Force https on MS Updates
Posted: Sun Mar 22, 2009 11:49 pm
It doesn't seem to be widely known, but you can obtain Microsoft Updates through an https SSL-secured connection.
[This is an answer, not a question, but one of the recent upgrades to NS was forcing https on sites, so it seems pertinent as well as safety-related. If the admin or many members feel it's O/T and should be deleted, cool. On the other hand, if he wants to make it sticky, that's OK too. Or just delete this paragraph.]
First, if you have Automatic Updates enabled, either disable them or set them to "Notify me but don't download or install them". This is done through Control Panel > Automatic Updates. (I personally disable them completely, but if anyone wants to discuss why/why not, that's a topic for a separate thread.)
Add the following to your list of Trusted sites in IE (IE Tools, or Control Panel > Internet Options > Security > click Trusted > Sites):
https://update.microsoft.com
https://www.update.microsoft.com (both needed, per MS.)
When you are notified, especially on Patch Tuesday (second Tuesday of each month, Redmond, Washington, USA time, UTC-8 in winter and UTC-7 in summer), expand the descriptions and decide which ones you want. Otherwise, you end up with garbage like SP3 or IE7. Then "cancel" the Auto-Update box on your desktop. Of course, you can check for updates any time you like, especially if you hear or read about a vulnerability so terrible that even MS patches it without waiting for Tuesday of next month.
Now go to https://update.microsoft.com, in your admin-privilege IE browser. (Discussion later about how to do it in Fx.) I personally have deleted the Windows Update shortcut and replaced it with an IE bookmark to the secure site. If you get a dialog box:
"You are about to view pages over a secure connection", > OK.
At some point, you will get a second dialog box:
"This page contains both encrypted and unencrypted content. Do you wish to view the unencrypted items?" (or something close.) You must check "NO", or else you immediately will be taken back to the insecure update page.
Be sure to check "Custom" scan. "Express" will again sneak unwanted updates onto your machine.
The scan for pertinent updates will happen. (MS literature seems to indicate that this scan itself is over a secure connection by default, although no browser icons or anything else seem to indicate that.)
You then review them (they're the same ones you saw in the Auto-Update box), uncheck the ones you don't want, Review And Install Updates, and the process continues normally. They download over your secure connection, install as usual, and prompt you to restart as usual. Done.
Aside from safety issues, phishing, etc., this will cost MS a lot of money for bandwidth and server capacity if everyone does it. Seems like a good argument in favor right there. Let's let them know that there *are* security-conscious people out there (even people who run Windows lol). Maybe they'll get a clue.
**************************
If you have disabled Automatic Updates completely, you need to do the following before going to the Update site, else you get an error message that says to do these. Might as well do them first.
[quote=MS]The site cannot continue because one or more of these Windows services is not running:
Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
Event Log (keeps a record of updating activities to help with troubleshooting, if needed)
To make sure these services are running:
1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.[/quote]
(No reboot is required for these changes -- TT)
**************************************
Note that you might get a failure message from the Auto-updater, since you did not let it do its thing. But you got them manually. If in any doubt, after reboot go to Control Panel > Add/Remove Programs, make sure "Show updates" is checked, and check the list near the bottom for the KB numbers of the desired updates. The date is a dead giveaway, too. But also check back again sometime after midnight on Patch Tuesday, i.e. about 1200 UTC on Wednesday. I've seen some updates released early in the day and others released later in the evening.
If you had Automatic Updates completely disabled, you will need to set it back to that after doing this. Also check back in the Services window (Start > Run, type services.msc > Enter). Double-click "Automatic Updates" and "Background Intelligent Transfer Service" and set each to Manual. Since this takes effect only on the next boot, stop these services now, too. (I would keep "Event Log" on Auto for other purposes.) Saves RAM, CPU, battery, time, etc., and stops the machine from continuing to query the AU server.
Feedback on this post is *very* welcome.
Is anyone interested in knowing how to get the updates securely through Fx, *without* any IE-emulation stuff and without adding ActiveX support to Fx?
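The Trusted-sites entries, the before/after service juggling and the KB check described in the post above, as an added PowerShell example; this is not code from TT's post. It assumes Windows XP with PowerShell 2.0 run from an admin console, the standard service names wuauserv (Automatic Updates), BITS and Eventlog, and IE's ZoneMap registry layout, where update.microsoft.com lives under Domains\microsoft.com\update with one value per URL scheme (zone 2 = Trusted). Only the https value is set, so plain http:// stays out of the Trusted zone.

```powershell
# Added example, not from the original post. Assumptions: XP + PowerShell 2.0,
# elevated console, service names wuauserv / BITS / Eventlog, and the IE ZoneMap
# registry layout below.

$ZoneMap     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone = 2   # IE zone IDs: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted

function Add-TrustedHttpsSite {
    # Registers https://<Sub>.<Domain> in the Trusted sites zone, and only the https scheme.
    param([string]$Domain, [string]$Sub)
    $key = Join-Path (Join-Path $ZoneMap $Domain) $Sub
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

function Enable-UpdateServices {
    # The three services the Update site refuses to run without (quoted MS text above).
    Set-Service -Name wuauserv -StartupType Automatic
    Set-Service -Name BITS     -StartupType Manual
    Set-Service -Name Eventlog -StartupType Automatic
    foreach ($s in 'wuauserv', 'BITS', 'Eventlog') {
        if ((Get-Service -Name $s).Status -ne 'Running') { Start-Service -Name $s }
    }
}

function Disable-UpdateServices {
    # Reverse step after installing: Manual startup and stopped now, so the box stops
    # polling the AU server. Event Log is deliberately left on Automatic.
    foreach ($s in 'wuauserv', 'BITS') {
        Set-Service -Name $s -StartupType Manual
        if ((Get-Service -Name $s).Status -eq 'Running') { Stop-Service -Name $s }
    }
}

function Test-InstalledKB {
    # Equivalent of Add/Remove Programs with "Show updates": did the chosen KBs land?
    param([string[]]$KB)
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($id in $KB) {
        New-Object PSObject -Property @{ KB = $id; Installed = ($installed -contains $id) }
    }
}

# Usage, in the order the post describes:
Add-TrustedHttpsSite -Domain 'microsoft.com' -Sub 'update'
Add-TrustedHttpsSite -Domain 'microsoft.com' -Sub 'www.update'
Enable-UpdateServices
# ... now visit https://update.microsoft.com in IE, answer NO to the mixed-content
#     prompt, pick Custom, select and install, reboot ...
Disable-UpdateServices
$chosen = @()   # fill in the KB numbers you ticked in the Custom scan, e.g. from the Review list
Test-InstalledKB -KB $chosen | Format-Table KB, Installed -AutoSize
```

Run Enable-UpdateServices before opening the site and Disable-UpdateServices after the post-install reboot; Get-HotFix reads the same Win32_QuickFixEngineering data that Add/Remove Programs shows, so a KB that reports Installed = False there is one the manual run did not actually apply.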