The Pros and Cons of Automatic Updates
Ask any administrator and they'll tell you that maintaining a secure network is a continual juggling act. If you're considering letting your Windows server automatically download and install security updates, there are a few things you should know in order to avoid accidentally dropping any balls.
Computer system security is a journey, not a destination. The moment you think you have a secure system, you don't. The process of securing a system includes constantly monitoring for newly discovered security holes and vulnerabilities.
The objective, of course, is to find out about the freshly unearthed flaw, obtain a patch, and implement it before any malicious-minded individual discovers your unpatched system. If this seems like a daunting task requiring non-stop attention, well, that's a rather accurate description for it.
At first look, it seems an excellent idea would be to have a mechanism that automatically obtains security patches for identified holes and exploits. There are a variety of list and sites available for security conscious system administrators to notify each other of holes, with the NTBugTraq mailing list service standing out as a useful example.
NTBugTraq makes it possible for system administrators to keep each other informed on breaking Windows security issues. Complete details on the list service can be found at www.ntbugtraq.com. (To subscribe, send a message to firstname.lastname@example.org with no subject and 'subscribe ntbugtraq' in the message area.)
Those who are in the best position to discover flaws and holes in an operating system are those who know it best — namely, its authors. As the author of the Windows family of operating systems, Microsoft (among other things) keeps a close eye on NTBugtraq.
Windows Automatic Update
It is Microsoft that is in the sole position to create patches for these holes, since only it has access to all of the operating system source code. It is therefore the security team at Microsoft that is in the best position to notify you when a vulnerability is identified as well as when a patch becomes available. To this end, Microsoft came up with the Windows Automatic Update feature.
Automatic Update can be found in the control panel in Windows 2000 and as a tab of System Properties in Windows XP and 2003. The feature can be turned off, which is probably only a reasonable option for a machine that is never connected to the Internet or when there are several machines in a site, all of which will need the updates, and you wish to conserve bandwidth by downloading only once.
When on, it can be set to notify you before downloading updates, to notify after downloading updates, or to simply download updates and install them on a specified schedule.
The use of Windows Automatic Update to notify you of security patches is an excellent mechanism. If you only have a few systems to maintain, or if you don't believe bandwidth consumption will be an issue, then it also serves as a great method of obtaining updates. There may even be some circumstances in which it would be advisable to use the capability to install updates on a specified schedule, but be careful, however, as a closer look at the subject can reveal a downside to automated updates.