Keeping your computer systems well-defended against the latest attacks is a daunting task, but fortunately, one of the most important defenses is really quite easy to maintain. Microsoft has provided some powerful tools that can keep your Windows systems patched with very little ongoing effort.
If the idea of configuring Windows Group Policy makes you break out in a sweat, be afraid no longer. We’ll go step-by-step through the process so that even a relative neophyte can get good results.
GPMC
GPMC (Group Policy Management Console) is an excellent tool for configuring and managing Group Policy. If you don’t already have it installed, you can get it from here. Fire it up by clicking Start, selecting Run…, then typing gpmc.msc and clicking OK.
Navigate through the domain tree in the left pane to Forest (for your domain), Domains, then open your domain, then open Group Policy Objects. You should find at least two GPOs (Group Policy Objects) there, among them being Default Domain Controllers Policy and Default Domain Policy. Click on one of these policies to open it in the right pane. Select the Settings tab to display the rules that make up the policy. Click on show all in the upper right corner to expand the rule hierarchy. Look through these policies to see if you already have rules governing Automatic Updates. If so, you can modify them in place, but we will proceed assuming a clean slate.
Create GPOs
Right-click on Group Policy Objects in the left pane and select New. Assign a name like Automatic Updates-Desktops and click OK. Now right-click your new policy in the left pane and select Edit. This will start up the Group Policy Object Editor.
In the left pane, drill down to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. All Automatic Updates settings will appear in the right pane. As you click on each one, a description of the item will appear adjacent to the list. We won’t set every value, but we will set most of them. Open a setting by double-clicking its entry to open a configuration window. Each configuration window also has an Explain tab to help you understand the meaning of each aspect of the setting.
Let’s walk through the first one. Double click Configure Automatic Updates. Select the Enabled radio button. Set the first pull-down to 4 – Auto download and schedule the install. Set the install day to 0 – Every day. Set the scheduled install time to whatever you prefer. Finally, click OK to save the settings and close the box.
Here’s how I typically set it up:
- Configure Automatic Updates
  - Enabled
  - Configure automatic updating: 4 – Auto download and schedule the install
  - Scheduled install day: 0 – Every day
  - Scheduled install time: 11:00
- Specify intranet Microsoft update service location
  - Disabled
- Reschedule Automatic Updates scheduled installations
  - Enabled
  - Wait after system startup (minutes): 5
- No auto-restart with logged on users for scheduled automatic updates installations
  - Disabled
- Automatic Updates detection frequency
  - Enabled
  - Check for updates at the following interval (hours): 4
- Allow Automatic Updates immediate installation
  - Enabled
- Delay Restart for scheduled installations
  - Enabled
  - Wait the following period before proceeding with a scheduled restart (minutes): 5
- Re-prompt for restart with scheduled installations
  - Enabled
  - Wait the following period before prompting again with a scheduled restart (minutes): 480
- Allow non-administrators to receive update notifications
  - Enabled
- Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
  - Enabled
A few notes on the above values: You’ve got to let Automatic Updates reboot the computer; time and time again I’ve seen installations go literally months without applying patches because a user doesn’t want to be bothered with maintaining his machine. That’s OK; we’ll do it for him. Don’t check for updates more often than every 3 or 4 hours; Microsoft says it can cause problems, and I, for one, don’t need any more problems with Windows than I already have. The 480 minute re-prompt number works out to 8 hours; I figure if someone actually doing their job sees a notice, they don’t need to be nagged again. Let it update once they’ve gone home. The power management setting is mostly wishful thinking on my part. Maybe someday I’ll go around and set up Wake-on-LAN in the BIOS on all those machines.
That was a lot of work, but there’s still plenty to do. Create a nearly identical GPO called Automatic Updates-Servers. The only change I make is to set the Configure Automatic Updates value to 3 – Auto download and notify for install. This prevents the possibility of a server rebooting while in use, disrupting work flow and generally wreaking havoc, but it also prevents the server from staying up to date unless you put forth an effort to keep it so. Hint: A particularly easy way to complete 90% of the work on your second GPO is to duplicate, then rename, the first one.
You can now close the Group Policy Object Editor.
Tie GPOs to Machines
So far, nothing we have done has affected any machine, but that’s about to change. What we’d like to see is for the server policy to apply to all of our servers and for the desktop policy to apply to everything else. The first step in making that happen is to define which machines are servers.
Open up Active Directory Users and Computers. If you can’t find it under Start -> Administrative Tools, then go to Start -> Run, enter dsa.msc and click OK. Navigate in the left pane down through your domain to the Computers folder. Right-click on the Computers folder and select New -> Group. Name the group Servers, leave the scope and type as a global security group, then click OK. It should show up in the list in the right pane.
Double-click your new group and select the Members tab. Add each server, one-by-one using the Add button and making sure the Select this object type field contains the word Computers. You can change it by clicking the Object Types button. Click OK when complete, then close the Active Directory Users and Computers window.
Next, we tie the Automatic Updates-Servers GPO to our new Servers security group. Back in GPMC, select the servers GPO and click on the Scope tab. In the bottom window, click the Add button and type Servers into the window, then click OK. Your security group should now be listed in the Security Filtering table. Highlight the other entry in the table (Authenticated Users) and click Remove, then OK. Now servers and only servers will be able to use the Automatic Updates-Servers GPO.
Last but certainly not least, link your new GPOs to the domain. In the left pane of GPMC, locate your domain name; it should be directly under the folder called Domains. Right-click your domain and choose Link an Existing GPO. Highlight both of your new GPOs with shift-click then click OK.
You are now in business. Your policies are complete and in place.
Check Your Work
If you log on to a domain member machine and look at the Automatic Updates page of the control panel, all the settings should be grayed out, but should match the values you set in your policies. If they’re not grayed out, you can wait, or you can give your policies a push.
Group policy flows gradually to domain member machines. They update at reboot time, but sometimes it takes more than one reboot for new policies to take effect. If you are impatient, or if a machine seems to get stuck, you can hurry along the process by running the command gpupdate /force from within a command window on the stuck machine. That, and maybe a reboot, usually get things moving along.
Another way to check is by examining the Windows Registry. Nearly all Group Policy operates by forcing certain registry settings on member computers, which then modify the computer’s behavior. Enter the following in a command window on any computer:
reg query hklm\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions
and it should display the value 0x3 on servers and 0x4 on all other machines. You can run all your queries from one machine if you prepend each query target with its IP address or hostname, as follows:
reg query \\hostname\hklm\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions
If the value is not found, try the gpupdate trick or a reboot. If it is found but does not match what you expected, make sure your Servers security group contains the right machine names; also make sure it is properly linked to the server GPO.
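The remote reg query above, wrapped into a small audit script that checks every machine against the value its GPO should have set (added example, not from the original post). It assumes the security group is named Servers as in the walkthrough, that the Remote Registry service is running on the targets, and that the account running it can read their registries; the host list is constructed and should be replaced with your own inventory.

```powershell
# Audit AUOptions across the domain: servers should carry 3 (download and notify),
# everything else 4 (download and schedule). A missing value usually means policy
# has not reached the machine yet; a mismatch points at group membership or GPO links.

$ExpectedServers  = 3
$ExpectedDesktops = 4
$KeyPath = 'hklm\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Constructed host list for illustration; replace with your real inventory.
$Hosts = @('SRV01', 'SRV02', 'WKS-ALICE', 'WKS-BOB')

# Members of the Servers group decide which value each host is expected to carry.
# Uses the ActiveDirectory module when available, otherwise a constructed fallback list.
$ServerNames = @('SRV01', 'SRV02')
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $ServerNames = Get-ADGroupMember -Identity 'Servers' | ForEach-Object { $_.Name }
}

function Get-RemoteAUOptions {
    param([string]$ComputerName)
    # Same reg query as in the post, pointed at the remote machine's HKLM.
    $out = reg query "\\$ComputerName\$KeyPath" /v AUOptions 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }   # key or value not present (yet)
    foreach ($line in $out) {
        # reg query prints e.g. "    AUOptions    REG_DWORD    0x4"
        if ($line -match 'AUOptions\s+REG_DWORD\s+0x([0-9A-Fa-f]+)') {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

$report = foreach ($h in $Hosts) {
    $expected = if ($ServerNames -contains $h) { $ExpectedServers } else { $ExpectedDesktops }
    $actual   = Get-RemoteAUOptions -ComputerName $h
    $status   = if ($null -eq $actual) { 'MISSING (try gpupdate /force or a reboot)' }
                elseif ($actual -eq $expected) { 'OK' }
                else { 'MISMATCH (check Servers group membership and GPO links)' }
    [pscustomobject]@{ Host = $h; Expected = $expected; Actual = $actual; Status = $status }
}

$report | Format-Table -AutoSize
```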
Maintaining Patched Systems
Your GPOs will do a reasonably thorough job of keeping your systems up to date, but you still have work to do. Put Patch Tuesday on your calendar—Microsoft publishes new security updates on the second Tuesday of every month. Your desktops should automatically update themselves within a day or two, but you’ll have to patch the servers yourself. On each one, either go to Start -> All programs -> Windows Update, or find the yellow shield in the systray (the row of tiny icons in the lower right corner of your screen) and apply the patches that should be downloaded and ready to install.
I also recommend checking the patch state of each machine with MBSA, the Microsoft Baseline Security Analyzer (of which the latest version, currently 2.1.1, is available here). MBSA can scan a single machine, all machines on your domain, or a LAN segment. It displays quite a bit of information, but the most critical is the list of missing patches. If a machine is chronically behind, it may be more than just group policy slowness. Many malware infections disable automatic updates, so a reformat and reinstall may be in order.
Congratulations!
Your machines are patched. You have taken a critical step that every security policy framework and every set of security regulations requires. And you have eliminated much of your vulnerability to the most popular current malware attacks. And you are no longer a Group Policy newbie!