RE: Another SUS / Autoupdate question

From: Tosh, Michael J (N-Joule) (michael.j.tosh@lmco.com)
Date: 08/12/02


Date: Mon, 12 Aug 2002 14:04:05 -0400
From: "Tosh, Michael J (N-Joule)" <michael.j.tosh@lmco.com>
To: "'Dan Bartley'" <bartleyd@corp.netcarrier.com>


"Windows Update Privacy Statement
...

Operating-system version number and Product Identification number
Internet Explorer version number
Version numbers of other software
Plug and Play ID numbers of hardware devices
The Product Identification number is collected to confirm that you are
running a validly licensed copy of Windows. A validly licensed copy of
Windows ensures that you will receive on-going updates from Windows Update.
...

To provide you with the best possible service, Windows Update also tracks
and records how many unique machines visit its site and whether the download
and installation of specific updates succeeded or failed. In order to do
this, Windows generates a Globally Unique Identifier (GUID) that is stored
on your computer to uniquely identify it. Windows Update records the GUID of
the computer that attempted the download, the ID of the item that you
attempted to download and install, and information about your operating
system version and Internet Explorer version.

Because Windows Update does not collect personally identifiable information,
the configuration information and GUID cannot be used to identify you."

This is directly copied from
http://v4.windowsupdate.microsoft.com/en/about.asp

So Product Keys, or product IDs, ARE collected and ARE sent to MS. At
least according to their documentation, but what other ways would you use to
say what is being sent? Besides a packet capture, but since it is over an
https connection on SSL, that really isn't that easy to do!

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@corp.netcarrier.com]
Sent: Monday, August 12, 2002 11:03 AM
To: focus-ms@securityfocus.com
Subject: RE: Another SUS / Autoupdate question

Just a little info on the original post as I understand it.

SUS does not have clients communicating with MS, your SUS server talks
to MS and then clients communicate with your SUS server.

Product Keys are not sent to MS via Update. The disable feature in XP
SP1 is targeted to a specific set of installs that used a stolen volume
license key and was circulated around the Net. Again, it does not
communicate to MS about it, the code checks to see if you match that
key, and if so, disables the OS in the same manner a WPA grace period
expiration would.

Why would it cost hundreds of thousands of man-hours to pull out a few
pieces of paper that show number of licenses purchased?

Best Regards,
Dan Bartley

-----Original Message-----
From: Ian Webb [mailto:iwebb@carolina.rr.com]
Sent: Saturday, August 10, 2002 11:32
To: 'Tosh, Michael J (N-Joule)'; focus-ms@securityfocus.com
Subject: RE: Another SUS / Autoupdate question

I'm going to second the earlier recommendation of Shavlik's HFNetChkPro.
I recently purchased it for the network I admin (~50 users) and even at
that size, it's much better than manual updates or SUS / Windows Update.
It does real hotfix verification, not just registry checks, and it
doesn't send any information to Microsoft. It just downloads some XML
documents from MS, and then downloads the necessary patches. It's not
free, but I think the cost is definitely worth it. It's really the best
tool for the job.

-----Original Message-----
From: Tosh, Michael J (N-Joule) [mailto:michael.j.tosh@lmco.com]
Sent: Thursday, August 08, 2002 2:05 PM
To: 'Igor' Spivak'; focus-ms@securityfocus.com
Subject: RE: Another SUS / Autoupdate question

The hope is to not have any PC's raise red flags at MS. We own licenses for
all installations of our operating systems, and then some, but to ease our
work load, we installed w2k on one machine and just made 1600 copies of it.
So we have 1600 pc's that have the same Product ID on them. I have heard
recent stories of people getting locked out of XP due to fake product ids
after visiting windows update, and if we get 1599 locked pcs, or worse, an
MS audit, that will cost hundreds of thousands in man-hours to prove
ownership of that many licenses. If an SUS works exactly as the
Windowsupdate.microsoft.com site, then it is not what we are looking for.
And manual installation of an update to 1600 pcs is also too time
consuming. That is the main reason for using the auto update feature.

-----Original Message-----
From: Igor' Spivak [mailto:urbanachiever@attbi.com]
Sent: Thursday, August 08, 2002 12:28 PM
To: focus-ms@securityfocus.com; Tosh, Michael J (N-Joule)
Subject: Re: Another SUS / Autoupdate question

> Has anyone set up an MS Software Update Service server on their network? We
> do not want any Product ID information to be accessible to ANYONE outside
> of my organization, including MS. If anyone has the SUS running, does it
> forward the Product ID, Product version, Plug-and-play information, and IE
> version of each computer that connects to it to one of the MS servers?

AFAIK no, the SUS server doesn't seem to log any specific information of the
kind about the clients that use it. Also SUS server doesn't seem to log IPs,
just a uniquely generated ID number of the client and various status flags
on update success, etc.

> My plan is to maybe point this SUS Server to itself for auto updates, give
> it no gateway address so it can only work inside our organization, and
> manually move any updates over to it from another PC on our LAN.

You could do that by manually copying the windows update catalog and all the
patches from the MS Download sites, but that is a chore. By default SUS
server synchronizes with windows update and downloads the catalog and
updates either on admin specified schedule, or by the admin manually telling
it to.

Alternatively, you could use SMS to push updates. My question is, what are
you hoping to accomplish by manually synchronizing the SUS server?

cheers,

IDS
