Patch Management



Hi

With regards to WSUS -

If you think about it, it's not that bad - clients only request the
patches they require, so don't actually get all patches. The volume of
data stored on your WSUS server will depend on which systems you have
told it to download patches for (e.g. various Windows versions, various
Office apps, SQL Server etc.).

It's also worth noting that you can control the speed at which the
clients download the patches (down to 2kb / second) and have different
settings based on time - e.g. allow clients to download faster
overnight.

The randomness over which the clients choose to download a patch can
also be controlled to reduce the number downloading at the same time.

Another approach is to use OUs to cause clients to download the patches
on different days after they are released - perhaps testing machines day
1, group 1 day 3, group 2 day 4 etc.

We are currently moving to a centralised WSUS solution covering 10s of
thousands of machines over a variety of WAN links with no issues so far.

I would also imagine any system that stores historical patches for all
the O/S's and applications that it stores will eat disk space over
time.

For a product that is free if you use Microsoft servers I think WSUS
is pretty good; yes, there are more flexible solutions out there, but
it does the job reasonably well.

Cheers

Kevin


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Sec Melis
Sent: 20 April 2007 05:13
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Patch Management

Have you guys checked your disk space used by WSUS?
Surprisingly, my WSUS eats more than 26 GB space for the last 2 years!
Imagine how many bandwidth resources were consumed during that time if it's
distributed across, let's say, 30 WSUS relays and 8000 clients for one medium
company ......

Duh dear uncle Bill ......

Arif Jatmoko

----- Original Message -----
From: <visitnikhil@xxxxxxxxx>
To: <security-basics@xxxxxxxxxxxxxxxxx>
Sent: Friday, April 20, 2007 9:47 AM
Subject: Re: Patch Management


Hello Donald Shroyer,

One of the recommended solutions for patch management in a Windows-based
environment is WSUS.

For further information visit:
http://www.microsoft.com/windowsserversystem/updateservices/

It's free to download and easy to use and deploy.

--
Nikhil Wagholikar
Security Analyst

NII Consulting
Web: www.niiconsulting.com


