How to confirm WSUS Updates are working

Hi All,

Background
I work for a large company managing the servers related to our project (i.e i dont manage all our company's servers, only the ones used for our project - approx 40 - 60 in total) some of these servers are physical, most are virtual machines. Some of these are part of a domain, others are not. It's hard to keep track of just how many virtual servers we have because we are not always informed when the developers etc set up new ones.

Scenario
I've been asked to ensure that all our servers are being patched every month (we have a WSUS server on the domain which i do not have access to, which our servers should be pointing to for automatic updates.
1) Considering i dont have access (to log on) to the WSUS Server, is there any way to confirm these boxes are getting updates? Is there some reporting or WSUS tool that will tell me this?
2) If a new server is set up (without informing me first - i.e its group policy isnt set up to point to the WSUS Server) is there some way to ensure it still receives updates?

I was considering possibly setting up a new WSUS Server - one which i can control, but i dont know if i will be allowed to do that. Approval has to be granted for requests like this, and i doubt i will be given the 'go ahead' to do it.

Any ideas?

Thanks!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

TechJunky

I use this tool. If someone knows of a command line I would appreciate this as well.

http://www.nirsoft.net/utils/wul.html

blargoe

1. Ask to rights in WSUS to view reports, and install the WSUS console on your machine.
2. Run the Microsoft Security Baseline Analyzer against your servers. This will tell you which security updates your servers are missing and also will give you a picture of any other potential security problems.

sprkymrk

You mean you manage the servers, but you have to request to set up a WSUS server, while developers can set up their own servers (that you manage) without informing/asking you? Sounds like a backwards way to do it to me. But I understand you are stuck with the way your company does things so....

Do you have a specific IP range that you can scan for servers (including new ones)? If so, then use the Microsoft Baseline Security Analyzer:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and
http://support.microsoft.com/kb/320454

You can scan from a command line using:

mbsacli.exe /r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx /sus [url]http://SUS_[/url] server

This will scan the range of IP's you specify and check for security updates against the list of approved updates on your local WSUS server. You can also use the GUI and/or many other command line options. If you run this once/week you should be able to keep up on your monthly updates.