
Monday, November 24, 2008

Corporate Windows Update

While corporations spend tons on getting their systems protected by anti-virus, IPS/IDS and firewalls, it's the very fundamentals that they overlook very often. Yes, I am talking about Windows Update or Microsoft Update. No doubt the reason the update service is often blocked by corporate policy is the need to test updates before deployment. The excuse that it is not compatible with some of the software is lame in my view. If that is so, that piece of (crap) software should be updated or thrown away. People make patches to make things work. They do not avoid patching just to keep things working. That's precisely the phrase:

"If it's not broken, don't fix it!"

Well, I do not know if I had mentioned this before, but the weakest link on my network was my company laptop. It easily had 20 high findings after just 5 minutes of scanning with a commercial vulnerability scanner. Well, you will also notice I used the word WAS. It no longer is.

There are times when certain updates are necessary. For example, you needed XML DCOM or MSSQL for some project, but you are then not allowed to update these components after you have installed them. This is the time to ask: do you want to go as far as to "break" the corporate blocking of Windows Update? If not, you can do what I do: prohibit the stupid laptop from connecting to your network. That's one against working from home.

But if you figure to yourself: "Ya hell just do it!", here is the solution.
Create a registry file (with the extension .reg) containing:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess] 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000  

Save it and run it. Of course, if you are hardcore enough, you can manually edit these registry entries. Make sure you make a backup in any case. There is also a ready-made file which you can download and run from: Link
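
To act on the backup advice before importing any .reg file, the following added example (not part of the original post) parses a .reg file, lists every key it deletes or writes, flags values placed under a `[-key]` delete header, and prints one `reg export` command per key touched. The sample input is constructed, the backup file names are hypothetical, and only single-line values are handled.

```python
import re

# Constructed sample in the same format as the .reg file above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000
'''

HEADER = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]\s*$')          # [key] or [-key]
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.+?)\s*$')  # "name"=data

def parse_reg(text):
    """Return (ops, warnings); ops are delete_key / set / delete_value tuples."""
    ops, warnings, key, deleting = [], [], None, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        h = HEADER.match(line)
        if h:
            deleting, key = h.group(1) == '-', h.group(2)
            if deleting:
                ops.append(('delete_key', key))
            continue
        v = VALUE.match(line)
        if v and key:
            if deleting:  # a value listed under a key that was just deleted
                warnings.append(f'line {n}: value {v.group(1)} follows delete header for {key}')
            elif v.group(2) == '-':  # "name"=- removes a single value
                ops.append(('delete_value', key, v.group(1).strip('"')))
            else:
                ops.append(('set', key, v.group(1).strip('"'), v.group(2)))
    return ops, warnings

def backup_commands(ops):
    """One `reg export` per distinct key touched (file names are hypothetical)."""
    keys = list(dict.fromkeys(op[1] for op in ops))
    return [f'reg export "{k}" backup_{i}.reg /y' for i, k in enumerate(keys, 1)]

if __name__ == '__main__':
    ops, warnings = parse_reg(SAMPLE_REG)
    for item in ops + warnings + backup_commands(ops):
        print(item)
```

`reg export` reports an error for a key that does not exist yet, which simply means there is nothing to back up for that key.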

Well, happy updating.


Copyright © 2008 nemesisv.blogspot.com, All rights reserved.