Date: Jan 31, 2003
Article is provided courtesy of Sams.
The so-called "phone home" feature of Windows XP helps end users and administrators automatically apply important updates and bug fixes. But at what price? Examine various methods Microsoft uses to apply automatic updates to a Windows XP computer and find out how to disable some of these features.
If you use Windows XP, like the millions of users around the world, you may have heard that Windows XP likes to occasionally touch base with its creator. In other words, it likes to "phone home" to Microsoft for various reasons, which range anywhere from updating your files and blacklisting certain applications on your computer to reporting errors and updating your system time. Some users feel pretty uncomfortable when their computer starts to update software without their permission, or reports anything to a vendor without their knowledge.
Microsoft refers to this feature as Automatic Updating and Downloading Technologies. The idea is to make things easier for end users and administrators by automatically providing the latest bug fixes, security patches, and the like.
In this article, I examine the various methods Microsoft uses to automatically install the latest updates on your Windows XP computer. Some of the features discussed in this article do not apply to Windows XP Home Edition, so our focus is on Windows XP Professional. For those of you who are not thrilled about XP phoning home, I'll show you how to best manage your own computer by disabling these automatic updates whenever possible.
Windows XP ships with lots of services that most users don't need. On an average Windows XP computer, I've noticed at least 78 services. About three dozen of these are configured to start automatically. According to some experts, fewer than 10 services are actually required to start automatically. When it comes to security, the fewer the services are running on your computer, the safer your computer is going to be. The same goes for the programs. Don't install applications that you don't need. Extraneous services and applications are not only a security risk; they also slow down your computer.
One of the major issues with these automatic updates is that once you've checked the box that you agree to always trust a vendor's (for example, Microsoft's) published content or certificate, from that point on software can be downloaded and installed on your computer without any notification. This means that a vendor can potentially download harmful or buggy updates to your computer without your knowledge.
An average user will be tempted to trust Microsoft's products and expects them to be safe and virus-free. This may be true most of the time, but unfortunately that's not always the case. Just recently a fellow Microsoft Certified Trainer (MCT) downloaded a virus in a class setup guide from Microsoft's MCT download Web site. I once found a virus in Microsoft Baseline Security Analyzer, an application that scans Windows NT/2000/XP for common security misconfigurations. And we've all heard about Microsoft inadvertently shipping Visual Studio .NET CDs to South Korea that contained the NIMDA virus in a help file. It's tough enough for consumers to keep up with all the security patches and to worry about the updates to protect their computers against viruses, worms, and parasites. With automatic updates, you have the benefit of keeping your system current with the latest patches, but you are still vulnerable for a couple of reasons:
- Automatic updates can possibly download buggy security patches, which can make your computer even more susceptible to attacks. I am sure you've heard some horror stories already.
- There's no guarantee that the software or driver that's downloaded silently in the background is totally compatible with all the other software installed on your computer. This can result in your system becoming unstable, or it can potentially crash your computer.
Let's look at various Windows XP Professional services and applications and see how to disable the automatic update feature. Due to space limitation, I won't be going into a detailed explanation of each and every service or application listed in this article. Make sure you understand the consequences of turning off these updates before you take any action. For a more detailed explanation of what these applications and services do and how the updates are performed, check out Microsoft's whitepaper "Managing Automatic Updating and Download Technologies in Windows XP."
ActiveX controls are installed when you visit a Web site that requires them. Only members of the Administrators group and the Power Users group can install these controls. If you disable these controls, keep in mind that any Web applications that require ActiveX controls, such as Windows Update, will cease to function. Because ActiveX controls can be a security risk, some people prefer to disable them.
To disable ActiveX controls, you can use the Group Policy. On a domain, you may want to use a domain policy. On a standalone computer, use the local Group Policy, as shown in Figure 1.
Figure 1 Disabling ActiveX controls.
Here's the procedure for disabling ActiveX controls on a standalone computer:
1. On a standalone Windows XP computer, go to Start, Run, and type MMC.
2. In the console window, click File and then select Add/Remove Snap-in.
3. Click Add and select Group Policy in the Add Standalone Snap-in box.
4. Click Add, Finish, Close. Then click OK.
5. Go to Computer Configuration, Administrative Templates, Windows Components, Internet Explorer.
6. In the right pane, double-click the option Disable Automatic Install of Internet Explorer Components.
7. Click Enabled and then click OK.
8. Double-click the option Disable Periodic Check for Internet Explorer Software Updates.
9. Click Enabled and then click OK.
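The two policies set in the procedure above are stored as registry values, which is useful when you need to apply or audit the setting on many standalone machines without clicking through the MMC. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes (from the Internet Explorer administrative template) that the two policies map to the DWORD values NoJITSetup and NoUpdateCheck under the Infodelivery\Restrictions policy key, and that the functions, variable names and the PowerShell 2.0 style are mine. Run it from an administrative prompt.

```powershell
# Added example (not from the article). Assumed mapping, per the IE administrative template:
#   NoJITSetup    = "Disable Automatic Install of Internet Explorer Components"
#   NoUpdateCheck = "Disable Periodic Check for Internet Explorer Software Updates"
$IeRestrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions'

function Disable-IeComponentUpdates {
    # Create the policy key if it is not there yet, then write both DWORDs as 1 (enabled).
    if (-not (Test-Path $IeRestrictions)) {
        New-Item -Path $IeRestrictions -Force | Out-Null
    }
    foreach ($name in 'NoJITSetup', 'NoUpdateCheck') {
        New-ItemProperty -Path $IeRestrictions -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-IeComponentUpdateState {
    # Report each restriction; a missing value means the policy is "Not configured".
    foreach ($name in 'NoJITSetup', 'NoUpdateCheck') {
        $value = (Get-ItemProperty -Path $IeRestrictions -Name $name -ErrorAction SilentlyContinue).$name
        New-Object PSObject -Property @{
            Policy  = $name
            Enabled = ($value -eq 1)
        }
    }
}

# Usage: Disable-IeComponentUpdates; Get-IeComponentUpdateState | Format-Table -AutoSize
```

One caveat worth knowing: writing the values directly has the same effect on Internet Explorer as the MMC procedure, but the Group Policy editor only shows a policy as "Enabled" when it was set through the editor (which also records it in the local registry.pol file), so use the function for auditing or for machines you manage by script, and the MMC when you want the state visible in gpedit.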
Certificate revocation is a feature that automatically verifies the status of a certificate with the Certificate Authority. If the certificate has been revoked because it has been compromised, you should be informed immediately. This feature is enabled by default. Microsoft recommends that you do not disable this feature because it protects you from fraudulent digital certificates. However, if you decide to turn off this feature, you can use Internet Explorer, as shown in Figure 2.
Figure 2 Disabling checking for certificate revocation.
Follow these steps to turn off this feature:
1. Start Internet Explorer.
2. Go to Tools, Internet Options, and select the Advanced tab.
3. Uncheck the box Check for Publisher's Certificate Revocation under the Security section, and click OK.
For security reasons, I recommend that you leave this feature enabled.
Digital Rights Management
The Digital Rights Management (DRM) technology is part of the Trusted Computing Platform Alliance and is implemented in Windows Media Player. It offers protection against tampered applications. To decrypt DRM-protected content, users must install a DRM license. The license is installed in one of the following two modes:
- Silent mode, in which the license is installed quietly in the background
- Nonsilent mode, in which the user is prompted to install the license
By default, the Windows Media Player is installed in (yes, you guessed it right) silent mode, so the license is downloaded and installed without the user getting prompted. You can switch from silent to nonsilent mode by configuring the option in Windows Media Player, but users cannot disable this technology in Windows XP. See the section "Windows Media Player," later in this article, to learn how to switch to nonsilent mode.
DRM also includes a built-in feature known as application revocation. If secure DRM contents are compromised, Microsoft or other third-party vendors can place your application on a DRM revocation list. This blacklist of sorts is downloaded automatically inside a DRM license and is installed on the user's computer silently without the user's knowledge. The list is updated automatically so that digital content cannot be distributed illegally and played on blacklisted players. If you try to use the blacklisted application, you will receive an error and will be asked to contact the vendor. The vendor may decide to lock out all applications from accessing the old DRM-protected content.
While no reasonable person will argue against vendors' rights to ensure that their product is used legally, what makes people nervous is the remote control a vendor can exercise over the applications running on their home computers.
The error-reporting option allows you to report software errors to Microsoft to help improve future products. If you want to participate in error reporting, leave this option alone. Some people argue that they should get paid for assisting software vendors in their software development. The error reporting is voluntary, and Microsoft uses it to prioritize debugging work on their products. Microsoft's chief executive, Steve Ballmer, said in an email memo to his customers, "There are risks in offering this option to have software 'phone home' like E.T. One risk is that error reporting could compound a customer's irritation over the error itself."
If the error reporting is causing you irritation and you want to disable this feature, use the following procedure:
1. Go to Control Panel, System.
2. Click on the Advanced tab and then click on Error Reporting, as shown in Figure 3.
3. On the Error Reporting dialog box, check the option Disable Error Reporting.
4. Click on the check box But Notify Me When Critical Errors Occur so that you are notified of the error.
Figure 3 Disabling error reporting.
Help and Support Center
If you have administrative privileges on your computer, you can update the Help and Support Center (HSC) contents. However, the contents are not updated automatically. Users are given the option to download and then install the updates. In addition, the content package that's downloaded must contain a digitally signed certificate.
Before you start to feel pretty good about HSC, let me give you some more information. Last year a security hole was discovered in the pluggable protocol hcp:// that HSC registers. The hcp:// protocol can be used to start the HSC from a Web browser. For example, type hcp://system/sysinfo/msinfo.htm in your browser. You'll notice that it starts the HSC and displays the system information. A research scientist discovered that by using the hcp:// protocol, it's possible to launch an attack that can arbitrarily delete files on your Windows XP computer. Microsoft provided a patch in Windows XP SP1 to fix this bug.
Microsoft doesn't offer any Group Policy settings or registry hacks that will allow you to control the behavior of HSC updates.
Internet Time Service
The Internet Time Service automatically synchronizes time on your Windows XP computer with Microsoft's time server time.windows.com. This server, in turn, synchronizes time with National Institute of Standards and Technology (NIST) computers, which synchronize with an atomic clock.
If your Windows XP computer is a standalone computer and is connected to the Internet, it will synchronize time automatically with time.windows.com every seven days by default, as shown in Figure 4. You will not be prompted to synchronize time manually. Whether you synchronize time automatically or manually, time is an important service, and it is best to ensure that your time is accurate on your computer. If you decide to turn off this feature, go to Control Panel, Date and Time. Then click on the Internet Time tab and uncheck the box Automatically Synchronize with an Internet Time Server.
Figure 4 Synchronizing time.
If your Windows XP computer has joined a domain, it will synchronize time with the time service on your domain controller. This cuts down on the traffic to the Internet. I don't recommend disabling this crucial service, but if you decide to disable time synchronization on your network, use the following procedure to modify the Group Policy:
1. Open the Group Policy that you want to configure.
2. Go to Computer Configuration, Administrative Templates, System, Windows Time Service, Time Providers.
3. In the right pane, double-click Enable Windows NTP Client, click Disabled, and then click OK.
4. In the right pane, double-click Configure Windows NTP Client, click Disabled, and then click OK.
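Both ways of turning off time synchronization described above (the Internet Time tab on a standalone computer, and the two NTP client policies on a domain) end up as registry settings that the Windows Time service reads. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes that the Internet Time checkbox toggles the Type value under the W32Time Parameters key between NTP and NoSync, that the Enable Windows NTP Client policy writes an Enabled DWORD under the W32Time policy key, and that the function names are mine. It reports the current state so you can see what the computer is doing before you change anything.

```powershell
# Added example (not from the article). Assumed registry locations:
#   W32Time service parameters (standalone Internet Time tab writes Type and NtpServer here)
#   W32Time NTP client policy   (the "Enable Windows NTP Client" policy writes Enabled here)
$W32TimeParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$NtpClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

function Get-TimeSyncState {
    $params = Get-ItemProperty -Path $W32TimeParams -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $NtpClientPolicy -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $policyState = 'Not configured'
    if ($null -ne $policy) {
        $policyState = if ($policy -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    New-Object PSObject -Property @{
        # NTP = Internet time server (standalone), NT5DS = domain hierarchy, NoSync = turned off
        SyncType        = $params.Type
        # On a standalone XP machine this is typically time.windows.com (assumption)
        NtpServer       = $params.NtpServer
        NtpClientPolicy = $policyState
        ServiceStatus   = (Get-Service -Name W32Time).Status
    }
}

function Disable-StandaloneTimeSync {
    # Same effect as unchecking "Automatically synchronize with an Internet time server":
    # tell the service to stop contacting any source, then restart it to pick up the change.
    Set-ItemProperty -Path $W32TimeParams -Name Type -Value 'NoSync'
    Restart-Service -Name W32Time
}

# Usage: Get-TimeSyncState | Format-List
```

On a domain member, Get-TimeSyncState should show NT5DS, which is the article's point that such a computer takes its time from the domain controller rather than from the Internet; the function is deliberately separate from Disable-StandaloneTimeSync so you can audit a fleet without changing anything, since a wrong clock breaks Kerberos logons and makes log timestamps useless for investigations.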
Besides offering too many services, by default Windows XP setup installs software such as MSN Explorer, which isn't required for Windows XP to function properly. It wastes 13.5MB of disk space and performs forced automatic updates. Microsoft doesn't offer the ability to control automatic updates of MSN Explorer. The best thing is to remove MSN Explorer from Control Panel, Add or Remove Programs. Interestingly, Microsoft recommends that in a corporate environment, you should remove MSN Explorer and use Internet Explorer for browsing the Internet. Microsoft suggests that you use Internet Explorer because it offers better security and is customizable, yet the default configuration of Windows XP installs MSN Explorer anyway.
In a domain environment where you are deploying Windows XP using unattended installations, you can use the answer file to remove MSN Explorer from the default installation. Simply add the line msnexplr=off to the [component] section of the answer file. On a standalone computer, remove MSN Explorer from Control Panel, Add or Remove Programs.
Root certificates are used when you use Secure Socket Layer (SSL) on a Web site. Microsoft has added dozens of organizations to the list of trusted authorities. Microsoft uses specific criteria to add companies to this list. According to Microsoft, many users have limited resources to verify the authenticity of an authority; as a result, these users are unable to decide who to trust. As a public service, Microsoft provides the Update Root Certificates feature, which automatically adds new trusted authorities that were blessed by Microsoft to your trusted authorities list.
Some people will find it interesting that, in the case of DRM technology, Microsoft (and other vendors) can add applications running on your computer to their blacklist without your knowledge. With automatic root certificate updates, Microsoft decides (on your behalf) who you should trust because they figure that you're "uncomfortable" making the right choice. If you prefer to make your own decisions about who you should trust, you can remove the Update Root Certificates feature.
As I've pointed out earlier, Microsoft uses special criteria to add vendors to the trusted list. However, if these "trusted" vendors were to mistakenly issue some fraudulent certificates, then we are all at risk. That's exactly what happened last year when VeriSign, a trusted third party, issued a pair of fraudulent digital certificates to an imposter claiming to be a Microsoft employee. For more details, check out the article "Microsoft Updates Windows to Combat VeriSign Glitch." In general, one would hope that updating the root certificates automatically is not a security risk. However, if you decide to disable this feature, use the following method on a standalone computer:
1. Go to Control Panel, Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Uncheck the box Update Root Certificates, as shown in Figure 5.
Figure 5 Disabling automatic updating of root certificates.
On a domain, you can disable the root certificate updates by implementing a Group Policy. However, make sure you understand the ramifications of disabling this feature. Among other things, it can significantly increase your workload, because you will have to do some research before you add organizations to your trusted authority list.
Windows Media Player
You can configure several features in Windows Media Player (WMP) to stop it from phoning home. These settings are configured on the Player tab of WMP, as shown in Figure 6. Notice that WMP will check for updates whether you like it or not. According to Microsoft, they don't offer you the option to turn off certain key features of DRM technology due to the nature of DRM technology. They suggest your best bet is to learn how the technology works instead of disabling some of its features.
Figure 6 Configuring automatic updates in Windows Media Player.
The automatic update feature has three options for checking for updates:
- Once a day
- Once a week
- Once a month (default setting)
I mentioned in the DRM section earlier in this article that you can configure WMP to acquire licenses in nonsilent mode. Simply uncheck the box Acquire Licenses Automatically, under Internet Settings, as shown in Figure 6.
Some vendors tend to think that everyone has a T1 connection to the Internet, so it's okay for them to link to a live page on the Internet as the default setting. Do yourself a favor and turn off the feature in which WMP starts by connecting to WindowsMedia.com. This can be done by unchecking the box Start Player in Media Guide, under Player settings. Changing this default setting can improve your performance and overall eXPerience.
Unfortunately, there's no Group Policy setting to disable the feature to check for updates to WMP in Windows XP. However, you can use the following registry hack to disable WMP updates in Windows XP:
1. Start the registry editor (regedit.exe).
2. Go to HKLM\SOFTWARE\Policies\Microsoft.
3. On the Edit menu, click New, Key.
4. Type WindowsMediaPlayer as the name for the key.
5. Highlight the WindowsMediaPlayer key in the left pane. Then on the Edit menu, click New, DWORD Value.
6. Type DisableAutoUpdate for the value and press Enter.
7. Double-click this new value in the right pane, and enter a decimal value 1 for Value data.
Windows Messenger also checks for updates automatically, but Microsoft was at least kind enough to give the users the option to install the new version rather than performing a forced installation. You must have administrative privileges to install the updates on your computer.
There's no Group Policy setting to disable the automatic version-checking feature, but there's a way to prevent Windows Messenger from running on a computer. To disable the automatic updates, you need to hack the registry. Depending on your version of Windows Messenger, the location to add the key might be different.
1. Start the registry editor (regedit.exe).
2. Go to HKLM\Software\Policies\Microsoft\Messenger\Client.
3. Add the key PreventAutoUpdate and set the value to 1.
For Windows Messenger 4.x, you may have to go to HKLM\Software\Microsoft\MessengerService\Policies, add the key DisableUpdates, and set the value to 1.
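The Windows Media Player registry hack and the two Windows Messenger locations above are all the same kind of change (a policy key that may not exist yet, plus a DWORD set to 1), so one script can apply and audit all three. The PowerShell below is an added example, not code from the article or from Microsoft; the paths and value names are the article's own, and it assumes that PreventAutoUpdate and DisableUpdates are DWORD values under the key the article names (the article calls them keys), and that the function names are mine.

```powershell
# Added example (not from the article). Paths and value names are those given in the text;
# writing PreventAutoUpdate and DisableUpdates as DWORD values is an assumption.
$UpdateSettings = @(
    @{ Component = 'Windows Media Player';          Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer'; Name = 'DisableAutoUpdate' }
    @{ Component = 'Windows Messenger';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client';   Name = 'PreventAutoUpdate' }
    @{ Component = 'Windows Messenger 4.x';         Path = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies';   Name = 'DisableUpdates' }
)

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value = 1)
    # regedit steps 3-4 (create the key) and 5-7 (create the DWORD) in one place
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Disable-PlayerAndMessengerUpdates {
    foreach ($s in $UpdateSettings) { Set-PolicyDword -Path $s.Path -Name $s.Name }
}

function Get-PlayerAndMessengerUpdateState {
    # Audit view: which of the three settings is actually in force on this computer
    foreach ($s in $UpdateSettings) {
        $v = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        New-Object PSObject -Property @{
            Component = $s.Component
            Value     = $s.Name
            Disabled  = ($v -eq 1)
        }
    }
}

# Usage: Disable-PlayerAndMessengerUpdates; Get-PlayerAndMessengerUpdateState | Format-Table -AutoSize
```

Keeping the settings in a table at the top means the audit function and the change function cannot drift apart, and the Messenger 4.x entry simply shows Disabled = False on a computer with a newer Messenger, which is the "depending on your version" point the article makes.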
Keep in mind that the above modification prevents only the automatic version-checking feature; it doesn't prevent Windows Messenger from running on your computer. To prevent Windows Messenger from running on your computer altogether, use the Group Policy. On a domain, you may want to use a domain policy. On a standalone computer, use the local group policy. Here's the procedure for a standalone computer:
1. On a standalone Windows XP computer, go to Start, Run, and type MMC.
2. In the console window, click on File and then select Add/Remove Snap-in.
3. Click on Add and select Group Policy in the Add Standalone Snap-in box.
4. Click Add, Finish, Close. Then click OK.
5. Go to the User Configuration section of Group Policy.
6. Locate Administrative Templates, Windows Components, Windows Messenger.
7. In the right pane, double-click Do Not Allow Windows Messenger to Be Run.
8. Click Enabled and then click OK.
Although Microsoft provides a method to turn off automatic updates in Control Panel, System, Properties (see Figure 7), that option doesn't seem to be the best solution. On a Windows 2000 domain, you can use a Group Policy to turn off automatic updates on all your Windows XP computers. In case you are unable to deploy Group Policies, or on standalone computers, disable the Windows Update service (wuauserv) in the Services MMC. Go to Administrative Tools, Services, and configure the startup type of the Automatic Updates service to be Disabled, as shown in Figure 8. Then stop the service and apply the change.
Figure 7 Turning off automatic updates.
Figure 8 Disabling the Automatic Updates service.
In case you are wondering about the dependencies of this service on other components, you can click on the Dependencies tab to verify that this service has no dependencies. It doesn't rely on any other service to start, and no other service depends on this particular service. Needless to say, if you turn off automatic updates, then you are responsible for manually updating your computer by going to the Windows Update Web site. If this proves to be a daunting task, you can leave the startup type to its default Automatic state and select one of the other notification settings in Figure 7. The default setting is the middle one, which notifies you before downloading and installing any updates.
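The Services MMC steps above (check the Dependencies tab, set the startup type to Disabled, stop the service) can be scripted, which matters when you want the same result on a number of standalone computers. The PowerShell below is an added example, not code from the article or from Microsoft; it uses only the service name the article gives (wuauserv) and the standard Get-Service, Set-Service and Stop-Service cmdlets, and the function names are mine. It refuses nothing, but it warns if the dependency check does not come back empty, which is the check the article makes before disabling the service.

```powershell
# Added example (not from the article). Service name wuauserv is from the text;
# on Windows XP its display name is "Automatic Updates".
function Get-AutomaticUpdatesDependencies {
    $svc = Get-Service -Name wuauserv
    New-Object PSObject -Property @{
        DisplayName  = $svc.DisplayName
        Status       = $svc.Status
        # What this service needs in order to start (the article expects this to be empty)
        DependsOn    = @($svc.ServicesDependedOn | Select-Object -ExpandProperty Name)
        # What would break if this service is disabled (the article expects this to be empty too)
        DependedOnBy = @($svc.DependentServices  | Select-Object -ExpandProperty Name)
    }
}

function Disable-AutomaticUpdatesService {
    $deps = Get-AutomaticUpdatesDependencies
    if ($deps.DependedOnBy.Count -gt 0) {
        Write-Warning ("Other services depend on wuauserv: " + ($deps.DependedOnBy -join ', '))
    }
    # Same as choosing Disabled in the Startup type drop-down, then clicking Stop
    Set-Service  -Name wuauserv -StartupType Disabled
    Stop-Service -Name wuauserv -Force
    Get-Service  -Name wuauserv
}

# Usage: Get-AutomaticUpdatesDependencies | Format-List; Disable-AutomaticUpdatesService
```

Once the service is disabled, the computer receives no patches at all until someone visits Windows Update by hand, so if you script this on more than a handful of machines, script the reminder to patch them as well; the Get- function alone is the safe thing to run when you only want to confirm the article's observation that nothing else depends on the service.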
The so-called "phone home" feature of Windows XP is beneficial in the sense that it helps end users and administrators automatically apply important updates and bug fixes. Besides providing ease of administration, it secures your computer from potential attackers by making it easier to apply the security patches. On the flip side, you may be potentially more vulnerable to attacks than you were before, the risk of messing up your computer's configuration increases substantially, and external organizations have more control over your personal computer. In short, life becomes easier in many ways, but you wonder whether your PC should now be called Public Computer.
If you are an average user, you are most likely unaware that your computer communicates with the outside world so frequently, and perhaps you care less about the consequences. If you are a network administrator who supports the end users, you probably want more control over the updates on your corporate computers. If you are a techie, you definitely want complete control over your computer. You prefer to disable every automatic update and be your own boss, making your own decisions and taking your own risks. No matter which category you fit in, hopefully after reading this article you will be in a better position to decide what's right for you.