How to confirm WSUS Updates are working
Hi All,
Background
I work for a large company managing the servers related to our project (i.e i dont manage all our company's servers, only the ones used for our project - approx 40 - 60 in total) some of these servers are physical, most are virtual machines. Some of these are part of a domain, others are not. It's hard to keep track of just how many virtual servers we have because we are not always informed when the developers etc set up new ones.
Scenario
I've been asked to ensure that all our servers are being patched every month (we have a WSUS server on the domain which i do not have access to, which our servers should be pointing to for automatic updates.
1) Considering i dont have access (to log on) to the WSUS Server, is there any way to confirm these boxes are getting updates? Is there some reporting or WSUS tool that will tell me this?
2) If a new server is set up (without informing me first - i.e its group policy isnt set up to point to the WSUS Server) is there some way to ensure it still receives updates?
I was considering possibly setting up a new WSUS Server - one which i can control, but i dont know if i will be allowed to do that. Approval has to be granted for requests like this, and i doubt i will be given the 'go ahead' to do it.
Any ideas?
Thanks!
Background
I work for a large company managing the servers related to our project (i.e i dont manage all our company's servers, only the ones used for our project - approx 40 - 60 in total) some of these servers are physical, most are virtual machines. Some of these are part of a domain, others are not. It's hard to keep track of just how many virtual servers we have because we are not always informed when the developers etc set up new ones.
Scenario
I've been asked to ensure that all our servers are being patched every month (we have a WSUS server on the domain which i do not have access to, which our servers should be pointing to for automatic updates.
1) Considering i dont have access (to log on) to the WSUS Server, is there any way to confirm these boxes are getting updates? Is there some reporting or WSUS tool that will tell me this?
2) If a new server is set up (without informing me first - i.e its group policy isnt set up to point to the WSUS Server) is there some way to ensure it still receives updates?
I was considering possibly setting up a new WSUS Server - one which i can control, but i dont know if i will be allowed to do that. Approval has to be granted for requests like this, and i doubt i will be given the 'go ahead' to do it.
Any ideas?
Thanks!
Comments
-
TechJunky Member Posts: 881I use this tool. If someone knows of a command line I would appreciate this as well.
http://www.nirsoft.net/utils/wul.html -
blargoe Member Posts: 4,174 ■■■■■■■■■□1. Ask to rights in WSUS to view reports, and install the WSUS console on your machine.
2. Run the Microsoft Security Baseline Analyzer against your servers. This will tell you which security updates your servers are missing and also will give you a picture of any other potential security problems.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
sprkymrk Member Posts: 4,884 ■■■□□□□□□□You mean you manage the servers, but you have to request to set up a WSUS server, while developers can set up their own servers (that you manage) without informing/asking you? Sounds like a backwards way to do it to me. But I understand you are stuck with the way your company does things so....
Do you have a specific IP range that you can scan for servers (including new ones)? If so, then use the Microsoft Baseline Security Analyzer:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and
http://support.microsoft.com/kb/320454
You can scan from a command line using:mbsacli.exe /r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx /sus [url]http://SUS_[/url] server
This will scan the range of IP's you specify and check for security updates against the list of approved updates on your local WSUS server. You can also use the GUI and/or many other command line options. If you run this once/week you should be able to keep up on your monthly updates.All things are possible, only believe.