Registry/command line way to turn on pre-SP2 firewall & automatic updates?

mpeg4v3

I work as tech support for a 550-person residence hall, and have to deal with all of the people that don't understand the concept of patching their computer or clicking "no" instead of "yes" in IE.

Here it is, a year after Blaster, and I still get dozens of new residents with blaster, sasser, gaobot, korgo, or one of the tons of others. I know the best way would be for them to just run automatic updates for every day as well as regular visits to Windows Update, but it's not easy to tell that to 550 people.

So I'm looking for an automated solution. Something I can stick in a .cmd file that will auto-run off a CD. I need to figure out how to do the following things without having to go through a GUI interface:
1.) Turn on the Windows Firewall on the LAN interface (which I'm not sure is even possible since there may be unique keys for each computer in the registry for the LAN device?)
2.) Turn on Automatic Updates for every day at 12pm (yes, I mean 12pm. They can deal with the intrusion if it means a more secure computer).

Unfortunately, I CANNOT add a line to run the SP2 installer due to some liability crap that is a long story, so I need to do this all pre-SP2. Does anyone have any ideas?

If I can't get the firewall working through registry I'll probably force an install of a freeware firewall, and if I can't get automatic updates I'm going to look into AutoPatcherXP (I believe that is the name), but I'd rather use the built in stuff than having to force install freeware.
 
I use Software Update Service to push out what is needed. That and group policy for the firewall. Granted, it's a domain environment solution...
 
Yeah, I don't have that much control over the residents here. I want to be able to drop a CD off at the front desk and with the RA's that will basically say "This will clean your computer and protect it from most future problems" that will do all of the things I would need to be in the resident's room to do otherwise.
 
Best policy is to have them install SP2. I don't know what "liability crap" you're referring to, but your network is more of a liability without SP2 than with.

I'd say look into GP settings. Start here, and page back and forward for more information. Windows.com Search is your friend.
 
This isn't my network. I'm just the official tech support guy for this hall. There are five other halls on campus all like this one with similar people. We don't control the resident's computers.
The issue with SP2 is that if we make people install it, we will have to provide support for it, which means more issues for us since SP2 breaks several applications. This is a decision made by my boss's boss's boss, so I have NO control over it.
Also, unless group policy can be executed from the command line automatically, and, with no user intervention, turn on the firewall, I can't use it.
 
Actually, the biggest problem isn't SP2 breaking specific apps, it's SP2 breaking the system. I'm surprised that you're concerned about 'liability' as I know several schools strongly suggest or even require SP2 installation as a requirement for getting on the network & provide absolutely no support for post-install problems.
 
mpeg4v3 said:
This isn't my network. I'm just the official tech support guy for this hall. There are five other halls on campus all like this one with similar people. We don't control the resident's computers.
The issue with SP2 is that if we make people install it, we will have to provide support for it, which means more issues for us since SP2 breaks several applications. This is a decision made by my boss's boss's boss, so I have NO control over it.
Also, unless group policy can be executed from the command line automatically, and, with no user intervention, turn on the firewall, I can't use it.
Then you are SOL. Why not just have a firewall between the hall and the rest of the network or the internet?

And I would challenge your boss' boss' boss to name one app that SP2 actually breaks.
 
GreNME said:
Then you are SOL. Why not just have a firewall between the hall and the rest of the network or the internet?

Because people are still stupid and bring computers infected with sasser onto the network... which then makes it spread like wildfire to all of the people who never patched their computers.

GreNME said:
And I would challenge your boss' boss' boss to name one app that SP2 actually breaks.

The fact that it COULD break an app is enough of an issue. Unfortunately school started the day after SP2 got released to automatic updates so none of the "daddy bought me a new, overpowered computer" freshmen have SP2 installed on their brand new $4000 20lb laptops.

In order to get any changes done requires going through multiple departments of stupidity that would take forever. What I want to be able to do is find a way to accomplish this just based on what is currently set up, not get ideas for things that I cannot change at all.
 
mpeg4v3 said:
Because people are still stupid and bring computers infected with sasser onto the network... which then makes it spread like wildfire to all of the people who never patched their computers.
Which is why you can firewall the hall from the rest of the network and minimize damage.

The fact that it COULD break an app is enough of an issue. Unfortunately school started the day after SP2 got released to automatic updates so none of the "daddy bought me a new, overpowered computer" freshmen have SP2 installed on their brand new $4000 20lb laptops.

In order to get any changes done requires going through multiple departments of stupidity that would take forever. What I want to be able to do is find a way to accomplish this just based on what is currently set up, not get ideas for things that I cannot change at all.
I dunno, the biggest flaw I see is that not everyone is going to be running XP to begin with, so handing out a CD saying that everyone must run something that will only work in XP anyway is not going to solve your problem. Sure, you might have most people secured off, but then you'll still have that one shmuck who comes in infected and gets everyone who doesn't have a firewall.

Then you have the Mac people, who think they are invulnerable to viruses. The sad part there is that it isn't true, and that they are far more likely to be the carriers of the kind of virus that sneaks inside of a firewalled network. That's right, Macs can easily be carriers, and for every time I've come across an infected Mac, I've come across 20 incredulous users saying that it can't happen.

So, where is XP's firewall going to help with these situations?
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;884130

Note the line where it says: "If you are using a program that appears on this list, contact the software vendor for more information."

Now that SP2 is on Windows Update and widely available just by people passing it around, you are going to get people installing it, which means you will be helping them anyway. Tell your boss that there is no easy way to do what they think should be done. If they suck it up, recommend SP2, have documentation like the article above ready for students, then it might suck a little bit, but it will be better in the long run by far. What's better, a few machines with non-updated apps getting broken with an SP2 install, or savage raping by viruses and hackers because they aren't protected? Maybe you can just burn that Windows Update CD that came out back in Feb. It covers all OSes up till February and I think it actually tells you to "click here" to turn on your firewall, etc. Since it's not available anymore, I can ISO it for you and send it over if you give me a method. Once again though, tell your bosses that SP2 is here to stay, and the sooner they adopt it the sooner they will get to the next "safe plateau."

Update CD pics I found, I assume it's kosher to link:
http://www.neowin.net/staff/magoo/update/welcome.gif
http://www.neowin.net/staff/magoo/update/update.gif
http://www.neowin.net/staff/magoo/update/winsec.gif (firewall one)
http://www.neowin.net/staff/magoo/update/thanks.gif
 
GreNME said:
Which is why you can firewall the hall from the rest of the network and minimize damage.

How long has it been since you've been in college? It's not just as simple as "firewall off the dorms" or "firewall off the computer labs" - this shit costs money and requires people to maintain it and, given the fucked up way that funding tends to flow into campus IT departments (and the fact that most schools have woefully underpaid IT staff, it's hard to find people who could do the job right in the first place), it's hard to get common sense things like this done.
 
To enable the Automatic Updates service via the registry, try this in a .reg file:

Windows Registry Editor Version 5.00

; Start = 2 makes the service start automatically at boot (it comes up on the next reboot, or right away with "net start wuauserv")
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

As far as the firewall goes.... once Automatic Updates is turned on the PCs will automatically install SP2, enabling the firewall.... problem solved. You didn't install SP2 so you don't have to support it. :)
 
smr219 said:
To enable the Automatic Updates service via the registry, try this in a .reg file:

Windows Registry Editor Version 5.00

; Start = 2 makes the service start automatically at boot (it comes up on the next reboot, or right away with "net start wuauserv")
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

As far as the firewall goes.... once Automatic Updates is turned on the PCs will automatically install SP2, enabling the firewall.... problem solved. You didn't install SP2 so you don't have to support it. :)

You sneaky bastard.... This is a good point, the stance of "we didn't install it so we don't support it" is kind of hard to apply to Windows Update since they are literally OS updates, not third party apps.
 
Step 1. Get Regmon

Now run the software, and monitor the registry changes when you enable the firewall. This should lead you down the right path. It's the software I use whenever I want to know which reg. key changes something in Windows. It's basically a realtime registry monitor that tells you any reads/writes to the registry that occur. You can tell it specifically what to include/exclude; my favorite part is that you can double click on a line and it will open the corresponding registry entry in regedit.

I recommend at least checking this out ;). It should help you out.
 
mpeg4v3 said:
This isn't my network. We don't control the resident's computers.
The issue with SP2 is that if we make people install it, we will have to provide support for it, which means more issues for us since SP2 breaks several applications.

First, it is your network (the college's), second, if there is a requirement for all machines to have SP2, then you are not installing it. THEY are, in order to access YOUR network. It's simple, if they don't patch, they will not get on YOUR network. When they patch, they get access.

Since THEY are installing SP2, and maybe you're just providing them the download, support isn't your responsibility.

So the question is, is this a requirement of the network (whoever makes that call), or suggestion? What about other non-MS non-XP machines, or do you require XP? What about linux?

edit: Oh, one more thing, the logic here is very screwy... If you install SP2 but disable the firewall how does that get you out of supporting anything? In your view, ANY change to the computer, that you are asking for, could cause you to have to support it, which is BS. If that were the case, there would be no 'safe' method of deploying any patches to your network. Any patch/change could break software...
 
Here are some other registry options for automatic updates:

Windows Registry Editor Version 5.00

; 1 = do not offer XP SP2 through Automatic Updates (set to 0, or leave the value out, if SP2 is allowed to come down)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

; dword values in a .reg file are hex: 0000000c = 12 = noon (dword:00000012 would be 18 = 6pm)
; ScheduledInstallDay / ScheduledInstallTime only apply when AUOptions is 4
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000c

Value: NoAutoUpdate
0 - Enable Automatic Updates (Default)
1 - Disable Automatic Updates

Value: AUOptions
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install

Value: ScheduledInstallDay
0 - Install every day
1 to 7 - Install on specific day of the week from Sunday (1) to Saturday (7).

Value: ScheduledInstallTime
0 to 23 - Install time of day in 24-hour format
 
Also be careful about pushing out registry changes. The registry in Win9x and Win2k/XP is very different, and you could potentially screw up someone. If they have an old 9x machine and use this "Magic CD" which is designed for XP/2k it might cause problems. Make sure to note on the CD or something that it's for only the XP/2k systems.
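Putting smr219's Automatic Updates values into the kind of .cmd file mpeg4v3 asked for, as an added example that is not from anyone in this thread: it assumes Windows 2000/XP with reg.exe and sc.exe present and an Administrator account, checks the OS version first (the Win9x warning above), writes the values under the AU policy key in decimal (12 = noon, AUOptions 4 so the schedule actually fires), and starts the service. It deliberately leaves DoNotAllowXPSP2 alone; note that values under the Policies key override the Control Panel setting, so the resident will not be able to change them from the GUI afterwards.

```batch
@echo off
rem Added example, not from the thread. Targets Windows 2000/XP (NT 5.x) only,
rem because the registry layout on 9x/ME is different and reg.exe is not there.
rem Run as a local Administrator.

ver | find "Version 5." >nul
if errorlevel 1 (
    echo This CD is for Windows 2000/XP only. Nothing was changed.
    goto :eof
)

set AU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

rem NoAutoUpdate 0 = Automatic Updates on.
rem AUOptions 4 = download automatically and install on the schedule below
rem (2 or 3 only notify; the Scheduled* values are ignored for them).
rem ScheduledInstallDay 0 = every day. ScheduledInstallTime is an hour in
rem 24-hour format, given here in decimal (reg add /d takes decimal): 12 = noon.
reg add "%AU%" /v NoAutoUpdate /t REG_DWORD /d 0 /f >nul
reg add "%AU%" /v AUOptions /t REG_DWORD /d 4 /f >nul
reg add "%AU%" /v ScheduledInstallDay /t REG_DWORD /d 0 /f >nul
reg add "%AU%" /v ScheduledInstallTime /t REG_DWORD /d 12 /f >nul

rem Same effect as Start=2 on the wuauserv service key, plus start it now
rem instead of waiting for a reboot.
sc config wuauserv start= auto >nul
net start wuauserv >nul 2>&1

rem Show what was written so the tech can check it before leaving the room.
rem reg query prints DWORDs in hex: 0xc is 12, i.e. noon, not 0x12.
reg query "%AU%"
sc query wuauserv | find "STATE"
```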
 
Ok, let's see if I can do some clarification.
I go to San Diego State University. We DO NOT have a requirement on what computers can be on the network. We only have a "recommended specs" list and any computers under those specs we (the techs) do not have to fix.
I am a student here and just happened to get this job, which pays for my housing and food. What it entails, is that people call me, I setup an appointment, then go fix their computer. I DO NOT handle anything past the jack in the wall. That's an entirely different department.
We don't care if users install SP2; in fact, we encourage it. The issue lies in us going around and installing SP2. My boss said I can't. I'm not going to argue with him. Saying that I should will get me nowhere.
Each dorm is on two IP ranges behind a router. That means the entire network for my hall is two different, large Workgroups. If one person gets sasser, then the virus can easily autoscan the entire network and send itself out to unpatched computers. Using Ethereal I've managed to track down the MAC addresses of who has it for MY hall and cross reference them against our activation database and go hunting. But this is a time consuming fix. We already have the halls firewalled, it's just everything within that firewall still has a chance of getting sasser or whatever other RPC exploit virus from the people that don't understand computing basics.
The CD I'm going to make will not be mandatory. It will be located at the front desk and given to each RA and SUGGESTED that if you have problems, run it before contacting me. And don't worry, I know registry edits can be worrying, so I'm going to write in big, big, big, big, big bold letters that it's for Windows XP only. There will still be an idiot or two that runs it on 98 or ME, but at least my ass will be covered.

smr219 said:
Here are some other registry options for automatic updates:

Windows Registry Editor Version 5.00

; 1 = do not offer XP SP2 through Automatic Updates (set to 0, or leave the value out, if SP2 is allowed to come down)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

; dword values in a .reg file are hex: 0000000c = 12 = noon (dword:00000012 would be 18 = 6pm)
; ScheduledInstallDay / ScheduledInstallTime only apply when AUOptions is 4
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000c

Value: NoAutoUpdate
0 - Enable Automatic Updates (Default)
1 - Disable Automatic Updates

Value: AUOptions
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install

Value: ScheduledInstallDay
0 - Install every day
1 to 7 - Install on specific day of the week from Sunday (1) to Saturday (7).

Value: ScheduledInstallTime
0 to 23 - Install time of day in 24-hour format

THANK YOU THANK YOU THANK YOU! That's exactly what I need. The stance of "we didn't install it, Windows did" is perfectly acceptable to my boss. It may not be as good as doing Automatic Updates and turning the Firewall on, but at least this way the next day at 12pm they'll get a nice box asking them to restart the computer since updates are installed.

Direwolf20 said:
Step 1. Get Regmon

Now run the software, and monitor the registry changes when you enable the firewall. This should lead you down the right path. It's the software I use whenever I want to know which reg. key changes something in Windows. It's basically a realtime registry monitor that tells you any reads/writes to the registry that occur. You can tell it specifically what to include/exclude; my favorite part is that you can double click on a line and it will open the corresponding registry entry in regedit.

I recommend at least checking this out ;). It should help you out.

Ahh, thanks for the link. The only problem is I have no SP1 boxes to test it on ;) Looks like I'll have to go grab that trial of VMWare or start up VirtualPC on my Powerbook...
 
ameoba said:
How long has it been since you've been in college? It's not just as simple as "firewall off the dorms" or "firewall off the computer labs" - this shit costs money and requires people to maintain it and, given the fucked up way that funding tends to flow into campus IT departments (and the fact that most schools have woefully underpaid IT staff, it's hard to find people who could do the job right in the first place), it's hard to get common sense things like this done.
Easy there, tiger. I realize that, with bureaucracy being what it is, that I'm describing a pipe dream. However, in many cases, what needs to be pointed out to the bureaucrats who would rather spend time running red tape than they would fixing a problem is majorly two things:
  1. That they are not dealing with a stagnant or dormant situation. Volatile is putting such things lightly when describing these networks.
  2. It's either lock down or limit usage (ports, protocols, etc.). There are too many variables (see my statements about non-XP OSes) to take into account for someone to just expect the best from a weak or limited control system.

I understand the problems that go into maintenance. However, if there is a DHCP server handing out addresses, then communications can be cordoned off between different areas. This is not incredibly difficult in Win-, Lin-, or OS X-based networks. However, if he wants the easiest road, he can only allow http traffic to travel from and to non-authenticated machines.

Sure, it'd be a bitch and students would complain, but it's either that or the next dimwit with a 9x or 2k system without a firewall that is infected is going to wreak havoc.

Oh, and mpeg4v3, good luck with that. I understand the situation you're in, and it can be a real PITA for you guys. If you can talk your superiors into allowing for it, recommending that people think about installing SP2 would also be helpful on a lot of the machines. However, find a way to suggest in a manner that gives the students a choice to do it themselves, thus removing liability from you. ;)
 