Case Study: Use Caution When Deploying Microsoft's Software Update

Case Study: Use Caution When Deploying Microsoft's Software Update (PDF, 2.64MB)
Published: 12 Dec, 2002
Created by: James McVicar

Microsoft has quietly developed Software Update Services (SUS) for distributing critical software updates and patches. Once installed and properly configured, an internal SUS website responds to internal hosts requesting the latest operating system patch or security roll-up, just like the Windows Update website. The purpose of this case study is to document the process used to evaluate the security risks associated with SUS before implementing it on a real-world network. The evaluation considered hardening IIS, protecting the Internet connection required when downloading updates from the Internet, and server placement within the network. Ultimately, I hope to demonstrate how I used Microsoft's Software Update Services as a solution for delivering the latest operating system updates and patches to internal clients on a small network. (WARNING: A recently discovered vulnerability may make this product extremely unsafe if configured incorrectly. Suggested configuration changes are noted in this paper.)