
Lab 1: Managing Security Updates

Objectives

After completing this lab, you will be able to:

- Scan computers for missing security updates.
- Install security updates by using Windows Update.
- Distribute and install security updates by using SUS and Automatic Updates.
- Scan computers by using SMS 2003.
- Manage security update distribution by using SMS 2003.

Scenario

You are the administrator for Contoso. The company network contains an Active Directory domain. All domain controllers run Microsoft Windows Server 2003. The network also contains Windows XP client computers and Windows Server 2003 servers. You need to implement a security update management infrastructure.

Computers

This lab uses the following computers: Paris and Miami. Before you begin the lab, you must start the computers, and you must log on to the computers.

Estimated time to complete this lab: 75 minutes


Exercise 1 Scanning Computers with Microsoft Baseline Security Analyzer (MBSA)


In this exercise, you will use Microsoft Baseline Security Analyzer (MBSA) to scan networked computers for missing security updates and security misconfigurations.

Scenario
Contoso wants to assess the security configuration of the computers on the network. You use MBSA to scan the computers remotely, and use the security reports to identify missing security updates and security misconfigurations.

Tasks

Detailed steps

Note: This lab uses the following computers: Paris and Miami. Before you begin the lab, the computers must be started. Click on the computer(s); the computer session will start as a separate window.

Note: Perform the following steps on the Miami computer.

1. On the Miami computer, use MBSA 1.2 to scan your computer for security vulnerabilities and any missing security updates.

a. On the Miami computer, on the Start menu, point to All Programs, and then click Microsoft Baseline Security Analyzer 1.2. The Microsoft Baseline Security Analyzer (MBSA) window opens. MBSA scans your computer for common security misconfigurations and missing security updates. MBSA 1.2 is a free downloadable program (1.6 MB) from the Microsoft Web site at www.microsoft.com/fwlink/?linkId=12518.

b. In the MBSA window, click Scan a computer.

c. On the Pick a computer to scan page, complete the following information:
- Computer name: CONTOSO\MIAMI
- IP address: Leave this field empty
- Security report name: %D% - %C% (%T%)
- Options: Leave all five checks enabled
and then click Start scan. MBSA will scan your computer. When it has completed its scan, it will display the scan results in a security report.

2. Examine the update database versions used by MBSA in the security report.

a. In the heading of the security report, examine the MBSA version number. The current version of MBSA is 1.2.3316.1. This is the latest version of MBSA when this lab was created on Feb. 8, 2004. Each time MBSA performs a scan, it attempts to connect to the Microsoft Web site to determine whether a new version of MBSA has been released. MBSA will notify you if a new version is available.

b. In the heading of the security report, examine the Security update database version. The current version (effective Feb. 8, 2004) of the security update database file mssecure.xml is 2004.02.02.0. Microsoft continuously updates the Mssecure.xml file on the Microsoft Web site. This file contains information about which security updates are available for particular products. It includes security bulletin names, titles, and detailed data about product-specific security updates, changed registry keys, checksums, and so on.

c. In the heading of the security report, examine the Office update database version. The current version (effective Feb. 8, 2004) of the Office update database file invcif.exe is 11.0.0.6122. The Invcif.exe file is the security update document for Microsoft Office, which is also continuously updated by Microsoft.

3. Examine the security update database file (Mssecure.xml) in the MBSA folder.

a. Use My Computer to open the C:\Program Files\Microsoft Baseline Security Analyzer folder. When MBSA begins scanning, the application attempts to obtain the latest version of the Mssecure.xml file in a signed file named MSSecure_1033.CAB. It first attempts to connect to the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18922. It then checks the Temporary Internet Files folder, and finally it checks the MBSA installation folder. If MBSA does not have access to the Internet, you can manually download the CAB file and place it in the MBSA installation folder.

b. In the Microsoft Baseline Security Analyzer folder, right-click the MSSecure_1033.CAB file, and then click Properties.

c. In the MSSecure_1033.CAB Properties dialog box, select the Digital Signatures tab.

d. On the Digital Signatures tab, in the Signature list box, select the digital signature, and then click Details. This MSSecure_1033.CAB file was digitally signed by Microsoft on Sunday, Feb. 01, 2004. MBSA extracts the Mssecure.xml file from the CAB file only if the digital signature is verified.

e. Click OK to close the Digital Signature Details dialog box.

f. Click Cancel to close the MSSecure_1033.CAB Properties dialog box.

g. In the Microsoft Baseline Security Analyzer folder, right-click the MSSecure_1033.CAB file, and then click Open. The CAB file contains the Mssecure.xml file.

h. In the MSSecure_1033.CAB window, click Back. MBSA extracted the Mssecure.xml file when it scanned your computer.

i. In the Microsoft Baseline Security Analyzer folder, right-click the Mssecure.xml file, and then click Open. Internet Explorer opens the Mssecure.xml file. The file contains information about all released security bulletins for the Microsoft products that are supported by MBSA, starting with bulletin MS98-001 from June 1, 1998.

j. In Internet Explorer, in front of <Bulletins>, click the - (minus) character to collapse the security bulletins listing.

k. Continue to collapse the XML tags (<Products>, <ProductFamilies>, and so on, until <SUSMappings>) to see the type of information in the Mssecure.xml file.

l. Close Internet Explorer.

m. Close the Microsoft Baseline Security Analyzer folder.

4. Examine the Security Update scan results in the MBSA security report.

a. In the MBSA security report, examine the Security Update Scan Results section. Notice that MBSA detected a total of 11 missing security updates on Miami.

b. In the Security Update Scan Results section, click any of the What was scanned links. Internet Explorer opens the check5311.html file.

c. After the fourth paragraph, examine the list of products and components for which MBSA 1.2 checks missing service packs and missing security updates on your computer.

d. Close Internet Explorer.

e. In the Security Update Scan Results section, on the Windows Security Updates line, click Result details. MBSA detected 8 missing (red-cross icon) Windows security updates, and 1 possibly missing (blue-asterisk icon) Windows security update (MS03-030/819696). Microsoft Knowledge Base article 306460 contains a list of security updates, such as MS03-030/819696, that MBSA cannot confirm as installed. Note: You cannot click on the links to view the text of the security bulletins (MSnn-nnn) in this lab.

f. Close the Result Details window.
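The signature check that task 3 walks through in the Properties dialog can also be scripted, which is useful when the CAB file is downloaded manually for a computer without Internet access. The following PowerShell script is an added example, not part of the original lab or of MBSA; it assumes Windows PowerShell 4.0 or later, and the staging folder and the expected publisher string are assumptions.

```powershell
# Added example: verify the Authenticode signature on the catalog CAB before
# extracting and trusting the Mssecure.xml file inside it.
param(
    # Path taken from the lab text: the MBSA installation folder.
    [string]$CabPath = 'C:\Program Files\Microsoft Baseline Security Analyzer\MSSecure_1033.CAB',
    # Hypothetical staging folder for the extracted file.
    [string]$Destination = (Join-Path $env:TEMP 'mbsa-catalog'),
    # Assumption: organization name expected in the signer certificate subject.
    [string]$ExpectedPublisher = 'Microsoft Corporation'
)

function Test-CatalogSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Publisher
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Catalog file not found: $Path"
    }
    # Validates the embedded signature and the certificate chain against the
    # local trust store.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    $subject = ''
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }
    # Match the O= component exactly, so that a look-alike name embedded in a
    # longer organization string is not accepted.
    $pattern = '(^|,\s*)O=' + [regex]::Escape($Publisher) + '(,|$)'
    if ($subject -notmatch $pattern) {
        $problems += "signer subject '$subject' does not name '$Publisher'"
    }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $subject
        Thumbprint  = $thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        Trusted     = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

$result = Test-CatalogSignature -Path $CabPath -Publisher $ExpectedPublisher
$result | Format-List Path, Status, Signer, Thumbprint, Timestamped, Trusted | Out-Host

if (-not $result.Trusted) {
    foreach ($problem in $result.Problems) { Write-Warning $problem }
    throw 'Refusing to extract Mssecure.xml from an unverified catalog.'
}

# Extract only after the signature has been verified.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
# expand.exe ships with Windows; -F: selects the single file to extract.
& expand.exe $CabPath '-F:mssecure.xml' $Destination | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "expand.exe failed with exit code $LASTEXITCODE"
}

# Record the hash of the extracted file for later comparison.
Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $Destination 'mssecure.xml')
```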

5. Examine the Windows Scan Vulnerabilities scan results in the MBSA security report.

a. In the MBSA security report, scroll down to examine the Windows Scan Results - Vulnerabilities section. MBSA can check for common security misconfigurations. The security report shows that Automatic Updates is disabled on Miami, that two accounts have non-expiring passwords, and the results of a few other configuration checks.

b. In the Windows Scan Results - Vulnerabilities section, on the Local Account Password Test line, click Result details. The result details show that the Guest account has a weak password (it is actually blank). MBSA does not attempt to crack passwords during the check; instead, it attempts to change the passwords on the accounts, using a few well-known passwords, such as blank, "password", "admin", "administrator" and the user account name and computer name.

c. Close the Result Details window.

6. Examine the Windows Scan Additional System Information scan results in the MBSA security report.

a. In the MBSA security report, scroll down to examine the Windows Scan Results - Additional System Information section.

b. In the Additional System Information section, on the Services line, click Result details. MBSA reports the status of potentially unnecessary services that are installed on your computer. The Telnet service is installed on Miami (but stopped). You can edit the contents of the services.txt file in the MBSA installation folder to indicate which services MBSA should consider as potentially unnecessary. By default, it contains FTP, Telnet, WWW and SMTP.

c. Close the Result Details window.

7. Use MBSA to scan the Paris computer (10.6.1.1).

a. In the MBSA window, in the table of contents list on the left, click Pick a computer to scan.

b. On the Pick a computer to scan page, complete the following information:
- Computer name: (skip)
- IP address: 10.6.1.1
- Security report name: %D% - %C% (%T%) (is default)
- Options: Leave all five checks enabled
and then click Start scan. MBSA scans the Paris computer (IP address 10.6.1.1), and displays the scan results in a security report.

8. Examine security results from scanning Paris.

a. In the MBSA security report, examine the Security Update Scan Results section. MBSA detected (the same) 11 missing security updates on Paris, and 2 missing SQL Server security updates. Notice that MBSA cannot scan for Office Security Updates remotely.

b. Scroll down to the Windows Scan Results - Vulnerabilities section. The security report does not contain a result for the Local Account Password Test. MBSA can scan for weak passwords remotely, but for performance reasons will skip this test on domain controllers (like Paris).

c. Scroll down to the IIS Scan Results - Vulnerabilities section. MBSA scans for common misconfigurations of Internet Information Services (IIS). Note: You need to have the IIS Common Files installed on the MBSA computer (Miami) to scan remotely for IIS vulnerabilities.

9. Close the MBSA window.

a. Close the Microsoft Baseline Security Analyzer window. MBSA also has a command-line interface (mbsacli.exe), but you cannot run mbsacli.exe while the graphical MBSA window is open. Although the MBSA window is closed, the security reports are saved for later reference.

10. At the command prompt, use Mbsacli.exe to scan both 10.6.1.1 (Paris) and 10.6.1.2 (Miami).

a. Open a Command Prompt window.

b. At the command prompt, type cd "\Program Files\Microsoft Baseline Security Analyzer", and then press ENTER. Note: You can type cd \pro<tab>\mic<tab> to quickly type the complete path.

c. Type mbsacli /?, and then press ENTER. Mbsacli.exe is able to perform all the scanning functions that the graphical MBSA interface has. It even has more options, such as detecting installed security updates by using file checksums.

d. Type mbsacli /hf /?, and then press ENTER. The mbsacli /hf option allows you to scan in HFNetChk mode. HFNetChk scans for security updates only.

e. Type mbsacli /hf, and then press ENTER. The output of the command displays the same 11 missing security updates as the graphical MBSA interface showed in the earlier scan.

f. Type mbsacli /R 10.6.1.1-10.6.1.2, and then press ENTER. MBSA and mbsacli.exe can scan multiple computers. This is especially useful if you want to create a batch file or a script that periodically checks security updates and security configuration on the computers in the organization. When mbsacli.exe is not used in HFNetChk mode, the scan results are saved in the same security report files as the graphical MBSA interface uses.

g. Type mbsacli.exe /L, and then press ENTER to see a list of all the available security reports.

h. Close the Command Prompt window.

11. Use the graphical MBSA interface to examine the security reports from mbsacli.exe.

a. On the Start menu, point to All Programs, and then click Microsoft Baseline Security Analyzer 1.2.

b. In the MBSA window, click View existing security reports. All available MBSA security reports are listed. The most recent report is listed at the top of the screen. The two reports at the top (CONTOSO\PARIS and CONTOSO\MIAMI) contain the scan results of the most recent mbsacli.exe scan.

c. On the Pick a security report to view page, click the top CONTOSO\PARIS report. Because you have not yet installed any security updates or changed any security configuration, the scan results in the report are exactly the same as the earlier scan of the Paris computer.

d. Close the Microsoft Baseline Security Analyzer window.

12. Examine the security report files in the %userprofile%\SecurityScans folder.

a. Use Windows Explorer (or My Computer) to open the C:\Documents and Settings\Administrator.CONTOSO\SecurityScans folder. MBSA and mbsacli.exe save the scan results in XML files in the %userprofile%\SecurityScans folder. These are displayed as the security reports in the graphical MBSA interface. Note: MBSA requires administrative access on the computer that it scans. This means that you should consider the security reports, which list missing security updates and security misconfigurations, as information that needs to be protected as well. The default permissions on the SecurityScans folder only allow access to the user that generated the report, and the Administrators group.

b. Close the SecurityScans folder.
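Because the reports list every missing update and misconfiguration, it is worth checking that the permissions described in the note above are still in place, for example after reports have been copied or the folder has been redirected. The following PowerShell script is an added example, not part of the original lab; it assumes Windows PowerShell 3.0 or later, that the account running it is the one that generated the reports, and that LocalSystem may also hold access.

```powershell
# Added example: list every account, other than the expected ones, that is
# allowed access to the SecurityScans folder or to the XML reports in it.
param(
    # Folder named in the lab; reports are stored under the scanning user's profile.
    [string]$ReportFolder = (Join-Path $env:USERPROFILE 'SecurityScans'),
    # Assumption: the reports were generated by the account running this audit.
    [string]$OwnerSid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value),
    # Assumption: LocalSystem (S-1-5-18) is tolerated, because profile folders
    # normally grant it access.
    [string[]]$AlsoAllowedSids = @('S-1-5-18')
)

function Get-UnexpectedReportAccess {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string[]]$AllowedSids
    )
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Report folder not found: $Folder"
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $targets = @(Get-Item -LiteralPath $Folder) +
               @(Get-ChildItem -LiteralPath $Folder -Filter '*.xml' -File)

    foreach ($target in $targets) {
        $acl = Get-Acl -LiteralPath $target.FullName
        # Request explicit and inherited rules keyed by SID, so that renamed or
        # localized account names cannot hide an entry.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference
            if ($AllowedSids -contains $sid.Value) { continue }

            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }

            [pscustomobject]@{
                Path      = $target.FullName
                Sid       = $sid.Value
                Account   = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$allowed  = @($OwnerSid, 'S-1-5-32-544') + $AlsoAllowedSids
$findings = @(Get-UnexpectedReportAccess -Folder $ReportFolder -AllowedSids $allowed)

if ($findings.Count -eq 0) {
    "No unexpected access entries on $ReportFolder"
} else {
    $findings | Sort-Object Path, Sid | Format-Table -AutoSize | Out-Host
    exit 1
}
```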


Exercise 2 Installing Updates with Windows Update and Windows Update Catalog
In this exercise, you will install updates with Windows Update and Windows Update Catalog.

Scenario
You need to install a specific security update on a Windows Server 2003 computer. You use Windows Update to scan the computer for missing updates, and then install the required security update. You use MBSA to verify that the security update is installed correctly. You use Windows Update Catalog to download a security update for Windows XP.

Tasks

Detailed steps

Note: Perform the following steps on the Miami computer.

1. On the Miami computer, use Windows Update to scan your computer for missing updates.

a. On the Miami computer, on the Start menu, point to All Programs, and then click Windows Update. Internet Explorer opens the Microsoft Windows Update Web site. The first time a computer connects to the Windows Update site, you have to install and run an ActiveX Control. Windows Update uses the ActiveX Control to scan your computer, and provide you with a correct list of updates.

b. In the Security Warning dialog box, click Yes to confirm that you want to install and run the "Windows Update" ActiveX component.

c. Maximize the Internet Explorer window, if this is not done already. Note: The lab computers are not connected to the Internet. Currently Internet Explorer displays a demo of a small part of the real Windows Update Web site. The demo is only intended to illustrate how Windows Update and Windows Update Catalog can help you keep your computers up-to-date.

d. On the Welcome to Windows Update page, click Scan for updates. Windows Update scans your computer to determine which updates you need. It reports that it has found 12 critical updates (and 2 recommended Windows Server 2003 updates).

2. Review the list of critical updates that Windows Update found.

a. On the Pick updates to install page, click Review and install updates.

b. If a message box appears, warning you that you will send information to the Internet, click Yes to confirm that you want to continue. Displaying this warning message box is the default setting in Internet Explorer when an HTTP POST request is made. Windows Update scans the computer locally, by using the downloaded ActiveX Control. Microsoft does not know the result of this scan until the HTTP POST request asks for more details about a specific list of needed updates. None of the configuration information sent can be used to identify you. Windows Update does not collect any form of personally identifiable information.

c. On the Total Selected Updates page, scroll through the list of 12 critical updates. The list of 12 needed critical updates detected by Windows Update is up-to-date as of Feb. 8, 2004. MBSA reported only 11 security updates at that moment. The difference is the critical update KB828026 for Windows Media Player. There is no related security bulletin (MSnn-nnn) for that update, so MBSA did not report this update.

3. Review the list of recommended updates that Windows Update found.

a. In the Windows Update window, in the table of contents on the left, click Windows Server 2003 family (2). Windows Update found 2 recommended updates for Miami. These updates are not automatically added to the selected list of updates. Note that MBSA does not scan for recommended updates.

b. In the table of contents on the left, click Driver Updates (0). Windows Update did not find any driver updates for the hardware devices used by Miami.

4. Use Windows Update to download and install the KB828026 update for Windows Media Player.

a. In the table of contents on the left, click Review and install updates (12).

b. On the Total Selected Updates page, click Remove for all selected updates, except the KB828026 update (seventh in the selected list). Only a single update (KB828026 - download size 2.8 MB) is selected. The description of the update mentions that you may have to restart the computer. Because the Windows Media Player, and the files replaced by the update, have not been used since Miami started, Windows Update will most likely not ask you to restart the computer after installation.

c. Click Install Now. Please wait while Windows Update downloads and installs the update. This takes approximately one minute. After the successful installation of the security update, the Installation Complete page appears.

5. Use Windows Update to scan your computer again.

a. In the table of contents on the left, click Welcome.

b. On the Welcome to Windows Update page, click Scan for updates. Windows Update scans your computer again, and now reports that it has found 10, instead of 12, critical updates. The original list of 12 critical updates included Windows Media Player update KB819639 of June 6, 2003 (which MBSA also found as security bulletin MS03-021). The Windows Media Player update that was just installed (KB828026 of Sept. 17, 2003) includes all the changes of the earlier KB819639 update. Windows Update (and MBSA) do not list KB819639 as a needed security update anymore.

c. Close Windows Update.

6. Use MBSA to scan your computer again. Compare the scan result with an earlier MBSA scan of Miami.

a. On the Start menu, point to All Programs, and then click Microsoft Baseline Security Analyzer 1.2. The MBSA window opens.

b. In the MBSA window, click Scan a computer.

c. On the Pick a computer to scan page, complete the following information:
- Computer name: CONTOSO\MIAMI (is default)
- IP address: (leave empty)
- Security report name: %D% - %C% (%T%) (is default)
- Options: Leave all five checks enabled
and then click Start scan. MBSA scans your computer again. When it is completed, it reports that it found a total of 10 missing security updates (9 Windows security updates, and 1 MDAC security update). There are no security updates found for Windows Media Player.

d. In the table of contents on the left, click Pick a security report to view.

e. If not all reports are listed on the Pick a security report to view page, click Click here to see all security reports.

f. On the Pick a security report to view page, in the Sort order list box, select Computer name (descending).

g. Click the second most recent security report for Miami. An earlier security report for Miami is displayed. The MBSA scan results in this report are from before the installation of the KB828026 Windows Media Player update.

h. In the Security Update Scan Results section, on the Windows Media Player Security Updates line, click Result details. The earlier security report still lists the KB819639 (MS03-021) security update as missing.

i. Close the Result Details window.

j. Close the Microsoft Baseline Security Analyzer window.
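The counts in tasks 2, 5 and 6 (12 versus 11 before the installation, 10 and 10 afterwards) follow from two rules: MBSA only reports updates that have a security bulletin, and an installed update also covers the updates it supersedes. The following PowerShell script is an added example, not part of the original lab, that models both rules and follows supersedence chains of any length. Only KB828026, KB819639 and MS03-021 come from the lab text; the function names and the ten SAMPLE entries are constructed placeholders for the other updates.

```powershell
# Added example: a simplified model of why the two scanners report different
# counts, and why installing one update removes two entries from the list.

function New-SampleCatalog {
    # Constructed sample data. KB-SAMPLE-nn / MS-SAMPLE-nn are placeholders.
    $catalog = @(
        [pscustomobject]@{ Id = 'KB819639'; Bulletin = 'MS03-021'; Supersedes = @() }
        [pscustomobject]@{ Id = 'KB828026'; Bulletin = $null;      Supersedes = @('KB819639') }
    )
    foreach ($n in 1..10) {
        $catalog += [pscustomobject]@{
            Id         = 'KB-SAMPLE-{0:d2}' -f $n
            Bulletin   = 'MS-SAMPLE-{0:d2}' -f $n
            Supersedes = @()
        }
    }
    $catalog
}

function Get-NeededUpdates {
    param(
        [Parameter(Mandatory)][object[]]$Catalog,
        [string[]]$Installed = @(),
        # Model of a scanner that only reports updates tied to a security bulletin.
        [switch]$BulletinsOnly
    )
    $byId = @{}
    foreach ($update in $Catalog) { $byId[$update.Id] = $update }

    # An update is covered when it is installed, or when an installed update
    # supersedes it, directly or through a chain of supersedence.
    $covered = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue   = New-Object System.Collections.Queue
    foreach ($id in $Installed) { $queue.Enqueue($id) }
    while ($queue.Count -gt 0) {
        $id = $queue.Dequeue()
        if ($covered.Add($id) -and $byId.ContainsKey($id)) {
            foreach ($older in $byId[$id].Supersedes) { $queue.Enqueue($older) }
        }
    }

    $Catalog | Where-Object {
        (-not $covered.Contains($_.Id)) -and ((-not $BulletinsOnly) -or $_.Bulletin)
    }
}

$catalog = New-SampleCatalog
$states  = @(
    @{ Label = 'Before installing KB828026'; Installed = @() }
    @{ Label = 'After installing KB828026';  Installed = @('KB828026') }
)
foreach ($state in $states) {
    $allUpdates = @(Get-NeededUpdates -Catalog $catalog -Installed $state.Installed)
    $bulletins  = @(Get-NeededUpdates -Catalog $catalog -Installed $state.Installed -BulletinsOnly)
    '{0}: all critical updates = {1}, bulletin-based view = {2}' -f `
        $state.Label, $allUpdates.Count, $bulletins.Count
}
```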

7. Examine the results of the installation of the KB828026 security patch. Examine:
- Add or Remove Programs
- $NtUninstallQ828026$ folder
- LastGood folder
- dllcache folder
- Windows Update.log

a. On the Start menu, point to Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, select Windows Media Player Hotfix [See wm828026 for more information]. (Do NOT click Remove). Almost all security updates can be uninstalled, if needed.

c. Close the Add or Remove Programs window.

d. Use Windows Explorer (or My Computer) to open the C:\Windows\$NtUninstallQ828026$ folder. The $NtUninstallQ828026$ folder contains the original files (msdxm.ocx and wmp.dll), and registry entries, that have been replaced by the installation of the update. These files are saved here to allow uninstallation of the update.

e. Close the $NtUninstallQ828026$ folder.

f. Open a Command Prompt window.

g. At the command prompt, type cd \, and then press ENTER.

h. Type dir /a /s wmp.dll, and then press ENTER. The original wmp.dll file (dated March 25, 2003) is found in the uninstall folder and in the LastGood folder. The updated wmp.dll file (dated Sept. 17, 2003) is installed in the System32 folder and in the dllcache folder used by Windows File Protection. Because the security update package for KB828026 is digitally signed by Microsoft, Windows File Protection accepts the replacement file in the dllcache folder.

i. Close the Command Prompt window.

j. Use Windows Explorer (or My Computer) to open the C:\Windows folder.

k. In the Windows folder, right-click Windows Update.log, and then click Open. Notepad opens the Windows Update.log file.

l. Maximize Notepad, if that is not done already. Windows Update.log contains a log of the use of Windows Update (and Windows Update Catalog). Installations of updates by Automatic Updates are also logged in this file. The log file has two time columns. The first time column is the local time of the computer. The second time column is UTC/GMT time. This allows for easy comparison of the log files between computers in multiple time zones.

m. Close Notepad.

n. Close the Windows folder.

8. Use Windows Update Catalog to download any specific update. For example:
- OS: Windows XP SP1
- Language: English
- Published: Past 6 months

a. On the Start menu, point to All Programs, and then click Windows Update. Internet Explorer opens the Windows Update Demo Web site.

b. Maximize the Internet Explorer window, if this is not done already. Although the main Windows Update site is intended to scan your computer, and then install selected updates on the scanned computer, the site also contains a section named Windows Update Catalog that you can use to download any update for any Microsoft operating system, without directly installing it.

c. In the table of contents at left, click Personalize Windows Update.

d. On the Personalize your Windows Update experience page, ensure that Display the link to the Windows Update Catalog is enabled.

e. In the table of contents at left, click Windows Update Catalog.

f. On the Welcome to Windows Update Catalog page, click Find driver updates for hardware devices. While not directly related to security updates, you can also use Windows Update Catalog to download updated hardware drivers.

g. On the Internet Explorer toolbar, click Back.

h. On the Welcome to Windows Update Catalog page, click Find updates for Microsoft Windows operating systems.

i. On the Microsoft Windows page, click Advanced search options. You can use this page to search for any type of update for any Microsoft operating system (Windows 98 or later), in any language.

j. Complete the following information:
- Operating system: Windows XP SP1
- Language: English
- Date posted to the Web: Past 6 months
and then click Search. The Windows Update Catalog Demo does not actually let you find updates, but the real Windows Update Catalog Web site would now present you with a list of 92 applicable English-language updates for Windows XP SP1, published in the past six months. You can add any of these updates to the Download Basket.

k. In the table of contents at left, click Go to Download Basket. On the Download Basket page (if you have selected updates), you click Browse to specify a download folder on the local computer, and then click Download Now to start downloading the selected updates. The View download history option will display logging information, kept on the local computer, and show you all the updates and folder locations where you saved downloaded updates from Windows Update Catalog before.

l. Close Windows Update.

Note: The option to download any security update for all Microsoft operating systems that your organization may have is especially important if you want to deploy updates and service packs by means other than Windows Update (or Automatic Updates). Possible scenarios are:

- Integrating (or slipstreaming) updates or service packs in Windows installation source files. Newly installed computers will directly use the updated files. See Microsoft Knowledge Base articles 828930 and 262839 for instructions on how to do this.
- Creating a CD or DVD with applicable security updates that you can distribute to mobile computer users, who may not be connected to your network often enough, or long enough, to make use of other patch distribution solutions.
- Combining multiple security updates in packages used by SMS, to distribute to the SMS client computers on your network.


Exercise 3 Distributing Updates with Software Update Services (SUS)


In this exercise, you will distribute updates with Software Update Services and Automatic Updates.

Scenario
Contoso wants to distribute approved security updates to all computers on the network. You configure Software Update Services to download available updates, and approve the security updates for distribution. After you have configured a SUS server on the network, you need to configure Automatic Updates on the computers so that they connect to the SUS server. You use Group Policy to specify the Automatic Updates settings.

Tasks

Detailed steps

Note: Perform the following steps on the Miami computer.

1. On the Miami computer, examine the three Automatic Updates download and install scenarios. Do NOT enable Automatic Updates yet.

a. On the Miami computer, on the Start menu, point to Control Panel, and then click System.

b. In the System Properties dialog box, select the Automatic Updates tab. Automatic Updates is the automated form of a user connecting to Windows Update with Internet Explorer, scanning the computer for missing security updates, and then downloading and installing those updates. Instead of the user initiating the connection to the Windows Update Web site, the Automatic Updates service connects every 17 to 22 hours, and checks, downloads and installs newly released security updates.

c. On the Automatic Updates tab, enable Keep my computer up to date. When Automatic Updates is enabled, you can choose from three download and installation scenarios. By default Automatic Updates is enabled, and uses the second scenario: Download automatically, and notify when ready to be installed.

d. Click Cancel to close the System Properties dialog box. Do NOT click OK. You will enable Automatic Updates later in this exercise.

Note: Perform the following steps on the Paris computer.

2. On the Paris computer, open the SUS administration Web site. Use: http://localhost/SUSAdmin

a. On the Paris computer, open Internet Explorer. In the Address box, type http://localhost/SUSAdmin, and then press ENTER. The Microsoft Software Update Services (SUS) window opens. You can configure Automatic Updates on the client computers to connect to a SUS server, instead of the Windows Update Web site on the Internet. In comparison with the Windows Update site, SUS allows you to select which security updates are already approved for installation on the client computers. SUS 1.0 SP1 is a free download (32 MB) from the Microsoft Web site at www.microsoft.com/windowsserversystem/sus/default.mspx.

3. Configure SUS. Options:
- Use proxy server: No
- This SUS server: 10.6.1.1
- Synchronize from local SUS server: 10.6.1.35
- Synchronize approved items list: No

a. In the Software Update Services window, in the table of contents on the left, click Set options. The SUS server is just installed on Paris. After installation, the following tasks need to be performed:
1. Configure SUS options for managing updates (Set options)
2. Synchronize the server to receive the latest updates (Synchronize server)
3. Approve updates for distribution to your client computers (Approve updates)

b. On the Set options page, complete the following information:
- Proxy server configuration: Do not use a proxy server
- Server name your clients use: 10.6.1.1 (is SUS Web site on Paris)
- Synchronize from a local SUS server: 10.6.1.35
- Synchronize list of approved items: disable
and then click Apply. In this lab, Paris runs multiple Web sites on different IP addresses. It is important to specify the Server name as 10.6.1.1, so that the client computers connect to the correct SUS Web site. Instead of receiving the latest updates from Windows Update on the Internet, a SUS server can receive the updates from another SUS server on the network (10.6.1.35). However, this SUS server does not synchronize the file (ApprovedItems.txt) that indicates which updates the other SUS server has already approved. For demonstration purposes, the other SUS server on the network (10.6.1.35) is actually another Web site on Paris itself.

c. Click OK to confirm that the settings have been successfully saved.

4. Examine the synchronization log and approval log.

a. In the table of contents on the left, click View synchronization log. This SUS server has not received any updates yet.

b. Click View approval log. You have not yet approved any updates on the SUS server.

16

Lab 1: Managing Security Updates (continued)

Tasks
5.

Detailed steps
a. c.

Configure a synchronization schedule. Use: Every day at 4:00 A.M.

Click Synchronize server. In the Schedule Synchronization dialog box, complete the following information: Synchronize using this schedule: enable At this time: 04:00 On the following day(s): Daily and then click OK. The next synchronization to check for the latest updates will happen at 4:00 AM tonight.

b. On the Synchronize server page, click Synchronization Schedule.

6. Synchronize the SUS server now (instead of waiting until 4:00 A.M.).

a. On the Synchronize server page, click Synchronize Now. The SUS server first downloads the CAB file (Aucatalog1.cab) with the specification of all available security updates (95%). It then unpacks this catalog file. Secondly, the SUS server downloads all security updates (12x) that it had not received yet, plus a CAB file (aurtf1.cab) with all the textual descriptions of the security updates.

b. When the synchronization is complete, click OK to confirm that the SUS server successfully received the latest updates, and to go to the Approve updates step.

Note: To accelerate this lab, the new SUS server had already received all 182 English-language security updates (total 561 MB) that were available on Feb. 8, 2004. This includes Windows XP SP1a and Windows 2000 SP4. For demonstration purposes, 12 security updates for Windows Server 2003 were removed from the SUS server again, representing newly available updates.
7. Use the Available updates list to save the 823559 update file to the C:\ folder.

a. On the Approve updates page, scroll through the list of available updates (12 New updates, followed by 170 Unapproved updates). The green text beneath each update description indicates the Microsoft operating system to which the update applies.

b. Scroll to the 823559 security update (fifth new update in the list), and then click Details. The Update Details dialog box displays the full file name of the update, and the setup parameters used when Automatic Updates installs the update. The same update file is used for four different editions of Windows Server 2003.

c. In the Update Details dialog box, click any of the blue links to the update file.

d. In the File Download dialog box, click Save.

e. In the Save As dialog box, select the C:\ folder, and then click Save. The 823559 update file is now saved in the C:\ folder. The update files that you can download with Windows Update Catalog and the update files that you can save from the Available Updates list in SUS are exactly the same files.

f. Click Close to close the Update Details dialog box.

8. Verify the digital signature on the 823559 update file.

a. Use Windows Explorer (or My Computer) to open the C:\ folder.

b. In the C:\ folder, right-click the WindowsServer2003-KB823559-x86-ENU_d8d8fa.exe file, and then click Rename.

c. Rename the file to WindowsServer2003-KB823559-x86-ENU.exe. For testing or manual deployment purposes, it is no problem to rename the update file.

d. Right-click the WindowsServer2003-KB823559-x86-ENU.exe file, and then click Properties.

e. In the file Properties dialog box, select the Digital Signatures tab.

f. On the Digital Signatures tab, in the Signature list box, select the digital signature, and then click Details. The update file is digitally signed by Microsoft. The digital signature of the (renamed) update file is verified. The signature verifies who distributed the update file, and that the content has not been changed. This check does not include the file name.

Note: You normally do not have to verify the signature on the update files manually. All the patch management tools that use update files (Windows Update installation, SUS synchronization, and Automatic Updates installation) verify the signature of the update files as well. However, never accept update files through any other means, such as e-mail attachments!

g. Click OK to close the Digital Signature Details dialog box.

h. Click Cancel to close the file Properties dialog box.

i. Close the C:\ folder.
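The signature check from task 8 can also be scripted. The following is an added example, not part of the original lab: it assumes a computer with PowerShell available, uses the renamed file path from the lab, and the function name Test-UpdateSignature and the temporary copy names are hypothetical. It shows that a renamed copy still verifies, while a copy with changed content does not.

```powershell
# Added example (not part of the lab): verify the Authenticode signature of update files.
function Test-UpdateSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path,

        # Assumption: the organization (O=) expected in the signer certificate subject.
        [string]$ExpectedOrganization = 'Microsoft Corporation'
    )

    $pattern = '(^|,\s*)O=' + [regex]::Escape($ExpectedOrganization) + '(,|$)'
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        $subject = $null
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            File     = Split-Path -Path $file -Leaf
            # 'Valid' means the content hash matches and the certificate chain is trusted.
            Status   = $sig.Status
            Signer   = $subject
            # Accept only a valid signature whose signer is the expected publisher.
            Accepted = ($sig.Status -eq 'Valid') -and ($subject -match $pattern)
        }
    }
}

# File name as renamed in task 8 of the lab.
$update = 'C:\WindowsServer2003-KB823559-x86-ENU.exe'

if (Test-Path -LiteralPath $update) {
    # Copy under an unrelated name: the signature covers the content, not the file name.
    $renamed = Join-Path $env:TEMP 'renamed-copy.exe'
    Copy-Item -LiteralPath $update -Destination $renamed -Force

    # Copy with a single byte changed: the signature must no longer be reported as Valid.
    $altered = Join-Path $env:TEMP 'altered-copy.exe'
    $bytes = [System.IO.File]::ReadAllBytes($update)
    $offset = [int][math]::Floor($bytes.Length / 2)
    $bytes[$offset] = $bytes[$offset] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($altered, $bytes)

    $results = Test-UpdateSignature -Path $update, $renamed, $altered
    $results | Format-Table -AutoSize

    Remove-Item -LiteralPath $renamed, $altered -Force

    # Fail loudly if the lab file itself is not acceptable.
    if (-not $results[0].Accepted) {
        Write-Warning "Signature check failed for $update; do not install this file."
    }
}
else {
    Write-Warning "Update file not found: $update"
}
```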

9. Use SUS to approve three new updates: KB832483 KB823559 KB828026

a. In the SUS window, on the Approve updates page, select the check box in front of the following three new security updates:
KB832483 (second new update in the list)
KB823559 (fifth new update in the list)
KB828026 (seventh new update in the list)

b. Click Approve.

c. Click Yes to confirm that you are about to approve a new list of updates for your client computers.

d. In the Software Update Services license agreement dialog box, click Accept.

e. Click OK to confirm that the list of approved updates is available for distribution to your clients. The Available Updates list has changed. It now consists of 3 Approved updates, followed by 179 Unapproved updates.

10. Examine the latest SUS news message from Microsoft.

a. In the SUS window, in the table of contents on the left, click Welcome. After every synchronization, the Welcome page displays any new messages from Microsoft, related to SUS. In this case, the page explains that after the original release of SUS 1.0 SP1, a change has been made to include service packs in the SUS synchronization.

Note: To limit the bandwidth used by SUS synchronization, on the Set Options page, ensure that you do not enable synchronization for more language versions than needed in your organization. (The default installation setting is to synchronize all languages.)

11. Examine the total number of available updates per product.

a. In the SUS window, in the table of contents on the left, click Monitor server. The Monitor server page lists the total number of updates available for each platform (and Internet Explorer versions). This includes all 31 language versions.

b. On the Monitor server page, click Windows Server 2003 family. Internet Explorer displays the contents of a text file (Items.txt) containing XML descriptions of all the updates in all languages, available for Windows Server 2003.

c. Close the Items.txt file.

12. Examine the synchronization log and approval log.

a. In the table of contents on the left, click View synchronization log. The Synchronization log page displays any added updates per synchronization. It is important to periodically check the synchronization log, to find out whether new updates need to be tested and approved. All new updates are always unapproved.

b. Click View approval log. The Approval log page shows that currently 3 updates are approved.

13. Close the SUS administration Web site.

a. Close the Software Update Services window.

Note: In the next steps, you configure Automatic Updates by using Group Policies.

14. Create a new Group Policy Object (GPO). Name: SUS Client Policy Link to: contoso.com

a. On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers console opens.

b. In the Active Directory Users and Computers console, in the left pane, expand contoso.com, right-click contoso.com, and then click Properties.

c. In the Contoso.com Properties dialog box, on the Group Policy tab, click New.

d. In the New Group Policy Object text box, replace the text by typing SUS Client Policy, and then press ENTER. A new (empty) Group Policy Object named SUS Client Policy is created.

15. Configure Automatic Updates settings in the SUS Client Policy GPO:
Configure Automatic Updates: enabled
Install: Auto download and schedule
Day: every day
Time: 03:00
SUS server: 10.6.1.1
Statistics server: 10.6.1.1
Reschedule: 10 minutes

a. Right-click SUS Client Policy, and then click Edit.

b. In the Group Policy Object Editor console, in the left pane, under Computer Configuration, expand Administrative Templates, expand Windows Components, and then select Windows Update.

c. In the right pane, right-click Configure Automatic Updates, and then click Properties.

d. In the Configure Automatic Updates Properties dialog box, complete the following information:
Policy radio button: Enabled
Configure automatic updating: 4 - Auto download and schedule the install
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
and then click OK.
Enabling Automatic Updates through a Group Policy also has the effect that the System Properties dialog box on the client computer no longer allows manual changes to the Automatic Updates configuration.

e. Right-click Specify intranet Microsoft update service location, and then click Properties.

f. In the Properties dialog box, complete the following information:
Policy radio button: Enabled (meaning use a SUS server)
Intranet update service: http://10.6.1.1
Intranet statistics server: http://10.6.1.1
and then click OK.
Automatic Updates connects to the file Wutrack.bin in the root of the SUS Web site, before and after each installation, so that you can gather statistics on Automatic Updates from the IIS log file.

g. Right-click Reschedule Automatic Updates scheduled installations, and then click Properties.

h. In the Properties dialog box, complete the following information:
Policy radio button: Enabled
Wait after system startup: 10 minutes
and then click OK.
If a client computer has downloaded new updates, but is not turned on at the scheduled installation time (every day at 3:00 AM), then Automatic Updates will install the new updates 10 minutes after the computer is started.

i. Close the Group Policy Object Editor console.

j. Click Close to close the Contoso.com Properties dialog box.

k. Close the Active Directory Users and Computers console.

Note: Automatic Updates performs two functions:
- A detection cycle (connecting to Windows Update or to a SUS server to check for new updates).
- Installation of applicable updates.
To avoid high bandwidth use when new updates become available, Automatic Updates on each client computer only does a detection cycle one time every 17 to 22 hours. Microsoft Knowledge Base article 326693 describes the steps to manually force a detection cycle on a single client computer within 5 minutes. However, in this lab, these steps are not performed, and installing updates with Automatic Updates is not done.
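To confirm that a client has actually received the settings from task 15, you can compare its policy registry values with the values entered in the GPO. The following is an added example, not part of the original lab: it assumes PowerShell on the client and the standard Windows Update policy registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the function name Test-AutomaticUpdatesPolicy is hypothetical.

```powershell
# Added example (not part of the lab): audit the Automatic Updates policy on a client
# against the values configured in the SUS Client Policy GPO in task 15.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Expected values, taken from the lab's GPO settings.
$expected = @(
    [pscustomobject]@{ Key = $wu; Name = 'WUServer';             Value = 'http://10.6.1.1'; Setting = 'Intranet update service' }
    [pscustomobject]@{ Key = $wu; Name = 'WUStatusServer';       Value = 'http://10.6.1.1'; Setting = 'Intranet statistics server' }
    [pscustomobject]@{ Key = $au; Name = 'UseWUServer';          Value = 1;  Setting = 'Use the intranet (SUS) server' }
    [pscustomobject]@{ Key = $au; Name = 'NoAutoUpdate';         Value = 0;  Setting = 'Automatic Updates enabled' }
    [pscustomobject]@{ Key = $au; Name = 'AUOptions';            Value = 4;  Setting = '4 - Auto download and schedule the install' }
    [pscustomobject]@{ Key = $au; Name = 'ScheduledInstallDay';  Value = 0;  Setting = '0 - Every day' }
    [pscustomobject]@{ Key = $au; Name = 'ScheduledInstallTime'; Value = 3;  Setting = 'Scheduled install time 03:00' }
    [pscustomobject]@{ Key = $au; Name = 'RescheduleWaitTime';   Value = 10; Setting = 'Wait after system startup (minutes)' }
)

function Test-AutomaticUpdatesPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Expected
    )

    foreach ($item in $Expected) {
        # A missing key or value means the GPO has not (yet) been applied to this computer.
        $actual = $null
        $props = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
        if ($null -ne $props) { $actual = $props.($item.Name) }

        [pscustomobject]@{
            Setting   = $item.Setting
            ValueName = $item.Name
            Expected  = $item.Value
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match     = ($null -ne $actual) -and ("$actual" -eq "$($item.Value)")
        }
    }
}

$report = @(Test-AutomaticUpdatesPolicy -Expected $expected)
$report | Format-Table -AutoSize

# Summarize: any mismatch means the client will not follow the lab's update schedule
# or will not contact the intended SUS server.
$mismatches = @($report | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning ("{0} of {1} Automatic Updates policy values differ from the SUS Client Policy GPO." -f $mismatches.Count, $report.Count)
}
else {
    Write-Output 'All Automatic Updates policy values match the SUS Client Policy GPO.'
}
```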


Exercise 4 Scanning Computers with SMS 2003 Security Update Inventory Tool
In this exercise, you will configure SMS 2003 to scan computers on the network for missing security updates.

Scenario
Contoso wants to use SMS 2003 to manage security updates for computers on the network. You need to configure SMS 2003 so that it will scan computers for missing security updates.

Tasks

Detailed steps

Note: Perform the following steps on the Paris computer (as SMS client).
1. On the Paris computer, verify the SMS Management Point of the computer.

a. On the Paris computer, on the Start menu, point to Control Panel, and then click Systems Management. The Systems Management Properties dialog box opens. On the General tab, notice that the Management Point of this computer (Paris) is Paris. In this exercise, the Paris computer is used both as SMS 2003 Server, and as SMS 2003 Advanced Client.

b. Click Cancel to close the Systems Management Properties dialog box.

Note: Perform the following steps on the Paris computer (as SMS server).
2. On the Paris computer, install the SMS 2003 Security Update Inventory Tool. File: C:\SMS Lab Files\SecurityPatch_ENU.exe Package name: Scanner

a. On the Paris computer, use Windows Explorer (or My Computer) to open the C:\SMS Lab Files folder. The SMS Lab Files folder contains:
SecurityPatch_ENU.exe - This is the SMS 2003 Security Update Inventory Tool. The file is extracted from a free download (SMS2003ScanTools_ENU.exe) from www.microsoft.com/smserver/downloads/2003/featurepacks/suspack/default.asp.
Windows Server 2003 security update KB825119
Windows Server 2003 security update KB828035
Both security updates are downloaded with Windows Update Catalog.

b. In the SMS Lab Files folder, right-click SecurityPatch_ENU.exe, and then click Open.

c. In the Security Update Inventory Tool Installation dialog box, click Next.

d. On the End User License Agreement (EULA) page, select Accept to indicate that you agree to the terms of the EULA, and then click Next.

e. On the Select Destination Directory page, ensure that the Destination path is C:\Program Files\SecurityPatch, and then click Next.

f. Click Yes to confirm that you want to install to this existing path. In this lab, the SecurityPatch folder already exists, because as part of the lab configuration, the Mssecure.cab file is already downloaded from the Microsoft Web site, and copied to the folder.

g. On the Scan Tool Download page, click Download to indicate that you want to download the security bulletin file. The Setup program attempts to connect to go.microsoft.com/fwlink/?LinkId=9160 to download the latest version of mssecure.cab to the C:\Program Files\SecurityPatch\PkgSource\1033 folder. Paris does not have a connection to the Internet, and fails to download the file.

h. Click Yes to confirm that you want to download any remaining items.

i. Click Yes again to confirm that you want to download the remaining files.

j. Click OK to confirm that the download completed successfully. The Mssecure.cab file was already copied to the correct folder.

k. On the Scan Tool Download page, click Next.

l. On the Ready to Install page, click Next.

m. On the Distribution Settings page, complete the following information:
Create Collection: enable (is default)
Create Advertisement: enable (is default)
Assign Package to all Distribution Points: enable (is default)
Package name: Scanner
and then click Next.

n. On the Database Updates page, in the Obtain updates using text box, type PARIS, and then click Next. SMS will create a weekly advertisement for Paris to download the latest version of the mssecure.cab file.

o. On the Test Computer page, in the Test computer text box, type PARIS, and then click Next. SMS will initially limit the advertisement of the Scanner program to only the test computer (Paris). You can remove the collection limitation after the Scanner program has been tested successfully.

p. On the Ready to Install page, click Next. The Setup program installs the Security Update Inventory Tool.

q. When the Installation Completed page appears, click Finish.

r. Close the SMS Lab Files folder.

3. Use the SMS Administrator console to examine the collections created by the installation of the Security Update Inventory Tool.

a. On the Start menu, point to All Programs, point to Systems Management Server, and then click SMS Administrator Console. The SMS console opens.

b. Maximize the SMS console, if this is not done already.

c. In the SMS console, in the left pane, expand Site Database (001 Contoso), expand Collections, and then select Scanner. The installation of the Security Update Inventory Tool created three new collections: Scanner, Scanner (pre-production) and Scanner Sync Host. Currently Paris is the only member in the Scanner collection. This collection represents the systems that are scanned by the Scanner program.

d. Right-click Scanner, and then click Properties.

e. In the Scanner Collection Properties dialog box, on the Membership Rules tab, right-click Collection Query, and then click Properties. The Query Rule Properties show that currently the Scanner collection is limited to the Scanner (pre-production) collection. When you are ready for full production deployment of the Scanner program, you can remove the collection limitation to include all systems.

f. Click Cancel to close the Query Rule Properties dialog box.

g. Click Cancel to close the Scanner Collection Properties dialog box.

h. In the left pane, select Scanner (pre-production).

i. Right-click Scanner (pre-production), and then click Properties.

j. In the Scanner (pre-production) Collection Properties dialog box, select the Membership Rules tab. Currently the Scanner (pre-production) collection consists of only member Paris (which has Resource ID 2). This collection represents the list of systems that are scanned, until you are ready for full production deployment.

k. Click Cancel to close the Scanner (pre-production) Collection Properties dialog box.

l. In the left pane, select Scanner Sync Host. This collection represents the list of systems that periodically download the latest version of the mssecure.cab file from the Microsoft Web site.

4. Examine the packages and programs created by the installation of the Security Update Inventory Tool.

a. In the SMS console, in the left pane, expand Packages. The installation of the Security Update Inventory Tool created one new package: Scanner.

b. Under Packages, expand Scanner, and then select Programs. The installation of the Security Update Inventory Tool created three new programs: Scanner, Scanner (expedited) and Scanner Sync.

c. In the right pane, right-click the Scanner program, and then click Properties. On the General tab, notice that the Scanner program runs the s_scan.exe /s /cache command line.

d. On the General tab, click Browse. The s_scan.exe tool calls the command-line version of MBSA 1.1 (mbsacli.exe) to scan for missing and installed security updates on the client computer. The scan result of the mbsacli.exe tool is converted by the Hfnetchkconv.exe tool into a MOF file, which is then added to the WMI Win32_PatchState class on the client computer, from where it can be collected by SMS (at the next scheduled Hardware Inventory Cycle).

e. Click Cancel to close the Open dialog box.

f. Click Cancel to close the Scanner Program Properties dialog box.

g. In the right pane, right-click the Scanner (expedited) program, and then click Properties. The Scanner (expedited) program uses the same command line as the Scanner program, with an additional /kick parameter. This parameter causes the client computer to perform a Hardware Inventory Cycle action, directly after the scan has finished, instead of waiting for the next scheduled inventory cycle.

h. Click Cancel to close the Scanner (expedited) Program Properties dialog box.

i. In the right pane, right-click the Scanner Sync program, and then click Properties. The Scanner Sync program runs the SyncXML.exe tool. This tool downloads the latest version of the mssecure.cab file from the Microsoft Web site on the Internet.

j. In the Scanner Sync dialog box, select the Environment tab. Notice that by default, the program only runs when a user is logged on to the computer that this program is advertised to (currently Paris). The reason for this is that the firewall in the network may not allow anonymous connections to the Internet. If you want to run this program on a computer when no user is logged on, then you have to change the Program can run setting, ensure that the firewall allows anonymous Internet access, and add the /unattend parameter to the command line on the General tab.

k. Click Cancel to close the Scanner Sync Program Properties dialog box.
5. Examine the advertisements created by the installation of the Security Update Inventory Tool.

a. In the left pane, select Advertisements. The installation of the Security Update Inventory Tool created two new advertisements: Scanner and Scanner Sync. In the right pane, you can see that the Scanner advertisement runs the Scanner program (s_scan.exe /s /cache) on all computers in the Scanner collection. The Scanner Sync advertisement runs the Scanner Sync program (SyncXML.exe) on all computers in the Scanner Sync Host collection.

b. In the right pane, right-click the Scanner advertisement, and then click Properties.

c. In the Scanner Advertisement Properties dialog box, select the Schedule tab. By default, the Scanner program will run every seven days on the client computers.

d. Click Cancel to close the Scanner Advertisement Properties dialog box.

e. In the right pane, right-click the Scanner Sync advertisement, and then click Properties.

f. In the Scanner Sync Advertisement Properties dialog box, select the Schedule tab. The Scanner Sync program will also run every seven days to retrieve the latest Mssecure.cab file.

g. Click Cancel to close the Scanner Sync Advertisement Properties dialog box.


Note: Perform the following steps on the Paris computer (as SMS client).
6. On the Paris computer, force the client to run the Scanner program.

a. On the Paris computer, on the Start menu, point to Control Panel, and then click Systems Management.

b. In the Systems Management Properties dialog box, on the Actions tab, select Machine Policy Retrieval & Evaluation Cycle, and then click Initiate Action. The client will request new policies from SMS. This includes the advertised Scanner program.

c. Click OK to confirm that the action may take several minutes to complete.

d. Click OK to close the Systems Management Properties dialog box.

Note: Perform the following steps on the Paris computer (as SMS server).
7. On the Paris computer, use the SMS console to verify that the Scanner program has run on the client computer.

a. On the Paris computer, in the SMS console, in the left pane, expand System Status, and then select Advertisement Status. In the right pane, notice that the Scanner advertisement is received (by a client computer), and that the program has run. (It may take two minutes, before the status is updated.)

b. Right-click Advertisement Status, and then click Refresh.

c. Expand Advertisement Status, and then in the left pane, select Scanner.

d. In the right pane, right-click the 001 - Contoso site, click Show Messages, and then click All. In the SMS Status Message Viewer window, scroll to the right, so that you can see that Paris successfully received (ID 10002), started (ID 10005) and completed (ID 10009) the Scanner program.

e. Close the SMS Status Message Viewer window.

f. In the left pane, select Scanner Sync.

g. In the right pane, right-click the 001 - Contoso site, click Show Messages, and then click All. The SMS Status Message Viewer window shows that Paris successfully received (ID 10002) and started (ID 10005) the Scanner Sync program, but that it failed (ID 10007) to connect to the Internet.

h. Close the SMS Status Message Viewer window.


Note: Perform the following steps on the Paris computer (as SMS client).
8. On the Paris computer, force the client to perform a Hardware Inventory Cycle action.

a. On the Paris computer, on the Start menu, point to Control Panel, and then click Systems Management.

b. In the Systems Management Properties dialog box, on the Actions tab, select Hardware Inventory Cycle, and then click Initiate Action. The client will report its hardware inventory, including the security update information as generated by the Scanner program.

c. Click OK to confirm that the action may take several minutes to complete.

d. Click OK to close the Systems Management Properties dialog box.

Note: Perform the following steps on the Paris computer (as SMS server).
9. On the Paris computer, use the Resource Explorer console to view hardware inventory data and security update information.

a. On the Paris computer, in the SMS console, in the left pane, under Collections, select All Systems.

b. In the right pane, right-click the Paris client computer, point to All Tasks, and then click Start Resource Explorer. The Resource Explorer console for Paris opens.

c. Maximize the Resource Explorer console, if that is not done already.

d. In the Resource Explorer console, in the left pane, expand Hardware, and then select Workstation Status (last in the list). In the right pane, the last hardware scan date and time should be within the last few minutes.

e. In the left pane, select Software Updates. A list of 12 security updates is displayed in the right pane. The Status column shows that 3 of those updates (828750, 823980 and 822925) are installed, and that 9 are not installed. These three updates have not actually been installed, but are superseded by other cumulative security updates (824146 and 832894) in the list. In this lab, you will configure SMS to install two of the missing security updates (825119 and 828035).

f. Close the Resource Explorer console.

10. Use the SMS console to see security update compliance counts.

a. In the SMS console, in the left pane, select Software Updates. In the right pane, the total number of compliant computer systems per security update is displayed. (In this lab, the Compliant column only shows a maximum of 1.)

b. Right-click the 825119 security update, and then click Properties. When you are connected to the Internet, and click More Information in the Security Update Properties dialog box, Internet Explorer will display the associated security bulletin (in this case MS03-044) from the Microsoft Web site.

c. Click Close to close the Security Update Properties dialog box.


Exercise 5 Distributing and Installing Updates with SMS 2003


In this exercise, you will configure SMS 2003 to distribute and install security updates on computers on the network.

Scenario
After you have configured SMS 2003 to scan for missing security updates, you need to distribute security updates to the computers. You use the Distribute Software Updates Wizard to prepare a package that is distributed to the computers that need the security update.

Tasks

Detailed steps

Note: Perform the following steps on the Paris computer (as SMS server).
1. On the Paris computer, use the Distribute Software Updates Wizard to distribute security updates.
Update type: MBSA
Package name: Win2003 Updates-1
Updates:
- 828035
- 825119
Collection: All Windows Server 2003 Systems

a. On the Paris computer, in the SMS console, in the left pane, right-click Software Updates, point to All Tasks, and then click Distribute Software Updates. The Distribute Software Updates Wizard appears.

Note: This wizard consists of many steps. Each wizard page gives an explanation of the options. Ensure that you understand the different settings.

b. In the Distribute Software Updates Wizard dialog box, click Next.

c. On the Specify a Software Update Type page, in the Select an update type list box, select MBSA, and then click Next.

d. On the Create an SMS Package page, in the SMS packages list, select New, and then click Next.

e. On the Identify the SMS Package page, complete the following information:
Package name: Win2003 Updates-1
Program name: MBSA - Win2003 Updates-1 (automatic)
and then click Next.

f. On the Customize the Organization page, in the Organization text box, type Your SMS demo, and then click Next. This name will appear as the authoritative sender in update notification messages on the client computers, if enabled for users: "Your SMS demo recommends that you install the latest software updates now."

g. On the Select an Inventory Scanning Program page, complete the following information:
Inventory Scan Tool package: Scanner
Program name: Scanner
and then click Next.
The Add and Remove Updates page lists all security updates reported by the Scanner program, which are missing on one or more client computers (see the Requested column).

h. On the Add and Remove Updates page, select two updates:
828035
825119
and then click Next.
Notice that you can distribute multiple security updates in the same SMS package.

i. On the Specify a Source Directory for Files page, complete the following information:
Package source directory: \\PARIS\C$\MBSA - Win2003 Updates-1
Package sending priority: Medium
I will download the source files myself: enable
and then click Next.
Because you indicated that you will download the security updates to the package source directory, but have not done so already, the Software Update Status list shows No in the Ready column.

j. On the Software Updates Status page, select the first update (828035), and then click Properties. In the Distribute Software Updates Wizard dialog box for the 828035 security update, notice that the Binary present text box (No) indicates whether the security update file is in the package source directory already. When you are connected to the Internet, you can click Download to download the requested update automatically to the package source directory.

k. In the Distribute Software Updates Wizard dialog box for update 828035, click Import.

l. In the Open dialog box, open the \\Paris\c$\SMS Lab Files folder, select WindowsServer2003-KB828035-x86-ENU.exe, and then click Open. The update file is copied from the SMS Lab Files folder to the package source directory: the Binary present text box shows Yes.

m. In the Parameters text box, type -q -z. All the security updates that use the Update.exe installation tool use the same parameters:
-q Suppress prompts (quiet mode).
-z Do not automatically restart after installation.

n. Click OK to close the Distribute Software Updates Wizard dialog box for update 828035. The Ready status of the security update in the package is changed to Yes.

o. On the Distribute Updates Status page, select the second update (825119), and then click Properties.

p. In the Distribute Software Updates Wizard dialog box for update 825119, click Import.

q. In the Open dialog box, open the \\Paris\c$\SMS Lab Files folder, select WindowsServer2003-KB825119-x86-ENU.exe, and then click Open.

r. In the Parameters text box, type -q -z.

s. Click OK to close the Distribute Software Updates Wizard dialog box for update 825119. The Ready status of both security updates in the package is now changed to Yes.

t. On the Software Updates Status page, click Next.

u. On the Update Distribution Points page, select PARIS, and then click Next.

v. On the Configure Installation Agent Settings page, complete the following information:
Collect client information immediately: disable (is default)
Create client template: disable (is default)
Postpone restarts for: Both servers and workstations
and then click Next.

w. On the second Configure Installation Agent Settings page, complete the following information:
Perform unattended installation: disable
Countdown (minutes): 5 (is default)
After countdown: Install updates
Maximum run time (minutes): 30 (is default)
Enforce start time and maximum installation time: disable (is default)
and then click Next.

x. On the third Configure Installation Agent Settings page, complete the following information:
Notify users about update activity: enable (is default)
Allow users to postpone for: 2 days from Time Authorized
Install all updates: enable (is default)
and then click Next.

y. On the Advertise Updates page, complete the following information:
Advertise: enable
Collection: All Windows Server 2003 Systems (use Browse)
Recur every: 3 days
and then click Next.
You can distribute security updates to Windows Server 2003 systems that have not run the Scanner program yet. The MBSA Win2003 Updates-1 package runs the Scanner program on each computer in the collection, before installation, to verify whether the security updates are applicable.

z. On the Completing the Distribute Software Updates Wizard page, click Finish.

2. Examine the new update installation program and advertisement.

a. In the SMS console, in the left pane, select Packages.

b. Right-click Packages, and then click Refresh.

c. Under Packages, expand MBSA - Win2003 Updates-1, and then select Programs.

d. In the right pane, right-click the MBSA - Win2003 Updates-1 program, and then click Properties. The PatchInstall.exe tool controls the client update deployment.

e. Click Cancel to close the Program Properties dialog box.

f. In the left pane, select Advertisements. A new advertisement named MBSA - Win2003 Updates-1 is created.

g. In the left pane, under System Status, select Advertisement Status. The program in the MBSA - Win2003 Updates-1 advertisement has not run yet.

h. Right-click Advertisement Status, and then click Refresh.

Note: Perform the following steps on the Paris computer (as SMS client).
3. On the Paris computer, force the client to run the advertised update installation program.

a. On the Paris computer, on the Start menu, point to Control Panel, and then click Systems Management.

b. In the Systems Management Properties dialog box, on the Actions tab, select Machine Policy Retrieval & Evaluation Cycle, and then click Initiate Action. The client will request new policies from SMS. This includes the advertised update installation program.

c. Click OK to confirm that the action may take several minutes to complete.

d. Click OK to close the Systems Management Properties dialog box.

4. Examine the automatic software installation notification.

After two minutes a notification appears, to inform you that new software updates are ready to install.

a. Click the Software Updates Installation balloon (or click the Software Updates Installation icon in the notification area). The Systems Management Server dialog box counts down from 5 minutes.

b. In the Systems Management Server dialog box, click Show Detail. The two selected updates (828035 and 825119) are ready to be installed.

c. Click Postpone. You can postpone the installation of the updates until two days from now.

d. Click No to confirm that you do not want to postpone installing the updates.

e. Click Install Now (or wait until the countdown times out). The two security updates are installed. After installation, a new notification balloon appears, to inform you that you have to restart your computer before the updates take effect.

f. Close the Software Updates Installation balloon. The Software Updates Installation icon stays in the notification area, to remind you of the pending required restart.

5. Force the client to perform a Hardware Inventory Cycle action.

a. On the Start menu, point to Control Panel, and then click Systems Management.

b. In the Systems Management Properties dialog box, on the Actions tab, select Hardware Inventory Cycle, and then click Initiate Action. The client will report its hardware inventory, including the new security update information as generated by the Scanner program.

c. Click OK to confirm that the action may take several minutes to complete.

d. Click OK to close the Systems Management Properties dialog box.


Note: Perform the following steps on the Paris computer (as SMS server).
6. On the Paris computer, use the Resource Explorer console to verify the installation of the security updates.

a. On the Paris computer, in the SMS console, in the left pane, under Collections, select All Systems.

b. In the right pane, right-click the Paris client computer, point to All Tasks, and then click Start Resource Explorer. The Resource Explorer console for Paris opens.

c. In the Resource Explorer console, in the left pane, expand Hardware, and then select Workstation Status (last in the list). In the right pane, the last hardware scan date and time should be within the last few minutes.

d. In the left pane, select Software Updates. The Status (Installed) and the Authorization name of the two installed security updates are changed. It is possible that one of the two updates is not detected as installed until after a restart of the computer.

e. In the left pane, expand Hardware History, expand Software Updates History, and then select Current. The Current list is the same as listed under Hardware.

f. Under Software Updates History, select the time and date entry. This list represents the security update status from the last time Hardware Inventory Cycle reported the scan results. This is before the two additional security updates are installed.

g. Close the Resource Explorer console.

7. Close the SMS console.

a. Close the SMS console.
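A client-side cross-check of what Resource Explorer reports in step 6, as an added PowerShell example that is not part of the original lab. It assumes PowerShell 2.0 or later is available on the client, that installed updates are listed in the WMI class Win32_QuickFixEngineering, and that the PendingFileRenameOperations registry value is an acceptable indicator of a pending restart; only the two update numbers come from the lab.

```powershell
# Added example (not from the lab): confirm locally that the two updates
# deployed in this exercise are installed, and explain a missing entry
# when a restart is still pending.
$expected = '828035', '825119'    # update numbers used in the lab

# Win32_QuickFixEngineering lists installed hotfixes. HotFixID normally
# looks like "KB828035", so match on the numeric part only.
$qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering)

$report = foreach ($id in $expected) {
    $hit = $qfe |
        Where-Object { $_.HotFixID -match "(^|\D)$id(\D|$)" } |
        Select-Object -First 1
    New-Object PSObject -Property @{
        Update      = $id
        Installed   = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}

# Assumption: a non-empty PendingFileRenameOperations value means files are
# queued for replacement at the next boot, so a restart is pending.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
$restartPending = ($null -ne $pending) -and (@($pending).Count -gt 0)

$report | Select-Object Update, Installed, InstalledOn | Format-Table -AutoSize | Out-String | Write-Host

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -eq 0) {
    Write-Host 'Both updates are reported as installed.'
} elseif ($restartPending) {
    # Matches the lab's note: an update may not be detected until after a restart.
    Write-Host ('Not yet reported: ' + (($missing | ForEach-Object { $_.Update }) -join ', ') +
                '. A restart is pending; restart and check again.')
} else {
    Write-Host ('Not installed: ' + (($missing | ForEach-Object { $_.Update }) -join ', ') +
                '. No restart is pending; review the advertisement status in the SMS console.')
}
Write-Host "Restart pending: $restartPending"
```

The hardware inventory that SMS shows is only as fresh as the last Hardware Inventory Cycle, so a local check like this one can disagree with Resource Explorer until the next cycle runs.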
