gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| reply to keith2468
Re: Think about it.
B already addressed the issue in the first part of your post well; just a few additional comments about the rest:
said by keith2468  :The approach of having the user install sign on to an admin account to run MS, AV and AT updates once a week is the best approach....And the rest of the time the user should use a regular account. i think so too, and i've said in this thread that that's what i do, and what i'll recommend. my point is that it is NOT what MS recommends. they paradoxically recommend using a user account for routine surfing every day (correct) and at the same time, recommend (and nag) to have automatic updates turned on at all times, knowing it can't run while the person is in the user account. THAT'S the idiocy.
btw, what no one has addressed here, but is a major issue: if you set the automatic updates service to manual instead of automatic, it often does NOT start when, in the admin account, you manually go to WU. that's where the terrific batch file posted here a while ago comes in...i run it every time. however, i cannot expect every newbie to know about that batch file, so i'm exploring ways to assure that auto update will turn on when the user manually goes to WU reliably without having it set to start all the time.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
B
Premium,MVM
join:2000-10-28
| reply to keith2468
said by keith2468 :If MS had an automated process that would automatically install downloaded Windows Updates files as System or an Administrator, how long do you think it would be before hackers figured out how to create fake Windows Update files that would be automatically installed? The approach of having the user install sign on to an admin account to run MS, AV and AT updates once a week is the best approach. And the rest of the time the user should use a regular account. keith, with all due respect (and you're due plenty), what are you talking about?
Automatic Updates is an autonomous MS process that is ALREADY communicating on its own ONLY with Microsoft sites. And it's already downloading files on its own.
What is unsafe (other than the chance for system corruption that we have already seen) about letting Automatic Updates complete the process and scheduled the updates for installation on the next boot under the auspices of a privileged services account?
It doesn't seem as if malicious entitities have a chance of getting in the middle here at all (for a change!).
-- B
--
In a realm outside causality and function |
|
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
| reply to gracie
If MS had an automated process that would automatically install downloaded Windows Updates files as System or an Administrator, how long do you think it would be before hackers figured out how to create fake Windows Update files that would be automatically installed?
The approach of having the user install sign on to an admin account to run MS, AV and AT updates once a week is the best approach.
And the rest of the time the user should use a regular account.
--
(Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC) |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| reply to B
Re: auto updates and limited user
said by B : I agree, gracie, this is really stupid. If the administrator already decided to allow truly "automatic" updates, why wouldn't the process run as a privileged service? At least upon the next boot?...In any case, Automatic Updates may be nice in theory, but keeping with MS's performance to date vis a vis Windows Update and security in general, they are a BAD idea to allow in practice. my thoughts exactly. as i said, i never do AU, but this guy is a real newbie and i thought it might make his life a tad easier, and his new machine has sp2 so was nagging him constantly to enable it when i had it turned off for him.
instead, i'll just turn off the sec. center nag  . he has promised to update everything manually every week, which is a major step forward for him. the fact that he was willing to try at least to run as user for most stuff is a testament to his dawning understanding that the reason i have to keep cleaning out his machines is that he was totally unsafe in his practices.
i don't know if we'll really keep him off hotcheerleadersdodallas.com , but at least he's got a slew of anti-malware proggies, a locked down IE, and a list of good practices behind him now.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
B
Premium,MVM
join:2000-10-28
| reply to gracie
It seems you can download, but not install anything until you log in as administrator. I agree, gracie, this is really stupid. If the administrator already decided to allow truly "automatic" updates, why wouldn't the process run as a privileged service? At least upon the next boot?
Note To modify Automatic Updates settings, you must be logged on as an administrator or a member of the Administrators group.
When critical updates are detected, Automatic Updates automatically downloads these updates in the background while you are connected to the Internet. After the download is complete, Automatic Updates waits until the scheduled day and time to install the updates. On the scheduled day and time, all local users receive the following message that has a five minute countdown timer:
Windows is ready to begin installing the updates available for your computer.
Do you want Windows to install the updates now?
(Windows will restarts your computer if no action is taken within 5:00 minutes)
If you are logged on as an administrator, when you receive this message, you can either click Yes to install the updates or click No to have Automatic Updates install the updates at the next scheduled day and time. If you do not take any action in five minutes, Windows automatically installs the updates.
Emphasis added.
»support.microsoft.com/default.as···s;327838
In any case, Automatic Updates may be nice in theory, but keeping with MS's performance to date vis a vis Windows Update and security in general, they are a BAD idea to allow in practice.
-- B
--
In a realm outside causality and function |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| reply to computerman2
thanx, all. it looks like my instincts were correct: despite ms' agreement that users should generally not run as admin for daily tasks on the net, windows update's auto update function won't work in user mode and therefore is totally useless except for those, like computerman2, who run all the time as admin (which i believe, right or wrong, is unsafe practice).
so i'm telling him to turn off auto updates for windows update and just go to WU during his weekly maintenance login as admin. just as i do. gives me time, also, to allow people (like those who have AU turned on) to be guinea pigs so i don't have to let a bad patch ruin my machine .
btw, autoupdate of many AVs works when in the user account...his mcafee updated a number of times while he was in user. so it may be a app-by-app thing.
just seems to me that ms would do well to make AU automatically 'run as' administrator even if the user is in user mode, so they would always install automatically if that's what the user wants. thinking of all the newbies who turn AU on, thinking they are protected, and then take the advice to run as user and aren't really getting the patches, without knowing it.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
computerman2
Premium
join:2002-04-20
Rockwood, MI
 ·AT&T Midwest
| reply to TerryMiller
I always run as admin, I couldn't live without my automatic updates for programs on here, and stuff, and that's just the way it has to be for me, and never once have I had a spyware problem, virus problem, trojan problem, or update killing my computer, so running as Admin is nice and convient for me, and it works well. |
|
TerryMiller
Premium
join:2003-10-23
| reply to gracie
Auto updates will download the updates while you're running as admin. I also believe if you set a scheduled task to check for updates weekly it will install them. The task has to be set to run with administrator privileges.
--
My family site |
|
Jarmo P
join:2003-11-12
Finland
| reply to gracie
quote:
I understand that the updates may need admin privileges to be actually installed. But, does the AU service atleast download the needed updates in non-admin mode?
Same here, not knowing that?
Although I actually prefer not to see some larger downloads happening, wondering what is going on?
The last 2 updates, I needed to log into Administrator account and check manually. That is the preferred way to me anyways.
But more ignorant users might not check there or keep reading a forum like BBR. |
|
trooper1
Premium
join:2002-03-13
·AirTel
|  reply to B
Does AU download the critical updates in non-admin
I am a little confused by this.
Will AU download the needed updates when a user is online in non-admin mode?
I understand that the updates may need admin privileges to be actually installed. But, does the AU service atleast download the needed updates in non-admin mode?
~d00by
--
XP Pro SP2 | Firefox | Allie Keys: People believe what they want to believe. They find meaning where they can and they cling to it. In the end, it really doesn't matter what's a trick and what's true. What matters is that people believe. |
|
B
Premium,MVM
join:2000-10-28
| reply to spooler0
Re: auto updates and limited user
said by spooler0 :Okay, now if it is installed and updated with all the vs, ts, adware and spyware scanners in the admin account, where is the user to run it from? If run from the admin account, will that check all the limited accounts in every case? And if not, will all of those programs run properly from the limited account? End question: If it needs to be installed and updated in the admin, but run in both admin and limited, will the user do so without getting confused? Since we're only talking about Automatic Updates for Windows, the answers are simply:
1. The user DOESN'T, except during that single weekly log-in as administrator.
2. Nothing is "checked". The updates are installed, and they will apply to all users.
3. The updates do not need to be re-run for each user. (Again, we're talking about Automatic Updates for Windows, NOT antispyware apps.)
4. The user won't get confused because once the Windows updates are applied they will be in effect for all users.
Having said all this, it won't suprise me at all to find that it's partially wrong, and that some functions must be re-established for each user (much as is the case with MS Office).
-- B
--
In a realm outside causality and function |
|
spooler0
Premium
join:2004-11-17
| reply to gracie
said by gracie : "i pretty much figured that avs, ats, anti-spywares, etc. are best updated from admin."seems better to turn off auto updates and just run windows update from admin once a week along with updating the other security/privacy-related programs. Okay, now if it is installed and updated with all the vs, ts, adware and spyware scanners in the admin account, where is the user to run it from?
If run from the admin account, will that check all the limited accounts in every case? And if not, will all of those programs run properly from the limited account?
End question: If it needs to be installed and updated in the admin, but run in both admin and limited, will the user do so without getting confused? |
|
B
Premium,MVM
join:2000-10-28
| reply to gracie
I've continued to see first-hand and hear of Automatic Updates screwing up people's computers. Somewhat reluctantly, I suggest that you leave it off, as long as the user is already behind either a router or personal firewall software, and as long as competent human help is within reasonable reach (e.g., one week's time).
Just as in the past, it's best to deploy patches and updates when, and ONLY when, the user or the administrator deems it appropriate.
An unpatched vulnerability is slightly less impactful than a machine that won't even boot to Safe Mode because an "automatic" MS update flummoxed the whole frobdingnag.
-- B
--
In a realm outside causality and function |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| reply to Libra
said by Libra : I have XP Home and I have found if you want something to "take" it has to be done in the Admin account. I have to update BOClean, IE SpyAds, SpywareBlaster in the Admin Account before the settings will update in the limited user account. thanx guys for the thoughts. i pretty much figured that avs, ats, anti-spywares, etc. are best updated from admin. and instructed him to do so. my confusion was specifically about automatic updates for windows update. ms is pushing HARD for people to turn on automatic updates, at the same time as most security articles are finally encouraging people to run as user and limit their admin exposure. so i was wondering if they'd made a provision for automatic updates from windows update to be installable even if the user happens to be in their user account. if not (and i suspect it is not), their push to have users turn on auto updates is ridiculous.
seems better to turn off auto updates and just run windows update from admin once a week along with updating the other security/privacy-related programs.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
Libra
Premium
join:2003-08-06
USA
| reply to gracie
Hi Gracie,
I have XP Home and I have found if you want something to "take" it has to be done in the Admin account. I have to update BOClean, IE SpyAds, SpywareBlaster in the Admin Account before the settings will update in the limited user account. I recently changed AV because of numerous problems with EZAntivirus causing XP to freeze up. I was not able to update EZAv nor look at any logs, etc. while in a limited user account. I am now using AVG 7 free and it updates and runs scheduled scans in a limited user account! What a pleasure.
I changed a setting in Real Player in a limited user account, when I checked the setting, it didn't take. I had to do it in the admin account.
I also found as far as IE settings and Mozilla settings are concerned, you set each of them in the account you are using. I'm new to XP, but maybe this will help.
One more thing (this probably applies to XP Pro also) you are suppose to run Spybot in each account individually.
Sincerly, Libra |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to gracie
There will be updates that require admin privileges to install so i think your suggestion to use admin account, every now and then to update, will work the best
Cudni
--
Whether you think that you can, or that you can't, you are usually right.
Help yourself so God can help you..it does exactly what it says on the sig |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| i don't have automatic updates for WU enabled, and i run XP Pro so i'm just not sure of this. the friend whose computer i was setting up for him has agreed to my suggestion to run most of the time online as a user and not admin, using his admin account mainly for maintenance, installing, etc. he is running xp home (which believe me was a learning curve for me...who thunk that one up?).
though i usually advise against ms auto update (i like to see what the guinea pigs say before patching, after bitter experience), for this guy, auto is best, believe me . so once we got him on broadband, i enabled his windows automatic update. but now i'm concerned that if he's in his user account much of the time, auto updates won't work. when we do manual windows updates, you have to be running as admin.; is it the same for auto updates?
in other words, will he miss updates because he's running in user mode, necessitating him to go into admin and update manually once a week? no biggie (it's what i do) but figured then i would just turn off auto updates.
any insight into this, or any other xp home tips i might have missed (finally figured out how to get into the "hidden" admin account to at least set a password, though you can't rename it), would be appreciated! thanx.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
