Re: Windows Update

[David Vincent <support () sleepdeprived ca>]

Darren Reed wrote:

> What I see Microsoft as doing is pretty much forcing everyone to turn
> on Automatic Windows Update.  Why leave it as a control panel option,
> I've no clue.  Same with BIT (Background Intelligent Transfers.)
> For the millions of users out there that are likely subject to viruses,
> etc, I'm sure it will help make things better, but for people who would
> fit into the "power user" class, it's a real pain in the arse.
>  
I'm just annoyed that Microsoft now requires me to run another service 
if I want their update website to work when I use it.  Turning off 
automatic updates in the control panel doesn't do anything to the 
service other than tell it to not poll the Microsoft site and tell me if 
I am missing something.

> I really object to this philosophy because it does not let a person
> plan the downloading and installation of updates - some of which will
> require a reboot.
>  
If you don't want to use Windows Update, you can always download each 
patch manually from the links provided in their monthly security 
bulletins.  You are subscribed to their bulletins right?  Once you have 
each patch downloaded, you can indeed plan the rollout to your system, 
don't forget you need a tool to check that your patches were installed 
correctly, like MBSA or HFNETCHK.

> What do large corporate installations of Windows do here?
>  
SUS, soon to be WUS.

> Do they run their own caches of the Windows updates?
>  
Yes, SUS, soon to be WUS.

> Push out updates from servers rather than have clients pull?
>  
Well, no.  The clients really pull it from the SUS Server, which pulls 
it from Microsoft.

> Is it all done with SUS?
>  
Yes.

> Is SUS usable on a single node, in place of WU?
>  
Define node.  On a workstation?  No, you need a Windows Server (2000 or 
2003) to run SUS from.  You also cannot visit the SUS site from a 
workstation using IE and do a scan like you do with Windows Update.  You 
have to schedule things so the client will poll the server for updates 
it is missing.

> The help for the "Windows Update" web site suggests that it is
> possible to get updates without Automatic Updates.  Is the help
> out of date or is there a way to still do it without AU on ?
>  
Subscribe to the Monthly Security bulletins and download the patches 
using the links provided there.  Or go to 
http://www.microsoft.com/security  and click on the "More security 
updates..." link.  I think you can take it from there.

> If you were a conspiracy theorist, you'd say this was Microsoft's way
> of being able to do more automatic updates before announcing a security
> vulnerability and mitigate the impact of 0-day exploits (developed through
> reverse engineering of changes.)
>  
No, if I were a conspiracy theorist I'd say Microsoft was pushing 
Automatic Updates so they could install secret backdoors on everyone's 
computers and then sneak in during the night to steal CPU cycles to 
donate to their friends from Betelgeuse 5 who need the help to plan 
their takeover of Planet Earth.

-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html