#124552 - 2004-08-06 05:47 PM
Re: Automatic updates and XP SP2
|
Radimus
Moderator
   
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
|
The simple fix for many orgs is to just block windowsupdate.microsoft.com on the proxy or DNS server until SP2 gets tested.
The unmanaged/unmanageable companies are the ones that cause many problems to the internet as a whole... no AV, no techies, just out with their stuff blowing in the wind
#124556 - 2004-08-06 09:07 PM
Re: Automatic updates and XP SP2
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Just to give you guys some idea of what people are using. Here is a poll that was taken by NTBugtraq on Patch Management in which 1241 of 5273 (23.5%) respondents indicated that they use AU for updates...
http://www.ntbugtraq.com/patchresults.asp
myITforum had a similar poll, but the number of respondents (167) is not a high enough sampling to produce good results.
Edited by Chris S. (2004-08-06 09:09 PM)
#124557 - 2004-08-06 09:26 PM
Re: Automatic updates and XP SP2
|
Shawn
Administrator
   
Registered: 1999-08-13
Posts: 8611
|
Quote:
We are coming out with documentation early next week (most probably Monday) that will answer questions on how to minimize the impact of SP2.
Affectionately known as the "how to undo what we did" document. :0)
-Shawn
[edit] Now, if your machines are hacked - it's because of something YOU did, and not because of some MS security flaw. Don't get me wrong - I'm in favor of all this stuff and I'm a huge MS booster. Just think that what MS is calling a "service pack", given the nature of the changes, should actually be in the next major release (new OS I mean) - this is not a service pack in the true sense of the term.
#124559 - 2004-08-06 11:24 PM
Re: Automatic updates and XP SP2
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
I have just sent the following open letter to Microsoft to Russ Cooper of NTBugtraq and Rod Trent of myITForum. Please forward this off or post it wherever you feel it will get the most attention...
---------------------------------------------------------
Not much has been said about a fundamental shift in Microsoft's policy regarding deploying Service Packs through Automatic Updates, but Microsoft is planning on deploying Windows XP SP2 to computers configured to receive updates using Automatic Updates. Previously, Microsoft's policy in regards to Service Packs and Automatic Updates was that Service Packs were not deployed with AU and had to be installed separately. The following is a quote from Microsoft's Windows Service Pack Road Map http://www.microsoft.com/windows/lifecycle/servicepacks.mspx:
"Automatic Updates in Windows XP Professional and Windows XP Home Edition can keep your computer up to date with the latest hotfixes. However, service packs are not automatically deployed at this time. You will need to visit the Windows Update website manually to install the Service Pack."
It is now apparent that Microsoft will, in fact, begin deploying Service Packs with Automatic Updates as referenced by Microsoft's Security website http://www.microsoft.com/athome/security/protect/default.aspx:
"Coming Soon: Windows XP Service Pack 2
Microsoft is preparing to release a free update for Windows XP that provides better protection against hackers, viruses, and worms. The best way to ensure you get Windows XP Service Pack 2 when it is released is by turning on Automatic Updates today. You can use our step-by-step instructions or, if you prefer, let us do it for you."
Given that the nature of SP2 is not your run-of-the-mill hotfix rollup, this policy shift is, in my opinion, a reckless policy that will cause a lot of Microsoft's corporate customers harm. The reason being that a large percentage of Microsoft's customers use Automatic Updates as a patch management solution. Take the results of NTBugtraq's poll regarding patch management solutions http://www.ntbugtraq.com/patchresults.asp as an example. This poll had 5,273 respondents, 1241 (23.5%) of which replied that they use Windows Update (AU) to deploy their critical updates.
The scope of changes that Windows XP SP2 will have on customers is detailed at Microsoft's Windows XP Service Pack 2 website http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx. Simply put, it WILL affect the way that Windows XP workstations behave, how they operate with SMS, SQL & MSDE, and more.
Regardless of the press that has been made of SP2's imminent arrival, for Microsoft to "force" SP2 on customers has the potential of causing as many (or more) problems as the security issues that they address. Undoubtedly, these security enhancements are needed, but at what cost should they be "forced" on customers? There is the very real possibility of customers losing money and productivity as SP2's "enhanced security infrastructure" causes IT workers worldwide to address the "changes in functionality" that SP2 will bring into effect.
It is my opinion that Microsoft should NOT change their Automatic Updates policy in regards to automatically deploying service packs. If you agree with this opinion, please contact your Microsoft representative and make your feelings known.
Respectfully,
Chris Shilt
Systems Administrator
The Relizon Company
---------------------------------------------------------
#124563 - 2004-08-10 04:50 PM
Re: Automatic updates and XP SP2
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Ok, some updates. Here is a response I received, but didn't get forwarded to the list...
Russ, I'd agree except it's a bit apples and oranges on this comparison of SP2 to past service packs. XP SP2 is a monumental (sound like a MS PR person eh) service pack of unprecedented scope and impact that makes the others look like simple hotfixes in comparison. Your comments about XP SP1 and W2K SP4, in my opinion (you know what they say about opinions), and the disasters they caused for some folks, would only reinforce Chris' point about how reckless it is to auto-force XP SP2 out via Auto Updates. I have to concur with Chris on most all his points, this is big problems awaiting unlike anything we've ever seen. XP SP2 is for all practical purposes, a new operating system, not just a bunch of hotfixes rolled up into the typical service pack.
Felix seems to forget about the small business world and the huge number of businesses out there that probably have no clue what SUS is. Either way I thought this was such a well tested cure for all our internet security issues involving windows XP, home, business or whatnot? Don't get me wrong, well managed networks of XP PC's are likely to not have AU on (SUS or not) as any network admin worth a dime is going to know just how bad an idea it is to just let patches from Redmond be applied without any testing/controls in place.
In this day and age where home/poorly managed PC's are the root of most of the ills plaguing the internet security wise, I can feel your frustration...BUT....
This "the hell with it, secure it at all costs, if it breaks something then too bad" attitude you've taken on lately Russ, is almost as scary as Redmond's actions and statements of late, IMHO. Go back and check how many of the last few dozen patches released via security bulletins have had to have "patches for the patches" and the thought of being the first poor bastard to apply XP SP2 before it's been out for a few months, has to make the hair on the back of your neck stand up.
If Auto Updates and forced patching of the home users is such a cure all, then why do we have this problem to begin with if it's the cure? The typical home user that you are saying will be "reached" by this auto update would have had to have Auto Update on to begin with? If it's on to begin with then why do we have so many home users' PCs being the source of so many problems, why so many worms/viruses spreading so well? Would seem to me that the past history of Auto Update has proven itself to be a failure???? History turns the validity of Auto Updates being the cure of the internet ails into a chunk of swiss cheese.
My contacts in Microsoft have told me this service pack should have been delayed another 3-4 months as it's full of bugs and they secretly joke about how they'd hate to be in MS Product Support Services over the next few months as this thing didn't meet internal standards for Release Candidate more less RTM code. It was pushed out far too soon due to internal politics and pressures that have been growing since June. They know it's going to be a mess, and to shove this cluster-f$## out the door on auto updates ruins what little credibility Redmond has with me and others. What are they going to do when XP SP2 systems are still getting hammered with security issues after applying it.
I'm sorry, but like many others....I'm going to set back and laugh my ass off at the upcoming XP Screw-it-up-good Pack 2 mess that is inevitable the way this one is playing out.
Do I think XP SP2 is a bad thing? Nope, just poorly planned, debugged, tested, and executed as usual. I think it may help with the internet security nightmare we're dealing with, but will only be a drop in the bucket. If Redmond really cares so much, how about a similar service pack for Win2000? ME? Windows Server 2003? Okay, considering Redmond's history with the more run of the mill service packs, more less one like XP SP2....the thought of a service pack like XP SP2 for a server OS like Win Svr 2003 just scares the crap out of me?
Off to the fridge for a cold one as I set back to watch this comedy play out over the coming weeks and months. Going to be good entertainment for the poor souls stupid enough to apply this service pack from hell ;-) Let's see, I predict XP SP2a (or several silent unannounced updates pushed onto the download servers) out before Thanksgiving.
Opinions vary. As I like to say "I've been called worse by better." Knock yourselves out.
Let the games (and pain for the poor bastards) begin.....
J. Thomas
#124564 - 2004-08-10 04:53 PM
Re: Automatic updates and XP SP2
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
And another from the same gentleman after I thanked him for his response...
It doesn't fit Russ' agenda (remember what his company does to make $$$), so I really didn't expect it to make the list ;-)
Just set back, grab a cold one, and watch the inevitable cluster f$#! unfold over the next few weeks and months. The media spin (especially Russ's spin) should prove very entertaining.
Seems very few folks noticed just the other day the announcement was that SP2 was going to be delayed, then suddenly a day or two later it's RTM time. Got 4 contacts in Microsoft myself, each say the same thing, it was nowhere near ready for release, over 3,000 known bugs in it, 400+ considered critical.
I also find it funny that just a couple years ago Russ was always ranting about thinking twice about applying a patch, now we are at this stage of patch like mad men then deal with the problems later. Three years ago, Russ would have been saying exactly what you said and screaming bloody murder over how this is playing out.
Granted something needs done for sure, but I don't foresee XP SP2 being a cure or even much more than just a good start in the right direction. Then to see this poorly tested, not ready for RC status, more less RTM status code being dumped out there the way they are doing it....ouch! Never mind all the contradictions in what is being said, Auto Update is not a new thing, why is it such a cure all of a sudden, it's been around for years.
Do I think XP SP2 is a bad idea, nope, it's a start, it's a nice shift in mentality at Redmond, but unfortunately it's set up for failure in the way a good idea is being shoved down folks' throats. Curious what they will do when a year later this mess has done as much harm as good and the internet security issues we face today, are still there. I'll consider testing it for deployment again when it's XP SP2a or SP2b status, grin.
I really feel sorry for "joe average user" and the typical small business networks out there.
Next few months should be interesting to say the least.
No one in my firm wants to take me up on my bet that we'll see XP SP2a (or a silent update of the download files out there on the servers) by Thanksgiving, grin.
The spin is almost so predictable, you'll see mainstream media and web sites talking XP SP2 up for the next few weeks as the bugs are ignored, it'll take weeks before the real facts get out there, both the good and the bad.
#124565 - 2004-08-10 04:56 PM
Re: Automatic updates and XP SP2
|
Chris S.
MM club member
   
Registered: 2002-03-18
Posts: 2368
Loc: Earth
|
Here is a reply that did go through the list, but the information, policies, executables, and scripts aren't yet published from Microsoft...
Edit: fixed some links and formatting
The SP2 update can be disabled.
Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates
While recognizing the security benefits of Windows XP SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU. These organizations have populations of unmanaged PCs, upon which they have enabled AU. This is done to ensure that these unmanaged PCs receive all critical security updates. Since SP2 will start to be delivered to PCs running Windows XP or Windows XP with SP1 via AU starting on August 16, these customers would like to temporarily block the delivery of SP2 in order to provide additional time for validation and testing of the update. In response to these requests, Microsoft is providing the following guidance, resources, and communication vehicles to meet the needs of these customers.
Please note that the mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 120 days (4 months) from August 16. At the end of this period, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems.
Summary of Relevant Windows XP SP2 Dates
8/6 Release to manufacturing
8/9 Release to Microsoft Download Center (full network install package)
8/10 Release to Automatic Updates (for machines running pre-release versions of Windows XP SP2 only)
8/16 Release to Automatic Updates (for machines not running pre-release versions of Windows XP SP2)
8/16 Release to SUS via AU
Later in August: Release to Windows Update for interactive user installations
Guidance
As a best practice approach to implementing a managed rollout of Windows XP SP2, customers are encouraged to use a corporate update management solution such as Systems Management Server (SMS) 2003 or Software Update Services (SUS).
Key benefits of using SMS 2003 or SUS to deploy Windows XP SP2:
1. Allow administrators to control the deployment of Windows XP SP2 (as well as other updates) across their Windows systems
2. Allow customers to safely disable direct AU or WU access from individual systems, while allowing these systems to get the necessary critical security updates and other administrator-approved updates.
3. SUS will automatically and silently install Windows XP SP2 (administrators can also achieve this behavior using SMS 2003), while installation of Windows XP SP2 via WU or AU requires user or administrator interaction on each system it is installed on
4. Dramatically reduces network traffic into the organization, since updates only need to be downloaded to one or a small number of servers within the organization, instead of being downloaded separately to each system requiring the update.
Information on SMS 2003 is available at www.microsoft.com/smserver
Information on SUS is available at www.microsoft.com/sus
Note that SUS is available as a free download to customers with a Windows Server 2003 or Windows 2000 Server license and can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en
Resources
For customers with a population of unmanaged PCs for which the above solutions will not suffice, Microsoft is providing additional methods of managing the update process. These alternatives enable customers to temporarily disable delivery of Windows XP SP2 via AU and WU, while still allowing critical security updates to be delivered via AU and WU, thus providing more time to plan for deployment.
Options to temporarily disable and then re-enable delivery of Windows XP SP2 via AU and WU
1. For organizations that have implemented Active Directory based Group Policy, we will provide an ADM template to allow these customers to centrally and easily disable and re-enable delivery of SP2 to targeted groups of Windows XP systems using Group Policy
2. For organizations that have not implemented Group Policy, we are providing Microsoft signed executable software that can be run on systems to disable and re-enable Windows XP SP2 delivery. The disable and re-enable actions are specified as command-line parameters when running the executable.
Microsoft is also providing a sample script that will accept a machine name as a command-line parameter to enable execution of the executable software on a specific machine. The script can be used to run the executable on a remote machine or on a group of remote systems, using a mechanism that works best for the customer (run as logon script, via a remote script execution mechanism such as SMS, etc.).
3. For organizations that have machines that are not easily managed via scripting or Group Policy, but are accessible via e-mail, we are providing sample e-mail text that includes a URL link that users can click on to disable delivery of Windows XP SP2. This URL will point to an executable script hosted on www.microsoft.com/technet/winxpsp2. This option requires users to have administrator rights on their machines.
We are also providing sample e-mail text with a similar included URL link that can be clicked on to re-enable delivery of Windows XP SP2. IT administrators can send this e-mail to their users when they are ready to deploy Windows XP SP2 to these users' systems
Note 1: All of the above options rely on the presence of a registry key to disable delivery of SP2. This is a new registry key that is used only for the purpose of disabling and re-enabling delivery of SP2. Consequently, there is no additional impact or side effect on the system, and customers will be able to use these options immediately without need for any testing.
Note 2: Running the executable software requires administrative privileges. Users who are not administrators on their systems will not be able to run the executable. This is not an issue, since these users would not be able to install XP2 anyway, and disabling delivery of XP2 would not be a concern for these users.
Delivery
Customers will have access to these tools via the Windows XP SP2 section of Microsoft TechNet (www.microsoft.com/technet/winxpsp2) that provides
1. Information on options for temporarily disabling delivery of Windows XP SP2 via AU and Windows Update
2. Content to disable and re-enable delivery of Windows XP SP2
a. URL link to download a self-extracting zip file containing the ADM template, signed executable, and sample script
b. Sample email text with included link that can be clicked on to disable delivery of Windows XP SP2
c. Sample email text with included link that can be clicked on to re-enable delivery of Windows XP SP2
3. Link to a frequently asked questions (FAQ) page
Note: The main Windows XP SP2 page on TechNet will have an announcement about the availability of the Windows XP SP2 delivery-disabling options and will provide a link to the above Web page.
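Both the proxy block suggested at the top of the thread and the guidance quoted in the post above leave one practical question open: which machines are still contacting Windows Update directly. The script below is an added example, not code from the thread or from Microsoft; it assumes a Squid proxy writing its native access.log format, and it lists the clients requesting windowsupdate.microsoft.com, split into allowed and denied requests. The log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# The only update host named in the thread; extend the set for your own environment.
WATCHED_HOSTS = {"windowsupdate.microsoft.com"}

# Constructed sample in Squid native format:
# time elapsed client result/status bytes method target ident peer content-type
SAMPLE_LOG = """\
1092153600.101    245 10.1.4.21 TCP_MISS/200 5120 GET http://windowsupdate.microsoft.com/constructed/a - DIRECT/192.0.2.10 text/html
1092153601.480     12 10.1.4.21 TCP_DENIED/403 1402 GET http://WindowsUpdate.Microsoft.com/constructed/b - NONE/- text/html
1092153605.007      9 10.1.7.3 TCP_DENIED/403 1398 CONNECT windowsupdate.microsoft.com:443 - NONE/- -
1092153609.950    310 10.1.9.40 TCP_MISS/200 880 GET http://windowsupdate.microsoft.com.example.net/x - DIRECT/192.0.2.77 text/html
1092153611.222     88 10.1.2.8 TCP_HIT/200 2044 GET http://intranet.example.com/ - NONE/- text/html
truncated line
"""


def request_host(method, target):
    """Return the lower-cased host of a proxied request, or '' if unparseable."""
    try:
        if method == "CONNECT":          # CONNECT targets are host:port, not URLs
            host = target.rsplit(":", 1)[0]
        else:
            host = urlsplit(target).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def au_clients(lines, watched=WATCHED_HOSTS):
    """Map client IP -> {'allowed': n, 'denied': n} for requests to watched hosts."""
    seen = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in lines:
        fields = line.split()
        if len(fields) < 7:              # skip truncated or malformed lines
            continue
        client, result, method, target = fields[2], fields[3], fields[5], fields[6]
        # Exact host match, so look-alike names with a watched prefix are ignored.
        if request_host(method, target) not in watched:
            continue
        bucket = "denied" if result.startswith("TCP_DENIED") else "allowed"
        seen[client][bucket] += 1
    return {client: dict(counts) for client, counts in seen.items()}


def still_polling(report):
    """Clients with denied requests: AU is still on, but the block stops every update."""
    return sorted(c for c, counts in report.items() if counts["denied"] > 0)


if __name__ == "__main__":
    report = au_clients(SAMPLE_LOG.splitlines())
    for client in sorted(report):
        print(client, report[client])
    print("blocked but still polling:", still_polling(report))
```

Clients that show up only under denied requests are the ones a host-level block cuts off from critical updates as well as SP2, which is the population the quoted guidance says should be moved to SUS or SMS.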
#124567 - 2004-08-10 05:42 PM
Re: Automatic updates and XP SP2
|
Bryce
KiX Supporter
   
Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
|
grrr....
I have been watching this for some time now.
I have 28 remote sites, 2 to 4 computers at each site. We have no connection back to corporate for these sites, and they are just simple peer-to-peer networks. We use internet for everything from web based applications, to email...
To help manage these remote computers, we use AU. I am downloading XP SP2 onto one of the remote computers now, will install and see what breaks. Why do I have a nagging voice in the back of my head telling me that I will have to touch all of the remote computers and disable AU……
Bryce
#124568 - 2004-08-10 07:46 PM
Re: Automatic updates and XP SP2
|
NTDOC
Administrator
   
Registered: 2000-07-28
Posts: 11625
Loc: CA