Endpoint Admission Defense Help >> Typical Applications >> Collaboration Application with Microsoft WSUS

Collaboration Application with Microsoft WSUS

Scenario Description

System patch management has become an important task of intranet security management. However, the system patch management for end users provided by Microsoft WSUS still fails to eliminate all potential security problems. As a total solution, the Endpoint Admission Defense Component can work with WSUS for system patch check for end users. If the PC used by an access user is found not having the required patches installed, the system calls the WSUS client to force patch update. The collaborative patch solution, where the Endpoint Admission Defense Component and WSUS complement each other functionally, allows for active and improved network security. Suppose an intranet using Microsoft WSUS for system patch management. The EAD solution can be deployed, with little change to the original system patch management mechanism, to integrate system patch management with the overall network security management framework.

WSUS patch check networking

Scenario Analysis

Suppose that the network where the EAD security policy server resides is ready and can communicate. Now you need to check the terminal PCs connected to the intranet for the Windows patch updates. Then you can configure the patch controls to be checked on the WSUS server to implement the following functions: During the security authentication for an employee, the iNode client calls the WSUS client for system patch check on the terminal PC used by the employee. In case the required patches are not installed, the policy server informs the access switch, which then limits the employee's access to the isolation area (including the updates server) only. In the meantime, WSUS automatically updates the OS patches. Suppose the other configurations are as follows:

• IP address of the user access manager server: 10.153.128.75.
• IP address of the policy server: 10.153.128.75.
• IP address of the proxy server: 10.153.128.75.
• IP address of WSUS: 10.153.128.63.
• Access terminal OS: Windows.
• The access terminal has iNode client and WSUS client installed.

Operation Procedure

1. Configure WSUS server (refer to Installation and Configuration Guide for Windows Server Update Service for details).
   
2. Configure security level (refer to Security Level Management for details).
   (1) Type the security level name WSUS isolation mode.
   (2) In the Check Windows Patches area, set the security mode for WSUS/SMS Server Collaboration Failure to Isolate.
3. Configure security policy (refer to Security Policy Management for details).
   (1) Type the security policy name WSUS isolation security policy.
   (2) Select the Check Windows Patches check box.
   (3) Set the patch check mode to Check Through Microsoft Server.
   (4) Type the WSUS server address.
   
4. Change the security policy for the subscribed service to WSUS isolation security policy (refer to Service Configuration for details).
5. With the above configurations, when an account user accessing through the iNode client is found not having the specified patches installed during security authentication, it is isolated and the WSUS client is called for automatic OS patch update.
   

Precautions

• In configuring the isolation ACL, be sure to include the WSUS server in the isolation area. Then when a user fails to pass the patch check, it can directly access the server for OS patch update.

Related Topics

• Security Policy Management
• Security Level Management
• Service Configuration Management