RE: Windows Update

["Todd Towles" <toddtowles () brookshires com>]

The AU shouldn't be a issue for anyone running SUS or SMS. It is a pain to turn it back on if you have already turned 
it off (my case) via corporate wide reg hack. But that is my issue and easily fixable.

AU running in automatic mode will not install updates on its own. As long as you turn the automatic feature off in the 
control panel. I saw this problem on the gold version of XP. You tell it to not do automatic updates but the service 
starts up as automatic and waste CPU cycles and memory. That is why I put it to manual on all my computers on the 
network. But with XP SP2 - WindowsUpdate won't work if the service is set to manual. Great policy change from 
Microsoft? 

As far as admins turning it off to stop updates, why don't you try a proxy? Don't good admins use those?  Sure, once a 
user gets thru the proxy, a update could be installed and that is problem.

But I do understand the issue of automatic patching of systems. I was the primary SMS Admin for my company before 
getting a new job. Updates should be released in a controlled way in a coporate network. 

Look at it this way. If you use SMS you don't need AU and can leave it to manual. Therefore no local user can get to 
WindowsUpdate and you have now have more control over which patches are installed when and where. 


-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of ASB
Sent: Monday, August 23, 2004 8:02 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Windows Update

Just because the Automatic Update service is enabled, doesn't mean that updates will be automatically "installed".  
There are various options for configuration.

I require AU enabled because I'm using SUS, and I control when updates are available.

The automatic nature of the service is not an implicit evil.

-ASB

On Sat, 21 Aug 2004 19:56:14 -0400, Über GuidoZ <uberguidoz () gmail com> wrote:
> Umm, hold on a sec here...
>
> (snip from "James Tucker"):
> > There really should be no reason why you would want to disable the  
> > Automatic Updates service anyway, unless you are rolling out updates  
> > using a centralised distribution system, in which case you would not 
> > need it anyway.
>
> I believe you are missing one fundamental point: SPs and updates are 
> notorious for breaking something else. (Especially from Microsoft.) 
> Granted, if fixing a security weakness breaks something you're using, 
> then that aspect could have been written better. However, that still 
> doesn't fix it when an entire business network goes down and YOU are 
> the one responsible. I do not allow ANY automatic updates (except for 
> virus definitions) to run on ANY networks I am in charge of. I take 
> the time (like every good sysadmin should) to look over each update 
> before applying it so I know three things:
>
> 1. What it's fixing/patching
> 2. Why it's fixing/patching it
> 3. What will be the end result of the fix/patch
>
> If you would simply allow updates and SPs to have free reign over your
> system(s) without taking any time to look over those updates, you're 
> going to be one busy and irritated sysadmin. That is, if you still 
> have a job after a little bit.
>
> ~G
>
> P.S. Don't take my word for it. Look here:
> - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
> - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
> - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
> - http://www.vnunet.com/news/1157279
> - Or, find the other 200+ articles by searching Google News
>    for "disable automatic update sp2"  =)
>
>
>
> On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <jftucker () gmail com> wrote:
> > Here I found that I can have BITS and Automatic Updates in "manual", 
> > Windows Update works fine here. It may be a good idea to refresh the 
> > MMC console page, as you will probably find that at time the service 
> > had shut down if and when BITS was stopped prematurely (i.e. when it 
> > was in use).
> >
> > There really should be no reason why you would want to disable the 
> > Automatic Updates service anyway, unless you are rolling out updates 
> > using a centralised distribution system, in which case you would not 
> > need it anyway.
> >
> > If you are worried about system resources, you should look into how 
> > much the service really uses; the effect is negligable, in fact 
> > there is more impact if you select (scroll over) a large number of 
> > application shortcuts (due to the caching system) than if you leave 
> > Automatic Updates on. If you are worried about your privacy and you 
> > dont believe that the data sent back and forth has not been checked 
> > before, then you surely dont want to run Windows Updates ever. If 
> > you want to cull some real system resources and have not already 
> > done so, turn the Help and Support service to manual, that will save 
> > ~30mb on boot, up until the first use of XP help; this will stop 
> > help links from programs from forwarding to the correct page, until 
> > the service has loaded once.
> >
> > As for worry over using bandwidth on your internet service, again, 
> > you want to check this out as its a trickle service, not a flood. 
> > BITS does not stand for Bloody Idiots Trashing Service; it means 
> > what it says on the tin.
> >
> > On Fri, 20 Aug 2004 14:30:22 -0700, David Vincent
> >
> >
> > <support () sleepdeprived ca> wrote:
> > > joe wrote:
> > >
> > > > Yep, this is how it works now.
> > > >
> > > > You control whether Windows Update is updating or not via the 
> > > > security panel in the control panel applets (wscui.cpl).
> > > To eb complete, I should have mentioned I have Automatic Updates 
> > > turned off in the control panel.  I also had the service disabled 
> > > before applying SP2 and venturing to Windows Update v5.
> > >
> > > > Of course if you aren't using automatic update you could always 
> > > > disable the service and just reenable when you go to do the 
> > > > update, or don't use windows update at all and just pull the 
> > > > downloads separately. We are talking about a single command line 
> > > > to reenable that service
> > > Yep.
> > >
> > > > Is it a pain? Yes, for those who like to run minimal services. Is 
> > > > it a security issue or life threatening, probably not.
> > > Agreed.
> > >
> > > -d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html