[unisog] Validation problems with Windows Update

K.M. Jeary kmj1000 at ucs.cam.ac.uk
Sun Aug 28 14:18:44 GMT 2005


   I am aware of but not interested in the discussion of the legality (or
   otherwise) of various reasonably well-publicized workarounds for this
   problem. Legal ain't my area. My priority is to get Windows Update (and
   now of course "Microsoft Update") to work, using the simplest possible
   measures.

> Our students are beginning to show up on campus and are looking to register
> for our network. We are forcing students to do a few security related things
> before they are allowed on the network. One of the main things they must do
> is update their system by going to WindowsUpdate.
>
> We have experienced a lot of problems with users being able to validate
> their OS with Microsoft. Even people who appear to have legitimate copies of
> Windows. 
> Among the problems we've experienced:
>
> - Users being able to download, but not install the Windows Genuine
> Advantage Validation tool. Despite repeated downloads, and attempts at
> installing, it simply will not install.

   I've seen various problems with the validation tool but not any
   unrecoverable ones as such, except one. That was on a Dell Windows
   XP post-SP2 machine which (fot several possible reasons) could not
   run ActiveX. There's a secondary way of validating which the Microsft
   site tries, but not even this would work with this machine. As with
   other situations where ActiveX isn't functional (parts of standard
   applications start failing and random other problems are encountered
   on other sites) the solution was repair/re-install. Nothing new there...

> - A potential timeout issue when users go to the website to validate their
> version of windows. There is a message stating that the validation tool was
> not able to communicate properly. This is potentially a problem with our
> firewall rules. What sites/addresses are people letting through their
> firewalls now to accommodate for this newly revamped WindowsUpdate. The
> error that's given only tells the user to ensure their date/time is correct.
> Not very helpful.
>
> Any info is greatly appreciated!

   Given what I've said above I haven't actually tried the solution I'm
   about to suggest, so you need to test it foru yourself. _However_ what
   the Microsoft FAQ on WGA declare is that _even_ if your amchine has not
   pased the validation test, _automated_ Windows Update will continue to
   work... Foe security updates that is.

   See: http://www.microsoft.com/genuine/downloads/FAQ.aspx

   "Q: Do security updates require validation?

   A: Security updates are not part of WGA. Security updates can be
   installed  using the Windows XP Automatic Updates feature, or downloaded
   from the Download Center."

   So make sure they've got Automatic Updates set I guess... And the
   additional point of course is that if you've got updates set to
   download and install at a particular point during the day (at least on
   Windows XP) you will be asked so frequently to reboot that most peopke
   tend to give in sooner-or-later...

> Cheers
>
>
> Matt Ashfield
> Network Analyst
> Integrated Technology Services
> University of New Brunswick
> mda at unb.ca 
>
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
> ---------- Forwarded message ----------
> Date: Fri, 26 Aug 2005 15:47:11 -0400
> From: "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu>
> Reply-To: UNIversity Security Operations Group <unisog at lists.sans.org>
> To: mda at unb.ca, UNIversity Security Operations Group <unisog at lists.sans.org>
> Subject: Re: [unisog] Validation problems with Windows Update
>
> Hello-
>
> We're looking at the same issue here.
>
> A trace is showing a connection to a number of Microsoft sites, as well
> as one packet sent to 208.172.13.251.  It has a destination port of 80,
> and source of 1433.
>
> Are looking into seeing if allowing this to pass will help.
>
>
> ++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++

Internet:  K.M.Jeary at ucs.cam.ac.uk       University Computing Service,
NT-Support: NT-Support at ucs.cam.ac.uk     Pembroke Street
Telephone: +44 (0)1223-335632            Cambridge CB2 3QH, England.


More information about the unisog mailing list