Now there are more and more Windows vulnerabilities, especially some major vulnerabilities may cause the whole network to crash. Although we can use Windows Updata with Windows XP/2000 to upgrade online, but upgrade the large number of computers in the computer room and company. It's not so easy, especially when the LAN's outgoing bandwidth is small or inconvenient to upgrade, it is very troublesome, which makes the administrator very headache. Now Microsoft has prepared a suitable solution for us, that is SUS (Software Update Service software upgrade server). Through SUS, you can set up a Windows upgrade server in the LAN, and computers in the LAN can be upgraded through this server. Tip: Currently, SUS can only provide clients with critical updates of the Windows operating system and Internet Explorer and service packs for the operating system. It does not provide update services for Office or other Microsoft software. And all the update activities are carried out through the Windows background automatic update, which is very convenient without any intervention. Server-side installation: For the server side, the recommended configuration is: processor with a frequency of at least 700MHz, memory of 512MB or more, hard disk space of more than 6GB; and software requirements are: Windows 2000 Server or Windows Server 2003, IIS5 or IIS 6 , IE 5.5 or higher. Tip: This configuration is recommended according to the upgrade service provided by 15,000 computers. If there are fewer machines on your LAN, the server configuration can be reduced accordingly. Before installing, you must first install and configure IIS on the server, install the server side of SUS, the installation process is very simple, everything can be set according to the default settings. Then start setting up SUS, there are two ways, local settings or remote settings. For local settings, double-click "Microsoft Software Update Services" in "Control Panel/Administrative Tools"; remote settings can use a computer with IE5.5 installed, and then enter http://IP/in the address bar of IE. After susadmin, you need to enter the user account and password with administrator privileges on the computer where the SUS server is located, and then you can see the management interface (Figure 1). First click on "Set Options" in the list on the left to set up the server. Here we have the following points to note: Select which server to synchronize content from, this option allows you to set The source of the SUS server update, if you have multiple SUS servers in your network, then you can synchronize the other servers with one, which is much faster, but if there is only one SUS server in your network, then you You can only set "Synchronize directly from the Microsoft Windows Update servers" (directly with Microsoft's Windows Update server). Select how you want to handle new versions of previously approved updates. This option allows you to choose how to release new patches. If you feel that each new patch should be carefully posted before it is released to your network. Test, then you can choose "Do not automatically approve new versions of approved updates. I will manually approve these updates later", so that the patch can not be immediately used by you every time you synchronize a new patch. The client downloads it, but it is tested by you first. When you think the patch is ok, you can post it to the network. This will prevent some updates from conflicting with the software used by the LAN. Synchronize installation packages only for these locales. You should pay special attention to this option. By default, the SUS server will download all the patches from Microsoft, if there is only Simplified Chinese version on the network. System or other languages, then there is no need to spend extra time to download these language patches that you don't need, which can save a lot of hard disk space. Once set, click on the “Apply” button in the lower right corner of the page and these settings will take effect. Then click on the "Synchronize server" link from the list on the left, you can see the interface (Figure 2), where you can specify that SUS is immediately synchronized with other servers. In addition, you can set up a synchronization plan, so you can set the server to synchronize every night, because the network utilization is the lowest, it will not affect other people. Click on the "Synchronization Schedule" button and a window will pop up where you can set the time, frequency and number of retries. If you click the "Synchronize Now" button, synchronization will start immediately. The first synchronization process can be lengthy, depending on the speed of the network and the number of patches downloaded. If you set up the test before releasing the patch and have tested all the patches, you should now publish them to the LAN. Click on the "Approve updates" link on the left to see the interface (Figure 3). All patches that have not yet been approved are marked with a red "New". You can complete the approval by selecting the checkbox in front of the patch you want to approve and clicking the "Approve" button in the lower right corner. After the server is set up, start configuring the client below. SUS has some requirements for the client, the first is the operating system, SUS only supports Windows 2000 SP2 and above operating systems, software, Windows 2000 SP2 and Windows XP first need to install a SUS client software, and Windows 2000 SP3 Windows XP SP1 and Windows Server 2003 come with client software and do not require additional installation. If your network is a workgroup environment, then you need to set up the SUS client on each computer separately. Run Gpedit.msc to open the Group Policy Editor, open "Computer Configuration /Administrative Templates", then right click on "Administrative Templates", select "Add/Remove Templates", then click "Add" on the (Figure 4) interface. Button, and find the wuau.adm file in the %windir%\\inf directory, double click to add. Then continue to open "Windows Components /Windows Update" (this item will only appear after the client software is installed and added), there will be two available policies displayed on the right side of the window. "Configure automatic update" allows you to set the time and processing method for updating. "Specify the internal network of the enterprise..." is used to specify the location of the server. You can use "http://server name" or "http://Server IP" mode input. If you have a domain controller in your network and all the computers are joined to the domain, it is even simpler. After installing the client for the operating system that needs to install the client, enter "dsa.msc" in the running on the domain controller. And press Enter, open the Active Directory Users and Computers Settings window, right click on the OU or domain where you want to create a policy, select "Properties", then open the "Group Policy" tab in the Properties window and click the "New" button. , name the newly created strategy (Figure 5). Select the newly created group policy, click the "Edit" button, and then a group policy settings window will pop up, which is similar to the usual gpedit.msc open window, but here you can set Group Policy for all computers in the entire domain. In this window, open "Computer Configuration /Administrative Templates /Windows Components /Windows Update", and then set the policy here to set the working parameters of the SUS client to all computers in the login domain. These settings are applied by all clients on the next reboot. The deployment of the client is complete. It is believed that after such deployment, the patching of the computers in your network will be more convenient and rapid, and the security can be greatly improved.