If you use Windows XP, like millions of users around the world, you may have heard that Windows XP likes to occasionally touch base with its creator. In other words, it likes to "phone home" to Microsoft for various reasons, which range anywhere from updating your files and blacklisting certain applications on your computer to reporting errors and updating your system time. Some users feel pretty uncomfortable when their computer starts to update software without their permission, or reports anything to a vendor without their knowledge.
Microsoft refers to this feature as Automatic Updating and Downloading Technologies. The idea is to make things easier for end users and administrators by automatically providing the latest bug fixes, security patches, and the like.
In this article, I examine the various methods Microsoft uses to automatically install the latest updates on your Windows XP computer. Some of the features discussed in this article do not apply to Windows XP Home Edition, so our focus is on Windows XP Professional. For those of you who are not thrilled about XP phoning home, I'll show you how to best manage your own computer by disabling these automatic updates whenever possible.
Windows XP ships with lots of services that most users don't need. On an average Windows XP computer, I've noticed at least 78 services. About three dozen of these are configured to start automatically. According to some experts, fewer than 10 services are actually required to start automatically. When it comes to security, the fewer services running on your computer, the safer your computer is going to be. The same goes for programs. Don't install applications that you don't need. Extraneous services and applications are not only a security risk; they also slow down your computer.
One of the major issues with these automatic updates is that once you've checked the box that you agree to always trust a vendor's (for example, Microsoft's) published content or certificate, from that point on software can be downloaded and installed on your computer without any notification. This means that a vendor can potentially download harmful or buggy updates to your computer without your knowledge.
An average user will be tempted to trust Microsoft's products and expects them to be safe and virus-free. This may be true most of the time, but unfortunately that's not always the case. Just recently a fellow Microsoft Certified Trainer (MCT) downloaded a virus in a class setup guide from Microsoft's MCT download Web site. I once found a virus in Microsoft Baseline Security Analyzer, an application that scans Windows NT/2000/XP for common security misconfigurations. And we've all heard about Microsoft inadvertently shipping Visual Studio .NET CDs to South Korea that contained the NIMDA virus in a help file. It's tough enough for consumers to keep up with all the security patches and to worry about the updates to protect their computers against viruses, worms, and parasites. With automatic updates, you have the benefit of keeping your system current with the latest patches, but you are still vulnerable for a couple of reasons:
Automatic updates can possibly download buggy security patches, which can make your computer even more susceptible to attacks. I am sure you've heard some horror stories already.
There's no guarantee that the software or driver that's downloaded silently in the background is totally compatible with all the other software installed on your computer. This can result in your system becoming unstable, or it can potentially crash your computer.
Let's look at various Windows XP Professional services and applications and see how to disable the automatic update feature. Because of space limitations, I won't be going into a detailed explanation of each and every service or application listed in this article. Make sure you understand the consequences of turning off these updates before you take any action. For a more detailed explanation of what these applications and services do and how the updates are performed, check out Microsoft's whitepaper "Managing Automatic Updating and Download Technologies in Windows XP."
ActiveX controls are installed when you visit a Web site that requires ActiveX controls. Only the members of Administrators group and the Power Users group can install these controls. If you disable these controls, you should keep in mind that any Web applications that require ActiveX controls, such as Windows Update, will cease to function. Because ActiveX controls can be a security risk, some people prefer to disable them.
To disable ActiveX controls, you can use Group Policy. On a domain, you may want to use a domain policy. On a standalone computer, use the local Group Policy, as shown in Figure 1.
Figure 1 Disabling ActiveX controls.
Here's the procedure for disabling ActiveX controls on a standalone computer:
On a standalone Windows XP computer, go to Start, Run, and type MMC.
In the console window, click File and then select Add/Remove Snap-in.
Click Add and select Group Policy in the Add Standalone Snap-in box.
Click Add, Finish, Close. Then click OK.
Go to Computer Configuration, Administrative Templates, Windows Components, Internet Explorer.
In the right pane, double-click the option Disable Automatic Install of Internet Explorer Components.
Click Enable and then click OK.
Double-click the option Disable Periodic Check for Internet Explorer Software Updates.
Click Enable and then click OK.
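To confirm that both settings from the procedure above actually took effect, the following added example (not part of the original article or of Microsoft's whitepaper) reads the policy values back from the registry. It assumes Windows PowerShell is installed and that these two settings are stored as NoJITSetup and NoUpdateCheck under the Internet Explorer policy key shown in the script; the function name is hypothetical.

```powershell
# Added example: audit the two Internet Explorer policies set in the procedure above.
# Assumption: the Internet Explorer administrative template stores these
# Computer Configuration settings as DWORD values under the key below.
$key = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions'

$policies = @(
    @{ Value = 'NoJITSetup';    Name = 'Disable Automatic Install of Internet Explorer Components' },
    @{ Value = 'NoUpdateCheck'; Name = 'Disable Periodic Check for Internet Explorer Software Updates' }
)

# Hypothetical helper: returns 'Enabled' only when the value exists and equals 1.
function Get-PolicyState {
    param([string]$Path, [string]$ValueName)

    if (-not (Test-Path $Path)) { return 'Not configured (key missing)' }

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties[$ValueName] -eq $null) {
        return 'Not configured (value missing)'
    }

    $data = $props.$ValueName
    if ($data -eq 1) { return 'Enabled' }
    return "Not enforced (data = $data)"
}

$failed = 0
foreach ($p in $policies) {
    $state = Get-PolicyState -Path $key -ValueName $p.Value
    if ($state -ne 'Enabled') { $failed++ }
    # One line per policy: registry value, state, policy name as shown in the snap-in.
    '{0,-14} {1,-32} {2}' -f $p.Value, $state, $p.Name
}

if ($failed -gt 0) {
    Write-Warning "$failed of $($policies.Count) policies are not enforced. Re-check the Group Policy snap-in, then run 'gpupdate /force'."
    exit 1
}
'Both Internet Explorer update policies are enforced.'
```

The script exits with status 1 when either policy is missing or not set to 1, so it can be run from a logon script or scheduled task to catch a computer where the policy was later reverted.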