A recent eWEEK.com article quotes a network administrator critical of Microsoft for not providing essentially what Automatic Updates provides, especially in conjunction with Microsoft's Software Update Services, which basically allows an administrator to set up an internal update server for clients to use instead of the Windows Update site.

Tightening The Security Screws In Windows
Either we're not educating people or education is not working: Too many users still fail to take simple precautions to protect themselves, and many engage in dangerous practices that perpetuate attacks.

The incidents of the past couple of weeks are both illustrative. The Blaster worm succeeded in spite of a massive publicity campaign on the danger of the relevant flaw in Windows and the existence of a patch.

Worse, in monitoring several security mailing lists I saw many users looking for any excuse not to apply the patch. According to conservative estimates, some 500,000 systems were infected with Blaster, and I've seen much higher estimates. For example, Satellite ISP DirecWay just sent out an e-mail to their customers stating that "approximately 10 to 20 percent of DIRECWAY end-users are infected with the Blaster virus."

Meanwhile, based on the hundreds of Sobig.F e-mails I received in the first 24 hours of this week's outbreak, clearly users have left themselves wide open to it as well.

Has education failed? Short of making computer hygiene mandatory like driver's education with tests, something on the order of John Dvorak's idea to license computer users, I can't see public education campaigns having any better results than we found with Blaster. And that was completely unacceptable.

If users won't take care of their computers, the unfortunate answer (depending on your point of view) is to do it for them. This is what Microsoft is considering, according to a recent Washington Post article. It states that Microsoft is considering having Windows download and apply security patches automatically.

Currently available in Windows XP and Windows 2000 SP3+, this updating capability is called Automatic Updates and is accessible through the Control Panel System applet. It is turned off by default. (For Windows 2000 Server, Automatic Updates is only aware of patches for the OS, not for important server applications like SQL Server or IIS).

The applet has 3 options if you turn Automatic Updates on:


Notify the user that updates are available;

Download any updates that are available and notify the user, but don't install them; and

Download any updates that are available and install them according to a schedule specified by the user.
So, it sounds as if Microsoft is considering making the third option the default behavior, at least with respect to certain very critical updates, such as the one that prevented the Blaster worm.

Believe it or not, even some experienced admins are unaware of this feature in its current state. A recent eWEEK.com article quotes a network administrator critical of Microsoft for not providing essentially what Automatic Updates provides, especially in conjunction with Microsoft's Software Update Services, which basically allows an administrator to set up an internal update server for clients to use instead of the Windows Update site. This administrator said: "The only way it's going to happen is automation...Microsoft should provide this free."

Hello. They do.…

http://security.ziffdavis.com/article2/0,3973,1227322,00.asp