Post-Setup Security Updates

  • Author
    Posts
    • #2214
      Webmaster
      Keymaster

      Applies To: Windows Server 2003 with SP1
      What does Post-Setup Security Updates do?
      Post-Setup Security Updates is designed to help protect a new server installation from risk of infection between the time the
      server is first connected to the network and the application of the most recent security updates from Windows Update.
      Post-Setup Security Updates is a user interface that appears the first time an administrator logs onto the new server and
      provides links for you to apply updates to your server and to configure automatic updates. Post-Setup Security Updates also
      informs the administrator that all inbound connections, other than those specifically opened during setup or by policy settings,
      were blocked. If the administrator set exceptions to the firewall through Group Policy or by an unattended setup script,
      inbound connections assigned to these exceptions remain open.
      Post-Setup Security Updates is not available from the Start menu and is only available under specific conditions as described
      later in this document.
      Note
      Post-Setup Security Updates does not appear when the server is being upgraded from the following operating systems:
      – Windows NT Server 4.0 to Windows Server 2003 with Service Pack 1
      – Windows 2000 Server to Windows Server 2003 with Service Pack 1
      – Windows Server 2003 to Windows Server 2003 with Service Pack 1
      Who does this feature apply to?
      Post-Setup Security Updates applies to Windows server administrators who are performing a full installation of Windows
      Server 2003 that includes Service Pack 1 or later (such as a slip-stream version of Windows Server 2003 with Service Pack 1).
      This feature does not apply if either of the following statements is true:
      – Windows Firewall is enabled or disabled using an unattended-setup script for operating system installation.
      – Windows Firewall is enabled or disabled by application of Group Policy before Post-Setup Security Updates is displayed.
      This feature does not apply if the administrator is updating an existing Windows Server 2003 operating system by adding a
      service pack or if the administrator is upgrading an existing Windows 2000 Server operating system to Windows Server 2003
      with Service Pack 1.
      Why is this change important?
      Security updates that mitigate virus threats may have been released by Microsoft since the release of the operating system
      files being installed. If the new server is connected to the network and a firewall is not enabled, the server may be infected with
      a virus before the security updates can be downloaded and installed. Post-Setup Security Updates uses the Windows Firewall
      to mitigate this risk.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Post-Setup Security Updates is a new feature in Windows Server 2003 Service Pack 1.
      Post-Setup Security Updates
      Detailed description
      If Windows Server 2003 with Service Pack 1 or later is installed as a new installation and Windows Firewall is not explicitly
      enabled or disabled using an unattended-setup script during the installation or by application of Group Policy, Windows
      Firewall will be enabled by default on first startup and logon in order to allow the administrator to securely download and
      install updates from Windows Update, and the Windows Server Post-Setup Security Updates screen will be shown. The
      Post-Setup Security Updates screen informs you that all inbound connections, other than those specifically opened during setup or
      by policy settings, were blocked.
      Windows Firewall blocks all inbound connections with the following exceptions:
      – If Remote Desktop was enabled using an unattended-setup script during installation, port 3389 is not blocked.
      – If Group Policy is used to apply policy settings that do not enable or disable Windows Firewall, but define exceptions to
        the firewall, exceptions defined by the policy settings are not blocked.
      Post-Setup Security Updates offers links to Windows Update to allow you to download any security updates released since this
      operating system version was released and, if you have not already done so, provides the opportunity for you to configure
      Automatic Updates to help protect this server in the future.
      What happens when Post-Setup Security Updates is closed?
      If Windows Update or any other configuration change causes a restart before you click the Finish button on Post-Setup
      Security Updates, it reopens the next time an administrator logs on to the server.
      If you close Post-Setup Security Updates using ALT+F4 or Task Manager, no change is made to the configuration of Windows
      Firewall. The tests the server uses to determine whether Post-Setup Security Updates should be displayed run again the next
      time a user logs on.
      When you click the Finish button on the Post-Setup Security Updates dialog box, a dialog box explaining the consequences
      of closing Post-Setup Security Updates is displayed. In order to provide correct information, the following steps are taken to
      determine the current status of Windows Firewall:
      – If you made no changes to the Windows Firewall configuration since Post-Setup Security Updates appeared, a
        confirmation dialog box appears explaining that inbound connections will now be opened and giving you the
        opportunity to confirm that you are done with any post-setup security updates. When the action is confirmed, Post-Setup
        Security Updates attempts to disable Windows Firewall and stop and disable the Windows Firewall/Internet Connection
        Sharing service.
        – If Windows Firewall is disabled successfully, a registry value is set to suppress Post-Setup Security Updates in the future.
          It is possible that Windows Firewall is disabled successfully, but the attempt to stop the Windows Firewall/Internet
          Connection Sharing service fails.
        – If Windows Firewall settings cannot be changed, a dialog box appears explaining that no changes will be made to
          inbound connection settings. Post-Setup Security Updates is not suppressed and the tests to determine whether
          Post-Setup Security Updates should be displayed will be run again the next time a user logs on.
      – If Windows Firewall was explicitly enabled or disabled since Post-Setup Security Updates appeared, a dialog box appears
        explaining that no changes will be made to inbound connection settings. These changes could have been made by the
        application of Group Policy settings or by opening the Windows Firewall control panel and clicking OK to confirm the
        firewall settings. A registry value is set to suppress Post-Setup Security Updates in the future.
      – If the Windows Firewall/Internet Connection Sharing service was stopped or disabled since Post-Setup Security Updates
        appeared, a dialog box appears explaining that no changes will be made to inbound connection settings. A registry value
        is set to suppress Post-Setup Security Updates in the future.
      – If Internet Connection Sharing was enabled since Post-Setup Security Updates appeared, a confirmation dialog box
        appears explaining that inbound connections will now be opened and giving you the opportunity to confirm that you are
        done with any post-setup security updates. When the action is confirmed, Post-Setup Security Updates attempts to
        disable Windows Firewall. The service shared between Windows Firewall and Internet Connection Sharing is not turned
        off.
      – If the state of the firewall cannot be determined, a dialog box appears explaining that no changes will be made to
        inbound connection settings. Post-Setup Security Updates is not suppressed and the tests to determine whether
        Post-Setup Security Updates should be displayed will be run again the next time a user logs on.
      Note
      The text on Post-Setup Security Updates is not refreshed if the firewall status changes after the initial display. If the status of
      the firewall changes after it appears and before the Finish button is clicked, the text may state that all inbound connections
      are blocked when, in fact, they are not. When you click Finish, Post-Setup Security Updates checks the status of the firewall
      again before displaying a dialog box explaining any changes to be made on closure.
      When will the Post-Setup Security Updates screen be displayed?
      Because this feature runs automatically and cannot be started on request, you can use the following information to determine
      whether your server will display the Post-Setup Security Updates feature.
      The following tests are run to determine whether or not to display Post-Setup Security Updates.
      | Test | Positive result | Negative result |
      |---|---|---|
      | Is the logged-on user an administrator? | Continue on to the next test. | Skip the remaining tests and do not display Post-Setup Security Updates. These tests run again the next time a user logs on. |
      | Is this a new installation of a version of Windows Server 2003 that includes Service Pack 1 or later (not an upgrade)? | Continue on to the next test. | Skip the remaining tests and do not display Post-Setup Security Updates. The registry value is set to suppress Post-Setup Security Updates in the future. |
      | Has Post-Setup Security Updates been suppressed in the registry? | Skip the remaining tests and do not display Post-Setup Security Updates. | Continue on to the next test. |
      | Is the Windows Firewall/Internet Connection Sharing service running? | Continue on to the next test. | Repeat this test for two minutes. If the service has still not started, do not display Post-Setup Security Updates. These tests are run again the next time a user logs on. |
      | Has Windows Firewall been explicitly enabled or disabled for the current Windows Firewall profile? (The firewall may have been enabled or disabled using an unattended-setup script at the time of installation or through the application of Group Policy settings or by opening the Windows Firewall control panel and clicking OK to confirm the firewall settings.) | Skip the remaining tests and do not display Post-Setup Security Updates. A registry value is set to suppress Post-Setup Security Updates in the future. | If Windows Firewall is enabled and the user did not enable it, display Post-Setup Security Updates. If the status of Windows Firewall cannot be determined, do not display Post-Setup Security Updates. These tests are run again the next time a user logs on. |
      What works differently?
      Manage Your Server is not automatically displayed until Post-Setup Security Updates closes.
      Post-Setup Security Updates does not cause any applications to work differently.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Windows Firewall (previously known as Internet Connection Firewall) was not enabled by default at the end of a new
      installation unless the administrator enabled it using an unattended-setup script. Under the circumstances described earlier in
      this document, Windows Firewall is now enabled automatically until Post-Setup Security Updates is finished.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      No new policy settings were created relating to Post-Setup Security Updates. The following value in the registry was added.
      This key does not affect firewall settings.
      | Setting name | Location | Previous default value | Default value | Possible values |
      |---|---|---|---|---|
      | DontLaunchSecurityOOBE (DWORD) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ServerOOBE\SecurityOOBE | N/A | This key does not exist by default. | The key can exist or not exist. If the key exists, Post-Setup Security Updates does not display. The numerical value of this setting is irrelevant. |
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      If you do new installations of a version of Windows Server 2003 that includes a service pack by using an unattended-setup
      script and you want to suppress Post-Setup Security Updates, it is recommended that you explicitly enable or disable Windows
      Firewall in either your setup script or by Group Policy. This change automatically suppresses Post-Setup Security Updates.
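
The display tests from the "When will the Post-Setup Security Updates screen be displayed?" table, modelled across successive logons as an added example (not part of the original post and not Microsoft's code). Field names and outcome labels are hypothetical; a firewall that is off without having been explicitly configured is not addressed by the table and is reported as such.

```python
from dataclasses import dataclass
from typing import Optional

DISPLAY = "display"
RETRY = "skip, tests run again at next logon"
SUPPRESS = "skip, registry value set to suppress"
SUPPRESSED = "skip, already suppressed"
NOT_COVERED = "not covered by the table"

@dataclass
class Server:
    # Hypothetical field names for the conditions the table tests.
    new_install: bool                  # new SP1-or-later install, not an upgrade
    suppressed: bool = False           # DontLaunchSecurityOOBE exists
    fw_service_running: bool = True    # result after the two-minute retry window
    fw_explicit: bool = False          # set by unattended script, Group Policy or control panel
    fw_enabled: Optional[bool] = True  # None: firewall status cannot be determined

def evaluate(srv: Server, is_admin: bool) -> str:
    """Apply the tests in table order; the first decisive test wins."""
    if not is_admin:
        return RETRY
    if not srv.new_install:
        return SUPPRESS
    if srv.suppressed:
        return SUPPRESSED
    if not srv.fw_service_running:
        return RETRY
    if srv.fw_explicit:
        return SUPPRESS
    if srv.fw_enabled is None:
        return RETRY
    # Enabled by default (not by the user) is the only case that displays.
    return DISPLAY if srv.fw_enabled else NOT_COVERED

def logon(srv: Server, is_admin: bool) -> str:
    """One logon: evaluate, then persist the suppress value when the table says so."""
    result = evaluate(srv, is_admin)
    if result == SUPPRESS:
        srv.suppressed = True
    return result

def simulate(srv: Server, logons: list) -> list:
    """Run a sequence of logons (True = administrator) against one server."""
    return [logon(srv, is_admin) for is_admin in logons]

if __name__ == "__main__":
    print(simulate(Server(new_install=True), [False, True]))
    print(simulate(Server(new_install=True, fw_explicit=True), [True, True]))
```

Only the outcomes that set the registry value are permanent; every other skip leaves the server eligible to show the screen at a later administrator logon.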
