PA Bear [MS MVP]

[[ Right pew, wrong church. Forwarded to WSUS newsgroup (microsoft.public.windows.server.update_services) via crosspost as a convenience to OP.

On the web: http://www.microsoft.com/communities...pdate_services

In your newsreader: news://msnews.microsoft.com/microsof...pdate_services ]]

David wrote:
> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.
>
> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?
David

PA Bear

Thanks for assist.

David

"PA Bear [MS MVP]" <> wrote in message news:...
> [[ Right pew, wrong church. Forwarded to WSUS newsgroup (microsoft.public.windows.server.update_services) via crosspost as a convenience to OP.
>
> On the web: http://www.microsoft.com/communities...pdate_services
>
> In your newsreader: news://msnews.microsoft.com/microsof...pdate_services ]]
>
> David wrote:
>> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.
>>
>> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?
Lawrence Garvin [MVP]

> David wrote:
>> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.

Interesting...

>> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?

Eh???

Well, for one, you could simply not install WSUS? I mean, if you don't like the purpose for which it was intended, then simply Do Not Use!

Btw.... how have you been updating Windows computers for the past ten years? There's absolutely no difference in the behavior of a WSUS environment than there has been in the behavior of Automatic Updates since its inception way back in the dark ages.

As far as Adobe, et al. SURE they let you block the "call home" feature.... and you don't get any updates. You can do the same thing with Windows. You've *always* been able to do this with Windows, there's nothing any different now than there was ten years ago.

If you don't WANT updates for your Windows systems, then just disable the Automatic Updates service and be done with it.

But, maybe, the better way to approach this discussion is for you to describe *EXACTLY* what it is that you don't want to do, and what is it that makes you believe this is happening? And, more to the point, I'm curious if your questions are based on a full understanding of how the WU Agent and WU/MU and WSUS work, and what exactly happens when they (as you are wont to put it)... "phone home". Your use of the phrase "...or however WSUS allows this to occur" suggests to me that you're not really aware of what does or does not happen, and maybe your questions/reactions are based on misinformation and misunderstanding. What exactly is it about what you perceive as the "phone home" operation that you do not want to happen, that you think is happening.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
David

Mr. Garvin

Thanks for the response.

1) I have Automatic Updates disabled in Services, and invoke it as needed -- and -- yes you are right I do not fully comprehend WSUS but have been reading MSDN trying to increase my knowledge.

2) Where my problem lies is I don't like installed software calling home or getting outside of my system (onto the web) without my knowledge. This occurred the other day with Adobe Shockwave when it asked me if I wanted to update.

Over the years MS has added capability to have terminal services, windows messenger, remote access, Winsock, and who knows what else. Even dll's, from my perspective, pose issues, for who knows what all functions do that reside within any given dll. Yes you can get the header, and even the params if you want to put in some work, but to try and reverse engineer every dll would take one a lifetime.

In other words, I don't like the fact Microsoft -- by default -- installs all this stuff and the end user -- me -- has no knowledge it even exists on their system until you somehow stumble across it.

SO, my interest lies in how to "control", monitor, or limit installed software (including Microsoft's) on a stand alone client and stop any service, dll, or whatever from accessing the web without my knowledge.

I have never seen anything published that explains the above issues and solutions on where to go and what to set in order to stop them -- the above -- on a stand alone client.

"Lawrence Garvin [MVP]" <> wrote in message news:2E2F49E2-2DE3-44A3-8B77-...
>> David wrote:
>>> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.
>
> Interesting...
>
>>> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?
>
> Eh???
>
> Well, for one, you could simply not install WSUS? I mean, if you don't like the purpose for which it was intended, then simply Do Not Use!
>
> Btw.... how have you been updating Windows computers for the past ten years? There's absolutely no difference in the behavior of a WSUS environment than there has been in the behavior of Automatic Updates since its inception way back in the dark ages.
>
> As far as Adobe, et al. SURE they let you block the "call home" feature.... and you don't get any updates. You can do the same thing with Windows. You've *always* been able to do this with Windows, there's nothing any different now than there was ten years ago.
>
> If you don't WANT updates for your Windows systems, then just disable the Automatic Updates service and be done with it.
>
> But, maybe, the better way to approach this discussion is for you to describe *EXACTLY* what it is that you don't want to do, and what is it that makes you believe this is happening? And, more to the point, I'm curious if your questions are based on a full understanding of how the WU Agent and WU/MU and WSUS work, and what exactly happens when they (as you are wont to put it)... "phone home". Your use of the phrase "...or however WSUS allows this to occur" suggests to me that you're not really aware of what does or does not happen, and maybe your questions/reactions are based on misinformation and misunderstanding. What exactly is it about what you perceive as the "phone home" operation that you do not want to happen, that you think is happening.
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
Lawrence Garvin [MVP]

"David" <> wrote in message news:%...

> 1) I have Automatic Updates disabled in Services and invoke it as needed

I understand your reasoning for doing this; however, doing this is not the most optimal methodology for maintaining updates on a Windows computer.

-- and --

> yes you are right I do not fully comprehend WSUS but have been reading MSDN trying to increase my knowledge.

Cool.. I'll help where I can.

> 2) Where my problem lies is I don't like installed software calling home or getting outside of my system (onto the web) without my knowledge.

This is a reasonable desire. My answer to this desire would be that the correct solution is to *uninstall* (or never install in the first place), those products which are intended to automate the installation of updates, if you do not want those utilities automatically installing updates. We all have annoyances with Apple, Sun, and Adobe for their individual product updaters, and I agree they do not need to run as always-on applications. I have a couple of other applications who *ask* if they can check when the application is started up, and I get to say Yay/Nay at each invocation. I like that methodology.

However, the dark side of this is that if you disable them, you need to come up with a methodology for ensuring security updates for those Internet-enabled applications.

> Over the years MS has added capability to have terminal services, windows messenger, remote access, Winsock, and who knows what else. Even dll's, from my perspective, pose issues, for who knows what all functions do that reside within any given dll. Yes you can get the header, and even the params if you want to put in some work, but to try and reverse engineer every dll would take one a lifetime.
>
> In other words, I don't like the fact Microsoft -- by default -- installs all this stuff and the end user -- me -- has no knowledge it even exists on their system until you somehow stumble across it.

Let's not get confused between updating methodologies and whatever other applications, utilities, etc. may or may not be installed on a system.

I'm willing to address technical questions based on the design and operational parameters of WSUS and the WUAgent, but I'm not going to feed irrational paranoia.... OK? :-)

I truly doubt you understand all of the detailed working of the inside of the internal combustion engine in your car either -- but you have no problem pumping gasoline into it, or letting the local JiffyLube change the oil, right? At some point, with *every* product, you have to have a certain level of TRUST in the vendor of that product. If you can't have the trust -- a condition I referred to above as irrational paranoia -- then you're probably better off avoiding the product altogether.

The first thing to understand is that *ALL* Microsoft products, by fiat of Microsoft Corporation over four years ago, are updated via one client-side utility (the Windows Update Agent) and those updates are made available to the WUAgent either through Automatic Updates, the Windows Update/Microsoft Update websites, or for corporations/organizations -- Windows Server Update Services.

> SO, my interest lies in how to "control", monitor, or limit installed software (including Microsoft's) on a stand alone client and stop any service, dll, or whatever from accessing the web without my knowledge.

Before we get all caught up in "controlling" anything... you need to first determine what your criteria, and the criteria of the corporation/organization you work for, is with regard to maintaining security updates and operational updates on computers in order to ensure their continued functioning day to day. The *COST* of that maintenance is the use of the Windows Update Agent.

> I have never seen anything published that explains the above issues and solutions on where to go and what to set in order to stop them -- the above -- on a stand alone client.

That's because there's not really a lot of options. The functionality has existed, virtually unchanged with the same basic architecture, for over ten years now. To wit, here are the three basic options you have:

1. You could not update computers. This is a perfectly acceptable solution for computers that do not have Internet access, and are fairly well secured physically. Almost every security vulnerability identified today is Internet-borne, and the truth is that a non-connected machine is always going to be more secure than even a machine with every security patch applied the moment it becomes available.

2. You could take an overly controlling perspective on updating computers, and run the very significant risk that your attempts to control what goes on the machines, or the manner and time in which they get there, and end up having your machines infected because your methodologies create more risk than the system you're trying to avoid using.

3. You could accept that after ten years of existence, the Windows Update system (including Automatic Updates, Microsoft Update, and the Windows Server Update Services application) and the Windows Update Agent, are the single most efficient means of getting updates installed onto Windows-based systems.

The key with #3 is not being concerned about the methodology of obtaining and deploying those updates, but being reasonably involved with *what* updates are actually installed vs what updates are not really needed and can be Never Installed. This is the primary purpose of Windows Server Update Services -- giving the control of the *what is installed* to you, without requiring the overly controlling behavior of denying everything as a matter of practice.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
Dave Mills

Having read all your post I can only answer for WSUS (especially in this group)
Windows Update/Microsoft Update is a web based system that allows the client to go to MS and get the updates and other bits that MS publish. You have little control over this except by allowing or denying access to WU/MU.

WSUS on the other hand allows you to download a "list" of possible updates. YOU then decide which of those will be permitted to install on all of your clients. None of them can be installed without your explicit approval. If you deny access to WU/MU then there will be no way for the client to get updates without going via your WSUS server on which you decide what will be available.

WSUS also allows you to FORCE users to have the updates you want them to have, they can be set up to have little choice in this.

If however your clients have admin rights to their workstations you cannot stop them doing anything they wish. A Local Admin can always override the central administrator if they are clever enough.

In short WSUS will give you exactly the control you wish to have over MS Updates. Start reading the Ops and Deployment guides and you will see the control you will get.

Of course WSUS does nothing for Adobe, or any other 3rd party software. They do their own thing as always.

On Wed, 26 Aug 2009 11:28:14 -0400, "David" <> wrote:

> Mr. Garvin
>
> Thanks for the response.
>
> 1) I have Automatic Updates disabled in Services, and invoke it as needed -- and -- yes you are right I do not fully comprehend WSUS but have been reading MSDN trying to increase my knowledge.
>
> 2) Where my problem lies is I don't like installed software calling home or getting outside of my system (onto the web) without my knowledge. This occurred the other day with Adobe Shockwave when it asked me if I wanted to update.
>
> Over the years MS has added capability to have terminal services, windows messenger, remote access, Winsock, and who knows what else. Even dll's, from my perspective, pose issues, for who knows what all functions do that reside within any given dll. Yes you can get the header, and even the params if you want to put in some work, but to try and reverse engineer every dll would take one a lifetime.
>
> In other words, I don't like the fact Microsoft -- by default -- installs all this stuff and the end user -- me -- has no knowledge it even exists on their system until you somehow stumble across it.
>
> SO, my interest lies in how to "control", monitor, or limit installed software (including Microsoft's) on a stand alone client and stop any service, dll, or whatever from accessing the web without my knowledge.
>
> I have never seen anything published that explains the above issues and solutions on where to go and what to set in order to stop them -- the above -- on a stand alone client.
>
> "Lawrence Garvin [MVP]" <> wrote in message news:2E2F49E2-2DE3-44A3-8B77-...
>>> David wrote:
>>>> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.
>>
>> Interesting...
>>
>>>> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?
>>
>> Eh???
>>
>> Well, for one, you could simply not install WSUS? I mean, if you don't like the purpose for which it was intended, then simply Do Not Use!
>>
>> Btw.... how have you been updating Windows computers for the past ten years? There's absolutely no difference in the behavior of a WSUS environment than there has been in the behavior of Automatic Updates since its inception way back in the dark ages.
>>
>> As far as Adobe, et al. SURE they let you block the "call home" feature.... and you don't get any updates. You can do the same thing with Windows. You've *always* been able to do this with Windows, there's nothing any different now than there was ten years ago.
>>
>> If you don't WANT updates for your Windows systems, then just disable the Automatic Updates service and be done with it.
>>
>> But, maybe, the better way to approach this discussion is for you to describe *EXACTLY* what it is that you don't want to do, and what is it that makes you believe this is happening? And, more to the point, I'm curious if your questions are based on a full understanding of how the WU Agent and WU/MU and WSUS work, and what exactly happens when they (as you are wont to put it)... "phone home". Your use of the phrase "...or however WSUS allows this to occur" suggests to me that you're not really aware of what does or does not happen, and maybe your questions/reactions are based on misinformation and misunderstanding. What exactly is it about what you perceive as the "phone home" operation that you do not want to happen, that you think is happening.
>>
>> --
>> Lawrence Garvin, M.S., MCITP:EA, MCDBA
>> Principal/CTO, Onsite Technology Solutions, Houston, Texas
>> Microsoft MVP - Software Distribution (2005-2009)
>>
>> MS WSUS Website: http://www.microsoft.com/wsus
>> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
David

Mr. Garvin:

Thanks for the response and offer. Will take me a bit to digest what MSDN has but if any questions will post this thread.

You make some valid points. I still prefer the manual method -- I guess it's a control issue -- but given MS problems with updates (XP SP3 for example) who can blame me.

As indicated in your response I was painting a fairly broad brush which encompassed more than WSUS. While my points I believe are valid, this forum is obviously not the place to address them. Will try Window Security unless you have a better suggestion?

============

BTW - I change my own oil and just rebuilt an engine. This is another pet peeve of mine -- the number of TSB's (Technical Service Bulletins) each auto manufacturer issues with the same / similar problems that repeat year after year.

Unfortunately my "trust" has been eroded over the years. All you have to do is read the paper (banks, Madoff, programmer for Goldman Sachs, # of politicians convicted, Enron, Love Canal, Viet Nam club and mess scandals, etc., etc.). So a little "irrational paranoia" may be what the doctor ordered. :>)

Thanks for your time, input, and offer. Have a nice day!

David

"Lawrence Garvin [MVP]" <> wrote in message news:E52E69E1-C761-4CBA-861F-...
> "David" <> wrote in message news:%...
>
>> 1) I have Automatic Updates disabled in Services and invoke it as needed
>
> I understand your reasoning for doing this; however, doing this is not the most optimal methodology for maintaining updates on a Windows computer.
>
> -- and --
>
>> yes you are right I do not fully comprehend WSUS but have been reading MSDN trying to increase my knowledge.
>
> Cool.. I'll help where I can.
>
>> 2) Where my problem lies is I don't like installed software calling home or getting outside of my system (onto the web) without my knowledge.
>
> This is a reasonable desire. My answer to this desire would be that the correct solution is to *uninstall* (or never install in the first place), those products which are intended to automate the installation of updates, if you do not want those utilities automatically installing updates. We all have annoyances with Apple, Sun, and Adobe for their individual product updaters, and I agree they do not need to run as always-on applications. I have a couple of other applications who *ask* if they can check when the application is started up, and I get to say Yay/Nay at each invocation. I like that methodology.
>
> However, the dark side of this is that if you disable them, you need to come up with a methodology for ensuring security updates for those Internet-enabled applications.
>
>> Over the years MS has added capability to have terminal services, windows messenger, remote access, Winsock, and who knows what else. Even dll's, from my perspective, pose issues, for who knows what all functions do that reside within any given dll. Yes you can get the header, and even the params if you want to put in some work, but to try and reverse engineer every dll would take one a lifetime.
>>
>> In other words, I don't like the fact Microsoft -- by default -- installs all this stuff and the end user -- me -- has no knowledge it even exists on their system until you somehow stumble across it.
>
> Let's not get confused between updating methodologies and whatever other applications, utilities, etc. may or may not be installed on a system.
>
> I'm willing to address technical questions based on the design and operational parameters of WSUS and the WUAgent, but I'm not going to feed irrational paranoia.... OK? :-)
>
> I truly doubt you understand all of the detailed working of the inside of the internal combustion engine in your car either -- but you have no problem pumping gasoline into it, or letting the local JiffyLube change the oil, right? At some point, with *every* product, you have to have a certain level of TRUST in the vendor of that product. If you can't have the trust -- a condition I referred to above as irrational paranoia -- then you're probably better off avoiding the product altogether.
>
> The first thing to understand is that *ALL* Microsoft products, by fiat of Microsoft Corporation over four years ago, are updated via one client-side utility (the Windows Update Agent) and those updates are made available to the WUAgent either through Automatic Updates, the Windows Update/Microsoft Update websites, or for corporations/organizations -- Windows Server Update Services.
>
>> SO, my interest lies in how to "control", monitor, or limit installed software (including Microsoft's) on a stand alone client and stop any service, dll, or whatever from accessing the web without my knowledge.
>
> Before we get all caught up in "controlling" anything... you need to first determine what your criteria, and the criteria of the corporation/organization you work for, is with regard to maintaining security updates and operational updates on computers in order to ensure their continued functioning day to day. The *COST* of that maintenance is the use of the Windows Update Agent.
>
>> I have never seen anything published that explains the above issues and solutions on where to go and what to set in order to stop them -- the above -- on a stand alone client.
>
> That's because there's not really a lot of options. The functionality has existed, virtually unchanged with the same basic architecture, for over ten years now. To wit, here are the three basic options you have:
>
> 1. You could not update computers. This is a perfectly acceptable solution for computers that do not have Internet access, and are fairly well secured physically. Almost every security vulnerability identified today is Internet-borne, and the truth is that a non-connected machine is always going to be more secure than even a machine with every security patch applied the moment it becomes available.
>
> 2. You could take an overly controlling perspective on updating computers, and run the very significant risk that your attempts to control what goes on the machines, or the manner and time in which they get there, and end up having your machines infected because your methodologies create more risk than the system you're trying to avoid using.
>
> 3. You could accept that after ten years of existence, the Windows Update system (including Automatic Updates, Microsoft Update, and the Windows Server Update Services application) and the Windows Update Agent, are the single most efficient means of getting updates installed onto Windows-based systems.
>
> The key with #3 is not being concerned about the methodology of obtaining and deploying those updates, but being reasonably involved with *what* updates are actually installed vs what updates are not really needed and can be Never Installed. This is the primary purpose of Windows Server Update Services -- giving the control of the *what is installed* to you, without requiring the overly controlling behavior of denying everything as a matter of practice.
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
David

Mr. Mills:

Thanks for your input.

David

"Dave Mills" <> wrote in message news:...
> Having read all your post I can only answer for WSUS (especially in this group)
> Windows Update/Microsoft Update is a web based system that allows the client to go to MS and get the updates and other bits that MS publish. You have little control over this except by allowing or denying access to WU/MU.
>
> WSUS on the other hand allows you to download a "list" of possible updates. YOU then decide which of those will be permitted to install on all of your clients. None of them can be installed without your explicit approval. If you deny access to WU/MU then there will be no way for the client to get updates without going via your WSUS server on which you decide what will be available.
>
> WSUS also allows you to FORCE users to have the updates you want them to have, they can be set up to have little choice in this.
>
> If however your clients have admin rights to their workstations you cannot stop them doing anything they wish. A Local Admin can always override the central administrator if they are clever enough.
>
> In short WSUS will give you exactly the control you wish to have over MS Updates. Start reading the Ops and Deployment guides and you will see the control you will get.
>
> Of course WSUS does nothing for Adobe, or any other 3rd party software. They do their own thing as always.
>
> On Wed, 26 Aug 2009 11:28:14 -0400, "David" <> wrote:
>
>> Mr. Garvin
>>
>> Thanks for the response.
>>
>> 1) I have Automatic Updates disabled in Services, and invoke it as needed -- and -- yes you are right I do not fully comprehend WSUS but have been reading MSDN trying to increase my knowledge.
>>
>> 2) Where my problem lies is I don't like installed software calling home or getting outside of my system (onto the web) without my knowledge. This occurred the other day with Adobe Shockwave when it asked me if I wanted to update.
>>
>> Over the years MS has added capability to have terminal services, windows messenger, remote access, Winsock, and who knows what else. Even dll's, from my perspective, pose issues, for who knows what all functions do that reside within any given dll. Yes you can get the header, and even the params if you want to put in some work, but to try and reverse engineer every dll would take one a lifetime.
>>
>> In other words, I don't like the fact Microsoft -- by default -- installs all this stuff and the end user -- me -- has no knowledge it even exists on their system until you somehow stumble across it.
>>
>> SO, my interest lies in how to "control", monitor, or limit installed software (including Microsoft's) on a stand alone client and stop any service, dll, or whatever from accessing the web without my knowledge.
>>
>> I have never seen anything published that explains the above issues and solutions on where to go and what to set in order to stop them -- the above -- on a stand alone client.
>>
>> "Lawrence Garvin [MVP]" <> wrote in message news:2E2F49E2-2DE3-44A3-8B77-...
>>>> David wrote:
>>>>> As a stand alone client, I don't like installed programs calling home or however WSUS allows this to occur.
>>>
>>> Interesting...
>>>
>>>>> Is there any way to block / stop the call home or update notification feature for installed programs (Adobe is one I know does this)?
>>>
>>> Eh???
>>>
>>> Well, for one, you could simply not install WSUS? I mean, if you don't like the purpose for which it was intended, then simply Do Not Use!
>>>
>>> Btw.... how have you been updating Windows computers for the past ten years? There's absolutely no difference in the behavior of a WSUS environment than there has been in the behavior of Automatic Updates since its inception way back in the dark ages.
>>>
>>> As far as Adobe, et al. SURE they let you block the "call home" feature.... and you don't get any updates. You can do the same thing with Windows. You've *always* been able to do this with Windows, there's nothing any different now than there was ten years ago.
>>>
>>> If you don't WANT updates for your Windows systems, then just disable the Automatic Updates service and be done with it.
>>>
>>> But, maybe, the better way to approach this discussion is for you to describe *EXACTLY* what it is that you don't want to do, and what is it that makes you believe this is happening? And, more to the point, I'm curious if your questions are based on a full understanding of how the WU Agent and WU/MU and WSUS work, and what exactly happens when they (as you are wont to put it)... "phone home". Your use of the phrase "...or however WSUS allows this to occur" suggests to me that you're not really aware of what does or does not happen, and maybe your questions/reactions are based on misinformation and misunderstanding. What exactly is it about what you perceive as the "phone home" operation that you do not want to happen, that you think is happening.
>>>
>>> --
>>> Lawrence Garvin, M.S., MCITP:EA, MCDBA
>>> Principal/CTO, Onsite Technology Solutions, Houston, Texas
>>> Microsoft MVP - Software Distribution (2005-2009)
>>>
>>> MS WSUS Website: http://www.microsoft.com/wsus
>>> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that don't.
Harry Johnston [MVP]
Guest
Posts: n/a
|
David wrote:
> 2) Where my problem lies is I don't like installed software calling home or
> getting outside of my system (onto the web) without my knowledge. This
> occurred the other day with Adobe Shockwave when it asked me if I wanted to
> update.

OK, just to spell this out in case you're still confused about it: this behaviour has nothing to do with anything that Microsoft installed. It's all Adobe.

WSUS can't help with third-party products, and from the sounds of it, it won't be any use to you anyway - WSUS is for controlling (Microsoft) updating for lots of computers at once, and provides no useful functionality whatsoever if you only have one computer to update.

It seems to me that what you really want is a two-way firewall. I believe the built-in firewall in Windows Vista and above can do this, but there are also lots of free products out there if you don't like the Windows one. Most software installers will open holes in the Windows firewall as necessary for their updaters, but you can close them again, so long as you remember to check.

Be aware also that sufficiently determined software (e.g., malware) can bypass any software-based firewall; if you're really worried, you might want to invest in a two-way hardware firewall instead.

Harry.

David wrote:
> Mr. Garvin
>
> Thanks for the response.
>
> 1) I have Automatic Updates disabled in Services.
> and invoke it as needed -- and --
> yes you are right I do not fully comprehend WSUS but have
> been reading MSDN trying to increase my knowledge.
>
> 2) Where my problem lies is I don't like installed software calling home or
> getting outside of my system (onto the web) without my knowledge. This
> occurred the other day with Adobe Shockwave when it asked me if I wanted to
> update.
>
> Over the years MS has added capability to have terminal services, windows
> messenger, remote access, Winsock, and who knows what else. Even dll's,
> from my perspective, pose issues, for who knows what all functions do that
> reside within any given dll. Yes you can get the header, and even the
> params if you want to put in some work, but to try and reverse engineer
> every dll would take one a lifetime.
>
> In other words, I don't like the fact Microsoft -- by default -- installs
> all this stuff and the end user -- me -- has no knowledge it even exists on
> their system until you somehow stumble across it.
>
> SO, my interest lies in how to "control", monitor, or limit installed
> software (including Microsoft's) on a stand alone client and stop any
> service, dll, or whatever from accessing the web without my knowledge.
>
> I have never seen anything published that explains the above issues and
> solutions on where to go and what to set in order to stop them -- the
> above -- on a stand alone client.
>
>
>
> "Lawrence Garvin [MVP]" <> wrote in message
> news:2E2F49E2-2DE3-44A3-8B77-...
>>> David wrote:
>>>> As a stand alone client, I don't like installed programs calling home or
>>>> however WSUS allows this to occur.
>> Interesting...
>>
>>>> Is there any way to block / stop the call home or update notification
>>>> feature for installed programs (Adobe is one I know does this)?
>> Eh???
>>
>> Well, for one, you could simply not install WSUS? I mean, if you don't
>> like the purpose for which it was intended, then simply Do Not Use!
>>
>>
>> Btw.... how have you been updating Windows computers for the past ten
>> years? There's absolutely no difference in the behavior of a WSUS
>> environment than there has been in the behavior of Automatic Updates since
>> its inception way back in the dark ages.
>>
>> As far as Adobe, et.al. SURE they let you block the "call home"
>> feature.... and you don't get any updates. You can do the same thing with
>> Windows. You've *always* been able to do this with Windows, there's
>> nothing any different now than there was ten years ago.
>>
>> If you don't WANT updates for your Windows systems, then just disable the
>> Automatic Updates service and be done with it.
>>
>> But, maybe, the better way to approach this discussion is for you to
>> describe *EXACTLY* what it is that you don't want to do, and what is it
>> that makes you believe this is happening? And, more to the point, I'm
>> curious if your questions are based on a full understanding of how the WU
>> Agent and WU/MU and WSUS work, and what exactly happens when they (as you
>> are wont to put it)... "phone home". Your use of the phrase "...or however
>> WSUS allows this to occur" suggests to me that you're not really aware of
>> what does or does not happen, and maybe your questions/reactions are based
>> on misinformation and misunderstanding. What exactly is it about what you
>> perceive as the "phone home" operation that you do not want to happen,
>> that you think is happening.
>>
>> --
>> Lawrence Garvin, M.S., MCITP:EA, MCDBA
>> Principal/CTO, Onsite Technology Solutions, Houston, Texas
>> Microsoft MVP - Software Distribution (2005-2009)
>>
>> MS WSUS Website: http://www.microsoft.com/wsus
>> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>>
>
>
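Harry Johnston's reply above notes that installers open holes in the Windows firewall for their updaters and that they can be closed again if you remember to check. The following is an added example, not part of the thread: Python that parses the text printed by `netsh advfirewall firewall show rule name=all verbose` and lists enabled allow rules for programs outside the Windows directory. The sample output, rule names and paths are constructed, and English-language field labels are assumed.

```python
import re
from ntpath import normcase  # Windows path rules on any OS

# Constructed sample, abridged to the fields used here, in the layout of
#   netsh advfirewall firewall show rule name=all verbose
# on English-language Windows. Rule names and paths are made up.
SAMPLE = r"""Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              %SystemRoot%\system32\svchost.exe
Action:                               Allow

Rule Name:                            Example Updater
Enabled:                              Yes
Direction:                            In
Program:                              C:\Program Files\ExampleVendor\updater.exe
Action:                               Allow

Rule Name:                            Example Updater (closed by user)
Enabled:                              Yes
Direction:                            Out
Program:                              C:\Program Files\ExampleVendor\updater.exe
Action:                               Block
"""
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s+(\S.*)$", line)
        if not m:
            continue  # separator rows and blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})  # every rule block starts with its name
        if rules:
            rules[-1][key] = value
    return rules

def open_third_party_rules(rules):
    hits = []
    for r in rules:
        prog = r.get("Program", "Any")
        if r.get("Enabled") != "Yes" or r.get("Action") != "Allow":
            continue  # disabled or blocking rules are not open holes
        if prog == "Any" or normcase(prog).startswith(SYSTEM_PREFIXES):
            continue  # port-only rules and Windows' own binaries
        hits.append((r["Rule Name"], r.get("Direction"), prog))
    return hits
```

The Windows firewall allows outbound connections by default, so an updater needs no rule to call out. The listing shows only explicit openings; stopping outbound traffic takes a block rule or a default-block outbound policy.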
David
Guest
Posts: n/a
|
Mr. Johnston:
Thanks for your input.

Re: Hardware Firewall -- have one. I don't know if you're aware but per Gibson, running two in series gives "ultimate??" protection.

FWIW - my biggest issue lies with "dll's". I guess I'm at a Catch 22. If a 3rd party program -- or even one you develop yourself which uses a 3rd party dll, the only options appear to be:

If I need it -- I need it, and if I don't -- don't load it!

So much for security!!

David

"Harry Johnston [MVP]" <> wrote in message news:%...
> David wrote:
>
> > 2) Where my problem lies is I don't like installed software calling home or
> > getting outside of my system (onto the web) without my knowledge. This
> > occurred the other day with Adobe Shockwave when it asked me if I wanted to
> > update.
>
> OK, just to spell this out in case you're still confused about it: this
> behaviour has nothing to do with anything that Microsoft installed. It's
> all Adobe.
>
> WSUS can't help with third-party products, and from the sounds of it, it
> won't be any use to you anyway - WSUS is for controlling (Microsoft)
> updating for lots of computers at once, and provides no useful
> functionality whatsoever if you only have one computer to update.
>
> It seems to me that what you really want is a two-way firewall. I believe
> the built-in firewall in Windows Vista and above can do this, but there
> are also lots of free products out there if you don't like the Windows
> one. Most software installers will open holes in the Windows firewall as
> necessary for their updaters, but you can close them again, so long as you
> remember to check.
>
> Be aware also that sufficiently determined software (e.g., malware) can
> bypass any software-based firewall; if you're really worried, you might
> want to invest in a two-way hardware firewall instead.
>
> Harry.
>
>
> David wrote:
>> Mr. Garvin
>>
>> Thanks for the response.
>>
>> 1) I have Automatic Updates disabled in Services.
>> and invoke it as needed -- and --
>> yes you are right I do not fully comprehend WSUS but have
>> been reading MSDN trying to increase my knowledge.
>>
>> 2) Where my problem lies is I don't like installed software calling home
>> or getting outside of my system (onto the web) without my knowledge.
>> This occurred the other day with Adobe Shockwave when it asked me if I
>> wanted to update.
>>
>> Over the years MS has added capability to have terminal services, windows
>> messenger, remote access, Winsock, and who knows what else. Even dll's,
>> from my perspective, pose issues, for who knows what all functions do
>> that reside within any given dll. Yes you can get the header, and even
>> the params if you want to put in some work, but to try and reverse
>> engineer every dll would take one a lifetime.
>>
>> In other words, I don't like the fact Microsoft -- by default -- installs
>> all this stuff and the end user -- me -- has no knowledge it even exists
>> on their system until you somehow stumble across it.
>>
>> SO, my interest lies in how to "control", monitor, or limit installed
>> software (including Microsoft's) on a stand alone client and stop any
>> service, dll, or whatever from accessing the web without my knowledge.
>>
>> I have never seen anything published that explains the above issues and
>> solutions on where to go and what to set in order to stop them -- the
>> above -- on a stand alone client.
>>
>>
>>
>> "Lawrence Garvin [MVP]" <> wrote in message
>> news:2E2F49E2-2DE3-44A3-8B77-...
>>>> David wrote:
>>>>> As a stand alone client, I don't like installed programs calling home
>>>>> or however WSUS allows this to occur.
>>> Interesting...
>>>
>>>>> Is there any way to block / stop the call home or update notification
>>>>> feature for installed programs (Adobe is one I know does this)?
>>> Eh???
>>>
>>> Well, for one, you could simply not install WSUS? I mean, if you don't
>>> like the purpose for which it was intended, then simply Do Not Use!
>>>
>>>
>>> Btw.... how have you been updating Windows computers for the past ten
>>> years? There's absolutely no difference in the behavior of a WSUS
>>> environment than there has been in the behavior of Automatic Updates
>>> since its inception way back in the dark ages.
>>>
>>> As far as Adobe, et.al. SURE they let you block the "call home"
>>> feature.... and you don't get any updates. You can do the same thing
>>> with Windows. You've *always* been able to do this with Windows, there's
>>> nothing any different now than there was ten years ago.
>>>
>>> If you don't WANT updates for your Windows systems, then just disable
>>> the Automatic Updates service and be done with it.
>>>
>>> But, maybe, the better way to approach this discussion is for you to
>>> describe *EXACTLY* what it is that you don't want to do, and what is it
>>> that makes you believe this is happening? And, more to the point, I'm
>>> curious if your questions are based on a full understanding of how the
>>> WU Agent and WU/MU and WSUS work, and what exactly happens when they (as
>>> you are wont to put it)... "phone home". Your use of the phrase "...or
>>> however WSUS allows this to occur" suggests to me that you're not really
>>> aware of what does or does not happen, and maybe your
>>> questions/reactions are based on misinformation and misunderstanding.
>>> What exactly is it about what you perceive as the "phone home" operation
>>> that you do not want to happen, that you think is happening.
>>>
>>> --
>>> Lawrence Garvin, M.S., MCITP:EA, MCDBA
>>> Principal/CTO, Onsite Technology Solutions, Houston, Texas
>>> Microsoft MVP - Software Distribution (2005-2009)
>>>
>>> MS WSUS Website: http://www.microsoft.com/wsus
>>> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>>>
>>