WSUS: Better platform, bolder name

analysis
Mar 24, 2005 (4 mins)

With superior manageability and stronger security, WSUS is no WUS

Repetition is sometimes the essence of depression. To wit: Yet another day begins with yet another friend of a client calling to ask whether not keeping his anti-virus software up to date could have anything to do with the machine suddenly displaying a bouncing swastika. (Reply edited for children.) This incident was followed by another date with a woman who turns out to be a professional sociopath. Followed by yet another late evening on the TV couch watching — and I kid you not — yet another premiere of a new Law & Order series. Is there only one writer left in Hollywood?

Sometimes, however, repetition can encompass the essence of the “try and try again” philosophy. Such is the case with Microsoft’s RC (release candidate) of the WSUS (Windows Server Update Services) platform; it used to be called Windows Update Services but the Department for Ridiculous Acronyms and Titles called and Microsoft was forced to change it.

WSUS has several advantages over its previous SUS (Software Update Services) incarnation. It’s probably more in-depth than SUS, but I still wish that WSUS ran on more than just Windows 2000 Server, Windows 2003 Server, and Windows XP. What is nice, however, is that it’s even more manageable than SUS. For one thing, BITS (Background Intelligent Transfer Service) is part of the basic WSUS package instead of an add-on. BITS allows users on low-bandwidth or even intermittent connections to manage ongoing downloads in the background even if those downloads have to stop and restart several times.

If you set up a full WSUS server, you’re pretty well covered for updates productwise; WSUS checks for updates for all its supported operating systems, as well as Microsoft Office, Exchange (2000 or later), and SQL Server (2000 or later). Redmond promises more products will be supported over time. You can choose which products to check for download, you can schedule those downloads, you can designate specific downloads to run at specific times, and you can even point specific updates at specific users, computers, or groups.

Basically, it’s a noticeable step up from SUS, so if you’re running an SUS server, it’s time to update. You can find the release candidate for WSUS here.

One tidbit that will soon appear on your radar, if you install WSUS, is Windows Server 2003 SP1. If you traveled all the way to Microsoft’s Technical Reviewer’s Workshop a couple of weeks ago, you got a deeper scoop on what’s to be expected in SP1, but for those who didn’t: There was a lot of talk about the Security Configuration Wizard. But because I’ve already harangued you with news on that feature (see the eloquently titled column “Microsoft makes server hardening easier” from a few weeks back), I’ll stick to a related feature called PSSU (Post-Setup Security Updates). This nifty dialog box pops up at a server’s initial boot following the SP1 install or at its creation (in the case of new servers configured after the release of SP1).

PSSU locks down the server, protecting it from the hordes of server exploits lurking on the network waiting to immediately compromise a virginal server machine. It makes a connection to the network, but it uses Windows Firewall to block everything until an administrator has confirmed that all relevant updates and security fixes have been installed to his or her satisfaction. After that’s done, admins can run past PSSU and disable Windows Firewall should they wish it.

Given that our testing facility at Advanced Network Computing Laboratory (ANCL) has a record of 14 minutes before an unprotected Windows machine was compromised, PSSU is a feature that probably should have been available earlier.

I’ll be checking out SP1 in more depth as soon as Redmond sends me gold or RC-level code. In the meantime, if you’re desperate for some beta testing, check out the beta program for Microsoft Update. MU is an extension of Windows Update, but covers all Microsoft applications instead of just OS patches and security fixes. If you want to check it out, you’ll need a .Net Passport account to get in.