Where should WSUS be installed?

From the newsgroup comes the question “Where should WSUS, the patch tool be installed?”

And it's perfectly fine and supported “on” the SBS 2003 server. While it “can” be on a member server, it can't be on the desktop like my Shavlik HFNetChkPro is. [By the way … I've lost my argument against Firefox on my desktops because Shavlik DOES now patch for Firefox], and I will still argue that Shavlik hands down is soooooooo much easier to set up, the fact

Yesterday I went to a friend's house and I put them on Microsoft Update and patched their unpatched Office XP. Next Tuesday, not only will they get Windows patches, but any Office ones as well.

For us SBS boxes, even if you don't run WSUS in your firm, AT LEAST send your folks this link: http://update.microsoft.com/microsoftupdate and have them do the opt-in process. Do it on your SBS servers. At this time it will NOT download SBS 2003 SP1 [and especially not for premium folks, as you need the CD-ROMs], but at least it will be giving you more patches for that SBS box than we've had before.

At TechEd in Orlando, someone posted the list of the top ten ways to get your network in trouble, as presented by Dr. Jesper Johansson and Steve Riley, that's in the back of their new book. I'm stealing the list too:

1. Don't patch anything.
2. Run unhardened applications
3. Use one admin account, everywhere (you should be using different admin accounts for every machine)
4. Open lots of holes in your firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Re-use your passwords
9. Use high-level service accounts in multiple places
10. Assume everything is OK

See that number 1? That's what WSUS and Microsoft Update are all about.
The biggest issue with adding WSUS to SBS is setting the group policy to http://servername:8530
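
One way to confirm on a client that the group policy actually landed with the right server and port, as an added example that is not from the original post. It assumes the registry values the Windows Update policy writes (`WUServer`, `WUStatusServer`, `AU\UseWUServer`) and uses the post's placeholder `http://servername:8530`; the function name is hypothetical.

```powershell
# Added example, not from the original post. 'servername' is the post's
# placeholder; pass your own SBS server name in -ExpectedUrl.
function Test-WsusClientPolicy {
    param([string]$ExpectedUrl = 'http://servername:8530')

    # Registry locations written by the Windows Update group policy settings.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    $expected = [uri]$ExpectedUrl
    $problems = @()

    if (-not $wu) {
        $problems += 'No WindowsUpdate policy key: the GPO has not applied here.'
    }
    else {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $value = $wu.$name
            if (-not $value) {
                $problems += "$name is not set."
                continue
            }
            $actual = $value -as [uri]
            if (-not $actual -or -not $actual.IsAbsoluteUri) {
                $problems += "$name '$value' is not a valid URL."
                continue
            }
            # A URL without :8530 silently falls back to port 80.
            if ($actual.Port -ne $expected.Port) {
                $problems += "$name points at port $($actual.Port), expected $($expected.Port)."
            }
            if ($actual.Host -ne $expected.Host) {
                $problems += "$name points at host '$($actual.Host)', expected '$($expected.Host)'."
            }
        }
    }

    # Without UseWUServer = 1 the client ignores the WUServer value.
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'AU\UseWUServer is not 1, so the WUServer value is ignored.'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

Test-WsusClientPolicy | Format-List
```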
