The Pros and Cons of Automatic Updates
Computer system security is a journey, not a destination. The moment you think you have a secure system, you don't. The process of securing a system includes constantly monitoring for newly discovered security holes and vulnerabilities.
The objective, of course, is to find out about the freshly unearthed flaw, obtain a patch, and implement it before any malicious-minded individual discovers your unpatched system. If this seems like a daunting task requiring non-stop attention, well, that's a rather accurate description for it.
At first look, it seems an excellent idea would be to have a mechanism that automatically obtains security patches for identified holes and exploits. There are a variety of list and sites available for security conscious system administrators to notify each other of holes, with the NTBugTraq mailing list service standing out as a useful example.
NTBugTraq makes it possible for system administrators to keep each other informed on breaking Windows security issues. Complete details on the list service can be found at www.ntbugtraq.com. (To subscribe, send a message to firstname.lastname@example.org with no subject and 'subscribe ntbugtraq' in the message area.)
Those who are in the best position to discover flaws and holes in an operating system are those who know it best — namely, its authors. As the author of the Windows family of operating systems, Microsoft (among other things) keeps a close eye on NTBugtraq.
Windows Automatic Update
It is Microsoft that is in the sole position to create patches for these holes, since only it has access to all of the operating system source code. It is therefore the security team at Microsoft that is in the best position to notify you when a vulnerability is identified as well as when a patch becomes available. To this end, Microsoft came up with the Windows Automatic Update feature.
Automatic Update can be found in the control panel in Windows 2000 and as a tab of System Properties in Windows XP and 2003. The feature can be turned off, which is probably only a reasonable option for a machine that is never connected to the Internet or when there are several machines in a site, all of which will need the updates, and you wish to conserve bandwidth by downloading only once.
When on, it can be set to notify you before downloading updates, to notify after downloading updates, or to simply download updates and install them on a specified schedule.
The use of Windows Automatic Update to notify you of security patches is an excellent mechanism. If you only have a few systems to maintain, or if you don't believe bandwidth consumption will be an issue, then it also serves as a great method of obtaining updates. There may even be some circumstances in which it would be advisable to use the capability to install updates on a specified schedule, but be careful, however, as a closer look at the subject can reveal a downside to automated updates.
The problem with an automated system is that an administrator can quickly lose track of changes that are being made to his or her systems when those changes don't actually require the administrator's intervention. This may seem relatively minor, but consider the following example. A recent security update from Microsoft was presented to systems by the automatic update even though it had a prerequisite of a particular service pack level that had not been met by all of the systems.
When installed, the patch caused an incompatibility with a core DLL, resulting in systems that would halt with Stop errors on restart (see Q318533 and related articles). Had the install been performed manually, the administrator would have been clued right away to the prerequisite.
Making matters worse, the automatically installed updates in this case were put in place a few days prior to the restarts, preventing them from being immediately associated with the errors in the mind of the administrator. As you can imagine, diagnosing the issue took considerable time that could have been avoided had the install required manual approval.
As mentioned earlier, though, there are numerous advantages to the automated system. My personal preference is to have automatic updates on systems that I am physically close to and that are not in critical settings. For more mission critical machines, I like to monitor for updates by subscribing to Microsoft's Product Security Notification Service and scheduling times to apply the fixes based on severity of threat, applicability, etc.
As the number of threats increase, it is becoming more and more critical that hotfixes be applied in a timely manner. The same holds true for service packs. It can be a risky proposition to allow time to go by before patching your system.
One final note — remember that those with malicious intent also subscribe to the NTBugTraq and MS Notification services. To them, these services provide a list of new things to look for and try. If your system is already patched when they come looking, they'll just have to move on to the next one.
This feature originally appeared on Enterprise IT Planet.