

Hardening Windows School: Beginner's checklist for managing patches


Jonathan Hassell
05.17.2005


The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems. Lesson 1 -- Enabling automatic security updates in Windows Server 2003 -- will be available Wed., May 18. Future checklists and lessons will spotlight intermediate and advanced Windows security techniques. Click for the course outline.


It's the bane of an administrator's existence, the pain in the rear of every system manager, the headache that may be pounding at your CIO. You might have guessed by now that I'm referring to patch management -- and I use the term "management" loosely.

More than 40 updates had to be applied to a brand new Dell computer running Windows XP Service Pack 1 before Service Pack 2 was released. Over 20 updates had to be applied to new systems for Windows 2000 Service Pack 3 before Microsoft released the fourth service pack in the summer of 2003. Considering this ever-growing hairball of security fixes, bug fixes, critical updates and patch revisions, it would almost be easier to disconnect all machines from the Internet and work with stone tablets than deploy new systems.

Getting your machines to a consistent and stable update level is a major challenge. For networks with lots of systems, it's a daunting task. Even one unpatched PC can cause all sorts of problems for your IT infrastructure. Fortunately that's why you're reading this: You've come to find a way to make all of this patching more manageable -- and Automatic Updates is a great way to do so.

You need to know four things about Automatic Updates, which I'll outline in this checklist.
Hardening Windows School Beginner Checklist: Manage patching with Automatic Updates

Enable Automatic Updates
The client-side GUI is fairly easy to use. To see the GUI in Windows XP or Windows Server 2003, open Control Panel, navigate to the System applet and open it. Then click on the Automatic Updates tab. In Windows 2000, open Control Panel, navigate to the Automatic Updates applet and double-click to open it. (You'll need Service Pack 3 or 4 for this to work in Windows 2000.) Select Automatic, and then choose a time for updates to download. Click OK, and you're done.

Don't let updates knock users offline
Within Group Policy, there's a policy setting called "No auto-restart for scheduled Automatic Updates installations." This option designates whether a client computer should automatically reboot when a newly installed update requires a system restart. If the status is set to Enabled, Automatic Updates will not restart a computer automatically if a user is logged in to the computer. Instead, it will notify the user to restart the computer to complete the installation. If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. You can see the obvious problem here if you have a lot of users running detailed, intensive simulations overnight and an update becomes available.

Remember other updates
Automatic Updates will only give you Microsoft updates marked as "critical" and service packs upon their release. You need to visit Windows Update yourself -- or instruct your users to, if you dare -- in order to get the recommended updates, driver fixes and other software patches that might be released.
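
The following added example (not from the original article) audits the policy-side registry values behind the settings described above: whether Automatic Updates is set to scheduled installs and whether the no-auto-restart policy is Enabled. The key path and value names are the standard Automatic Updates policy values; the function names and the sample data are constructed for illustration.

```powershell
# Added example, not from the original article. The registry value names are the
# documented Automatic Updates policy values; function names are illustrative.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AuValueNames = 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay',
                'ScheduledInstallTime', 'NoAutoRebootWithLoggedOnUsers'

function Read-AuPolicy {
    # Collect the policy values that are present; empty if no policy is applied.
    param([string]$Path = $AuPolicyKey)
    $values = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($name in $AuValueNames) {
            if ($null -ne $item.$name) { $values[$name] = [int]$item.$name }
        }
    }
    return $values
}

function Test-AuPolicy {
    # Compare the values with the checklist and return one string per finding.
    param([hashtable]$Policy)
    if ($Policy.Count -eq 0) {
        return 'No Automatic Updates policy applied; each client uses its local setting.'
    }
    $findings = @()
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'Automatic Updates is disabled by policy.'
    } elseif ($Policy['AUOptions'] -ne 4) {
        # 2 = notify only, 3 = download then notify, 4 = download and install on schedule
        $findings += "AUOptions is '$($Policy['AUOptions'])', not 4 (scheduled install)."
    } else {
        $findings += "Scheduled install at hour $($Policy['ScheduledInstallTime'])."
    }
    if ($Policy['NoAutoRebootWithLoggedOnUsers'] -ne 1) {
        $findings += 'No-auto-restart is not Enabled: logged-on users get the 5-minute restart notice.'
    }
    return $findings
}

# Constructed sample: installs scheduled for 03:00 every day, restart policy not configured.
$sample = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
Test-AuPolicy -Policy $sample
# On a managed machine, evaluate the live policy instead:
# Test-AuPolicy -Policy (Read-AuPolicy)
```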


  • ABOUT THE AUTHOR:
    Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

    Copyright 2005