The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems. Lesson 1 -- Enabling automatic security updates in Windows Server 2003 -- will be available Wed., May 18. Future checklists and lessons will spotlight intermediate and advanced Windows security techniques. Click for the course outline.
It's the bane of an administrator's existence, the pain in the rear of every system manager, the headache that may be pounding at your CIO. You might have guessed by now that I'm referring to patch management -- and I use the term "management" loosely.
More than 40 updates had to be applied to a brand new Dell computer running Windows XP Service Pack 1 before Service Pack 2 was released. Over 20 updates had to be applied to new systems for Windows 2000 Service Pack 3 before Microsoft released the fourth service pack in the summer of 2003. Considering this ever-growing hairball of security fixes, bug fixes, critical updates and patch revisions, it would almost be easier to disconnect all machines from the Internet and work with stone tablets than deploy new systems.
Getting your machines to a consistent and stable update level is a major challenge. For networks with lots of systems, it's a daunting task. Even one unpatched PC can cause all sorts of problems for your IT infrastructure. Fortunately that's why you're reading this: You've come to find a way to make all of this patching more manageable -- and Automatic Updates is a great way to do so.
You need to know four things about Automatic Updates, which I'll outline in this checklist. (Click here for the printable version.)
|Hardening Windows School Beginner Checklist: Manage patching with Automatic Updates|
|Enable Automatic Updates|
|The client-side GUI is fairly easy to use. To see the GUI in Windows XP or Windows Server 2003, open Control Panel, navigate to the System applet and open it. Then click on the|
|Automatic Updates tab. In Windows 2000, open Control Panel, navigate to the Automatic Updates applet and double-click to open it. (You'll need Service Pack 3 or 4 for this to work|
|in Windows 2000.) Select Automatic, and then choose a time for updates to download. Click OK, and you're done.|
|Don't let updates knock users offline|
|Within Group Policy, there's a GPO called "No auto-restart for scheduled Automatic Updates installations." This option designates whether a client computer should automatically|
|reboot when a newly-installed update requires a system restart. If the status is set to Enabled, Automatic Updates will not restart a computer automatically if a user is logged in|
|to the computer. Instead, it will notify the user to restart the computer to complete the installation. If the status is set to Disabled or Not Configured, Automatic Updates will|
|notify the user that the computer will automatically restart in 5 minutes to complete the installation. You can see the obvious problem here if you have a lot of users running|
|detailed, intensive simulations overnight and an update becomes available.|
|Remember other updates|
|Automatic Updates will only give you Microsoft updates marked as "critical" and service packs upon their release. You need to visit Windows Update yourself -- or instruct your|
|users to if you dare -- in order to get the recommended updates, driver fixes and other software patches that might be released.|
Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.
More from the Hardening Windows School
|ABOUT THE AUTHOR: Go back to Checklists|
|Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.|