 server and is responsible for synchronizing information on the available updates, and then downloading the updates from Microsoft's servers.
• SUS administration Web site component; after SUS is installed, the administrator has to ensure that the SUS server synchronizes, and then has to either approve or disallow the updates for client computers.
• Automatic Updates client software component; downloads updates from Windows Update or from the centralized SUS server for clients. You can configure the Automatic Updates client software to synchronize from the centralized SUS server by defining Windows Update policies in a Group Policy Object (GPO).

A few advantages of using SUS to deploy security updates are listed here:

• Enables a corporate server to perform as a Windows Update server. Security updates can be centrally managed from one location.
• SUS enables you to deploy updates to multiple clients and in multiple languages.
• All updates are checked by SUS first to determine whether they have been digitally signed by Microsoft. Updates that have not been digitally signed are dropped.
• All updates that are deployed to client computers are first approved by administrators before they are deployed.
• You can configure Automatic Updates on client computers to obtain security updates from the SUS server and not from the public Windows Update site.
• Synchronization between the SUS server and the public Windows Update site can be manually controlled or automatically controlled.
• If you need to record which clients have updates installed, you can configure a SUS statistics server to log update access and installations.

SUS supports the following client platforms:

• All Windows Server 2003 platforms
• Windows XP Professional with Service Pack 1 or over
• Windows XP Home Edition server with Service Pack 1 or over
• Windows 2000 Advanced Server with Service Pack 2 or over.
• Windows 2000 Server with Service Pack 2 or over.
• Windows 2000 Professional with Service Pack 2 or above.

Microsoft recommends the following minimum hardware requirements for installing SUS on a machine:

• Windows 2000 Server, Windows 2000 Server Advanced or Microsoft Windows 2000 Datacenter Server with Service Pack 2 or above; or Windows Server 2003.
• Pentium III 700 MHz or higher processor
• 512MB (megabytes) of RAM
• A network card
• Internet connection
• A NTFS partition with at least 100MB free disk space for the installation of the SUS server software
• 6GB of free hard disk space on a NTFS partition to store the update files.
• The server must be running IIS 5.0, and be connected to the network
• Internet Explorer 5.5 or higher.

When you install SUS, the components installed on the server are:

• Software Update Synchronization Service, for downloading update files to the SUS server
• IIS Web site, for dealing with requests from Automatic Updates clients.
• SUS administration Web, for synchronizing the SUS server and for approving the updates

Windows Automatic Updates is the client component of SUS. The Automatic Updates client is available with Windows 2000 Service Pack 3, Windows XP Service Pack 1, and Windows Server 2003.

SUS clients run an Automatic Updates version that supports SUS, by providing support for:

• Clients to obtain updates from the SUS server, and not from Windows Update.
• Clients to be configured using Group Policy. You can alternatively edit the Registry keys.
• Administrators to schedule when the downloading of updated files occurs.
• An administrative account or non-administrative account to be logged on to allow updates

There are a number of methods that you choose between to configure clients to obtain security updates from the SUS server:

• Use the Group Policy feature available in Active Directory environments.
• Use the Local Security Policy on the computers
• Modify the necessary Registry settings

How to install the SUS Server

1. You have to download the SUS software, the sus10sp1.EXE file, from the Microsoft website. You can use the following URL: http://go.Microsoft.com/fwlink/?linkid=6930.
2. When the SUS homepage opens, click Download SUS Server with Server Pack 1 (SP1).
3. The sus10sp1.EXE file should be copied to the server where you want to install SUS.
4. Double-click the sus10sp1.exe file.
5. The Welcome To The Microsoft Software Update Services Setup Wizard screen is displayed. Click Next.
6. The End User License Agreement screen is displayed next. Read through the license agreement, and click I Accept The Terms In The License Agreement. Click Next.
7. The Choose Setup Type screen is then displayed. You can either choose a Typical installation or a Custom installation. If you select Typical, SUS is installed with its default settings. If you select Custom, you can customize the settings of the SUS installation.
8. Select the Typical installation option.
9. The Ready To Install screen is displayed, and shows the URL which will be used by clients to connect to this SUS server. The default URL is http://servername.
10. Click Install.
1
11. The Completing The Microsoft Software Update Services Setup Wizard screen is displayed. Click Finish.
1
12. The SUS administration Web site in your default Web browser will automatically open.

How to synchronize the SUS server with the public Windows Update servers

1. On the Software Update Services administration screen, select Synchronize Server.
2. The Synchronize Server screen is displayed.
3. You can select Synchronize Now from the Synchronize Server screen to manually synchronize the server, or you can alternatively select Synchronization Schedule if you want to configure a synchronization schedule for the SUS server.
4. If you selected Synchronization Schedule, the Schedule Synchronization Web Page screen is displayed. This is where you set the schedule for when your updates should occur. It is recommended to schedule updates for non-peak network hours, and at a time when the server is not being backed up.
5. After setting your synchronization schedule, it is recommended to manually synchronize the SUS server the first time. Click Synchronize Now to do this.
6. The SUS server configuration determines whether updates are automatically approved, or manually approved.
7. To examine the updates, select Approve updates from the navigation menu.
8. If you want to approve particular update(s), and have it applied to client computers, select the update(s), and then click the Approve button.
9. Click Yes to acknowledge the warning message that appears
10. If you are prompted to accept an End User License Agreement, choose Accept.
1
11. When the SUS server is done downloading the updates you have specified, you are presented with a message indicating that the updates are available for clients.
1
12. The SUS server shows the updates together with a message. The messages that can be displayed are:
• New, means that the update was downloaded and has not been approved. An update that has a New message is not available to client computers that query the SUS server to download updates.
• Approved, means that the update has been approved and is available to client computers that query the SUS server to download updates.
• Not Approved, means that the update has not been approved and is therefore not available to client computers that query the SUS server to download updates.
• Updated, means that this particular update has since been modified during the SUS server synchronization process.
• Temporarily Unavailable, means that the updates are stored locally on the server, and that a needed dependency is unavailable.

How to approve security updates for deployment to clients

1. Click Synchronize Server to synchronize the SUS server with the public Windows Update site.
2. Click Synchronize Now to immediately synchronize the SUS server and download updates
3. Click OK once the download is completed.
4. You will next be informed that the downloaded updates need to be approved and tested.
5. When you have thoroughly tested the updates, click the Approve Updates button to approve the updates that you want to deploy.
6. On the Approve Updates screen, select each update that should be approved, and click Approve.
7. Click Yes to continue.
8. Click Accept to accept the license agreement. The list of approved updates is now available to clients.
9. Click OK.

How to configure clients to retrieve security updates from the SUS server (using the Local Security Policy on the computer)

1. Click Start, select Run, enter type gpedit.msc and then click OK.
2. Expand Computer Configuration and then expand Administrative Templates.
3. Right-click Administrative Templates and then select Add/Remove Templates on the shortcut menu.
4. Click Add and then select Wuau.adm.
5. Click Yes to overwrite the existing Wuau.adm file.
6. Click Close.
7. Expand Computer Configuration, Administrative Templates, Windows Components, and then expand Windows Update.
8. Double-click Configure Automatic Updates.
9. The Configure Automatic Updates Properties dialog box opens.
10. Select the Enabled option and select one of the following options:
• Notify for download and install
• Auto Download and notify for install
• Auto download and schedule the install
11. Click OK.

How to configure clients to retrieve security updates from the SUS server (using Active Directory Group Policy)

1. Click Start, Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the particular Organizational Unit (OU) or domain for which you want to configure the policy, and then select Properties from the shortcut menu.
3. Click the Group Policy tab.
4. Click New, and then enter a name for the new Group Policy.
5. Click Edit to open the Group Policy Object Editor.
6. Proceed to right-click Administrative Templates from under Computer Settings or User Settings, click Add/Remove Templates, and then click Add.
7. Enter the name of the Automatic Updates file, wuau.adm, and then click Open.
8. In the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, and Windows Update.
9. To configure the SUS server location, double-click the Specify intranet Microsoft update service location option. Click Enable.
10. Provide the URL for the statistics server in the Set the intranet update service for detecting updates box. Click OK.
1
11. To configure Automatic Update Properties, double-click the Configure Automatic Updates option. Click Enable.
1
12. Select one of the following Configure Automatic Updating options:
• Notify for download and notify for install
• Auto download and notify for install
• Auto download and schedule the install
13. Click OK.

How to configure clients to retrieve security updates from the SUS server (editing Registry keys)

1. Click Start, select Run, and then enter regedit in the Run dialog box.
2. The Registry Editor opens.
3. You can set Automatic Updates settings through HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
4. The Registry options (keys) that can be configured are:
• NoAutoUpdate: 0 - Automatic Updates are enabled, 1 - Automatic Updates are disabled
• AUOptions: 2 - Notify of download and the installation, 3 - Auto download and notify of the installation, 4 - Auto download and schedule the installation
• ScheduledInstallDay: 1 - Sunday, 2 - Monday, 3 - Tuesday, 4 - Wednesday, 5 - Thursday, 6 - Friday, 7 - Saturday
• UseWUServer: 0 - Use public Microsoft Windows Update site, 1 - Use server specified in WEServer entry
5. You can edit the following Registry keys in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate folder to configure the server which will used as the Windows Update server:
• WUServer key, to specify the Windows Update server via the HTTP name of the server.
• WUStatusServer key, to specify the Windows Update intranet SUS statistics server via the HTTP name of the server.

Bookmark Planning a Security Update Infrastructure

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum