By Mike Mullins
Patch management is one of the most crucial and intricate parts of Windows security. In the past few years, this issue has mushroomed due to the increased frequency of critical Microsoft patches.
For small business networks, the patch management solution of choice is the Windows Update service. Let's look at how you can manage patches with Windows Update.
Microsoft publishes its regular security updates on the second Tuesday of each month (commonly called Patch Tuesday). The exception is critical out-of-band releases, which Microsoft publishes as needed.
The Automatic Updates service (wuauserv) runs in the security context of the Local System account and starts automatically at boot (you can change the startup type, but doing so stops patching). Because it runs as Local System rather than as the logged-on user, it can download and install updates whether or not anyone is logged on. Clients connect automatically to the Windows Update servers, scan against the update catalog, and receive a list of missing updates.
Let's look at how you can manage updates via Active Directory and the registry.
Manage updates via Active Directory
With Windows 2000, XP, and Server 2003, you can manage Windows Update through Group Policy. If you don't already have the Wuau.adm administrative template, download it from Microsoft and save it to the C:\Windows\inf folder on the Active Directory (AD) domain controller.
To load policy settings by using Group Policy in Active Directory, follow these steps:
This creates the following entries in the Computer Configuration | Administrative Templates | Windows Components | Windows Update folder:
In addition, the User Configuration | Administrative Templates | Windows Components | Windows Update folder contains a single entry: Remove Access To Use All Windows Update Features. If enabled, this blocks user-initiated downloads from the Windows Update Web site and hides the Windows Update links; it does not stop the Automatic Updates service, which is governed by the computer settings above.
Manage updates via the registry
On any Windows 2000, XP, or Server 2003 system, go to Start | Run, type regedit.exe, and click OK. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU. (Create the WindowsUpdate and AU keys if they don't exist. Values under the Policies branch take precedence over whatever a user sets in the Automatic Updates Control Panel, which becomes read-only once policy is in place.)
Add the following settings. (All value types are REG_DWORD.)
Value data: 0 or 1
0 enables Automatic Updates. (This is the default.)
1 disables Automatic Updates.
Value data: 2 to 4
2 notifies of download and installation.
3 automatically downloads and notifies of installation.
4 automatically downloads and schedules installation.
Value data: 0 to 7
0 specifies every day.
1 through 7 designate a specific weekday, where Sunday is 1 and Saturday is 7.
Value data: n, where n is the hour of day in 24-hour format (0 to 23) at which the scheduled installation runs.
Value data: 0 or 1. Setting this value to 1 configures Automatic Updates to use an internal server that runs Software Update Services (SUS) instead of Windows Update. This setting alone isn't enough: you must also specify the SUS server's URL in the parent WindowsUpdate key, or clients will have no update source at all.
Value data: m, where m is the time in minutes (1 to 60) that Automatic Updates waits after startup before proceeding with a scheduled installation that was missed because the computer was off at the scheduled time.
Value data: 0 or 1
1 specifies that Automatic Updates doesn't automatically restart a computer while users are logged on; it notifies the logged-on user instead. 0 (the default) allows a scheduled installation to restart the computer after warning the user.
Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.
Whether an update actually gets installed can depend on the rights of the logged-on user. If you use the notification options (2 or 3) and let users decide which updates to download and install, only members of the local Administrators group see the notification and can approve the installation. On a properly locked-down desktop where users aren't local admins, those updates never get installed.
I recommend always scheduling automatic download and installation (option 4) at a time when the machines are likely to be powered on. That way, your updates won't depend on logged-on users.
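As an added example (not from the article), here is a PowerShell script that applies the recommended configuration described above, either to the local machine through the same registry policy key or domain-wide through a Group Policy Object. The registry value names it writes (NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime, RescheduleWaitTime, NoAutoRebootWithLoggedOnUsers, UseWUServer, plus WUServer and WUStatusServer in the parent key) are the documented names for the Automatic Updates policy values and are supplied here; the article lists only their data ranges. The GPO name and the SUS/WSUS URL are assumptions. The GPO path uses the GroupPolicy module (RSAT), which postdates the Windows 2000/XP era the article targets; on those systems the Local path, or a .reg file carrying the same values, is what you would use.

```powershell
<#
  Added example, not from the article: apply the Automatic Updates policy
  from the registry section above. Run from an elevated PowerShell prompt.
  Value names are the documented AU policy values; the article lists only
  their data ranges. GPO name and WSUS URL are assumptions.
#>
param(
    [ValidateSet('Local', 'GPO')] [string]$Target = 'Local',
    [string]$GpoName = 'Workstation Updates',   # assumed GPO name (must already exist)
    [string]$WsusUrl = $null                    # e.g. 'http://wsus.corp.example' (assumed)
)

$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# The article's recommendation: automatic download plus scheduled install,
# every day at 03:00, never reboot with someone logged on, and retry a
# missed install 10 minutes after the machine next starts.
$settings = [ordered]@{
    NoAutoUpdate                  = 0    # 0 = Automatic Updates on, 1 = off
    AUOptions                     = 4    # 2 notify/notify, 3 download/notify, 4 download/schedule
    ScheduledInstallDay           = 0    # 0 = every day, 1 = Sunday .. 7 = Saturday
    ScheduledInstallTime          = 3    # hour of day, 0-23
    RescheduleWaitTime            = 10   # minutes after startup to run a missed install, 1-60
    NoAutoRebootWithLoggedOnUsers = 1    # 1 = don't reboot while users are logged on
    UseWUServer                   = 0    # 1 = use the SUS/WSUS server named in WUServer
}
$ranges = @{
    NoAutoUpdate = 0..1; AUOptions = 2..4; ScheduledInstallDay = 0..7
    ScheduledInstallTime = 0..23; RescheduleWaitTime = 1..60
    NoAutoRebootWithLoggedOnUsers = 0..1; UseWUServer = 0..1
}
if ($WsusUrl) { $settings.UseWUServer = 1 }

# Refuse to write anything outside the documented ranges.
foreach ($name in $settings.Keys) {
    if ($ranges[$name] -notcontains $settings[$name]) {
        throw "$name = $($settings[$name]) is outside the documented range"
    }
}
if ($settings.UseWUServer -eq 1 -and -not $WsusUrl) {
    throw 'UseWUServer=1 without a server URL leaves clients with no update source'
}

switch ($Target) {
    'Local' {
        foreach ($p in $wuPath, $auPath) {
            if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        }
        foreach ($name in $settings.Keys) {
            Set-ItemProperty -Path $auPath -Name $name -Value $settings[$name] -Type DWord
        }
        if ($WsusUrl) {
            # Both values live in the parent WindowsUpdate key, not under AU.
            Set-ItemProperty -Path $wuPath -Name WUServer       -Value $WsusUrl -Type String
            Set-ItemProperty -Path $wuPath -Name WUStatusServer -Value $WsusUrl -Type String
        }
        # Read back the effective policy so you can verify what the service will use.
        Get-ItemProperty -Path $auPath | Select-Object -Property @($settings.Keys)
    }
    'GPO' {
        Import-Module GroupPolicy   # RSAT; writes the same values into the GPO's registry.pol
        $gpoAuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        $gpoWuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        foreach ($name in $settings.Keys) {
            Set-GPRegistryValue -Name $GpoName -Key $gpoAuKey -ValueName $name `
                -Type DWord -Value $settings[$name] | Out-Null
        }
        if ($WsusUrl) {
            foreach ($v in 'WUServer', 'WUStatusServer') {
                Set-GPRegistryValue -Name $GpoName -Key $gpoWuKey -ValueName $v `
                    -Type String -Value $WsusUrl | Out-Null
            }
        }
        # Show the values now stored in the GPO.
        Get-GPRegistryValue -Name $GpoName -Key $gpoAuKey
    }
}
```

Run it as `.\Set-AutoUpdatePolicy.ps1 -Target Local` on a single machine, or `.\Set-AutoUpdatePolicy.ps1 -Target GPO -GpoName 'Workstation Updates'` from a domain-joined admin workstation to push the same values to every computer the GPO is linked to. The range check matters because these values are plain DWORDs: regedit will happily accept a ScheduledInstallTime of 25 or an AUOptions of 7, and nothing tells you the schedule is wrong until patches stop arriving. On XP and Server 2003, `wuauclt /detectnow` forces an immediate detection cycle after the policy lands.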
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.