Today, we’re going to take a quick look at WSUS, explain what it is and reveal how it can help you keep your infrastructure secure.
Windows Server Update Services (WSUS) is a very simple service that you can use to manage various updates (not just for your operating system but also applications and services), especially security patches, and keep yourself safe from the bad guys.
This service gives sysadmins control over how updates are applied across the business network. It is essentially the evolution of Software Update Services (SUS), the earlier program used to apply patches to operating systems.
One of the advantages of WSUS is that you can download updates to a single server and then send them across the business network. This saves a lot of time and bandwidth. Furthermore, it doesn’t just reduce the volume of downloads but also the volume of disk space required as the updates are downloaded just once and then installed on the devices that need them.
What Is WSUS?
As we said, WSUS stands for Windows Server Update Services and allows the systems administrator to apply updates for various Microsoft products across their infrastructure in a centralised way.
Sysadmins can use WSUS to manage Microsoft updates from end to end.
WSUS Architecture
There are many different ways to work with WSUS, either with a single WSUS server or a more complex network structure with multiple servers.
The available options are:
- Basic WSUS architecture.
- Architecture with multiple WSUS servers.
- Architecture with multiple disconnected WSUS servers.
- Architecture with WSUS servers integrated within another solution.
First, we have the basic architecture for delivering updates, which is essentially just a simple chain. The WSUS server is the central link of the chain and connects to Microsoft Update Services over the internet. It then selects the updates and patches to install and sends them to the clients, which could be desktop devices or other servers.
The next possible configuration is similar to the previous one but with some redundancy. With this architecture, we have different sections that perform the same basic tasks. Each WSUS server is located at a central point and connects to Microsoft Update Services, selecting the updates and patches to install and sending them to the clients connected to their section of the network.
The third option is a little more complex. Here, we have two different lines. The first one essentially works in the same way as the previous examples, but there is a break in the middle that isolates the devices and servers from the internet.
The WSUS server connects to Microsoft Update Services, selects the necessary updates and patches and sends them to a central repository.
Then, a different WSUS server accesses the repository to send the updates to the clients on the network.
The fourth way of using WSUS is the configuration that uses WSUS servers integrated into another solution, such as Microsoft System Center Configuration Manager (SCCM). This looks a lot like the previous example, and we’re only going to look at it briefly because SCCM is outside of the scope of this article.
With this configuration, we again have two different lines. The first line basically works in the same way as the previous examples but with a break to isolate the devices and servers from the internet.
The WSUS server connects to Microsoft Update Services, selecting the updates and patches to apply and sending them to a central repository.
This repository is then accessed by a second service, like Microsoft SCCM, which then distributes the updates to all the clients that need them.
Technical Requirements
WSUS is a relatively simple service to deploy and maintain, mainly because its hardware requirements are quite basic and it uses common listening ports, at least when downloading software.
First of all, the server needs to be running Windows Server 2012 or later:
- Windows Server 2012.
- Windows Server 2012 R2.
- Windows Server 2016.
- Windows Server 2019.
- Windows Server 2022.
Then, the hardware requirements to enable the WSUS role are as follows:
- Processor: 1.4GHz, x64, although 2GHz is recommended.
- Memory: 2GB of RAM in addition to the server recommendations.
- Disk Space: 40GB.
- Network: 100Mbps or more.
Software requirements:
- If you need to run reports, you will need Microsoft Report Viewer Redistributable 2008, and depending on your server configuration, you may also need Microsoft Report Viewer Runtime 2012.
- Microsoft .NET Framework 4.0.
- The NT Authority\Network Service account must have Full Control permissions for the following directory path: “%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files”.
The server will download updates using the following ports:
- Port 80 for HTTP.
- Port 443 for HTTPS.
So, as you can see, there are no special requirements.
Also, WSUS uses other ports to send updates to client devices:
- Port 8530 for HTTP.
- Port 8531 for HTTPS.
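A quick client-side check of the ports just described, added here as an example and not taken from the original article: it reads the standard Windows Update policy keys to see which WSUS server the client is pointed at, warns if that channel is plain HTTP on 8530 rather than HTTPS on 8531, and tests TCP reachability. The server name is a placeholder you would replace with your own.

```powershell
# Added example (not from the original article): verify that a Windows client
# is pointed at the intended WSUS server and can reach it on the WSUS port.
# Assumption: 'wsus01.corp.example' is a placeholder for your WSUS server.
# The registry paths below are the standard Windows Update policy keys.
$ExpectedServer = 'wsus01.corp.example'

function Get-WsusClientConfig {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'
    $cfg    = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $auCfg  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $cfg.WUServer          # update download server (http(s)://host:port)
        WUStatusServer = $cfg.WUStatusServer    # server that receives client status reports
        UseWUServer    = [bool]$auCfg.UseWUServer
    }
}

function Test-WsusClient {
    param([string]$ExpectedServer)
    $cfg = Get-WsusClientConfig
    if (-not $cfg.UseWUServer -or -not $cfg.WUServer) {
        Write-Warning 'Client is not configured for WSUS; it will use Microsoft Update directly.'
        return
    }
    $uri = [uri]$cfg.WUServer
    if ($uri.Host -ne $ExpectedServer) {
        Write-Warning "Client points at $($uri.Host), expected $ExpectedServer."
    }
    if ($cfg.WUStatusServer -ne $cfg.WUServer) {
        Write-Warning "WUStatusServer ($($cfg.WUStatusServer)) differs from WUServer."
    }
    if ($uri.Scheme -ne 'https') {
        Write-Warning "WSUS channel is $($uri.Scheme) on port $($uri.Port); prefer HTTPS on 8531."
    }
    # Test-NetConnection performs the TCP handshake only; it does not download anything.
    $reach = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server    = $uri.Host
        Scheme    = $uri.Scheme
        Port      = $uri.Port
        Reachable = $reach.TcpTestSucceeded
    }
}

Test-WsusClient -ExpectedServer $ExpectedServer
```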
Update Policies
One thing we couldn’t possibly ignore in an article about software is the importance of having a good installation policy.
With any network infrastructure, it’s always best to have a small pilot network that you can use to test updates before applying them to production devices. Ideally, you would have a network with a series of test devices on which to perform different levels of testing.
First, you should test updates on the test devices to check that they are suitable and don’t have any harmful effects that could spread to the rest of the network.
In addition, it’s also best to set up different update groups, applying updates gradually across the network in case there are any issues that haven’t yet been detected.
NOTE: The procedure described above applies to non-critical updates. In the case of critical security updates, you can probably dispense with these precautions.
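The staged rollout described above, written as an added example with the UpdateServices PowerShell module on the WSUS server (this is not the article's own script): needed security updates are approved for a pilot computer group first and promoted to production only after a soak period with no pilot installation failures. The group names 'Pilot' and 'Production' and the seven-day period are assumptions; create matching groups in the WSUS console.

```powershell
# Added example (not from the original article): two-stage approval on a WSUS
# server. Assumptions: computer groups named 'Pilot' and 'Production' exist,
# and $PilotDays is the soak period before an update may be promoted.
Import-Module UpdateServices
$PilotGroupName = 'Pilot'
$ProdGroupName  = 'Production'
$PilotDays      = 7

$wsus   = Get-WsusServer
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object Name -eq $PilotGroupName
$prod   = $groups | Where-Object Name -eq $ProdGroupName
if (-not $pilot -or -not $prod) {
    throw "Computer groups '$PilotGroupName' and '$ProdGroupName' must exist."
}

# Stage 1: every needed, not-yet-approved security update goes to the pilot group only.
Get-WsusUpdate -Classification Security -Approval Unapproved -Status Needed |
    Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroupName

# Stage 2: promote updates that have sat in the pilot group long enough without errors.
$cutoff = (Get-Date).AddDays(-$PilotDays)
Get-WsusUpdate -Classification Security -Approval Approved -Status Any | ForEach-Object {
    $u = $_.Update   # underlying IUpdate object from the WSUS administration API
    $pilotApproval = $u.GetUpdateApprovals($pilot) |
        Where-Object { $_.Action -eq 'Install' } | Sort-Object CreationDate | Select-Object -First 1
    $prodApproved  = $u.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq 'Install' }
    if (-not $pilotApproval -or $prodApproved) { return }    # not piloted yet, or already promoted
    if ($pilotApproval.CreationDate -gt $cutoff) { return }  # still inside the soak period
    $summary = $u.GetSummaryForComputerTargetGroup($pilot)
    if ($summary.FailedCount -gt 0) {
        Write-Warning "Holding '$($u.Title)': $($summary.FailedCount) pilot failure(s)."
        return
    }
    $_ | Approve-WsusUpdate -Action Install -TargetGroupName $ProdGroupName
    "Promoted to ${ProdGroupName}: $($u.Title)"
}
```

An update that must go out immediately, as in the note above, can still be approved straight to the production group from the console; this script only handles the gradual path.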
Summary
In this article, we’ve looked at WSUS (Windows Server Update Services), an update and patch management solution that allows you to manage all matters concerning updates in a centralised way, saving a considerable amount of time, disk space, and bandwidth.
Today, we’ve mainly focused on the benefits, but we haven’t yet explained how to implement this service on your network. We’ll save that for a later tutorial, so stay tuned. However, if you can’t possibly wait, you can always check out the Microsoft Knowledge Base.
We hope that you’ve found this article interesting. Thanks for reading!