Full Disclosure mailing list archives

RE: Windows Update


From: "joe" <mvp () joeware net>
Date: Mon, 23 Aug 2004 09:53:01 -0400

What I see Microsoft as doing is pretty much forcing 
everyone to turn on Automatic Windows Update.  Why 
leave it as a control panel option, I've no clue.  
Same with BITS (Background Intelligent Transfer Service). 
For the millions of users out there that are likely 
subject to viruses, etc, I'm sure it will help make 
things better, but for people who would fit into the 
"power user" class, it's a real pain in the arse.
<SNIP>
I really object to this philosophy because it does 
not let a person plan the downloading and installation 
of updates - some of which will require a reboot.

No they aren't. If you don't want auto updates, you set it to no
autoupdates, like my machine is now. Then it won't do anything unless you go
out and tell it to. Of course the service is still running, but if you are a
power user, you know how to disable the service and re-enable it when you want
to go get the updates. As I mentioned previously, this is kind of a pain,
but certainly isn't forcing you to have AU on and has no impact on your
planning of downloading and installing of updates. A power user knows it
only takes a single command line to stop and disable the WU service and a
single command line to re-enable and start it again. 


What do large corporate installations of Windows do here?

Depends on the company. The large ones I have worked/talked with, 5k+ seats
to about 200k seats, use various methodologies for deploying software and
patches, from custom in-house services to simple batch files to SMS to the
Windows Update service, either due to using SUS or using the Update Web Site.


Do they run their own caches of the Windows updates?

In many cases yes. Depends on the deployment method. 

Push out updates from servers rather than have clients pull?

In some cases yes. 

Is it all done with SUS?

Nope, but many do.

Is SUS usable on a single node, in place of WU?

SUS depends on the WU client.

The help for the "Windows Update" web site suggests 
that it is possible to get updates without Automatic Updates.  
Is the help out of date or is there a way to still do it 
without AU on ?

You go to the KB articles or security bulletins and download the QFEs
manually. In my last job as a Server Admin, there wasn't a single update in
3 years I pulled through Windows Update Web site. In fact the company
blocked that traffic at the firewall. I or our systems integration group
would check out the new issues and download the patch or get it from
Microsoft Support and then integrate it into our patching methodologies
(basically batch it up for silent install) and test it to make sure the
install wasn't damaging then test it for functionality then deploy it. The
client group would slap the patch package into the software deployment
system and it would zoom out to the local site servers where the local
admins would schedule the deployment to their local workstations.  

There is no hard and fast answer to patch management. Many at the corporate
levels beat MS for that, but then many others don't care as they already have
something, be it Shavlik, SMS, SUS, or something they have whipped up for
themselves, from fancy batch files to interactive Perl scripts to automatic
service/daemon-like service scripts, to actual custom executables.
Personally I like the freedom of choice in how things can be deployed; I
certainly wouldn't want to be railroaded into a single methodology like you
misunderstand WU to be. 


  joe
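As an added illustration, not part of joe's reply or any code posted in the thread: the "single command line" handling of the Automatic Updates service above, wrapped in the kind of batch file the reply says admins whip up for silent hotfix installs. It assumes the hotfixes were fetched by hand from the KB/bulletin pages into a share (\\fileserver\patches\2004-08 is a made-up path), that they are Update.exe-style packages that accept /quiet and /norestart and return 3010 when a reboot is pending, and that it is run as a local Administrator on XP/2003. The service names wuauserv (Automatic Updates) and BITS are the real ones.

```batch
@echo off
rem Added example, not code from the thread: a hand-driven patch cycle in
rem the style the reply describes (AU service off, manual QFE install, AU on).
rem Assumptions: Update.exe-style packages accepting /quiet /norestart,
rem a hypothetical share holding the downloaded hotfixes, local Administrator
rem rights, and Update.exe exit code 3010 meaning "reboot pending".
setlocal
set PATCHDIR=\\fileserver\patches\2004-08
set LOG=%SystemRoot%\patchrun.log
set NEEDREBOOT=0

rem 1. Stop and disable Automatic Updates and BITS so nothing downloads or
rem    installs behind our back while we work. "net stop" only complains if
rem    the service is already stopped, so this is safe to re-run.
sc config wuauserv start= disabled >> "%LOG%"
net stop wuauserv >> "%LOG%" 2>&1
sc config BITS start= disabled >> "%LOG%"
net stop BITS >> "%LOG%" 2>&1

rem 2. Install every downloaded hotfix silently, without a forced reboot,
rem    recording the outcome of each one.
for %%P in ("%PATCHDIR%\WindowsXP-KB*.exe") do call :install "%%~fP"

rem 3. Put the services back so the WU web site (which now insists on the
rem    service running) and later manual scans work when you choose to use them.
sc config BITS start= demand >> "%LOG%"
sc config wuauserv start= auto >> "%LOG%"
net start wuauserv >> "%LOG%" 2>&1

rem 4. Reboot on your schedule, not the machine's.
if "%NEEDREBOOT%"=="1" (
    echo Reboot pending; run "shutdown -r -t 0" at the planned time. >> "%LOG%"
)
type "%LOG%"
endlocal
goto :eof

:install
echo Installing %~nx1 >> "%LOG%"
"%~1" /quiet /norestart
rem "if errorlevel N" is true for any code >= N, so test 3010 before 1.
if errorlevel 3010 (
    echo   reboot required by %~nx1 >> "%LOG%"
    set NEEDREBOOT=1
    goto :eof
)
if errorlevel 1 (
    echo   FAILED %~nx1 ^(errorlevel %ERRORLEVEL%^) >> "%LOG%"
    goto :eof
)
echo   OK %~nx1 >> "%LOG%"
goto :eof
```

Run it from an elevated cmd prompt after the packages have been through whatever test pass the site uses; the reboot is deliberately left to the operator, which is exactly the planning control the original poster wanted to keep.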

 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Darren Reed
Sent: Monday, August 23, 2004 6:52 AM
To: Security List
Cc: full-disclosure () netsys com
Subject: Re: [Full-disclosure] Windows Update

In some mail from Security List, sie said:

Went to windows update last night w/ XP Pro. 
Redirected to the v5 version.  I was asked to install the new Windows 
Update software...downloaded the WU software...copied the files...then 
saw registering...kinda thinking that it was checking for a valid 
registration or license.  No updates needed according to WU.  XP SP2 
is not available via WU for XP Pro yet.

Now, I checked the Automatic Update service to see if it was turned 
back to start automatic, as I always have it disabled.  Yup, it was set to 
automatic and it was started.  I stop and disable the automatic update 
service, and try WU.  Get error stating that the automatic update 
service must be enabled to use WU now.  Has anybody else heard of this?  
Once again, we must have services that we do not want enabled.  I can 
not believe that they are forcing users to turn on the service to use 
WU.

I discovered this when testing out v5beta and had to do a checkpoint
recovery to restore version 4.  If you don't install the latest Windows
Update software (if, for example, you have all Active X stuff set for
prompting and you say "no") then you don't even get to 1st base and Windows
Updates (via a convenient mechanism) are not available.
IMHO, this sucks big time.

What I see Microsoft as doing is pretty much forcing everyone to turn on
Automatic Windows Update.  Why leave it as a control panel option, I've no
clue.  Same with BITS (Background Intelligent Transfer Service). For the
millions of users out there that are likely subject to viruses, etc, I'm sure
it will help make things better, but for people who would fit into the "power
user" class, it's a real pain in the arse.

I really object to this philosophy because it does not let a person plan the
downloading and installation of updates - some of which will require a
reboot.

What do large corporate installations of Windows do here?
Do they run their own caches of the Windows updates?
Push out updates from servers rather than have clients pull?
Is it all done with SUS?
Is SUS usable on a single node, in place of WU?
The help for the "Windows Update" web site suggests that it is possible to
get updates without Automatic Updates.  Is the help out of date or is there
a way to still do it without AU on ?

If you were a conspiracy theorist, you'd say this was Microsoft's way of
being able to do more automatic updates before announcing a security
vulnerability and mitigate the impact of 0-day exploits (developed through
reverse engineering of changes.)

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
