We have used Microsoft's Software Update Services (SUS) for desktop
patch management since 2003. According to statistics, the number
of desktop computers with missing patches has been under control,
making our campus network more secure. However, SUS mainly
supports Microsoft's operating systems while other popular
Microsoft software products are not covered. (See Network
Computing, Issue 45 - September 2005 for details.)

Windows Server Update Services (WSUS) is Microsoft's new tool for
patch management, replacing the existing SUS. There is not
much difference between the patch management process of SUS
and WSUS. It enables the management of individual PCs as well
as groups of PCs, performs tests before approval, and controls
the timing of when a patch is going to be applied to the PCs.

With extended capabilities, WSUS can now automatically deliver
security patches/updates for SQL Server, Office, Visio, Project
and the like to the clients. In addition, it has some favourable
features that facilitate administrative productivity and efficiency,
including advanced network optimization using Background Intelligent
Transfer Service (BITS), flexible update management, and comprehensive
status reports. The new "detect only" feature of
WSUS also enables us to better plan the software update deployments.

After WSUS had been tested in selected departments for some time, it was
formally deployed for the whole campus on 22 March. The deployment
was successful and smooth. WSUS now manages more than 3,500
domain PCs and has become an important part of the security
management process at the University. As the Internet is turbulent
today and users may face zero-day attacks, WSUS can surely
help us protect our Windows-based machines which have joined
the CITYUMD domain.