Post-Setup Security Updates

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Post-Setup Security Updates

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 2 weeks, 1 day ago.

  • Author
    Posts
  • #2214

    Webmaster
    Keymaster

    Applies To:Windows Server 2003 with SP1
    What does Post-Setup Security Updates do?
    Post-Setup Security Updates is designed to help protecta new server installation from risk of infection between thetimethe
    server is first connected to the network and theapplication of the most recent security updates from Windows Update.
    Post-Setup Security Updates is a user interfacethatappears thefirst timean administrator logs onto the new server and
    provides links for you to apply updates to your server and to configureautomatic updates. Post-Setup Security Updates also
    informs theadministrator thatall inbound connections other than thosespecifically opened during setup or by policy settings,
    were blocked. If theadministrator setexceptions to thefirewall through Group Policy or by an unattended setup script,
    inbound connections assigned to theseexceptions remain open.
    Post-Setup Security Updates is notavailablefrom the Start menu and is only available under specific conditions as described
    later in this document.
    Note
    Post-Setup Security Updates does notappear when theserver is being upgraded from thefollowing operating systems:
    – Windows NTServer 4.0 to Windows Server 2003 with Service Pack 1
    – Windows 2000 Server to Windows Server 2003 with Service Pack 1
    – Windows Server 2003 to Windows Server 2003 with Service Pack 1
    Who does this feature apply to?
    Post-Setup Security Updates applies to Windows server administrators who are performing a full installation of Windows
    Server 2003 that includes Service Pack 1 or later (such as a slip-stream version of Windows Server 2003 with Service Pack 1).
    This feature does notapply if either of thefollowing statements is true:
    Windows Firewall is enabled or disabled using an unattended-setup script for operating system installation.
    Windows Firewall is enabled or disabled by application of Group Policy before Post-Setup Security Updates is displayed.
    This feature does notapply if theadministrator is updating an existing Windows Server 2003 operating system by adding a
    service pack or if theadministrator is upgrading an existing Windows 2000 Server operating system to Windows Server 2003
    with Service Pack 1.
    Why is this change important?
    Security updates that mitigatevirus threats may have been released by Microsoft sincetherelease of the operating system
    files being installed. If the new server is connected to the network and a firewall is notenabled, theserver may beinfected with
    a virus beforethesecurity updates can be downloaded and installed. Post-Setup Security Updates uses the Windows Firewall
    to mitigatethis risk.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    Post-Setup Security Updates is a new featurein Windows Server 2003 Service Pack 1.
    Post-Setup Security Updates
    Detailed description
    If Windows Server 2003 with Service Pack 1 or later is installed as a new installation and Windows Firewall is notexplicitly
    enabled or disabled using an unattended-setup script during theinstallation or by application of Group Policy,Windows
    Firewall will beenabled by default on first startup and logon in order to allow theadministrator to securely download and
    install updates from Windows Update,and the Windows Server Post-Setup Security Updates screen will beshown.The PostSetup
    Security Updates screen informs you thatall inbound connections other than thosespecifically opened during setup or
    by policy settings, were blocked.
    Windows Firewall blocks all inbound connections with thefollowing exceptions:
    If Remote Desktop was enabled using an unattended-setup script during installation, port 3389 is not blocked.
    If Group Policy is used to apply policy settings that do notenable or disable Windows Firewall, but defineexceptions to
    thefirewall,exceptions defined by the policy settings are not blocked.
    Post-Setup Security Updates offers links to Windows Updateto allow you to download any security updates released sincethis
    operating system version was released and, if you have notalready doneso, provides the opportunity for you to configure
    Automatic Updates to help protect this server in thefuture.
    What happens when Post-Setup Security Updates is closed?
    If Windows Update or any other configuration changecauses a restart beforeyou click theFinish button on Post-Setup
    Security Updates, it reopens the next timean administrator logs on to theserver.
    If you close Post-Setup Security Updates using ALT+F4 or Task Manager, no changeis madeto theconfiguration of Windows
    Firewall.Thetests theserver uses to determine whether Post-Setup Security Updates should be displayed run again the next
    timea user logs on.
    When you click theFinish button on the Post-Setup Security Updates dialog box,a dialog boxexplaining theconsequences
    of closing Post-Setup Security Updates is displayed. In order to providecorrect information, thefollowing steps aretaken to
    determinethecurrent status of Windows Firewall:
    If you made no changes to the Windows Firewall configuration since Post-Setup Security Updates appeared,a
    confirmation dialog boxappears explaining that inbound connections will now be opened and giving you the
    opportunity to confirm thatyou are done with any post-setup security updates.When theaction is confirmed, Post-Setup
    Security Updates attempts to disable Windows Firewall and stop and disablethe Windows Firewall/Internet Connection
    Sharing service.
    If Windows Firewall is disabled successfully,a registry valueis set to suppress Post-Setup Security Updates in thefuture.
    It is possiblethat Windows Firewall is disabled successfully, but theattempt to stop the Windows Firewall/Internet
    Connection Sharing servicefails.
    If Windows Firewall settings cannot bechanged,a dialog boxappears explaining that no changes will be madeto
    inbound connection settings. Post-Setup Security Updates is not suppressed and thetests to determine whether PostSetup
    Security Updates should be displayed will berun again the next timea user logs on.
    If Windows Firewall was explicitly enabled or disabled since Post-Setup Security Updates appeared,a dialog boxappears
    explaining that no changes will be madeto inbound connection settings.Thesechanges could have been made by the
    application of Group Policy settings or by opening the Windows Firewall control panel and clicking OK to confirm the
    firewall settings. A registry valueis set to suppress Post-Setup Security Updates in thefuture.
    If the Windows Firewall/Internet Connection Sharing service was stopped or disabled since Post-Setup Security Updates
    appeared,a dialog boxappears explaining that no changes will be madeto inbound connection settings. A registry value
    is set to suppress Post-Setup Security Updates in thefuture.
    If Internet Connection Sharing was enabled since Post-Setup Security Updated appeared,a confirmation dialog box
    appears explaining that inbound connections will now be opened and giving you the opportunity to confirm thatyou are
    done with any post-setup security updates.When theaction is confirmed, Post-Setup Security Updates attempts to
    disable Windows Firewall.Theserviceshared between Windows Firewall and Internet Connection Sharing is not turned
    off.
    If thestate of thefirewall cannot be determined,a dialog boxappears explaining that no changes will be madeto
    inbound connection settings. Post-Setup Security Updates is not suppressed and thetests to determine whether PostSetup
    Security Updates should be displayed will berun again the next timea user logs on.
    Note
    Thetext on Post-Setup Security Updates is not refreshed if thefirewall status changes after theinitial display. If thestatus of
    thefirewall changes after itappears and beforetheFinish button is clicked, thetext may statethatall inbound connections
    are blocked when, in fact, they are not.When you click Finish, Post-Setup Security Updates checks thestatus of thefirewall
    again before displaying a dialog boxexplaining any changes to be made on closure.
    When will the Post-Setup Security Updates screen be displayed?
    Becausethis featureruns automatically and cannot bestarted on request,you can usethefollowing information to determine
    whether your server will display the Post-Setup Security Updates feature.
    Thefollowing tests arerun to determine whether or not to display Post-Setup Security Updates.
    Test Positive Result Negative result
    Is thelogged-on user an administrator? Continue on to the next test Skip theremaining tests and do not
    display Post-Setup Security
    Updates.Thesetests run again the
    next timea user logs on.
    Is this is a new installation of a version of Windows
    Server 2003 that includes Service Pack 1 or later (notan
    upgrade)
    Continue on to the next test Skip theremaining tests and do not
    display Post-Setup Security
    Updates.Theregistry valueis set to
    suppress Post-Setup Security
    Updates in thefuture.
    Has Post-Setup Security Updates been suppressed in the
    registry?
    Skip theremaining tests and do
    not display Post-Setup Security
    Updates
    Continue on to the next test
    Is the Windows Firewall/Internet Connection Sharing
    servicerunning?
    Continue on to the next test. Repeat this test for two minutes. If
    theservice has still not started, do
    not display Post-Setup Security
    Updates.Thesetests arerun again
    the next timea user logs on.
    Has Windows Firewall been explicitly enabled or
    disabled for thecurrent Windows Firewall profile?
    (Thefirewall may have been enabled or disabled using
    an unattended-setup scriptat thetime of installation or
    through theapplication of Group Policy settings or by
    opening the Windows Firewall control panel and clicking
    OK to confirm thefirewall settings.)
    Skip theremaining tests and do
    not display Post-Setup Security
    Updates. A registry valueis set
    to suppress Post-Setup Security
    Updates in thefuture.
    If Windows Firewall is enabled and
    the user did notenableit, display
    Post-Setup Security Updates.
    If thestatus of Windows Firewall
    cannot be determined do not
    display Post-Setup Security
    Updates.Thesetests arerun again
    the next timea user logs on.
    What works differently?
    Manage Your Server is notautomatically displayed until Post-Setup Security Updates closes.
    Post-Setup Security Updates does not causeany applications to work differently.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Windows Firewall (previously known as Internet Connection Firewall) was notenabled by defaultat theend of a new
    installation unless theadministrator enabled it using an unattended-setup script. Under thecircumstances described earlier in
    this document,Windows Firewall is now enabled automatically until Post-Setup Security Updates is finished.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    No new policy settings werecreated relating to Post-Setup Security Updates.Thefollowing valuein theregistry was added.
    This key does notaffect firewall settings.
    Setting name Location Previous
    default
    value
    Default
    value
    Possible values
    DontLaunchSecurityOOBE
    (DWORD)
    HKEY_LOCAL_MACHINE
    \SOFTWARE \Microsoft \Windows
    \Current Version \ServerOOBE
    \SecurityOOBE
    N/A This key
    does not
    exist by
    default.
    Thekey can exist or notexist. If thekey
    exists, Post-Setup Security Updates does
    not display.The numerical value of this
    setting is irrelevant.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    If you do new installations of a version of Windows Server 2003 that includes a service pack by using an unattended-setup
    scriptand you want to suppress Post-Setup Security Updates, it is recommended thatyou explicitly enable or disable Windows
    Firewall in either your setup script or by Group Policy.This changeautomatically suppresses Post-Setup Security Updates.

You must be logged in to reply to this topic.