Posts tagged ‘wsus’

Best Practice: Group Policy for WSUS


Windows Server Update Services (a.k.a. WSUS) is the free tool Microsoft provides for deploying patches and updates. In my experience this tool is used by pretty much every organisation in the world that has more than a handful of computers. WSUS is also a requirement for the Software Update option in SCCM 2007.

What I hope this post will teach you is how to use Group Policy in your environment to milk the absolute most out of your existing WSUS infrastructure. I am also going to assume that you are familiar with WSUS and already have it deployed in your organisation…

Is WSUS the right tool for your organisation?

Having implemented WSUS for an environment of over 10,000 servers and workstations combined, I can truly say that this tool scales really well. I also believe that even if you have bought and implemented System Center Configuration Manager in your environment you are probably still better off using WSUS to manage the updates for your Microsoft software. The reason I still normally recommend WSUS over SCCM is that the product overall is much easier to use, and it is just human nature for people to want to use the easier tool where possible…

However there are a couple of reasons why I think SCCM should still be used over WSUS, and they are:

  1. You need to wake computers using WOL so they can be patched out of hours. (However there is a way to do something similar using Group Policy.)
  2. You want to ensure that computers are only patched during a “Maintenance Window” (however even this can be done using Group Policy) and that these patches do not install if it will take longer than that window.
  3. The SCCM Software Update supports third party updates when used in conjunction with System Center Updates Publisher 2011. This is very handy if you want to deploy third-party updates from HP, Dell or Adobe (yes! Flash and Reader). But unfortunately even though SCCM SU feature is built on WSUS there is no way to import these third-party updates directly into a standalone WSUS server.



WSUS Tips and Tricks

Below is a collection of configuration recommendations and tips that help you get the most out of your WSUS infrastructure in your environment. These are in no particular order of importance and you might choose to implement only some of these settings depending on your environment.

Terminology: In this post I will use the term “client” many times. When I make this reference note that I am talking about any client of the WSUS server, so a “client” could be either a server or a workstation.

WSUS Computer Group Assignment

One of the first things you should do once you have installed WSUS and performed the first sync is to enable Group Policy computer group assignment. This allows the clients that connect to your WSUS server to be automatically placed in the correct target group when they connect to the WSUS server. The target group on the client is controlled using the “Enable client-side targeting” Group Policy setting (more on this later).


If you don’t enable this option you will quickly find that you need to manually categorise every new computer that reports in to the WSUS server. This is fine if you only have a few computers, but once you start managing many hundreds or thousands of computers it quickly becomes impractical.

DNS Alias for WSUS Server

One of the options you can set using Group Policy is called “Specify intranet Microsoft update service location”, which allows you to specify the WSUS server name. Even though this setting can be controlled via Group Policy, and thus can be changed in about 2 hours, I still strongly recommend that you create a DNS alias. Creating a DNS alias for your WSUS server gives you another easy way to migrate your clients to a new WSUS server, without the need to keep a legacy alias of your old server name after you move to the new server.
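The two Group Policy settings above write to a well-known policy registry path on each client. As an added example (not from the original post), the following PowerShell audits that path on a client and checks whether the configured server name is a DNS alias rather than a real host name. It assumes the standard HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate path that these policies populate, a WUServer value that includes the http:// or https:// scheme, and that Resolve-DnsName (Windows 8 / Server 2012 and later) is available; run it on the client being checked.

```powershell
# Added example (not from the original post): audit a client's WSUS Group Policy
# settings and report whether the configured server name is a DNS alias (CNAME).
# Assumes the standard policy registry path that the WSUS Group Policy settings write to.

function Get-WsusClientPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = Join-Path $base 'AU'

    # Read a single registry value, returning $null when the key or the value is absent
    function Read-Value([string]$Key, [string]$Name) {
        if (-not (Test-Path $Key)) { return $null }
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    [pscustomobject]@{
        # "Specify intranet Microsoft update service location"
        WUServer           = Read-Value $base 'WUServer'
        WUStatusServer     = Read-Value $base 'WUStatusServer'
        UseWUServer        = Read-Value $au   'UseWUServer'
        # "Enable client-side targeting"
        TargetGroupEnabled = Read-Value $base 'TargetGroupEnabled'
        TargetGroup        = Read-Value $base 'TargetGroup'
    }
}

function Test-WsusServerIsAlias {
    param([Parameter(Mandatory)][string]$WUServer)
    # Reduce e.g. http://wsus.corp.example:8530 to the bare host name (assumes a scheme is present)
    $hostName = ([uri]$WUServer).Host
    try {
        # A CNAME record in the answer means the clients point at an alias, not the real server name
        $records = Resolve-DnsName -Name $hostName -ErrorAction Stop
        return [bool]($records | Where-Object { $_.Type -eq 'CNAME' })
    } catch {
        Write-Warning "Could not resolve $hostName : $_"
        return $false
    }
}

$policy = Get-WsusClientPolicy
$policy | Format-List

if (-not $policy.WUServer) {
    Write-Warning 'No intranet update server is set by policy; this client will use Microsoft Update.'
} elseif ($policy.UseWUServer -ne 1) {
    Write-Warning 'WUServer is set but UseWUServer is not 1, so the client will ignore it.'
} elseif (Test-WsusServerIsAlias -WUServer $policy.WUServer) {
    Write-Output "WSUS server $($policy.WUServer) is a DNS alias; a migration only needs a CNAME change."
} else {
    Write-Warning "WSUS server $($policy.WUServer) resolves directly; consider pointing clients at a CNAME."
}

if ($policy.TargetGroupEnabled -ne 1 -or -not $policy.TargetGroup) {
    Write-Warning 'Client-side targeting is not enabled; new computers will land in Unassigned Computers.'
}
```

Running this across a sample of clients (for example from a logon or startup script that writes the object to a central share) gives a quick picture of which machines are still pointed at an old server name or are missing a target group before you rely on the WSUS console reports.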



Microsoft Security Essentials definitions now available on WSUS

Microsoft have now started to release definition updates for Microsoft Security Essentials (MSE) via WSUS. This allows any organisation that is running WSUS to centrally deploy definition updates from a single server. While most organisations probably will not have MSE deployed in their environment, it might still be worthwhile enabling to ensure any fringe cases of computers on the domain are still being secured. The Microsoft blog post specifically calls out this being done for educational institutes that have low cost PCs connected to their network.


I know this is not strictly a Group Policy topic, but WSUS does rely upon Group Policy heavily and therefore I find many Group Policy admins are also the WSUS admins for their organisations.

Heads up… I also hope to do a detailed blog post about how to use Group Policy to configure WSUS in the future.

See the full blog about it on the WSUS Product Team Blog at http://blogs.technet.com/wsus/archive/2010/03/31/microsoft-security-essentials-anti-malware-definitions-now-available-via-wsus.aspx

Group Policy Setting of the Week 9 – Allow Automatic Updates immediate installation

First of all thank you for coming to my new web site www.grouppolicy.biz. This site is still rather new, so if you have any issues and/or suggestions please feel free to post a comment.

This week’s GPSW covers another product that I use a lot and love to talk about, Windows Server Update Services (a.k.a. WSUS). The “Allow Automatic Updates immediate installation” setting is very handy for deploying non-Windows (but still Microsoft) patches from WSUS. While the idea of installing patches in the background while users are working sounds a little scary for an IT administrator, there are a couple of benefits in turning this option on. Applying these patches sooner speeds up the deployment of patches, and it shortens the install and reboot time for the remaining patches that do require a reboot of the operating system.


Often these types of “no reboot required” patches are for applications (e.g. Office) rather than the OS, as OS patches more often require a reboot for them to be applied. One of the few disappointments of Windows 7 was the lack of the hot patching that has long been talked about, but hey… we can wait and see what Windows 8 brings.

Alan Burchill

Best Practice: How to make Adobe Reader 9 more secure using Group Policy

Update: I have since reposted this article with new registry keys that make configuring the Adobe updater a lot easier. Check it out at http://www.grouppolicy.biz/2010/06/updated-how-to-make-adobe-reader-more-secure-using-group-policy/

Recently there have been a number of critical security issues that have been associated with Adobe Reader (see below).

To see a complete list of current updates for Adobe Reader (all current versions) on Windows go to http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

This has left IT administrators with a bit of a nightmare as to how to keep Reader secure, as Adobe don’t have wonderful tools such as Group Policy, Windows Update, WSUS and SCCM to manage their patch rollout.

One thing you might notice about many of the vulnerabilities in Adobe products is that they are frequently JavaScript issues. Surprisingly, the recommended action from Adobe to mitigate these security issues is to simply turn off JavaScript (which is enabled by default) in Adobe Reader. Seeing how rarely the JavaScript option is actually used in Adobe Reader, I recommend that you just configure this option to be permanently turned off (see image 1).

Image 1. Adobe Reader JavaScript option

Disabling JavaScript

While there is no built-in way to disable the user interface for this option, you can disable it using third-party tools (see http://www.policypak.com/support-and-sharing/video-tutorials) to prevent users from re-enabling it. However some users might need to open PDFs with JavaScript content, so leaving the UI enabled would allow them to re-enable the option when needed. The good thing about configuring this registry key via Group Policy Preferences is that it automatically turns the option off again in the background at the next policy update, leaving JavaScript enabled for only a few hours. NICE!

To disable this option, edit a Group Policy Object (GPO) that is targeted at the user accounts. Once you have opened the GPO in the Group Policy Management Editor go to User Configuration > Preferences > Windows Settings > Registry, then go to Action > All Tasks > Add and configure a new Registry setting (as per the image below).

Image 2. Disable JavaScript registry key

The key to update is:

Key: HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs
Value: bEnableJS (REG_DWORD)
Data: 0 (zero)

Note: If you don’t want this option to be turned off again once a user has re-enabled it, tick the “Apply once and do not reapply” option in the “Common” tab (see image 3). This will only change the registry key once, making it more of a default setting rather than an enforced one.
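The same registry change can be scripted for environments that push user settings with a logon script instead of Group Policy Preferences. The PowerShell below is an added example, not part of the original post: it reproduces the two behaviours just described, enforcing bEnableJS = 0 on every run (the normal GPP behaviour) or only setting it when the value is absent (the “Apply once and do not reapply” behaviour), and it goes slightly beyond the post by handling every Reader version key under the HKCU\Software\Adobe\Acrobat Reader path rather than just 9.0. It assumes the key layout given above; the function name and the -Enforce switch are my own.

```powershell
# Added example (not from the original post): turn off Adobe Reader JavaScript for the
# current user by writing the bEnableJS value described in the post.
# Assumes the post's key layout: HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs.

function Set-ReaderJavaScript {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # -Enforce: re-apply 0 every run (normal GPP item). Without it the value is only written
        # when it does not exist yet, mirroring "Apply once and do not reapply".
        [switch]$Enforce,
        # Root is a parameter so the function can be pointed at a test hive location
        [string]$Root = 'HKCU:\Software\Adobe\Acrobat Reader'
    )
    $results = @()
    foreach ($verKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $jsKey = "$Root\$($verKey.PSChildName)\JSPrefs"
        # Reader treats a missing JSPrefs\bEnableJS as "JavaScript enabled", so create the key
        # when it is absent instead of treating that as "already off"
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
        $current = (Get-ItemProperty -Path $jsKey -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        $shouldWrite = $Enforce -or ($null -eq $current)
        if ($shouldWrite -and $current -ne 0 -and $PSCmdlet.ShouldProcess($jsKey, 'Set bEnableJS = 0')) {
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            $current = 0
        }
        $results += [pscustomobject]@{
            Version   = $verKey.PSChildName
            bEnableJS = $current          # 0 = JavaScript off; 1 or $null = on
            Enforced  = [bool]$Enforce
        }
    }
    return $results
}

# Usage: preview with -WhatIf, then run for real. Without -Enforce a user who re-enabled
# JavaScript keeps it enabled, which is the "Apply once" behaviour from the post.
Set-ReaderJavaScript -Enforce -WhatIf
Set-ReaderJavaScript -Enforce | Format-Table -AutoSize
```

Because the key lives under HKCU the script has to run in the user’s context (a logon script or a per-user scheduled task), not as SYSTEM; a machine-wide run would only change the hive of whichever account executed it.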

Image 3. Apply once and do not reapply

Configuring Automatic Update for Adobe Reader

Adobe has also added an “Automatically install updates” feature (see image 4) with the release of Adobe Reader 9.2.0. However, as of the time of writing this document the new version of Adobe Reader 9.3.0 is out and for some reason it is not automatically updating. So maybe there is a little more work to go here for Adobe.


Image 4. Adobe Reader Updater Preferences

If you do want to experiment with configuring this option via group policy then you need to run the following command on the computer in the context of the system account.

"C:\Program Files\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe" /ArmPrefs /MODE:3

Note: You need to use “Program Files (x86)” if you are running a 64-bit version of Windows.

You can do this by using the “New Immediate Task” option under Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks in the Group Policy Management Editor.
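For anyone who would rather script the immediate task than build it in the Group Policy Management Editor, here is an added PowerShell example (not from the original post) that does the equivalent: it selects the correct Program Files folder for the Windows architecture, registers a run-once scheduled task that runs ReaderUpdater.exe as SYSTEM, fires it, and removes the task again. The executable path and the /ArmPrefs /MODE:3 switches are the ones given above; the task name and the ten second wait are my own assumptions, and schtasks.exe is used rather than Register-ScheduledTask so the script also works on the Windows versions the post targets.

```powershell
# Added example (not from the original post): run ReaderUpdater.exe /ArmPrefs /MODE:3 once as SYSTEM
# via a run-once scheduled task, a scripted alternative to the GPP "New Immediate Task" from the post.

function Get-ReaderUpdaterPath {
    # On 64-bit Windows the 32-bit Reader lives under "Program Files (x86)", as the post's note says
    $programFiles = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    Join-Path $programFiles 'Common Files\Adobe\ARM\1.0\ReaderUpdater.exe'
}

function Invoke-SchTasks([string]$Arguments) {
    # A single-string -ArgumentList is passed to schtasks.exe verbatim, which avoids PowerShell's
    # own re-quoting of arguments that contain embedded double quotes
    $p = Start-Process -FilePath 'schtasks.exe' -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "schtasks $Arguments failed with exit code $($p.ExitCode)" }
}

function Invoke-ReaderUpdaterAsSystem {
    param([string]$TaskName = 'Configure-AdobeReaderUpdater')   # assumed task name
    $exe = Get-ReaderUpdaterPath
    if (-not (Test-Path $exe)) {
        throw "ReaderUpdater.exe not found at $exe; is Adobe Reader 9.2 or later installed?"
    }
    # schtasks needs \" around a path with spaces inside the /TR string; /ST is mandatory with /SC ONCE
    $taskRun = "\`"$exe\`" /ArmPrefs /MODE:3"
    Invoke-SchTasks "/Create /F /TN `"$TaskName`" /TR `"$taskRun`" /SC ONCE /ST 23:59 /RU SYSTEM"
    try {
        Invoke-SchTasks "/Run /TN `"$TaskName`""        # start it now instead of waiting for /ST
        Start-Sleep -Seconds 10                           # assumed: enough time for the updater to write its prefs
    } finally {
        Invoke-SchTasks "/Delete /F /TN `"$TaskName`""   # do not leave a SYSTEM task lying around
    }
}

Invoke-ReaderUpdaterAsSystem
```

Run it from an elevated prompt or a computer startup script, since creating a task that runs as SYSTEM requires administrative rights; the task is deleted in a finally block so a failed run does not leave a stale SYSTEM task behind.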



So good luck with trying to secure Adobe Reader in your organisation, as it is certainly a front that IT administrators need to focus more upon; McAfee Labs have said “Adobe product exploitation will likely surpass that of Microsoft Office applications in 2010.”

TechEd 2009 – What’s new in WSUS 3 Service Pack 2