Hack 86 Use Automatic Updates Effectively


your Windows servers are properly patched against critical
vulnerabilities, but there are some nuances to using it effectively.

The other day, a power blackout temporarily knocked out my
company's servers. I should have tested the UPS more
often, but you know how it is. Anyway, when the power came back on,
the servers rebooted. I was sitting at the console of one of them,
about to log on, when the server suddenly rebooted itself again.
Virus? Disk problem? I stared at the screen, worried for a moment,
and then suddenly realized: Automatic Updates! Whew!

Automatic Updates is a patch-management feature that replaces the
earlier Critical Update Notification utility that you used to
download from Microsoft's web site for Windows 98 or
later. Microsoft first made Automatic Updates available for download
for Windows 2000 systems running Service Pack 2. Later, when Service
Pack 3 was released, Automatic Updates was included as a component of
that service pack. Automatic Updates is also included on both the
Windows Server 2003 and Windows XP platforms. Automatic Updates lets
administrators schedule the automatic downloading and installation of
critical security updates from Microsoft's Windows
Update web site, making it no longer necessary for administrators to
use Windows Update to keep their systems patched manually.
Using Automatic Updates
The way you configure Automatic Updates depends on your platform. On
Windows Server 2003 and Windows XP Service Pack 1, use Control
Panel.
On Windows 2000 Service Pack 3 or later, use Control
Panel.
Figure 9-3 shows the configuration options for
Windows Server 2003.
Figure 9-3. Automatic Updates feature in Windows Server 2003

The checkbox lets you enable or disable Automatic Updates on the
machine. By default, Automatic Updates is enabled and the second
option under Settings is selected. The three Settings options
represent different levels of automation.

The first option, "Notify me before downloading
any updates and notify me again before installing them on my
computer," is the least automated solution.
Windows automatically checks the Windows Update web site for new
updates shortly after system startup and every 22 hours thereafter
(minus a random offset of up to 5 hours). If new updates are
available for download, a notification message appears above the
status area at the bottom right of the logged-on
user's desktop. However, only administrators can
download and install these updates.

If the second option, "Download the updates
automatically and notify me when they are ready to be
installed," is selected, Windows automatically
checks for new updates according to the schedule described
previously. But this time, if updates are found, they are
automatically downloaded in the background. Once downloading is
complete, a notification message asks if you want to install them.

The third option, "Automatically download the
updates, and install them on the schedule that I
specify," is the most automated solution for
keeping your system up-to-date with critical security patches.
Windows still checks for new updates according to the previously
described schedule, but it then allows you to schedule when
downloaded updates should be automatically installed. You can
schedule installation of updates every day or once a week at a time
of your choosing (the default time, 3:00 a.m., is a good choice,
because system and user activity is usually low then).

What actually happens when the scheduled time arrives depends. If a
user is logged on at the scheduled installation time, a notification
message gives the user five minutes to log off before installation
starts. By default, the machine reboots when these five minutes are
up, but this behavior can be changed by editing the Registry
(we'll see how in a moment). On the other hand, if
the user is an administrator, he has the option of declining
installation until the next scheduled day and time. If no one is
logged on to the machine, the updates are installed automatically
and, if necessary, the machine reboots (this is usually the case).
Finally, if the machine is down when the scheduled time occurs,
installation of updates commences approximately one minute after the
machine finishes booting (this time interval can also be changed only
by editing the Registry).

If you choose one of the first two methods, a list of available
updates is displayed and you can download and/or install only the
updates you choose by deselecting the updates you want to decline. If
you choose the third option, everything is automatic. Which approach
is best? While keeping your systems up-to-date with the latest
patches is important, there have been occasions when a patch has
broken one feature while fixing another, resulting in systems
freezing up or becoming unstable. On critical servers,
it's probably best to download updates automatically
but not install them until you've had a chance to
install them on a test machine to ensure that no system problems or
application incompatibilities result. We'll talk
about how you can do this in a moment.

There's another reason for not using the fully
automated option on critical servers: Microsoft sometimes releases
multiple patches at a time, and if you install all of them and the
machine becomes unstable, it's hard to trace which
patch caused the problem. I suggest that when multiple patches become
available and you've tested them, use the following
hack to safely install them on your critical servers.

First, click the Automatic Updates notification icon in the status
area and click Details to display a list of available updates, as
shown in Figure 9-4. Deselect all the patches in
the list except the one you want to install first. This will download
and/or install only the selected patch (if you're
installing updates that have already been downloaded, it will delete
all other downloaded updates from your system). Note that the
declined patches will not be displayed in future lists generated by
Automatic Updates, but by clicking the Declined Updates button (see
Figure 9-3 again) you can choose to have Windows
notify you again about the updates you declined so you can
download/install them later. Once you've installed
the first update on your production system and verified it
hasn't caused any negative effect, repeat the
process to install the second update, third update, and so on.
Figure 9-4. List of downloaded updates ready to be installed

The main downside of this hack is that your system might require
extra reboots. The advantage is that it's safer and
helps you pinpoint the source of any problems that arise. For more
details on how to keep Windows systems patched and up-to-date, see
[Hack #79].
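The same one-patch-at-a-time approach, driven from the Windows Update Agent COM API (Microsoft.Update.Session) instead of the notification icon. This is an added example, not code from the book; it assumes the Windows Update Agent is present on the machine and that the shell runs as an administrator, and the KB number in the usage line is a placeholder.

```powershell
# Added example, not from the book: install exactly one pending update at a time
# through the Windows Update Agent COM API, so a bad patch can be pinpointed.
# Assumes the WUA (Microsoft.Update.Session) is installed and the shell is elevated.
$session = New-Object -ComObject Microsoft.Update.Session

function Get-PendingUpdates {
    # Lists what Automatic Updates would offer, so you can pick the one to install first
    $searcher = $session.CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        $kbs = @(); foreach ($id in $u.KBArticleIDs) { $kbs += "KB$id" }
        '{0,-20} {1}' -f ($kbs -join ','), $u.Title
    }
}

function Install-SingleUpdate {
    param([Parameter(Mandatory=$true)] [string] $KB)  # article number only, e.g. '123456' (placeholder)
    $searcher = $session.CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    # A collection holding exactly ONE update is the whole point of the hack above
    $one = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        foreach ($id in $u.KBArticleIDs) {
            if ($id -eq $KB) {
                if (-not $u.EulaAccepted) { $u.AcceptEula() }
                $one.Add($u) | Out-Null
            }
        }
    }
    if ($one.Count -ne 1) { throw "Expected exactly one pending update for KB$KB, found $($one.Count)" }
    if (-not $one.Item(0).IsDownloaded) {
        $dl = $session.CreateUpdateDownloader()
        $dl.Updates = $one
        $dlResult = $dl.Download()
        if ($dlResult.ResultCode -ne 2) { throw "Download failed, ResultCode $($dlResult.ResultCode)" }  # 2 = orcSucceeded
    }
    $inst = $session.CreateUpdateInstaller()
    $inst.Updates = $one
    $r = $inst.Install()
    # Verify the server still behaves before calling this again for the next patch
    'KB{0}: ResultCode={1} (2 = succeeded), RebootRequired={2}' -f $KB, $r.ResultCode, $r.RebootRequired
}

# Usage: list what is pending, then install one patch and check the result
Get-PendingUpdates
# Install-SingleUpdate -KB '123456'   # replace with the KB of the patch you tested first
```

Run the install line once per patch, rebooting and checking the server in between, exactly as the GUI procedure above prescribes.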
Hacking Automatic Updates
While basic configuration of Automatic Updates is done through the
GUI, you can tweak it further by hacking the Registry. This approach
is useful mainly in a workgroup environment; to learn how to
configure Automatic Updates in an Active Directory environment, see
[Hack #87].

To configure Automatic Updates by hacking the Registry, run
regedit.exe and find the following key:
HKLM\Software\Policies\Microsoft\Windows
Under this key, add a subkey named WindowsUpdate,
and under that key add a subkey named AU:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Then, populate this key with the following values and assign them data
values as desired (all of them are of type
REG_DWORD). First, the
NoAutoUpdate value determines whether Automatic
Updates is enabled (0) or disabled
(1) on your system. The
AUOptions value then determines which of the three
scheduling options is used: a value of 2 causes
Windows to notify you before downloading updates, a value of
3 automatically downloads updates but notifies you
before installing them, and a value of 4
automatically downloads and installs updates without user
intervention.

The ScheduledInstallDay value determines the day
on which downloaded updates are installed when
AUOptions has a data value of
4. A value of 0 for
ScheduledInstallDay means that downloaded updates
are installed every day, while values 1 through
7 mean that updates are installed once a week on
Sunday (1) through Saturday
(7), respectively. The
ScheduledInstallTime value determines the time at
which downloaded updates are installed when
AUOptions has a data value of
4. ScheduledInstallTime can
have any integral data value from 0 through
23, representing the hours of midnight through 11
p.m., respectively.

The offset time, in minutes, that Automatic Updates waits after the
computer restarts before it tries installing overdue updates is
determined by RescheduleWaitTime and can range
from 1 to 60
(1 is the default). The
NoAutoRebootWithLoggedOnUsers value determines
whether Automatic Updates is allowed to reboot (0)
or prevented from rebooting (1) the machine to
complete the installation of updates when a user is currently logged
on to the machine. Note that if you set the value of
NoAutoRebootWithLoggedOnUsers to
1, Automatic Updates won't be
able to check the Windows Update site for new updates until the
system is rebooted.

Finally, if UseWUServer is set to
1, the computer will obtain updates from an
internal SUS server instead of from the Windows Update web site. Note
that this value applies only when Software Update Services (SUS) is
being used to deploy critical updates across your network.

Once you've made these Registry modifications, they
won't take effect until you reboot your machine.
After rebooting, if you try to configure Automatic Updates using the
GUI, you'll see that all the options are grayed out,
even if you're an administrator.
Don't worry, though; just delete the
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
key and its contents, reboot, and you'll again be
able to configure Automatic Updates by using the GUI!
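The Registry values above written from PowerShell instead of regedit.exe, followed by a read-back that decodes each DWORD into the meaning the text gives it and flags the fully automatic mode the text advises against on critical servers. This is an added example, not the book's own; it assumes PowerShell is available on the machine and that the shell runs as an administrator.

```powershell
# Added example, not from the book: write the AU policy values described above
# from PowerShell instead of regedit.exe, then read them back decoded.
# Assumes an elevated PowerShell prompt on a Windows 2000 SP3/XP/2003 machine.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-AuPolicy {
    param(
        [Parameter(Mandatory=$true)] [ValidateRange(2, 4)] [int] $AUOptions,  # 2 notify, 3 download+notify, 4 fully automatic
        [ValidateRange(0, 7)]  [int] $ScheduledInstallDay = 0,    # 0 every day, 1..7 Sunday..Saturday
        [ValidateRange(0, 23)] [int] $ScheduledInstallTime = 3,   # hour of day; 3 a.m. is the GUI default
        [switch] $NoRebootWithLoggedOnUsers                       # block the forced reboot while someone is logged on
    )
    # -Force creates WindowsUpdate and AU together when they do not exist yet
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    $values = @{
        NoAutoUpdate                  = 0
        AUOptions                     = $AUOptions
        ScheduledInstallDay           = $ScheduledInstallDay
        ScheduledInstallTime          = $ScheduledInstallTime
        NoAutoRebootWithLoggedOnUsers = [int][bool]$NoRebootWithLoggedOnUsers
    }
    foreach ($name in $values.Keys) {
        # -Type DWord matches the REG_DWORD type every AU value uses
        Set-ItemProperty -Path $AuKey -Name $name -Value $values[$name] -Type DWord
    }
}

function Get-AuPolicy {
    # Decodes the raw DWORDs into the meanings given in the text and warns when
    # the server is set to install patches with no chance to test them first.
    if (-not (Test-Path $AuKey)) { return 'No AU policy key present; GUI settings apply.' }
    $p = Get-ItemProperty -Path $AuKey
    $modes = @{ 2 = 'notify before download'; 3 = 'download, notify before install'; 4 = 'download and install on schedule' }
    $days  = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    $lines = @()
    if ($p.NoAutoUpdate -eq 1) { $lines += 'Automatic Updates is DISABLED (NoAutoUpdate=1)' }
    $lines += 'Mode: ' + $modes[[int]$p.AUOptions]
    if ($p.AUOptions -eq 4) {
        $lines += ('Install: {0} at {1:00}:00' -f $days[$p.ScheduledInstallDay], $p.ScheduledInstallTime)
        $lines += 'WARNING: fully automatic install; untested patches will reach this server'
    }
    if ($p.NoAutoRebootWithLoggedOnUsers -eq 1) { $lines += 'No forced reboot with users logged on (AU stops checking until next reboot)' }
    if ($p.UseWUServer -eq 1) { $lines += 'Updates come from the internal SUS server' }
    return $lines
}

# Usage: download-but-do-not-install policy for a critical server; reboot afterwards for it to apply
Set-AuPolicy -AUOptions 3 -NoRebootWithLoggedOnUsers
Get-AuPolicy
```

As the text notes, the GUI stays grayed out while the WindowsUpdate key exists; remove the key and reboot to hand control back to the GUI.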