Rabu, 26 Agustus 2009

Group Policy Security Filtering

The most misleading thing about Group Policy is its name—Group Policy is simply not a way of applying policies to groups! Instead, Group Policy is applied to individual user accounts and computer accounts by linking Group Policy Objects (GPOs), which are collections of policy settings, to Active Directory containers (usually OUs but also domains and sites) where these user and computer accounts reside. So the newbie’s question concerning Group Policy is usually, “How can I get this GPO to apply to this group?” The answer to this question is: by implementing security filtering.

Understanding Security Filtering

Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities), and you can view the default ACL on a typical GPO as follows:

  1. Open the Group Policy Management Console (GPMC)
  2. Expand the console tree until you see the Group Policy Objects node.
  3. Select a particular GPO under the Group Policy Objects node.
  4. Select the Delegation tab in the right-hand pane (see Figure 1).


Figure 1: Viewing the ACL for the Vancouver GPO using the Delegation tab

For a more detailed view of the ACEs in this GPO ACL, click the Advanced button to display the familiar ACL Editor (Figure 2):


Figure 2: Viewing the ACL for the Vancouver GPO using the ACL Editor

An obvious difference between these two views is that the ACL Editor displays the Apply Group Policy permission while the Delegation tab doesn’t. This is because the Delegation tab only displays ACEs for security principles that actually process the GPO, and that implicitly means those security principals have the Apply Group Policy permission set to Allow. More specifically, if you want a GPO to be processed by a security principal in a container linked to the GPO, the security principal requires at a minimum the following permissions:

  • Allow Read
  • Allow Apply Group Policy

The actual details of the default ACEs for a newly created GPO are somewhat complex if you include advanced permissions, but here are the essentials as far as security filtering is concerned:

Security Principal

Read

Apply Group Policy

Authenticated Users

Allow

Allow

CREATOR OWNER

Allow (implicit)

Domain Admins

Allow

Enterprise Admins

Allow

ENTERPRISE DOMAIN CONTROLLERS

Allow

SYSTEM

Allow

Note that Domain Admins, Enterprise Admins and the SYSTEM built-in identity have additional permissions (Write, Create, Delete) that let these users create and manage the GPO. But since these additional permissions are not relevant as far as security filtering is concerned, we’ll ignore them for now.

The fact that Authenticated Users have both Read and Apply Group Policy permission means that the settings in the GPO are applied to them when the GPO is processed, that is, if they reside in a container to which the GPO is linked. But who exactly are Authenticated Users? The membership of this special identity is all security principals that have been authenticated by Active Directory. In other words, Authenticated Users includes all domain user accounts and computer accounts that have been authenticated by a domain controller on the network. So what this means is that by default the settings in a GPO apply to all user and computer accounts residing in the container linked to the GPO.

Using Security Filtering

Let’s now look at a simple scenario where you might use security filtering to resolve an issue in Group Policy design. Figure 3 below shows an OU structure I developed in a previous article. Note that the Vancouver top-level OU has three departments under it defined as second-level OUs, with user and computer accounts stored below these departments in third-level OUs:


Figure 3: Sample OU structure for Vancouver office

Let’s say that of the fifteen users who work in the Sales and Marketing Department in Vancouver, three of them are senior people who have special requirements, for example access to certain software that other people in the department shouldn’t have access to. Such software could be provided to them by publishing it in Add or Remove Programs using a user policy-based software installation GPO. The trouble is, if you link this GPO to the Sales and Marketing Users OU then all fifteen users in the department will have access to it through Add or Remove Programs. But you only want this special group of three users to be able to access the software, so what do you do?

You could create another OU beneath the Sales and Marketing Users OU and call this new OU the Senior Sales and Marketing Users OU. Then you could move the user accounts for the three senior employees to this new OU and create your software installation GPO and link it to the new OU. While this approach will work, it has several disadvantages:

  • It makes your OU structure deeper and more complicated, making it harder to understand.
  • It disperses user accounts into more containers making them more difficult to manage.

A better solution is to leave your existing OU structure intact and all fifteen Sales and Marketing users in the Sales and Marketing Users OU, create your software installation GPO and link it to the Sales and Marketing Users OU (see Figure 4), and then use security filtering to configure the ACL on the software installation GPO to ensure that only the three senior users receive the policy.


Figure 4: Senior Sales and Marketing Users Software Installation GPO

To filter the software installation GPO so that only users Bob Smith, Mary Jones, and Tom Lee receive it during policy processing, let’s first use Active Directory Users and Computers to create a global group called Senior Sales and Marketing Users that has only these three users as members (see Figure 5):


Figure 5: Membership of the Senior Sales and Marketing Users global group

Note that you can store this security group in any container in the domain, but for simplicity you’ll probably want to store it in the Sales and Marketing Users GPO since that’s where its members reside.

Now go back to the GPMC with the software installation GPO selected in the left-hand pane, and on the Scope tab of the right-hand pane, remove the Authenticated Users special identity from the Security Filtering section and then add the Senior Sales and Marketing Users global group (Figure 6):


Figure 6: Filtering the GPO so it only targets the Senior Sales and Marketing Users group

That’s it, we’re done! Now when policy is processed for a user account residing in the Sales and Marketing Users OU, the Group Policy engine on the client will first determine which GPOs need to be applied to the user. If the user is a member of the Senior Sales and Marketing Users security group, the following GPOs will be applied in the following order (assuming we haven’t used blocking or enforcement anywhere):

  1. Default Domain Policy
  2. Vancouver GPO
  3. Sales and Marketing GPO
  4. Sales and Marketing Users GPO
  5. Senior Sales and Marketing Users GPO

If however the user is one of the other twelve (junior) members of the Sales and Marketing Department, then the last policy above (Senior Sales and Marketing Users GPO) will not be applied to them. In other words, the published software will only be made available to Bob, Mary and Tom as desired.

The Power of Security Filtering

The power of security filtering is that it allows us to simplify our OU structure while still ensuring that Group Policy is processed as designed. For example, in my original OU structure for Vancouver (see Figure 3 above) I created separate OUs for three departments in that location, namely the IT Department, Management, and Sales and Marketing. In Toronto however I could have taken a different approach and lump all my users and computers together like this (Figure 7):


Figure 7: Toronto has a simpler OU structure than Vancouver

Then I could group user and computer accounts in Toronto into global groups like this:

  • IT Department Users
  • IT Department Computers
  • Management Users
  • Management Computers
  • Sales and Marketing Users
  • Sales and Marketing Computers

I could then create GPOs for each group of users and computers in Toronto, link these GPOs to the appropriate container, and use security filtering to ensure they are applied only to the desired security principals (Figure 8):


Figure 8: Using Group Policy to manage users in Toronto

The main downside of this approach is that as you flatten your OU structure you can end up with lots of GPOs linked to each OU, which can make it harder at first glance to figure out which policies are processed by each user or computer unless you examine in detail the security filtering setup.

Conclusion

In the end then, it’s a simple matter of give and take—make your OU structure too flat and it can be harder to manage policy; make your OU structure too deep and it can be harder to manage accounts. It’s up to you to decide on which approach to take for implementing Group Policy for your enterprise.

Source: http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
Diposting oleh di Tidak ada komentar:
Label:

Kamis, 20 Agustus 2009

Install WSUS Server

Langkah-langkah:

  1. Double-click WSUSSetup.exe.
  2. Klik Next.
  3. Baca terms of the license agreement, klik I accept the terms of the License Agreement, dan klik Next.
  4. Pada halaman Select Update Source, anda dapat mengatur dimana client akan mendapat kan update. Jika memilih check box Store updates locally, updates akan disimpan pada WSUS server dan tentukan lokasi penyimpanan. Jika tidak disimpan di lokal maka untuk mendapatkan update, client harus terhubung ke internet (Microsoft Update).

    Klik Next.

    Pilih Update Source Page
  5. Pada halaman Database Options, pilih software database yang digunakan untuk mengatur WSUS database. Secara default, WSUS Setup akan memilihkan untuk menginstall WMSDE jika servernya Windows Server 2003.

    Jika memilih WMSDE, SQL Server instance for WSUS harus tersedia, dengan memilih Use an existing database server on this computer dan mengetikkan instance name pada kotak SQL instance name.

    Biarkan setingan seperti defaultnya, dan klik Next.

    Database Options Page
  6. Pada halaman Web Site Selection, pilih Web site yang akan digunakan WSUS. Halaman ini yang akan digunakan untuk menunjukkan kemana client akan mencari update.
    Jika telah ada web site yang menggunakan port 80, WSUS Web site dapat menggunakan custom port.

    Biarkan setingan seperti defaultnya dan klik Next.

    Web Site Selection Page
  7. Pada halaman Mirror Update Settings, tentukan management role untuk WSUS server. Jika ini WSUS server pertama pada network atau hendak dijadikan sebagai distributed management topology, lewatkan halaman ini.

    Jika ingin central management topology, dan WSUS server ini bukan yang pertama pada network, pilh check box, dan ketik nama dari WSUS server yang telah ada pada kotak Server name.

    Biarkan setingan pada defaultnya dan klik Next.

    Mirror Update Settings Page
  8. Pada halaman Ready to Install Windows Server Update Services, cek kembali seting yang telah dibuat dan klik Next.

    Siap untuk halaman Install Windows Server Update Services
  9. Jika halaman akhir telah dikonfirmasikan bahwa WSUS installation telah berhasil, klik Finish.
Sumber: http://www.geocities.com/dwi_harjanto/ebook/wsus2.htm

Diposting oleh di Tidak ada komentar:
Label:

How to setup Hotspot AAA Microsoft IAS RADIUS for use with MikroTik

Part A - Setup IAS RADIUS on Active Directory Services

1. Setup IAS on a server acting as Active Directory Services Domain Controller and register it’s services. (Ref: IAS-Setup1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup1.JPG

2. Give a meaningful description and enable logging for authentication status. (Ref: IAS-Setup2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup2.JPG

3. User respective 1812 for Authentication and 1813 for Accounting port only. (Ref: IAS-Setup3.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup3.JPG

4. Create a Realms profile, find “User-Name” replace it with “DOMAIN\User-Name” variables into IAS. (Ref: IAS-Setup4.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup4.JPG

5. Create a “hotspot.com” client profile and set IP address pointing to MikroTik hotspot server 172.19.1.253. Set Client Vendor to RADIUS Standard and enter a unique password for IAS. Do not enable Attributes Signature check box. (Ref: IAS-Setup5.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup5.JPG

6. Enable Remote Access Logging check box for all properties. (Ref: IAS-Setup6.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup6.JPG

7. Select IAS Format and set Log Time Period to Daily. (Ref: IAS-Setup7.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup7.JPG

8. Create Remote Access Policies profile to “hotspot.com”. Add “Windows-Groups” matches “DOMAIN\Username” profile. Enable Grant remote access permission. (Ref: IAS-Setup8.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup8.JPG

9. At Authentication tab Enable check box for “MS-CHAP v2, MS-CHAP, CHAP and PAP” method. Note HotSpot only uses PAP method. (Ref: IAS-Setup9.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup9.JPG

10. At Encryption tab Enable all the check box allowed by this profile. (Ref: IAS-Setup10.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup10.JPG

11. At Advance tab do not add any additional connection attributes. (Ref: IAS-Setup11.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Setup11.JPG


Part B - Setup IAS RADIUS with MikroTik

1. Add a RADIUS server profile and enable service for “hotspot”. Enter IP Address of IAS RADIUS server. Enter the same password created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting with Timeout at 300ms. (Ref: IAS-MT-Config1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config1.JPG

2. At “Hotspot Server Profiles” Login By check “HTTP PAP” only. (Ref: IAS-MT-Config2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config2.JPG

3. At “Hotspot Server Profiles” check Use RADIUS and Accounting. NAS Port Type leave it as (19 wireless-802.11) or change to 15 (Ethernet) mode. (Ref: IAS-MT-Config3.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-MT-Config3.JPG


Part C – Testing IAS RADIUS with PC

1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/

2. Remember to add in the test PC IP Address intended for testing into the IAS Client Profile before initiating test.

3. Enter the IAS RADIUS server IP Address and port “1812” for Request Type “Authentication Request” mode followed by the RADIUS Secret Key. (Ref: IAS-Test1.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Test1.JPG

4. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply will be “Access-Accepted”.

5. Next change port to “1813” for Request Type “Accounting Start” click send and reply should be “Accounting-Response” if the RADIUS server is working. (Ref: IAS-Test2.JPG) http://wiki.mikrotik.com/wiki/Image:IAS-Test2.JPG


Part D – Activating Domain Users for IAS RADIUS

1. Check for respective User properties if they are member of “RAS and IAS Server” groups, if not add them as group members. (Ref: AD-User_IAS1.JPG) http://wiki.mikrotik.com/wiki/Image:AD-User_IAS1.JPG

2. Next check the Dial-in tab and enable Allow access for Remote Access Permission. (Ref: AD-User_IAS2.JPG) http://wiki.mikrotik.com/wiki/Image:AD-User_IAS2.JPG


Part E – Using CHAP Authentication method

1. To use CHAP authentication method for Hotspot kindly go to the respective users in the Active Directory user properties.

2. At Account tab just below Password never expire check box, enable “Store password using reversible encryption” option. Note: This is required for CHAP to work in IAS (Ref: CHAP-Test-1.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-1.JPG

3. Next Reset the respective user password for the encryption function to take place. Exit Active Directory Users and Computers mmc console. (Ref: CHAP-Test-2.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-2.JPG

4. Go to Hotspot Server Profile, click Login By tab and ensure HTTP CHAP is enable. You can leave HTTP PAP just incase users cannot login using CHAP it will use PAP method. (Ref: CHAP-Test-3.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-3.JPG

5. Finally test if the CHAP authentication is working using NTRadPing and it should show “Access-Accepted” which means it is working! (Ref: CHAP-Test-4.JPG) http://wiki.mikrotik.com/wiki/Image:CHAP-Test-4.JPG


Note: Please see attached setup image files for illustrations.

P.S. Many Thanks to Mat Dawam mailto:mda@landasan.com.my and Hamidi Yaacob mailto:hamidi@landasan.com.my of Landasan Teknologi (M) Sdn Bhd for Technical Support of MikroTik RouterOS deployment in Malaysia for Metropolitan College Malaysia.


*** The End ***

Could also Refer to Wiki Pages...
http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory
_________________
Rodney Yeo
Diposting oleh di Tidak ada komentar:
Label:

AAA with Active Directory

MT setup 

 /ip radius add
service=ppp,wireless
address=
secret=
authentication_port=1812
accounting_port=1813
 /ip ppp AAA
use_radius=yes
accounting=yes
 /ip ppp pptp-server
enabled=yes
authentication=mschap1,mschap2

Windows Setup 

 Start->Control Panel-Administrative Tools->Internet Authentication Service
Right-click on RADIUS Clients->New
Friendly Name: MikroTik
Address: 
Client-Vendor: RADIUS Standard
Shared secret:


Example Two

Part A - Setup IAS RADIUS on Active Directory Services

Setup IAS on a server acting as Active Directory Services Domain Controller and register it’s services. Image:IAS-Setup1.JPG

Give a meaningful description and enable logging for authentication status. Image:IAS-Setup2.JPG

User respective 1812 for Authentication and 1813 for Accounting port only. Image:IAS-Setup3.JPG

Create a Realms profile, find “User-Name” replace it with “DOMAIN\User-Name” variables into IAS.

Image:IAS-Setup4.JPG

Create a “hotspot.com” client profile and set IP address pointing to MikroTik hotspot server 172.19.1.253. Set Client Vendor to RADIUS Standard and enter a unique password for IAS. Do not enable Attributes Signature check box. Image:IAS-Setup5.JPG

Enable Remote Access Logging check box for all properties. Image:IAS-Setup6.JPG

Select IAS Format and set Log Time Period to Daily. Image:IAS-Setup7.JPG

Create Remote Access Policies profile to “hotspot.com”. Add “Windows-Groups” matches “DOMAIN\Username” profile. Enable Grant remote access permission. Image:IAS-Setup8.JPG

At Authentication tab Enable check box for “MS-CHAP v2, MS-CHAP, CHAP and PAP” method. Note HotSpot only uses PAP method. Image:IAS-Setup9.JPG

At Encryption tab Enable all the check box allowed by this profile. Image:IAS-Setup10.JPG

At Advance tab do not add any additional connection attributes. Image:IAS-Setup11.JPG


Part B - Setup IAS RADIUS with MikroTik

Add a RADIUS server profile and enable service for “hotspot”. Enter IP Address of IAS RADIUS server. Enter the same password created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting with Timeout at 300ms. Image:IAS-MT-Config1.JPG

At “Hotspot Server Profiles” Login By check “HTTP PAP” only. Image:IAS-MT-Config2.JPG

At “Hotspot Server Profiles” check Use RADIUS and Accounting. NAS Port Type leave it as (19 wireless-802.11) or change to 15 (Ethernet) mode. Image:IAS-MT-Config3.JPG


Part C – Testing IAS RADIUS with PC

  1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/
  2. Remember to add in the test PC IP Address intended for testing into the IAS Client Profile before initiating test.
  3. Enter the IAS RADIUS server IP Address and port “1812” for Request Type “Authentication Request” mode followed by the RADIUS Secret Key.
  4. Image:IAS-Test1.JPG
  5. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply will be “Access-Accepted”.
  6. Next change port to “1813” for Request Type “Accounting Start” click send and reply should be “Accounting-Response” if the RADIUS server is working. Image:IAS-Test2.JPG

Part D – Activating Domain Users for IAS RADIUS

Check for respective User properties if they are member of “RAS and IAS Server” groups, if not add them as group members. Image:AD-User_IAS1.JPG

Next check the Dial-in tab and enable Allow access for Remote Access Permission. Image:AD-User_IAS2.JPG

http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory
Diposting oleh di 1 komentar:
Label:

Seting WSUS Client

Update dan Configure Automatic Updates

WSUS client membutuhkan versi Automatic Updates yang kompatibel. WSUS Setup secara otomatis mengkonfigurasikan IIS untuk menginstall Automatic Updates versi terbaru pada masing-masing client yang terhubung ke WSUS server.

Note:

Walaupun hampir semua versi dari Automatic Updates dapat diarahkan ke WSUS server dan secara otomatis melakukan self-update ke versi WSUS-compatible , versi Automatic Updates yang ada pada Windows XP tanpa service packs tidak dapat update otomatis.

Cara terbaik untuk meng-configure Automatic Updates tergantung dari network environment. Pada Active Directory environment, dapat menggunakan Active Directory-based Group Policy object (GPO). Pada non-Active Directory environment, gunakan Local Group Policy object. Walaupun telah menggunakan Local Group Policy object (GPO) yang tersedia di domain controller, client computers harus diarahkan ke WSUS server, kemudian configure Automatic Updates.

Langkah-langkahnya adalah sebagai berikut :

  • Masukkan WSUS Administrative Template.
  • Konfigurasikan Automatic Updates.
  • Arahkan client computers ke WSUS server.
  • Inisiasi deteksi manual pada client computer.

Menambah WSUS Administrative Template

  1. Untuk menampilkan GPO, pada menu RUN, ketik gpedit.msc
  2. Pada Group Policy Object Editor, klik Administrative Templates nodes.
  3. Pada menu Action, klik Add/Remove Templates.
  4. klik Add.
  5. Pada Policy Templates dialog box, klik wuau.adm, kemudian klik Open.
  6. PadaAdd/Remove Templates dialog box, klik Close.

Konfigurasi Automatic Updates

  1. Pada Group Policy Object Editor, klik Computer Configuration, klik Administrative Templates, klik Windows Components, kemudian klik Windows Update.
  2. Pada details pane, double-klik Configure Automatic Updates.
  3. Klik Enabled, kemudian klik salah satu dari pilihan berikut:
    • Notify for download and notify for install. Opsi ini akan mengingatkan logged-on administrative user sebelum mendownload dan meng-install updates.
    • Auto download and notify for install. Opsi ini secara otomatis men-download updates kemudian memberitahukan logged-on administrative user sebelum meng-install updates.
    • Auto download and schedule the install. Set hari dan waktu untuk scheduled installation.
    • Allow local admin to choose setting. Pada opsi ini local administrators diperbolehkan menggunakan Automatic Updates pada Control Panel untuk memilih konfigurasi
  4. klik OK.

Mengarahkan client computer ke WSUS server

  1. Pada Group Policy Object Editor, klik Computer Configuration > Administrative Templates > Windows Components > Windows Update.
  2. Pada details pane, double-klik Specify intranet Microsoft update service location.
  3. Klik Enabled, ketikkan HTTP URL tempat WSUS server berada di Set the intranet update service for detecting updates box dan di Set the intranet statistics server box. Misalnya, ketikkan http://servername dikedua box.
  4. Klik OK.

Setelah selesai, langkah ini memakan beberapa waktu sebelum client muncul di Computers page pada WSUS console. Untuk client computers yang dikonfigurasikan dengan Active Directory-based GPO, memakan waktu sekitar 20 menit setelah Group Policy refreshes. Secara default, Group Policy refreshes tiap 90 menit, dengan random offset antara 0 sampai 30 menites. Jika ingin melakukan refresh Group Policy secepatnya, pada command prompt die client computer ketikkan : gpupdate /force.

Untuk client computers yang dikonfigurasikan dengan Local GPO, Group Policy seting langsung digunakan dan membutuhkan waktu 20 menit.

Setelah Group Policy dapat digunakan, deteksi manual dapat dilakukan. Dengan langkah ini, tidak membutuhkan 20 menites untuk client computer menghubungi WSUS.

Deteksi manual WSUS server

  1. Pada client computer klik Start, kemudian klik Run.
  2. Ketik cmd, kemudian klik OK.
  3. Pada command prompt, ketik wuauclt.exe /detectnow. Command-line ini akan menginstruksikan Automatic Updates untuk mengadakan hubungan dengan WSUS server secepatnya.
Sumber: http://roykeame.blogdetik.com/2008/05/28/wsus-versi-iv/
Diposting oleh di Tidak ada komentar:
Label:

WSUS Step by Step

Setelah selesai meng-install WSUS 3.0 di Server 2003 akan tampil WSUS Configuration Wizard, wizard ini akan menyiapkan WSUS Server untuk melakukan proses updating ke server di microsoft. Bila ternyata anda belum melakukan configuration wizard ini, anda dapat menjalankannya dari menu Options yg terdapat di WSUS console.

Yang terpenting dlm Configuration Wizard::

  • Pada Choose Upstream Server, pilih Synchronize from Microsoft Update bila WSUS server tsb adalah satu-satunya wsus server di network.
  • Bila anda menggunakan proxy, pada Specify Proxy Server, centang Use a proxy server when synchronizing, dan masukkan IP dan port dari proxy server tersebut.
  • Kemudian klik Start Connecting untuk mengupdate list jenis product dan class update yg terdapat di microsoft.
  • Setlah itu, pilih language English untuk membatasi download updates untuk english saja.
  • pada Choose Products, anda dapat menentukan jenis products apa saja yg akan di download dari microsoft. Listing products ini tidak akan muncul bila anda belum berhasil melakukan koneksi awal ke microsoft dari button Start Connecting. Nantinya, anda dapat juga merubah pilihan products melalui WSUS console.
  • pada Choose Classifications, pilih jenis updates yang akan didownload. Jenis updates yg penting :: Critical Updates dan Security Updates. bila anda menggunakan Forefront Client Security (FCS), anda harus memilih Definition Updates, supaya WSUS mendownload updates utk antivirus FCS.
  • pada Configure Sync Schedule, tentukan jadwal utk WSUS server melakukan updates secara otomatis
  • Setelah itu anda dapat memulai sinkronisasi updates yg telah anda tentukan sebelumnya. Sinkronisasi ini akan mendownload semua list updates utk products dan classifications yg telah anda pilih.

Bila sinkronisasi berhasil, maka melalui WSUS console (Microsoft Windows Server Update Services 3.0 SP1 di dalam Administrative Tools) anda dapat menentukan updates mana yg akan di download.

Pada panel kiri WSUS console, terdapat beberapa menu spt Updates, Computers, Downstream Servers, Synchronizations, Reports dan Options. Dari menu Updates inilah, anda menentukan (meng-approve) updates yg mana yg akan di download dari microsoft.

Dalam tiap sub-menu Updates, spt Critical Updates, Security Updates, WSUS Updates; bila anda click, pada panel bagian tengah wsus console, akan tampil sejumlah list updates utk category tersebut. Pada bagian atas panel tengah terdapat pilihan drop-down box utk Approval dan Status.

  • Untuk menampilkan updates yg blum didownload ke wsus server, pilihlah Unapproved dari dropdown box Approval, kemudian di Status pilih Failed or Needed, dan kemudian click Refresh.
  • pada list yg tampil, utk updates yg diperlukan, klik kanan pada updates tersebut, dan pilih Approve...
  • pada window Approve Updates, klik kanan group All Computers , dan pilih Approve for Install.
  • WSUS Server akan segera memulai download updates yg telah diapprove tersebut.
  • bila anda klik nama wsus server di panel kiri, pada panel tengah akan ditampilkan status Download Status.

Untuk konfigurasi client, bisa dilakukan dari Group Policy domain, sehingga memudahkan anda utk mengkonfigur semua client yg ada. Bila network anda menggunakan domain, maka bisa dilakukan dari AD Users and Computers, bila tidak maka anda bisa melakukan dari group policy local di client XP dan kemudian anda bisa meng-export registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate utk di merge di semua client yg lainnya.

dari GroupPolicy Object Editor, masuklah ke Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. Pada bagian kanan GPO editor, mulailah mengkonfigur Configure Automati Updates::

  • Configure Automatic Updates => set ke Enabled, pilih 4. Auto download and schedule the ..., tentukan waktu (hari dan jam) untuk instalasi updates di client.
  • Specify internet Microsoft update service location => set Enabled, masukkan address url dari WSUS server anda, misal http://WSUSserver atau http://WSUSserver:8845 bila anda meng-install WSUS di port 8845.
  • Enable client-side targeting => bila anda ingin semua client anda otomatis dimasukkan ke group tertentu di WSUS server, anda bisa meng-enable-kan option ini, dan tentukan group utk client tsb. Bila tidak, set ke Disabled saja.
  • Reschedule automatic updates scheduled installations => gunakan option ini utk menentukan berapa menit setelah startup barulah client memulai updates ke wsus server.
  • No auto-restart Specifies that to complete a scheduled installation => set Enabled, supaya client tidak otomatis di re-start bila telah melakukan updates.
  • Automatic updates detection frequency => set Enabled, dan isi berapa jam interval waktu bagi client untuk cek ada tidaknya update dari WSUS server.
  • Allow automatic updates immediate installation => set Enabled
  • Allow non-administrators to receive update notifications => set Enabled, supaya users yg bukan administrators, tetap menerima notifikasi adanya updates.

Saya sarankan utk menggunakan pengaturan BITS dari group policy di server WSUS. Policy ini pd dasarnya tidak ada, anda harus menambahkan template utk policy BITS terlebih dahulu.

di group policy utk BITS (Computer Configuration - Administrative Templates - Network - Background Intelligent Transfer Service ), pada Maximum network bandwidth that BITS uses, anda bisa set limit speed download dalam Kbps.

Misalkan supaya tidak download pada jam kerja, anda bisa set Limit BITS transfer rate (Kbps) to = 0, mulai dari jam ( From 6AM) sampai (to 6PM), kemudian centang Use all available unused bandwidth supaya WSUS bisa melakukan download dg speed penuh diluar jam From - to.


Sumber: http://wss-id.org/forums/t/5803.aspx?PageIndex=1
Diposting oleh di Tidak ada komentar:
Label:
Langganan: Postingan (Atom)