Maintaining Security by Implementing, Managing, and Troubleshooting Service Packs and Security Updates
Windows XP Dynamic Update and Windows Update
Windows XP Dynamic Update is a service that runs only at the beginning of a Windows XP installation. Dynamic Update can be configured to automatically connect the Windows XP computer to the Internet and download all fixes and driver updates during installation.
The Windows Update service is an online service that can be used to update Windows computers with new utilities, drivers, and critical security updates.
Windows XP Dynamic Update
Dynamic Update is meant to provide a convenient way to obtain the latest fixes and newest drivers. You can select the option to use Dynamic Update during the Windows XP installation process. Obviously, an Internet connection is necessary for this. Administrators should consider the security issue here: a computer that is still being installed has none of the post-release fixes applied yet, so it is exposed to the Internet at the moment it is least able to defend itself. Connecting a computer to the Internet during installation is not an industry best practice. In fact, best practice states that you should never do this.
Dynamic Update is not available by default on a computer that is installed via an unattended installation with an answer file. However, administrators can configure an installation to use Dynamic Update to download Dynamic Update packages to the corporate network from the Windows Update Catalog site. Thus, the update can occur from a safe, local network location instead of the Internet.
Windows XP can be configured to automatically and periodically contact the Windows Update site and download critical patches. Windows 2000 with Service Pack 3 or later can also be configured to contact the update site periodically. All Windows computers can also manually access the public update site, request a scan for needed updates, and approve the resulting downloads and installations.
The first time you connect a Windows system to the Windows Update site, a Web-based control (an ActiveX control) is downloaded and then used to scan the computer for needed updates. When Microsoft revises the control, the new version is downloaded from the Windows Update site in the same way.
The following are options for automatic updates:
Download automatically and notify the user when the updates are ready to be installed.
Notify the user before downloading and notify the user again when the updates are ready to be installed.
Turn off automatic updating.
Group Policy Control of Windows Update Technologies
In order for users to take advantage of the Windows Update service, they must have administrative privileges to download and install updates. You can use group policy to disable Windows Update services for all XP users, including other administrators. To do this, you must set the following policies that affect Windows Update:
User Configuration\Administrative Templates\Windows Components\Windows Update\Remove Access to Use All Windows Update Features. Select Enabled to remove all access to Windows Update features.
User Configuration\Administrative Templates\System\Configure Driver Search Locations. Select Enabled, and then select Don't Search Windows Update, so that Plug and Play driver searches never contact Windows Update.
User Configuration\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download. Select Enabled to prevent Windows Media Player from downloading codecs automatically.
User Configuration\Administrative Templates\Windows Components\Windows Messenger or Computer Configuration\Administrative Templates\Windows Components\Windows Messenger. Set Do Not Allow Windows Messenger to Be Run to Enabled. Note that if both the user and computer configuration settings are configured, the computer configuration setting takes precedence.
Windows Settings\Security Settings\Public Key Policy. Right-click Trusted Root Certification Authorities and select Properties. Then select Enterprise Root Certification Authorities and add the CAs that are to be trusted. Doing this removes trust in any CAs currently in the trusted authorities store that are not on your list.
Setting group policy to enter approved trusted root CAs removes the root CAs initially configured during installation. This could affect the functionality of the Windows system. Before using this choice, you should determine which certificates are essential to the operation of the clients you control. To fully understand the implications of making these changes, you need to understand Public Key Infrastructure (PKI) and how it is used in Windows. For more information, see Chapter 7, "Implementing and Managing PKI and EFS," and the resources mentioned in that chapter.
User Configuration\Administrative Templates\System\Windows Automatic Updates. You should select Disabled.
Windows XP uses the Windows Update service to search for drivers for Plug and Play devices if a new Plug and Play device is plugged into the computer and no local driver is available. Windows XP's Windows Update service can also be configured to automatically search for updated drivers for existing devices, including printers. This feature can also be controlled via group policy.
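Rather than trusting that the policy list above and the Automatic Updates options described earlier were applied, a practitioner can audit them. The following Python script is an added example and is not part of this chapter: it parses the text of one or more reg export files from an XP client and reports every recommended policy that is absent or set to a weaker value, and it maps the Automatic Updates registry values back to the option names used above. The registry key and value names it checks are assumptions drawn from the XP administrative templates as recalled here; confirm them against the .adm files in your own domain before relying on the list. The sample export embedded in the script is constructed for illustration.

```python
r"""Audit exported Windows XP policy keys for the Windows Update lockdown
settings recommended in this chapter.  Added example; not from the chapter.

Usage (export on the client as an administrator, audit anywhere):
    reg export HKCU\Software hkcu.reg
    reg export HKLM\Software\Policies hklm.reg
    python audit_wu_policy.py hkcu.reg hklm.reg
ASSUMPTION: key and value names are recalled from the XP administrative
templates (system.adm, wuau.adm, wmplayer.adm); confirm against your .adm files."""
import re
import sys

# Hardened state: (registry key, value name) -> required DWORD.
EXPECTED = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate",
     "DisableWindowsUpdateAccess"): 1,   # Remove access to use all Windows Update features
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\DriverSearching",
     "DontSearchWindowsUpdate"): 1,      # Configure driver search locations: Don't search WU
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer",
     "PreventCodecDownload"): 1,         # Prevent codec download
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client",
     "PreventRun"): 1,                   # Do not allow Windows Messenger to be run
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU",
     "NoAutoUpdate"): 1,                 # Automatic Updates turned off
}

AU_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
# AUOptions values as documented for Automatic Updates clients.
AU_OPTIONS = {
    2: "notify before download and before install",
    3: "download automatically, notify before install",
    4: "download automatically, install on a schedule",
    5: "local administrators choose the setting",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {(key, name): int} for every REG_DWORD in one or more
    concatenated 'reg export' files.  Keys and names are lower-cased because
    the registry is case-insensitive.  reg.exe writes UTF-16LE with a BOM, so
    decode the file before calling.  Non-DWORD values are ignored."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(values):
    """Return [(key, name, found, required)] for each expected policy that is
    absent or has the wrong value.  Absent is reported as None: a policy that
    is 'not configured' leaves the feature enabled, so it is a finding too."""
    findings = []
    for (key, name), required in EXPECTED.items():
        found = values.get((key.lower(), name.lower()))
        if found != required:
            findings.append((key, name, found, required))
    return findings


def describe_automatic_updates(values):
    """Map the AU policy values to the option names used in the chapter."""
    if values.get((AU_KEY.lower(), "noautoupdate")) == 1:
        return "turned off"
    option = values.get((AU_KEY.lower(), "auoptions"))
    return AU_OPTIONS.get(option, "not configured (Control Panel choice applies)")


# Constructed sample: a client that is only partly locked down.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\DriverSearching]
"DontSearchWindowsUpdate"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer]
"PreventCodecDownload"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"WUServer"="http://wsus.example.internal"
"""


def main(paths):
    parts = []
    for p in paths:
        with open(p, encoding="utf-16") as fh:
            parts.append(fh.read())
    values = parse_reg_export("\n".join(parts) if parts else SAMPLE_EXPORT)
    print("Automatic Updates:", describe_automatic_updates(values))
    for key, name, found, required in audit(values):
        print(f"FINDING {key}\\{name}: found {found!r}, required {required}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments, the script audits the embedded sample and reports four findings: the Windows Update access policy and the Messenger policy are absent, codec download is still allowed, and Automatic Updates is configured rather than turned off. Treating an absent value as a finding is deliberate; a policy that is "not configured" leaves the user's own Control Panel choice in force, which is exactly the state the policy list is meant to remove.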
Other Windows Automatic Technology Updates
Many Windows components are designed to automatically update. Although some consider this a boon, because security fixes can be delivered automatically, others feel that it can cause more problems than it solves. Nevertheless, you need to know about these automation capabilities and how to manage them. The following technologies are also updated automatically:
Media Player updates
MSN Explorer updates
Windows Messenger updates
The Windows Help and Support Center
Microsoft Update Root Certificates