[unisog] Windows Update

Gary Flynn flynngn at jmu.edu
Thu Aug 14 21:40:30 GMT 2003



Jeff Bollinger wrote:


> (a) already have systems pre-configured to fetch updates from an SUS
> server or
> (b) in a situation where you can physically touch *all* systems to make
> sure the Update client has been properly configured and installed
> 
> In a large organization where both of these scenarios are impossible,
> how can SUS be effective?
> 
> Apparently the special client software comes with Windows 2000 SP 3 and
> Windows XP SP 1, but again, there's no way of knowing if folks are at
> this level, and certainly no way to force people to upgrade to them.

My 2am reading last night led me to understand that a registry change
to earlier systems can tell the Critical Updates Notification client
to upgrade itself to Automatic Updates through SUS. (1)

It also looks like the server keeps a log of what's been loaded.
Ergo, one could use certain motivators to encourage people to
simply click on a .reg file on a web site. I'm thinking about
adding some ASP to let the user configure the settings for preferred
install time and some other options that will simply customize
a .reg file for them.

That said, I brought it up last night thinking it might help
us through the loss of the MS site but then decided clicking
ms03026.exe was easier and more certain than clicking something.reg
and hoping the automatic updates worked as advertised.  :)

However, I am very interested in it afterwards (2). The main benefit
in my mind is that I can't in clear conscience recommend that people
configure their computers to immediately accept and apply all new
Microsoft patches as they are presented. On the other hand,
if we hold the patches on the SUS server for a week or two (depending
upon severity of course) I'd feel much more comfortable recommending
the automatic installation configuration.

I'm not yet sure what to do about clients not running Critical
Update Notifications. I guess use the Automatic Update .msi
file.

(1)   ; First .reg file: point the Critical Update Notification (CUN) client
      ; on pre-SP3/SP1 systems at the SUS server so it self-updates to the
      ; Automatic Updates client. (Lines starting with ';' are comments; the
      ; version header must be the first line of each .reg file.)
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Critical Update]
      "SelfUpdServer"="\"http://windowsupdate.jmu.edu/SelfUpdate/CUN5_4\""

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Critical Update\Critical Update SelfUpdate]
      "SelfUpdServer"="\"http://windowsupdate.jmu.edu/SelfUpdate/CUN5_4\""

      ; Second .reg file: Automatic Updates policy pointing the client at the
      ; SUS server (both the update source and the status/log server) and
      ; enabling scheduled installation.
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
      "WUServer"="http://windowsupdate.jmu.edu"
      "WUStatusServer"="http://windowsupdate.jmu.edu"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      ; minutes to wait before retrying a missed scheduled install (0x30 = 48)
      "RescheduleWaitTime"=dword:00000030
      ; 0 = allow the automatic reboot even if someone is logged on
      "NoAutoRebootWithLoggedOnUsers"=dword:00000000
      ; 0 = Automatic Updates enabled
      "NoAutoUpdate"=dword:00000000
      ; 4 = download and install on the schedule below
      ; (documented values: 2 notify, 3 download then notify, 4 scheduled install)
      "AUOptions"=dword:00000004
      ; 0 = every day, 1-7 = Sunday-Saturday
      "ScheduledInstallDay"=dword:00000000
      ; hour of day, local time (6 = 06:00)
      "ScheduledInstallTime"=dword:00000006
      ; 1 = use WUServer above instead of windowsupdate.microsoft.com
      "UseWUServer"=dword:00000001


(2) After everyone patches their systems and nobody brings up new computers or new
     OS installs on the network unprotected and Microsoft issues a recall of all
     defective CDs. ;)

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
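Added example, not part of Gary Flynn's post: the .reg-generation idea above
(a web page that hands each user a customised Automatic Updates policy file)
needs the values kept inside the ranges the SUS-era client actually accepts,
and it is worth checking a file before publishing it. The script below builds
such a .reg file for a given SUS server and install schedule, parses the
subset of .reg syntax used here, and flags mistakes such as an AUOptions value
outside 2..4, a missing UseWUServer=1, or a status server that differs from
the update server. The value ranges are those documented for the 2003
Automatic Updates client; the server URL and the sample file are constructed
for the example.

```python
"""Build and sanity-check an SUS Automatic Updates client .reg file.

Example code added to this page, not from the original post. Assumes the
documented policy ranges for the 2003-era AU client; the server name and
SAMPLE_BAD_REG are constructed for illustration.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# AU value name -> (min, max) allowed DWORD value
AU_RANGES = {
    "AUOptions": (2, 4),              # 2 notify, 3 download+notify, 4 scheduled install
    "ScheduledInstallDay": (0, 7),    # 0 = every day, 1..7 = Sunday..Saturday
    "ScheduledInstallTime": (0, 23),  # hour of day, local time
    "RescheduleWaitTime": (1, 60),    # minutes to wait after a missed schedule
    "NoAutoRebootWithLoggedOnUsers": (0, 1),
    "NoAutoUpdate": (0, 1),
    "UseWUServer": (0, 1),
}
SERVER_RE = re.compile(r"^https?://[^/\s]+$")


def build_au_reg(server, install_day=0, install_hour=3, reschedule_minutes=30,
                 no_reboot_with_users=True):
    """Return .reg text pointing Automatic Updates at `server` with a scheduled
    install (AUOptions=4). Raises ValueError for out-of-range inputs.
    Write it to disk as UTF-16 LE with CRLF line ends for regedit."""
    if not SERVER_RE.match(server):
        raise ValueError("server must be http(s)://host with no trailing path")
    values = {
        "RescheduleWaitTime": reschedule_minutes,
        "NoAutoRebootWithLoggedOnUsers": int(no_reboot_with_users),
        "NoAutoUpdate": 0,
        "AUOptions": 4,
        "ScheduledInstallDay": install_day,
        "ScheduledInstallTime": install_hour,
        "UseWUServer": 1,
    }
    for name, val in values.items():
        lo, hi = AU_RANGES[name]
        if not lo <= val <= hi:
            raise ValueError(f"{name}={val} outside {lo}..{hi}")
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{POLICY_KEY}]",
             f'"WUServer"="{server}"',
             f'"WUStatusServer"="{server}"', "",
             f"[{AU_KEY}]"]
    lines += [f'"{n}"=dword:{v:08x}' for n, v in values.items()]
    return "\r\n".join(lines) + "\r\n"


def parse_reg(text):
    """Parse [key] sections with "name"="string" / "name"=dword:hex values
    (the only syntax these files use). Returns {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")$', line)
        if not m or current is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name, dword, string = m.groups()
        keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def check_au_policy(text):
    """Return a list of findings; an empty list means the file looks sane."""
    keys = parse_reg(text)
    top, au = keys.get(POLICY_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    server = top.get("WUServer")
    if not isinstance(server, str) or not SERVER_RE.match(server):
        findings.append("WUServer missing or not an http(s)://host URL")
    if top.get("WUStatusServer") != server:
        findings.append("WUStatusServer differs from WUServer (status log lands elsewhere)")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client will go to Microsoft, not the SUS server")
    for name, (lo, hi) in AU_RANGES.items():
        val = au.get(name)
        if isinstance(val, int) and not lo <= val <= hi:
            findings.append(f"{name}={val} outside documented range {lo}..{hi}")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1 disables Automatic Updates entirely")
    return findings


# Constructed sample: AUOptions=0 is not a documented value and should be flagged.
SAMPLE_BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.example.edu"
"WUStatusServer"="http://sus.example.edu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000000
"UseWUServer"=dword:00000001
"""

if __name__ == "__main__":
    print(build_au_reg("http://sus.example.edu", install_hour=6))
    print(check_au_policy(SAMPLE_BAD_REG))
```

Running check_au_policy over a generated file returns no findings, while the
constructed sample produces a single finding for AUOptions=0; the same check
also catches the most common deployment mistake, a file that sets WUServer
but forgets UseWUServer=1, which leaves the client talking to Microsoft.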
