A major issue with security on Windows Server installations is the difficulty in keeping all servers up to date with the latest security patches and fixes. The Windows Update service which allowed for automatically download and installation of security fixes is really only suitable for smaller enterprises, large enterprises with numerous Windows Server installations do not wish to run the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft which effectively gives enterprise their own, independent of the Windows Update server. Clients then connect to the central intranet Windows Server Update Services (WSUS) server for all security patches and OS updates.
Windows Server Update Services (WSUS) Requirements
It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The below is the minimum requirements for WSUS:
- Windows Server 2003 SP1 or higher
- Background Intelligent Transfer Service (BITS)
- Internet Information Services (IIS)
- Windows Internal Database role or, alternatively SQL Server 2005 (or higher) installed locally or on a remote server
- .NET Framework 2.0 or higher
Installing WSUS on Windows Server 2008 R2
WSUS installation is a simple process as it is installed as a server role from Server Manager. The below steps install Windows Server Update Services plus all required components.
To complete the initial installation of WSUS, follow these steps:
- Launch the Server Manager.
- On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
- Select Windows Server Update Services, and then click Next.
- Next, the Add Role Services and Features Required for Windows Server Update Services window will prompt you for additional components to be installed, if necessary. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET framework. Once this is complete, click Add Required Role Services to continue and then lick Next.
- Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
- Hit Next to select the default role services to install for IIS.
- Read the Introduction to Windows Server Update Services overview(if necessary) and then click Next.
- After reading the summary of installation selections, click Install.
- The Server Manager will show “Searching for Updates” and “Downloading” while it connects to the Microsoft’s server and downloads WSUS. It will also install IIS and the Windows Process Activation Service, if required.
- The Windows Server Update Services Setup Wizard will be shown displays as the installation progresses. Click Next.
- Read and accept the license agreement for WSUS, and then click Next.
- If alerted that Report Viewer 2005 is not installed just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
- Select the Store Updates Locally check box, and then enter a location to store them. This location needs be sufficient to hold a large number of downloadable patches. Click Next.
- Select Install the Windows Internal Database on This Computer, or alternatively, Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
- Select to Use the Existing IIS Web Site and then click Next to continue with the installation.
- Review the security settings on the Ready to Install page and then Click Next.
- The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
- Click Next to sign up to the Microsoft Update Improvement Program.
- Select Synchronize from Microsoft Update, and then click Next.
- If necessary, configure your proxy server settings and then click Next.
- Click on Start Connecting to save your settings and download update information. This process can take several minutes. Then click Next.
- Select the preferred update language(s), and then click Next.
- Select the products which you want to have updates for, and click Next.
- Select the classifications of the updates that you wish to download, and click Next.
- Set the schedule that you want WSUS to automatically synchronize with the Microsoft Update servers or alternatively you can select Synchronize Manually. Click Next.
- Make sure that Begin Initial Synchronization is selected, and then click Finish.
- Finally, review the installation results, click Close, and then close the Server Manager.
Windows Server Update Services is administered from the WSUS MMC which is the main location for all the configuration settings for WSUS and is its only administrative console. WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can directly accessed from Server Manager.