Friday, August 17, 2007

NAC WSUS Requirement Type

Background:

New in 4.1.1, the WSUS Requirement type gives NAC Appliance administrators the ability to integrate seamlessly with local WSUS servers, or to use Microsoft's servers, to ensure users are up to date on their Microsoft service packs and patches.

Configuring WSUS Requirements:

The following is a list of the options available when configuring a WSUS Requirement:

  • Update Validation source - This determines how the check for whether a particular client machine is up to date with patches is performed. The check can be done against the WSUS server itself OR against Cisco rule sets.
    • Cisco Rules - In this case, the new “WSUS Server Update services” requirement needs to be mapped to the standard Cisco rule sets such as XP_hotfixes. Standard registry scans are performed on the client machine based on these rule sets.
    • WSUS Server - In this case, the CCA Agent makes an API call to the WSUS Agent on the client machine to check compliance. Since the Cisco rule set is not used here (the WSUS client interacts directly with the WSUS server), there is no need to map a rule set to the requirement.
  • Update Installation source - This determines how the user is remediated once we have established that he/she is non-compliant. Remediation can be done either from local WSUS servers OR from Windows Update.
    • WSUS Servers - Download and install the patches from the local WSUS servers.
    • Windows Update - Download and install patches from the Microsoft Windows Update website.
  • Update Installation type - This determines what type of hotfixes should be downloaded and installed from the chosen source.
    • Express - This option installs the same Windows updates as would be available from the Windows Update application's "Express" option. (For example, the Windows "Express" option may include just Critical and Important security updates, or could call for installing an entire service pack.)
    • Custom - Use this setting and the associated dropdown menu to install updates based on their severity by choosing Critical, Medium, or All. If you select Critical, only the most severe/critical Windows updates are installed; selecting Medium means all updates (except those classified as "low severity" by Microsoft) are installed; selecting All means that all currently available Windows updates are installed, regardless of severity.
    • Upgrade to Latest OS Service Pack - Automatically install the latest service pack available for the user's operating system.
  • UI Experience - This setting controls what the end user sees while the updates are being installed.
    • Show UI - The Windows Update UI (showing that patches are being installed) is displayed to the user.
    • No UI - Updates are installed silently and the user does not see any UI showing that updates are being installed.

Figure 1 - Configuring a WSUS Requirement

Notes on configuring WSUS Requirements:
  • Validation against the WSUS server may take between 10-15 seconds.
  • Make sure access to the WSUS server or the Windows Update servers (depending on which is being used) is opened in the temporary role.
  • Make sure that the client PC can talk to the WSUS server on port 80/443; these are the ports the client machine uses to talk to the WSUS server.
  • WSUS updates may take a long time, so it is important to set the Session Timer for the temporary role long enough to allow the updates to complete.
  • In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.
  • If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
  • To see whether a local WSUS server is configured, go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the "WUServer" value will have the server listed.
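
A read-only pre-flight for the settings and notes above, written as an added example for this post (it is not Cisco's code and not what the CCA Agent runs): it checks the WUAUENG.dll version, the WUServer policy value and port reachability from the notes, then runs the kind of Windows Update Agent query the "WSUS Server" validation relies on and buckets the missing updates by the Custom severity choices. It assumes an elevated PowerShell session on the client and that the Microsoft.Update.Session COM object is available; the Critical/Medium/All buckets are this script's reading of the Custom option (Medium = everything not rated Low).

```powershell
# Added example, not from the post or Cisco's agent. Assumptions: elevated
# PowerShell on the client; Microsoft.Update.Session COM object available.
$minWuaEng = [version]'5.4.3790.1000'          # minimum version from the notes
$vi = (Get-Item (Join-Path $env:SystemRoot 'System32\wuaueng.dll')).VersionInfo
$fileVer = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
if ($fileVer -lt $minWuaEng) {
    Write-Warning "wuaueng.dll $fileVer is older than the required $minWuaEng"
}

# Registry location the notes give for a locally configured WSUS server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer  = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).WUServer
if ($wuServer) {
    # Confirm the client can reach the WSUS server on the port in its URL
    # (80 or 443 per the notes) before the requirement depends on it.
    $uri = [uri]$wuServer
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($uri.Host, $uri.Port); "WSUS $($uri.Host):$($uri.Port) reachable" }
    catch   { Write-Warning "Cannot reach WSUS $($uri.Host):$($uri.Port) - $_" }
    finally { $tcp.Close() }
} else {
    'No WUServer policy set: the Installation source would have to be Windows Update'
}

# Ask the local Windows Update Agent what is still missing. ServerSelection
# 1 = ssManagedServer (the WSUS server), 2 = ssWindowsUpdate (Microsoft).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
if ($wuServer) { $searcher.ServerSelection = 1 } else { $searcher.ServerSelection = 2 }
$missing = @($searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates)

# Bucket by the requirement's Custom severity choices (script's own mapping).
$critical = @($missing | Where-Object { $_.MsrcSeverity -eq 'Critical' })
$medium   = @($missing | Where-Object { $_.MsrcSeverity -ne 'Low' })
"Missing updates: Critical=$($critical.Count) Medium=$($medium.Count) All=$($missing.Count)"
foreach ($u in $missing) { '{0,-9} {1}' -f $u.MsrcSeverity, $u.Title }
```

The Search call itself can take a while (compare the 10-15 second validation time noted above); if it throws, the agent could not reach the selected update source, which is the first thing to check before blaming the requirement.
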
Summary:

WSUS Requirements are a great new best-practice method to ensure Microsoft patching is truly up to date.

Sources: 4.1(2) CAM Admin Guide; What's New 4.1(1)

4 comments:

Nguyen said...

Dear Mr. Jamie R. Sanbower!
I'm implementing NAC in my company's network. I'm configuring Windows Update by WSUS requirement following the Cisco guide. When I chose the Severity box in the WSUS requirement configuration page, the client could access the network, but about 10 minutes later, it could not. I used the packet sniffer program, but I couldn't sniff any packet sent between CAM, CAS and WSUS server, so I'm wondering how the NAC server can check whether the NAC client meets minimum standard security guidelines. Please tell me about this issue. Thank you very much. :)

Jamie R. Sanbower said...

The CAM/CAS does not interface with WSUS. The CAA gets the information about missing patches from the windows update service running on the client and sends it to the CAS, who sends it to the CAM.

I am not sure what you mean by "after 10 minutes the client could not log in". Please email me directly to discuss!

David said...

Jamie,

Page 11-17 of the cam416ug.pdf states that under the "optional" enforce choice for the WSUS requirement, the client machine does not have to meet the requirement for the user to proceed or have network access. But this seems to contradict another statement on page 11-15 which states that "Cisco recommends making the WSUS requirement "Optional" so that WSUS remediation takes place as a background process on the client machine." Assuming that I have set up an "Optional" WSUS requirement, does this mean that if the client doesn't have some of the Microsoft patches, the CAA on the workstation will still tell the Windows Update agent to phone home to the WSUS server to get the "optional" updates?

Jamie R. Sanbower said...

Great Question...

When the requirement type is set to Mandatory, the user is forced to remediate prior to connecting to the network.

When the requirement is Optional, the user is prompted to remediate, but is not required to do so prior to connecting to the network.

The administrator does have the ability to set whether the remediation option launches automatically (e.g., the WSUS client launches and connects to the WSUS server or Microsoft servers) or the user is required to click on the "update" button on the agent.