Network Security Focus-Microsoft

RE: WSUS overriding GPO for reboot

Subject: RE: WSUS overriding GPO for reboot
Date: Wed, 13 Jul 2005 12:18:46 -0400

The "no automatical reboot" GPO setting is a little misleading in that it does 
not prevent a reboot  but rather postpones it if somebody is logged in.  I 
believe the recommendation is to manually apply patches to critical servers 
during maintenance periods (put them in a separate OU without different GPO).

From http://tinyurl.com/8nalu (microsoft.com)
"""
No Auto-restart for Scheduled Automatic Update Installation Options
This policy specifies that to complete a scheduled installation, Automatic 
Updates will wait for the computer to be restarted by any user who is logged 
on, instead of causing the computer to restart automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer 
automatically during a scheduled installation if a user is logged on to the 
computer. Instead, Automatic Updates will notify the user to restart the 
computer in order to complete the installation.  
"""

The topic is also (sort-of) covered on Tim Rains' Blog
http://blogs.msdn.com/tim_rains/archive/2004/11/15/257877.aspx

-Jeff

-----Original Message-----
From: Dirk Doerflinger [mailto:dirk.doerflinger@h2o-gmbh.de] 
Sent: Tuesday, July 12, 2005 5:32 AM
To: focus-ms@securityfocus.com
Subject: WSUS overriding GPO for reboot

Hello, 

I'll put this here because I regard a spontaneous reboot of a live server as a 
security issue (Kind of a DOS):

I approved some bugfixes for Server 2003 in WSUS.

In the GPO which applies to the Servers I set "no automatical reboot", no other 
GPO overrides this.

Now all XP and 2000 Clients got a "Computer is going to restart now [OK]"
messagebox while the servers simply restarted without any warning.

Windowsupdate.log says:

2005-07-12      09:00:50        1020    494     AU      ##  END  ##  AU:
Search for updates [CallId = {B669678A-F994-43C0-861D-0203CDCDC6A2}]
2005-07-12      09:00:50        1020    494     AU      #############
2005-07-12      09:00:53        1020    494     Report  REPORT EVENT:
{A833EE07-F822-43BA-A7FA-E47D26C992E1}  2005-07-12 09:00:48+0200        1
191     101     {90B61E13-9028-4348-86B0-CED032EFBEF6}  102     0
AutomaticUpdates        Success Content Install Installation successful and
restart required for the following update: Sicherheitsupdate für Windows Server 
2003 (KB896426)
2005-07-12      09:00:53        1020    494     Report  REPORT EVENT:
{D0512843-F412-4203-A9A4-B142E4403FA7}  2005-07-12 09:00:48+0200        1
194     102     {00000000-0000-0000-0000-000000000000}  0       0
AutomaticUpdates        Success Content Install Restart Required: To
complete the installation of the following updates, the computer will be 
restarted within 5 minutes:  - Sicherheitsupdate für Windows Server 2003
(KB896426)
2005-07-12      09:01:02        1020    acc     AU      AU found 1 sessions
to launch client into
2005-07-12      09:01:02        1020    acc     AU      Launched new AU
client for directive 'Reboot Pending', session id = 0x1
2005-07-12      09:01:02         752    1438    Misc    ===========  Logging
initialized (build: 5.8.0.2469, tz: +0200)  ===========
2005-07-12      09:01:02         752    1438    Misc      = Process:
C:\WINDOWS\system32\wuauclt.exe
2005-07-12      09:01:02         752    1438    AUClnt  Launched Client UI
process
2005-07-12      09:01:03         752    1438    AUClnt  AU client got new
directive = 'Reboot Pending', serviceId = 
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
2005-07-12      09:01:03        1020    df4     AU      AU setting client
response for sessionId 0x1 to 'Pending'
2005-07-12      09:01:17        1020    acc     AU      AU found 1 sessions
to launch client into
2005-07-12      09:15:52        1020    928     PT      Initializing simple
targeting cookie, clientId = a9d2ba6e-32c1-447a-91bf-a851ccfc3ac2, target group 
= Server, DNS name = h2oa1000.intranet.h2o-gmbh.de
2005-07-12      09:15:52        1020    928     PT        Server URL =
http://h2oa1001:8530/SimpleAuthWebService/SimpleAuth.asmx
2005-07-12      09:15:52        1020    928     Report  Uploading 1 events
using cached cookie, reporting URL =
http://h2oa1001:8530/ReportingWebService/ReportingWebService.asmx
2005-07-12      09:15:52        1020    928     Report  Reporter
successfully uploaded 1 events.
2005-07-12      09:47:48         752    1438    AUClnt  AU client got new
directive = 'Shutdown', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7},
return = 0x00000000
2005-07-12      09:47:48         752    1438    AUClnt  AU client reboot
notification: user clicked Restart Later
2005-07-12      09:47:48        1020    dec     AU      AU setting client
response for sessionId 0x1 to 'Pending'
2005-07-12      09:47:48        1020    dec     AU      Changing existing AU
client directive from 'Shutdown' to 'Reboot Pending', session id = 0x1
2005-07-12      09:48:02        1020    acc     AU      AU found 1 sessions
to launch client into
2005-07-12      09:48:02        1020    acc     AU      Launched new AU
client for directive 'Reboot Pending', session id = 0x1
2005-07-12      09:48:03        4424    17c4    Misc    ===========  Logging
initialized (build: 5.8.0.2469, tz: +0200)  ===========
2005-07-12      09:48:03        4424    17c4    Misc      = Process:
C:\WINDOWS\system32\wuauclt.exe
2005-07-12      09:48:03        4424    17c4    AUClnt  Launched Client UI
process
2005-07-12      09:48:03        4424    17c4    AUClnt  AU client got new
directive = 'Reboot Pending', serviceId = 
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
2005-07-12      09:48:03        1020    e14     AU      AU setting client
response for sessionId 0x1 to 'Pending'
2005-07-12      09:48:17        1020    acc     AU      AU found 1 sessions
to launch client into
2005-07-12      10:02:55        1020    acc     AU      WARNING: Initiating
reboot since no user logged on
2005-07-12      10:02:55        1020    acc     AU      AU invoking
RebootSystem (OnRebootNow)
2005-07-12      10:02:55        1020    acc     Misc    WARNING: SUS Client
is rebooting system.
2005-07-12      10:02:55        1020    acc     AU      AU rebooting machine
since no user is logged on and reboot is required.
2005-07-12      10:03:04        1020    acc     AU      WARNING: Initiating
reboot since no user logged on
2005-07-12      10:03:04        1020    acc     AU      AU invoking
RebootSystem (OnRebootNow)
2005-07-12      10:03:04        1020    acc     Misc    WARNING: Failed to
reboot system, hr=8007045B.
2005-07-12      10:03:04        1020    acc     AU      WARNING:
RebootSystem failed, error = 0x8007045B
2005-07-12      10:03:04        1020    acc     AU      AU invoking
RebootSystem (OnRebootRetry)
2005-07-12      10:03:04        1020    acc     Misc    WARNING: SUS Client
is rebooting system.
2005-07-12      10:03:14        1020    acc     AU      AU invoking
RebootSystem (OnRebootRetry)
2005-07-12      10:03:14        1020    acc     Misc    WARNING: Failed to
reboot system, hr=800706BB.
2005-07-12      10:03:24        1020    acc     AU      AU invoking
RebootSystem (OnRebootRetry)
2005-07-12      10:03:24        1020    acc     Misc    WARNING: Failed to
reboot system, hr=800706BB.
2005-07-12      10:03:35        1020    acc     Service *********
2005-07-12      10:03:35        1020    acc     Service **  END  **
Service: Service exit [Exit code = 0x240001]
2005-07-12      10:03:35        1020    acc     Service *************
2005-07-12      10:09:09        1048    c68     Misc    ===========  Logging
initialized (build: 5.8.0.2469, tz: +0200)  ===========
2005-07-12      10:09:09        1048    c68     Misc      = Process:
C:\WINDOWS\System32\svchost.exe

Eventlog says:

The process winlogon.exe has initiated the restart of <computer name> for the 
following reason: No title for this reason could be found.
Minor Reason: 0x80020002
Shutdown Type: reboot

According to eventid.net this message is generated when SUS is forcing a 
computer to reboot.

Does anybody have an explanation or can point me anywhere where I can find one? 
MS KB didn't help me yet.

Regards,

DD



______________________________________
Dipl. Ing. Dirk Doerflinger
IT Operator
Telephone +49 (0) 7627 9239 - 230
Telefax +49 (0) 7627 9239 - 200
H2O GmbH process water engineering
Wiesenstrasse 32
79585 Steinen/ Germany
www.h2o-gmbh.com
______________________________________ 

Clever ideas for clean water! 
______________________________________ 
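
A detection sketch for the behaviour discussed in this thread (an added example, not part of either message): it scans WindowsUpdate.log records for the point where Automatic Updates reboots because no user is logged on, and reports the time elapsed since the last "Restart Later" click. The sample records are constructed from the excerpt above and unwrapped to one record per line; the function names and event labels are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: records modelled on the WindowsUpdate.log excerpt quoted
# in the thread, unwrapped to one record per line.
SAMPLE_LOG = """\
2005-07-12  09:01:02  1020  acc   AU      Launched new AU client for directive 'Reboot Pending', session id = 0x1
2005-07-12  09:47:48  752   1438  AUClnt  AU client reboot notification: user clicked Restart Later
2005-07-12  09:48:02  1020  acc   AU      Launched new AU client for directive 'Reboot Pending', session id = 0x1
2005-07-12  10:02:55  1020  acc   AU      WARNING: Initiating reboot since no user logged on
2005-07-12  10:02:55  1020  acc   AU      AU invoking RebootSystem (OnRebootNow)
2005-07-12  10:03:04  1020  acc   Misc    WARNING: Failed to reboot system, hr=8007045B.
"""

# date, time, process id, thread id (hex), component, message
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(.*)$")

# Message fragments taken from the excerpt, mapped to hypothetical event labels.
KINDS = [
    ("user clicked Restart Later", "postponed"),
    ("Initiating reboot since no user logged on", "reboot_no_user"),
    ("invoking RebootSystem", "reboot_call"),
    ("Failed to reboot system", "reboot_failed"),
    ("directive 'Reboot Pending'", "prompt"),
]

def parse_events(text):
    """Return [(timestamp, component, kind)] for reboot-related records."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # banner or wrapped continuation line, not a record start
        date, time, _pid, _tid, component, message = m.groups()
        for fragment, kind in KINDS:
            if fragment in message:
                ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
                events.append((ts, component, kind))
                break
    return events

def unattended_reboots(text):
    """Reboots AU started because no user was logged on, with the delay in
    seconds since the last 'Restart Later' click (None if there was none)."""
    last_postpone, findings = None, []
    for ts, _component, kind in parse_events(text):
        if kind == "postponed":
            last_postpone = ts
        elif kind == "reboot_no_user":
            delay = (ts - last_postpone).total_seconds() if last_postpone else None
            findings.append({"time": ts.isoformat(sep=" "), "since_postpone_s": delay})
    return findings
```

Run it against the log file on the server rather than a mail-wrapped copy, since records broken across lines are skipped.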


