Troubleshooting the Windows Update Client CHAPTER 23
1103
4.
If you can reach the WSUS server, verify that the client is configured correctly. If you
are using Group Policy settings to configure Windows Update, use the Resultant Set of
Policy (RSOP) tool (Rsop.msc) to check the computer’s effective configuration. Within
RSOP, browse to the Computer Configuration\Administrative Templates\Windows
Components\Windows Update node and verify the configuration settings. Figure 23-5
shows the RSOP snap-in.
FIGURE 23-5
Use the RSOP snap-in to verify Windows Update configuration.
5.
If you think WSUS is not configured correctly, verify the IIS configuration. WSUS uses
IIS to update most client computers automatically to the WSUS-compatible Automatic
Updates. To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate
under the Web site running on port 80 of the computer on which you install WSUS. This
virtual directory, called the self-update tree, holds the latest WSUS client. For this reason,
a Web site must be running on port 80, even if you put the WSUS Web site on a custom
port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS
uses the site on port 80 only to host the self-update tree. To ensure that the self-update
tree is working properly, first make sure a Web site is set up on port 80 of the WSUS
server. Next, type the following at the command prompt of the WSUS server.
cscript <WSUSInstallationDrive>:\program files\microsoft windows server
update services\setup\InstallSelfupdateOnPort80.vbs
MoRe inFo
For more information about troubleshooting WSUS, visit
/>If you identify a problem and make a configuration change that you hope will resolve it,
restart the Windows Update service on the client computer to make the change take effect
and begin another update cycle. You can do this using the Services console or by running the
following two commands.
net stop wuauserv

net start wuauserv
Within 6 to 10 minutes, Windows Update will attempt to contact your update server.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1104
The Process of Updating Network Software
You must plan to update every network feature that uses software. This naturally includes
client and server operating systems and applications, but it also includes routers, firewalls,
wireless access points, and switches. To keep your systems up to date, follow these steps:
1.
Assemble an update team.
2.
Inventory all software in your organization, and then contact each software vendor
and determine its process of notifying customers of software updates. Some vendors
will notify you of updates directly via e-mail, but others require you to check a Web
site regularly. Assign individuals to identify software updates on a regular basis. For
example, someone on your team should be responsible for checking every software
vendor’s Web site for new updates on at least a weekly basis.
3.
Create an update process for discovering, evaluating, retrieving, testing, installing,
auditing, and removing updates. Although most of the process will be the same for all
vendors, you might have to customize parts of the process to accommodate different
uptime and testing requirements for servers, clients, and network equipment. As an
example, this chapter will thoroughly document the update process to use for
Microsoft operating system updates.
This resource kit focuses only on updating the Windows 7 operating system. However,
your process should include the ability to manage updates for other operating systems, ap-
plications, and network devices. The sections that follow discuss these steps in more detail.
Assembling the Update Team
Identifying individuals with the right mix of technical and project management skills for

deploying updates is one of the first decisions that you and your company’s management
will make. Even before staffing can begin, however, you need to identify the team roles,
or areas of expertise, required for update management. Microsoft suggests using the
Microsoft Solutions Framework (MSF) team model, which is based on six interdependent,
multidisciplinary roles: product management, program management, development, testing,
user experience, and release management. This model applies equally well to both Microsoft
and non-Microsoft software.
n
Program management The program management team’s goal is to deliver updates
within project constraints. Program management is responsible for managing the
update schedule and budget, reporting status, managing project-related risk factors
(such as staff illnesses), and managing the design of the update process.
n
Development The development team builds the update infrastructure according to
specification. The team’s responsibilities include specifying the features of the update
infrastructure, estimating the time and effort required to deploy the update infrastruc-
ture, and preparing the infrastructure for deployment.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
The Process of Updating Network Software CHAPTER 23
1105
n
Testing The testing team ensures that updates are released into the production en-
vironment only after all quality issues are identified and resolved. The team’s responsi-
bilities include developing the testing strategy, designing and building the update lab,
developing the test plan, and conducting tests.
n
User experience The user experience team ensures that the update process meets
the users’ needs. The team gathers, analyzes, and prioritizes user requirements and
complaints.
n

Release management The release management team is responsible for deploying
the updates. In large environments, the release management team also designs and
manages a pilot deployment of an update to ensure that the update is sufficiently
stable for deployment into the production environment.
The MSF team roles are flexible; they can be adapted to your organization’s own processes
and management philosophy. In a small organization or a limited deployment, one individual
might play multiple roles. In larger organizations, a team might be required to perform all of
the tasks assigned to each role.
MoRe inFo
For more information about the MSF team model, visit
/>2083c768e9ab.
Inventorying Software
After you create an update team, you must inventory the software on your network.
Specifically, you need to know which operating systems and applications you have installed
to identify updates that need to be deployed. You also need to understand the security
requirements for each computer system, including which computers store highly confidential
information, which are connected to the public Internet, and which will connect to exterior
networks.
For each computer in your environment, gather the following information:
n
Operating system Document the operating system version and update level.
Remember that most routers, firewalls, and switches have operating systems. Also
document which optional features, such as IIS, are installed.
n
Applications Document every application installed on the computer, including
versions and updates.
n
Network connectivity Document the networks to which the computer is connected,
including whether the computer is connected to the public Internet, whether it connects
to other networks across a virtual private network (VPN) or dial-up connection, and

whether it is a mobile computer that might connect to networks at other locations.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1106
n
Existing countermeasures Firewalls and virus checkers might already protect a
computer against a particular vulnerability, making the update unnecessary. For fire-
walls, document the firewall configuration, including which ports are open.
n
Site If your organization has multiple sites, you can choose to deploy updates to
computers from a server located at each site to optimize bandwidth usage. Knowing at
which site a computer or piece of network equipment is located allows you to deploy
the updates efficiently.
n
Bandwidth Computers connected across low-bandwidth links have special require-
ments. You can choose to transfer large updates during nonbusiness hours. For dial-up
users, it might be more efficient to bypass the network link and transfer updates on
removable media, such as CD-ROMs.
n
Administrator responsibility You must understand who is responsible for deploy-
ing updates to a particular device and who will fix a problem if the device fails during
the update process. If others are responsible for individual applications or services,
make note of that as well.
n
Uptime requirements Understand any service-level agreements or service-level
guarantees that apply to a particular device and whether scheduled downtime counts
against the total uptime. This will enable you to prioritize devices when troubleshoot-
ing and testing updates.
n
Scheduling dependencies Applying updates requires planning systems to be

offline. This can be a disruption for users, even if the device requires only a quick
reboot. Understand who depends on a particular device so that you can clear
downtime with that person ahead of time.
Some of this information, including operating system and installed applications, can be
gathered in an automated fashion. Most network management tools have this capability,
including Configuration Manager 2007 R2. You can also inventory Microsoft software on a
computer by using Microsoft Software Inventory Analyzer (MSIA), a free download.
MoRe inFo
For information about MSIA, visit
/msia.mspx.
Creating an Update Process
Deploying updates involves more than just choosing a technology to install the updates. An
effective update process involves planning, discussion, and testing. Although you should
use your organization’s existing change-management process (if one exists), this section will
describe the fundamental steps of an update process. The sections that follow describe each
of these steps in more detail.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
The Process of Updating Network Software CHAPTER 23
1107
Discovering Updates
The security update process starts when Microsoft releases or updates a security bulletin.
Reissued bulletins that have a higher severity rating should be evaluated again to determine
whether an already-scheduled security release should be reprioritized and accelerated. You
might also initiate the security update process when a new service pack is released.
You can be notified of Microsoft-related security issues and fixes by subscribing to the
Microsoft Security Notification Services. You can register for this service from the following
Web site: If you subscribe to
this service, you will receive automatic notification of security issues by e-mail. Note that you
will never receive the update as an attachment from Microsoft. E-mail is easy to spoof, so
Microsoft includes a digital signature that can be verified. However, it’s generally easier to

simply check the Microsoft Web site to ensure that the bulletin is officially listed.
In addition, use non-Microsoft sources to receive an objective opinion of vulnerabilities.
The following sources provide security alert information:
n
Security alert lists, especially SecurityFocus ()
n
Security Web sites, such as and
n
Alerts from antivirus software vendors
Evaluating Updates
After you learn of a security update, you need to evaluate the update to determine which
computers at your organization, if any, should have the update applied. Read the information
that accompanies the security bulletin and refer to the associated Knowledge Base article
after it is released.
Next, look at the various parts of your environment to determine whether the vulnerability
affects the computers on your network. You might not be using the software that is being
updated, or you might be protected from the vulnerability by other means, such as a fire-
wall. For example, if Microsoft releases a security update for Microsoft SQL Server and your
company doesn’t use SQL Server (and it’s not a requirement for other installed applications),
you don’t need to act. If Microsoft releases a security update for the Server service but you
have blocked the vulnerable ports by using Windows Firewall, you don’t necessarily need to
apply the update (although applying the update will provide an important additional layer
of protection). As an alternative, you might decide that applying the update is not the best
countermeasure for a security vulnerability. Instead, you might choose to add a firewall or
adjust firewall filtering rules to limit the vulnerability’s exposure.
Determining whether an update should be applied is not as straightforward as you might
think. Microsoft updates are free downloads, but applying an update does have a cost: You
will need to dedicate time to testing, packaging, and deploying the update. In larger orga-
nizations, applying a software update to a server requires that many hours be dedicated to
justifying the update and scheduling the associated downtime with the groups who use the

server.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1108
Any type of update also carries the risk of something going wrong when the update is
applied. In fact, any time you restart a computer, there is a small risk that the computer won’t
start up successfully. There’s also the very real risk that the update will interfere with exist-
ing applications. This risk, fortunately, can be offset by extensively testing the update before
applying it. Deciding not to apply a security update also has a cost: an increased risk of a
security vulnerability being exploited.
Besides testing, you can offset the risk that an update will cause problems by having a
plan to roll back the update. When evaluating an update, determine whether the release can
be easily uninstalled if it causes a problem that isn’t identified during testing. Functionality
for uninstalling updates can vary from fully automated uninstall support, to manual uninstall
procedures, to no uninstall. If an update cannot be uninstalled, your only option might be
to restore the computer from a recent backup. Regardless of the uninstall method required
for an update, ensure that you have a defined rollback plan in case the deployment doesn’t
match the success encountered in the test environment.
To be prepared for the worst, verify that you have recent backups of all computers that will be
updated and that you are prepared to restore those systems if the update cannot be removed
successfully. It’s not likely that an update will cause your systems to fail completely and require
them to be restored from backup, but it is a circumstance that you must be prepared to handle.
Choosing whether to apply an update is such a complicated, yet critical, decision that
larger organizations should create a security committee that collectively determines which
updates should be applied. The committee should consist of employees who are familiar with
the update requirements of each different type of computer on your network. For example, if
you have separate organizations that manage desktop and client computers, both organiza-
tions should have a representative on the committee. If separate individuals manage each of
the Web, messaging, and infrastructure servers on your network, each person should have
input into whether a particular update is applied. Ask members from your database teams,

networking groups, and internal audit teams to play an active role—their experience and
expertise can be an asset in determining risk. Depending on your needs, the committee can
discuss each update as it is released, or it can meet on a weekly or biweekly basis.
If the committee determines that an update needs to be deployed, you then need to de-
termine the urgency. In the event of an active attack, you must make every effort to apply the
update immediately before your system is infected. If the attack is severe enough, it might even
warrant removing vulnerable computers from the network until the update can be applied.
Speeding the Update Process
I
f it usually takes your organization more than a few days to deploy an update, cre-
ate an accelerated process for critical updates. Use this process to speed or bypass
time-consuming testing and approval processes. If a vulnerability is currently being
exploited by a quickly spreading worm or virus, deploying the update immediately
could save hundreds of hours of recovery time.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
The Process of Updating Network Software CHAPTER 23
1109
Retrieving Updates
After you decide to test and/or deploy an update, you must retrieve it from Microsoft. If
you are using WSUS as your deployment mechanism, WSUS can download the update
automatically. If you are deploying updates by using another mechanism, download the
update from a trusted Microsoft server.
Testing Updates
After applying an update or group of updates to your test computers, test all applications
and functionality. The amount of time and expense that you dedicate to testing the update
should be determined by the potential damage that can be caused by a problematic update
deployment. There are two primary ways you can test an update: in a test environment and
in a pilot deployment. A test environment consists of a test lab or labs and includes test plans,
which detail what you will test, and test cases, which describe how you will test each feature.
Organizations that have the resources to test updates in a test environment should always

do so because it will reduce the number of problems caused by update incompatibility with
applications. Even if your organization does not have the resources to test critical updates and
security updates, always test service packs before deploying them to production computers.
The test lab can be made up of a single lab or of several labs, each of which supports test-
ing without presenting risk to your production environment. In the test lab, members of the
testing team can verify their deployment design assumptions, discover deployment problems,
and improve their understanding of the changes implemented by specific updates. Such
activities reduce the risk of errors occurring during deployment and allow the members of
the test team to rapidly resolve problems that might occur while deploying an update or after
applying an update.
Many organizations divide their testing teams into two subteams: the design team and
the deployment team. The design team collects information that is vital to the deployment
process, identifies immediate and long-term testing needs, and proposes a test lab design
(or recommends improvements to the existing test lab). The deployment team completes the
process by implementing the design team’s decisions and then testing new updates on an
ongoing basis.
During the beginning of the lifetime of the update test environment, the deployment team
will test the update deployment process to validate that the design is functional. Later, after
your organization identifies an update to be deployed, the deployment will test the individual
updates to ensure that all of the updates are compatible with the applications used in your
environment.
An update test environment should have computers that represent each of the major
computer roles in your organization, including desktop computers, mobile computers, and
servers. If computers within each role have different operating systems, have each operating
system available on either dedicated computers, a single computer with a multiboot configu-
ration, or in a virtual desktop environment.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1110
After you have a set of computers that represent each of the various types of computers

in your organization, connect them to a private network. You will also need to connect test
versions of your update infrastructure computers. For example, if you plan to deploy updates
by using WSUS, connect a WSUS server to the lab network.
Load every application that users will use onto the lab computers and develop a procedure
to test the functionality of each application. For example, to test the functionality of Internet
Explorer, you can visit both the Microsoft Web site and an intranet Web site. Later, when test-
ing updates, you will repeat this test. If one of the applications fails the test, the update you
are currently testing might have caused a problem.
note
If you will be testing a large number of applications, identify ways to automate the
testing of updates by using scripting.
In addition to testing your implementation of an update, conducting a pilot deployment
provides an opportunity to test your deployment plan and the deployment processes. It helps
you to determine how much time is required to install the update as well as the personnel
and tools needed to do so. It also provides an opportunity to train support staff and to gauge
user reaction to the update process. For example, if a particular update takes an hour for a
dial-up user to download, you might have to identify an alternative method for delivering the
update to the user.
note
The more significant the update, the more important it is to use a pilot program.
Service packs, in particular, require extensive testing both in and out of the lab.
Besides testing the update yourself, subscribe to mailing lists and visit newsgroups fre-
quented by your peers. People tend to report problems with updates to these forums before
an official announcement is made by Microsoft. If you do discover a problem, report it to
Microsoft. Historically, Microsoft has fixed and re-released security updates that have caused
serious problems. On the other hand, Microsoft support might be able to suggest an alterna-
tive method for reducing or eliminating the vulnerability.
Installing Updates
After you are satisfied that you have sufficiently tested an update, you can deploy it to your
production environment. During the installation process, be sure to have sufficient support

staff to handle problems that might arise. Have a method in place to monitor the progress
of the updates, and have an engineer ready to resolve any problems that occur in the update
deployment mechanism. Notify network staff that an update deployment is taking place so
that they are aware of the cause of the increased network utilization.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
The Process of Updating Network Software CHAPTER 23
1111
Removing Updates
Despite following proper planning and testing procedures, problems can arise when you
deploy an update to production computers. Before you deploy updates, have a plan in place
to roll back updates from one, many, or all of the target computers. The main steps for the
rollback and redeployment of updates are as follows:
1.
Stop the current deployment. Identify any steps necessary for deactivating release
mechanisms used in your environment.
2.
Identify and resolve any update deployment issues. Determine what is causing an
update deployment to fail. The order in which updates are applied, the release mecha-
nism used, and flaws in the update itself are all possible causes for a failed deployment.
3.
Uninstall updates if necessary. Updates that introduce instabilities to your production
environment should be removed if possible. For instructions, refer to the section titled
“How to Remove Updates” earlier in this chapter.
4.
Reactivate release mechanisms. After resolving update issues, reactivate the appropri-
ate release mechanism to redeploy updates. Security bulletins issued by Microsoft will
always indicate whether an update can be uninstalled. Because reverting computers to
a previous state is not always possible, pay close attention to this detail before deploying
an update that cannot be uninstalled.
When a simple uninstall process is not available for a security update, ensure that the nec-

essary provisions are in place for reverting your critical computers back to their original states
in the unlikely event that a security update deployment causes a computer to fail. These pro-
visions might include having spare computers and data backup mechanisms in place so that a
failed computer can be rebuilt quickly.
Auditing Updates
After you deploy an update, it is important to audit your work. Ideally, someone who is
not responsible for deploying the update should perform the actual audit. This reduces
the possibility that the person or group responsible for deploying the update would
unintentionally overlook the same set of computers during both update deployment and
auditing; it would also reduce the likelihood of someone deliberately covering up oversights
or mistakes.
Auditing an update that resolves a security vulnerability can be done in one of two ways.
The simplest way to audit is to use a tool, such as MBSA, to check for the presence of the
update. This can also be done by checking the version of updated files and verifying that the
version matches the version of the file included with the update.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1112
Quarantine Control for Computers That Haven’t Been
Updated
Y
ou should require updates for remote computers connecting via dial-up and
VPN solutions because they might miss your update and auditing. Windows 7
and Windows Server 2008 both support NAP, which you can use to restrict access
to computers that do not meet specific security requirements, such as having the
latest updates, and to distribute the updates to the client computer so that they can
safely join the intranet. For more information about Network Access Protection,
refer to Chapter 25. You can use NAP with a Windows Server 2008 infrastructure as
described in Windows Server 2008 Networking and Network Access Protection (NAP)
(Microsoft Press, 2008).

How Microsoft Distributes Updates
Microsoft continually works to reduce the risk of software vulnerabilities in its software,
including Windows 7. This section describes the different types of updates released
by Microsoft. It also describes the Microsoft product life cycle, which affects update
management because Microsoft stops releasing security updates for a product at the end
of its life cycle.
Security Updates
A security update is an update that the Microsoft Security Response Center (MSRC) releases
to resolve a security vulnerability. Microsoft security updates are available for customers
to download and are accompanied by two documents: a security bulletin and a Microsoft
Knowledge Base article.
MoRe inFo
For more information about the MSRC, visit
/security/msrc/default.mspx.
A Microsoft security bulletin notifies administrators of critical security issues and vulner-
abilities and is associated with a security update that can be used to fix the vulnerability.
Security bulletins generally provide detailed information about whom the bulletin concerns,
the impact and severity of the vulnerability, and a recommended course of action for affected
customers.
Security bulletins usually include the following pieces of information:
n
Title The title of the security bulletin, in the format MSyy-###, where yy is the last
two digits of the year and ### is the sequential bulletin number for that year.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
How Microsoft Distributes Updates CHAPTER 23
1113
n
Summary Information about who should read the bulletin, the impact of the vulner-
ability and the software affected, the maximum severity rating, and the MSRC’s recom-
mendation on how to respond to the bulletin. The severity rating of a bulletin gauges

the maximum risk posed by the vulnerability that the update fixes. This severity level
can be Low, Moderate, Important, or Critical. The MSRC judges the severity of a vulner-
ability on behalf of the entire Microsoft customer base. The impact a vulnerability has
on your organization might be more or less serious than this severity rating.
n
Executive summary An overview of the individual vulnerabilities discussed in the
security bulletin and their severity ratings. One security bulletin might address multiple,
related vulnerabilities that are fixed with a single update.
n
Frequently asked questions Discusses updates that are replaced, whether you can
audit the presence of the update using MBSA or Configuration Manager 2007 R2, life-
cycle information, and other relevant information.
n
Vulnerability details The technical details of the vulnerabilities, a list of mitigating
factors that might protect you from the vulnerability, and alternative workarounds that
you can use to limit the risk if you cannot install the update immediately. One of the
most important pieces of information in this section is whether there are known, active
exploits that attackers can use to compromise computers that haven’t been updated. If
you are unable to install the update immediately, you should read this section carefully
to understand the risk of managing a computer that hasn’t been updated.
n
Security update information Instructions on how to install the update and what
files and configuration settings will be updated. Refer to this section if you need to
deploy updated files manually or if you are configuring custom auditing to verify that
the update has been applied to a computer.
MoRe inFo
If you are not familiar with the format of security bulletins, take some time
to read current bulletins. You can browse and search bulletins at
/technet/security/current.aspx.
In addition to security bulletins, Microsoft also creates Knowledge Base articles about

security vulnerabilities. Knowledge Base articles generally include more detailed information
about the vulnerability and step-by-step instructions for updating affected computers.
From time to time, Microsoft releases security advisories. Security advisories are not as-
sociated with a security update. Instead, advisories communicate security guidance that might
not be classified as a vulnerability to customers.
Update Rollups
At times, Microsoft has released a significant number of updates between service packs. It is
cumbersome to install a large number of updates separately, so Microsoft releases an update
rollup to reduce the labor involved in applying updates. An update rollup is a cumulative
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates
1114
set of hotfixes, security updates, critical updates, and other updates all packaged together
for easy deployment. An update rollup generally targets a specific area of a product, such
as security, or a feature of a product, such as IIS. Update rollups are always released with a
Knowledge Base article that describes the rollup in detail.
Update rollups receive more testing from Microsoft than individual security updates but
less testing than service packs. In addition, because update rollups consist of updates that
have been released previously and are being run by many other Microsoft customers, it is
more likely that any incompatibilities associated with the update rollup have already been
discovered. Therefore, the risk associated with deploying update rollups is typically lower
overall than the risk of deploying security updates, despite the fact that rollups affect more
code. However, you still need to test update rollups with critical applications before deploying
them.
Service Packs
A service pack is a cumulative set of all of the updates that have been created for a Microsoft
product. A service pack also includes fixes for other problems that have been found by
Microsoft since the release of the product. In addition, a service pack can contain customer-
requested design changes or features. Like security updates, service packs are available for
download and are accompanied by Knowledge Base articles.

The chief difference between service packs and other types of updates is that service
packs are strategic deliveries, whereas updates are tactical. That is, service packs are carefully
planned and managed—the goal is to deliver a well-tested, comprehensive set of fixes that is
suitable for use on any computer. In contrast, security updates are developed on an as-needed
basis to combat specific problems that require an immediate response.
note
Service packs undergo extensive regression testing that Microsoft does not per-
form for other types of updates. However, because they can make significant changes to
the operating system and add new features, they still require extensive testing within your
environment.
Microsoft does not release a service pack until it meets the same quality standards as the
product itself. Service packs are constantly tested as they are built, undergoing weeks or months
of rigorous final testing that includes testing in conjunction with hundreds or thousands of non-
Microsoft products. Service packs also undergo a beta phase, during which customers participate
in the testing. If the testing reveals bugs, Microsoft will delay the release of the service pack.
Even though Microsoft tests service packs extensively, they frequently have known ap-
plication incompatibilities. However, they are less likely to have unknown application incom-
patibilities. It is critical that you review the service pack release notes to determine how the
service pack might affect your applications.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
How Microsoft Distributes Updates CHAPTER 23
1115
Because service packs can make substantial changes to Windows 7, thorough testing and
a staged deployment are essential. After Microsoft releases a service pack for beta, begin
testing it in your environment. Specifically, test all applications, desktop configurations, and
network connectivity scenarios. If you discover problems, work with Microsoft to identify the
problem further so that Microsoft can resolve the issues before the service pack is released.
After the service pack is released, you need to test the production service pack carefully
before deploying it.
While testing a newly released service pack, stay in touch with the IT community to

understand the experiences of organizations that deploy the service pack before you. Their
experiences can be valuable for identifying potential problems and refining your deployment
process to avoid delays and incompatibilities. Microsoft security updates can be applied to
systems with the current or previous service pack so you can continue with your usual
Microsoft update process until after you have deployed the new service pack.
MoRe inFo
For more information about the Microsoft TechNet IT Professional
Community, visit />After testing, you should use staged deployments with service packs, just as you would
for any major change. With a staged deployment, you install the service pack on a limited
number of computers first. Then, you wait days or weeks for users to discover problems with
the service pack. If a problem is discovered, you should be prepared to roll back the service
pack by uninstalling it. Work to resolve all problems before distributing the service pack to a
wider audience.
Microsoft Product Life Cycles
Every product has a life cycle, and, at the end of the product life cycle, Microsoft stops
providing updates. However, this doesn’t mean that no new vulnerabilities will be discovered
in the product. To keep your network protected from the latest vulnerabilities, you will need
to upgrade to a more recent operating system.
Microsoft offers a minimum of five years of mainstream support from the date of a
product’s general availability. When mainstream support ends, businesses have the option
to purchase two years of extended support. In addition, online self-help support, such as the
Knowledge Base, will still be available.
Security updates will be available through the end of the extended support phase at no
additional cost for most products. You do not have to have an extended support contract
to receive security updates during the extended support phase. For more information on
the Windows 7 product life cycle, see When
planning future operating system upgrades, you must keep the product life cycle in mind,
particularly the period during which security updates will be released.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 23 Managing Software Updates

1116
You have to stay reasonably current on updates to continue to receive Microsoft support
because Microsoft provides support only for the current service pack and the one that im-
mediately precedes it. This support policy allows you to receive existing hotfixes or to request
new hotfixes for the currently shipping service pack, the service pack immediately preceding
the current one, or both during the mainstream phase.
Summary
Networks and the Internet are constantly changing. In particular, network security threats
continue to evolve, and new threats are introduced daily. Therefore, all software must change
constantly to maintain high levels of security and reliability.
Microsoft provides tools for managing Windows 7 software updates for home users, small
organizations, and large enterprises. Regardless of the organization, the Windows Update
client in Windows 7 is responsible for downloading, sharing, and installing updates. Small
organizations can download updates directly from Microsoft to a Windows 7 computer, which
will then share the update with other computers on the same LAN. Larger organizations, as
well as organizations that must test updates prior to installation, can use WSUS to identify,
test, and distribute updates. Combined with AD DS Group Policy settings, you can manage
updates centrally for an entire organization.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
n
The Microsoft Update Management Web site at
/updatemanagement.
n
See the MBSA 2.1 Web site at for more information
and to download MBSA.
n
“MBSA 2.0 Scripting Samples” at
/details.aspx?familyid=3B64AC19-3C9E-480E-B0B3-6B87F2EE9042 includes

examples of how to create complex auditing scripts using MBSA.
n
The Configuration Manager 2007 R2 Web site at
includes more information about using Configuration Manager 2007 R2.
n
“Microsoft Update Product Team Blog” at provides the
latest Microsoft Update news direct from the Microsoft Update product team.
n
“WSUS Product Team Blog” at has the latest WSUS
news.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Additional Resources CHAPTER 23
1117
On the Companion Media
n
ConfigureSoftwareUpdatesSchedule.ps1
n
DownloadAndInstallMicrosoftUpdate.ps1
n
Get-MicrosoftUpdates.ps1
n
Get-MissingSoftwareUpdates.ps1
n
ScanForSpecificUpdate.ps1
n
TroubleshootWindowsUpdate.ps1
n
UninstallMicrosoftUpdate.ps1
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

1119
CHAPTER 24
Managing Client Protection
n
Understanding the Risk of Malware 1119
n
User Account Control 1121
n
AppLocker 1142
n
Using Windows Defender 1149
n
Network Access Protection 1159
n
Forefront 1160
n
Summary 1162
n
Additional Resources 1162
N
etworked client computers are constantly under attack. In the past, repairing
computers compromised by malware was a significant cost to IT departments.
The Windows 7 operating system strives to reduce this cost by using a combination of
technologies—including User Account Control (UAC), Windows AppLocker, and Windows
Defender. Additionally, Microsoft offers Microsoft Forefront separately from Windows 7
to provide better manageability of client security.
Understanding the Risk of Malware
Malware (as described in Chapter 2, “Security in Windows 7”) is commonly spread in
several different ways:
n

Included with legitimate software Malware is often bundled with legitimate
software. For example, a peer-to-peer file transfer application might include
potentially unwanted software that displays advertisements on a user’s com-
puter. Sometimes, the installation tool might make the user aware of the malware
(although users often do not understand the most serious compromises, such
as degraded performance and compromised privacy). Other times, the fact that
unwanted software is being installed might be hidden from the user (an event
known as a non-consensual installation). Windows Defender, as described later
in this chapter, can help detect both the legitimate software that is likely to be
bundled and the potentially unwanted software bundled with it, and it will notify
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 24 Managing Client Protection
1120
the user about the software running on their system. Additionally, when UAC is active,
standard user accounts will not have sufficient privileges to install most dangerous
applications.
n
Social engineering Users are often tricked into installing malware. A common
technique is to attach a malware installer to an e-mail and provide instructions for
installing the attached software in the e-mail. For example, the e-mail might appear to
come from a valid contact and indicate that the attachment is an important security
update. E-mail clients such as Microsoft Office Outlook now prevent the user from run-
ning executable attachments. Modern social engineering attacks abuse e-mail, instant
messages, social networking, or peer-to-peer networks to instruct users to visit a Web
site that installs the malware, either with or without the user’s knowledge. The most
effective way to limit the impact of social engineering attacks is to train users not to
install software from untrustworthy sources and not to visit untrusted Web sites. Addi-
tionally, UAC reduces the user’s ability to install software, AppLocker can prevent users
from running untrusted software, and Windows Defender makes users more aware of
when potentially unwanted software is being installed. For more information about

social engineering, read “Behavioral Modeling of Social Engineering–Based Malicious
Software” at
/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73.
note
Windows XP Service Pack 2 (SP2), Windows Vista, and Windows 7 support
using Group Policy settings to configure attachment behavior. The relevant Group
Policy settings are located in User Configuration\Administrative Templates
\Windows Components\Attachment Manager.
n
Exploiting browser vulnerabilities Some malware has been known to install itself
without the user’s knowledge or consent when the user visits a Web site. To accomplish
this, the malware needs to exploit a security vulnerability in the browser or a browser
add-on to start a process with the user’s or system’s privileges, and then use those
privileges to install the malware. The risk of this type of exploit is significantly reduced
by Windows Internet Explorer Protected Mode in Windows Vista and Windows 7. Ad-
ditionally, the new Internet Explorer 8 feature, SmartScreen, can warn users before they
visit a malicious site. For more information about Internet Explorer, read Chapter 20,
“Managing Windows Internet Explorer.”
n
Exploiting operating system vulnerabilities Some malware might install itself by
exploiting operating system vulnerabilities. For example, many worms infect computers
by exploiting a network service to start a process on the computer and then install the
malware. The risks of this type of exploit are reduced by UAC, explained in this chapter,
and Windows Service Hardening, described in Chapter 26, “Configuring Windows
Firewall and IPsec.”
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
User Account Control CHAPTER 24
1121
User Account Control
Most administrators know that users should log on to their computers using accounts that

are members of the Users group, but not the Administrators group. By limiting your user ac-
count’s privileges, you also limit the privileges of any applications that you start—including
software installed without full consent. Therefore, if you can’t add a startup application,
neither can a malicious process that you accidentally start.
With versions of Windows prior to Windows Vista, however, not being a member of the
Administrators group could be very difficult, for a few reasons:
n
Many applications would run only with administrative privileges.
n
Running applications with elevated privileges required users to either right-click the
icon and then click Run As or create a custom shortcut, which is inconvenient, requires
training, and requires that the user has a local administrator account (largely defeating
the purpose of limiting privileges).
n
Many common operating system tasks, such as changing the time zone or adding a
printer, required administrative privileges.
UAC is a feature of Windows Vista and Windows 7 that improves client security by making
it much easier to use accounts without administrative privileges. At a high level, UAC offers
the following benefits:
n
Most applications can now run without administrative privileges Applications
created for Windows Vista or Windows 7 should be designed to not require admin-
istrator credentials. Additionally, UAC virtualizes commonly accessed file and registry
locations to provide backward compatibility for applications created for earlier versions
of Windows that still require administrator credentials. For example, if an application
attempts to write to a protected portion of the registry that will affect the entire com-
puter, UAC virtualization will redirect the write attempt to a nonprotected area of the
user registry that will affect only that single application.
n
Applications that require administrative privileges automatically prompt the

user for administrator credentials For example, if a standard user attempts to
open the Computer Management console, a User Account Control dialog box ap-
pears and prompts for administrator credentials, as shown in Figure 24-1. If the current
account has administrator credentials, the dialog box prompts to confirm the action
before granting the process administrative privileges.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 24 Managing Client Protection
1122
FIGURE 24-1
UAC prompts standard users for administrator credentials when necessary.
n
Users no longer require administrative privileges for common tasks Windows
Vista and Windows 7 have been improved so that users can make common types of
configuration changes without administrator credentials. For example, in earlier versions
of Windows, users needed administrator credentials to change the time zone. In
Windows Vista and Windows 7, any user can change the time zone, which is important
for users who travel. Changing the system time, which has the potential to be malicious,
still requires administrator credentials, however.
n
Operating system features display an icon when administrator credentials are
required In earlier versions of Windows, users were often surprised when an aspect
of the operating system required more privileges than they had. For example, users
might attempt to adjust the date and time, only to see a dialog box informing them
that they lack necessary privileges. In Windows Vista and Windows 7, any user can
open the Date And Time properties dialog box. However, users need to click a but-
ton to change the time (which requires administrative privileges), and that button has
a shield icon indicating that administrative privileges are required. Users will come to
recognize this visual cue and not be surprised when they are prompted for credentials.
n
If you log on with administrative privileges, Windows Vista and Windows 7

will still run applications using standard user privileges by default Most users
should log on with only standard user credentials. If users do log on with an account
that has Administrator privileges, however, UAC will still start all processes with only
user privileges. Before a process can gain administrator privileges, the user must con-
firm the additional rights using a UAC prompt.
Table 24-1 illustrates the key differences in the behavior of Windows 7 with UAC installed
when compared to Windows XP.
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.