Post-Setup Security Updates

Applies To: Windows Server 2003 with SP1

What does Post-Setup Security Updates do?

Post-Setup Security Updates is designed to help protect a new server installation from risk of infection between the time the server is first connected to the network and the application of the most recent security updates from Windows Update.

Post-Setup Security Updates is a user interface that appears the first time an administrator logs on to the new server. It provides links for applying updates to your server and for configuring automatic updates. Post-Setup Security Updates also informs the administrator that all inbound connections, other than those specifically opened during setup or by policy settings, were blocked. If the administrator set exceptions to the firewall through Group Policy or by an unattended setup script, inbound connections assigned to these exceptions remain open.

Post-Setup Security Updates is not available from the Start menu and is only available under specific conditions as described later in this document.

Note

Post-Setup Security Updates does not appear when the server is being upgraded from the following operating systems:

  • Windows NT Server 4.0 to Windows Server 2003 with Service Pack 1

  • Windows 2000 Server to Windows Server 2003 with Service Pack 1

  • Windows Server 2003 to Windows Server 2003 with Service Pack 1

Who does this feature apply to?

Post-Setup Security Updates applies to Windows server administrators who are performing a full installation of Windows Server 2003 that includes Service Pack 1 or later (such as a slip-stream version of Windows Server 2003 with Service Pack 1). This feature does not apply if either of the following statements is true:

  • Windows Firewall is enabled or disabled using an unattended-setup script for operating system installation.

  • Windows Firewall is enabled or disabled by application of Group Policy before Post-Setup Security Updates is displayed.

This feature does not apply if the administrator is updating an existing Windows Server 2003 operating system by adding a service pack or if the administrator is upgrading an existing Windows 2000 Server operating system to Windows Server 2003 with Service Pack 1.

Why is this change important?

Security updates that mitigate virus threats may have been released by Microsoft since the release of the operating system files being installed. If the new server is connected to the network and a firewall is not enabled, the server may be infected with a virus before the security updates can be downloaded and installed. Post-Setup Security Updates uses the Windows Firewall to mitigate this risk.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Post-Setup Security Updates is a new feature in Windows Server 2003 Service Pack 1.

Post-Setup Security Updates

Detailed description

If Windows Server 2003 with Service Pack 1 or later is installed as a new installation, and Windows Firewall is not explicitly enabled or disabled by an unattended-setup script during the installation or by application of Group Policy, Windows Firewall is enabled by default on first startup and logon. This allows the administrator to securely download and install updates from Windows Update. The Windows Server Post-Setup Security Updates screen is then shown. The screen informs you that all inbound connections, other than those specifically opened during setup or by policy settings, were blocked.

Windows Firewall blocks all inbound connections with the following exceptions:

  • If Remote Desktop was enabled using an unattended-setup script during installation, port 3389 is not blocked.

  • If Group Policy is used to apply policy settings that do not enable or disable Windows Firewall, but define exceptions to the firewall, exceptions defined by the policy settings are not blocked.

Post-Setup Security Updates offers links to Windows Update to allow you to download any security updates released since this operating system version was released and, if you have not already done so, provides the opportunity for you to configure Automatic Updates to help protect this server in the future.

What happens when Post-Setup Security Updates is closed?

If Windows Update or any other configuration change causes a restart before you click the Finish button on Post-Setup Security Updates, it reopens the next time an administrator logs on to the server.

If you close Post-Setup Security Updates using ALT+F4 or Task Manager, no change is made to the configuration of Windows Firewall. The tests the server uses to determine whether Post-Setup Security Updates should be displayed run again the next time a user logs on.

When you click the Finish button on the Post-Setup Security Updates dialog box, a dialog box explaining the consequences of closing Post-Setup Security Updates is displayed. In order to provide correct information, the following steps are taken to determine the current status of Windows Firewall:

  • If you made no changes to the Windows Firewall configuration since Post-Setup Security Updates appeared, a confirmation dialog box appears explaining that inbound connections will now be opened and giving you the opportunity to confirm that you are done with any post-setup security updates. When the action is confirmed, Post-Setup Security Updates attempts to disable Windows Firewall and stop and disable the Windows Firewall/Internet Connection Sharing service.

  • If Windows Firewall is disabled successfully, a registry value is set to suppress Post-Setup Security Updates in the future. It is possible that Windows Firewall is disabled successfully, but the attempt to stop the Windows Firewall/Internet Connection Sharing service fails.

  • If Windows Firewall settings cannot be changed, a dialog box appears explaining that no changes will be made to inbound connection settings. Post-Setup Security Updates is not suppressed and the tests to determine whether Post-Setup Security Updates should be displayed will be run again the next time a user logs on.

  • If Windows Firewall was explicitly enabled or disabled since Post-Setup Security Updates appeared, a dialog box appears explaining that no changes will be made to inbound connection settings. These changes could have been made by the application of Group Policy settings or by opening the Windows Firewall control panel and clicking OK to confirm the firewall settings. A registry value is set to suppress Post-Setup Security Updates in the future.

  • If the Windows Firewall/Internet Connection Sharing service was stopped or disabled since Post-Setup Security Updates appeared, a dialog box appears explaining that no changes will be made to inbound connection settings. A registry value is set to suppress Post-Setup Security Updates in the future.

  • If Internet Connection Sharing was enabled since Post-Setup Security Updates appeared, a confirmation dialog box appears explaining that inbound connections will now be opened and giving you the opportunity to confirm that you are done with any post-setup security updates. When the action is confirmed, Post-Setup Security Updates attempts to disable Windows Firewall. The service shared between Windows Firewall and Internet Connection Sharing is not turned off.

  • If the state of the firewall cannot be determined, a dialog box appears explaining that no changes will be made to inbound connection settings. Post-Setup Security Updates is not suppressed and the tests to determine whether Post-Setup Security Updates should be displayed will be run again the next time a user logs on.

Note

The text on Post-Setup Security Updates is not refreshed if the firewall status changes after the initial display. If the status of the firewall changes after it appears and before the Finish button is clicked, the text may state that all inbound connections are blocked when, in fact, they are not. When you click Finish, Post-Setup Security Updates checks the status of the firewall again before displaying a dialog box explaining any changes to be made on closure.

When will the Post-Setup Security Updates screen be displayed?

Because this feature runs automatically and cannot be started on request, you can use the following information to determine whether your server will display the Post-Setup Security Updates feature.

The following tests are run to determine whether or not to display Post-Setup Security Updates.

| Test | Positive result | Negative result |
| --- | --- | --- |
| Is the logged-on user an administrator? | Continue on to the next test. | Skip the remaining tests and do not display Post-Setup Security Updates. These tests run again the next time a user logs on. |
| Is this a new installation of a version of Windows Server 2003 that includes Service Pack 1 or later (not an upgrade)? | Continue on to the next test. | Skip the remaining tests and do not display Post-Setup Security Updates. The registry value is set to suppress Post-Setup Security Updates in the future. |
| Has Post-Setup Security Updates been suppressed in the registry? | Skip the remaining tests and do not display Post-Setup Security Updates. | Continue on to the next test. |
| Is the Windows Firewall/Internet Connection Sharing service running? | Continue on to the next test. | Repeat this test for two minutes. If the service has still not started, do not display Post-Setup Security Updates. These tests are run again the next time a user logs on. |
| Has Windows Firewall been explicitly enabled or disabled for the current Windows Firewall profile? (The firewall may have been enabled or disabled using an unattended-setup script at the time of installation, through the application of Group Policy settings, or by opening the Windows Firewall control panel and clicking OK to confirm the firewall settings.) | Skip the remaining tests and do not display Post-Setup Security Updates. A registry value is set to suppress Post-Setup Security Updates in the future. | If Windows Firewall is enabled and the user did not enable it, display Post-Setup Security Updates. If the status of Windows Firewall cannot be determined, do not display Post-Setup Security Updates. These tests are run again the next time a user logs on. |
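
The test sequence above can be modelled to predict what a given build will do across several logons. The following Python sketch is an added example, not Microsoft code; the class, field and function names are assumptions, and the scenarios are constructed. The page does not say what happens when the firewall is disabled without having been explicitly set, so the model reports that case as unspecified.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional

class Outcome(Enum):
    DISPLAY = "display the screen"
    RETRY = "do not display; tests run again at the next logon"
    SUPPRESS = "do not display; suppression value is set"
    SUPPRESSED = "do not display; suppression value already present"
    UNSPECIFIED = "case not described on the page"

@dataclass(frozen=True)
class Server:  # constructed model; field names are assumptions, not Windows APIs
    new_install: bool        # full installation that includes SP1 or later
    suppressed: bool         # DontLaunchSecurityOOBE exists in the registry
    service_running: bool    # Firewall/ICS service started within two minutes
    explicitly_set: bool     # firewall set by script, Group Policy or control panel
    enabled: Optional[bool]  # None = firewall status cannot be determined

def run_tests(s: Server, is_admin: bool) -> Outcome:
    """Apply the tests in the order the table lists them."""
    if not is_admin:
        return Outcome.RETRY
    if not s.new_install:
        return Outcome.SUPPRESS
    if s.suppressed:
        return Outcome.SUPPRESSED
    if not s.service_running:
        return Outcome.RETRY
    if s.explicitly_set:
        return Outcome.SUPPRESS
    if s.enabled is None:
        return Outcome.RETRY
    return Outcome.DISPLAY if s.enabled else Outcome.UNSPECIFIED

def simulate(s: Server, logons: list) -> list:
    """Replay logons (True = administrator), persisting the suppression value."""
    results = []
    for is_admin in logons:
        outcome = run_tests(s, is_admin)
        if outcome is Outcome.SUPPRESS:
            s = replace(s, suppressed=True)
        results.append(outcome)
    return results

# Constructed scenarios: a default new build, and one whose setup script set the firewall
DEFAULT_BUILD = Server(True, False, True, False, True)
SCRIPTED_BUILD = Server(True, False, True, True, True)
```

On the default build the screen keeps appearing at each administrator logon until Finish is clicked, while the scripted build sets the suppression value on the first administrator logon and never shows the screen.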

What works differently?

Manage Your Server is not automatically displayed until Post-Setup Security Updates closes.

Post-Setup Security Updates does not cause any applications to work differently.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Windows Firewall (previously known as Internet Connection Firewall) was not enabled by default at the end of a new installation unless the administrator enabled it using an unattended-setup script. Under the circumstances described earlier in this document, Windows Firewall is now enabled automatically until Post-Setup Security Updates is finished.

What settings are added or changed in Windows Server 2003 Service Pack 1?

No new policy settings were created relating to Post-Setup Security Updates. The following value in the registry was added. This key does not affect firewall settings.

| Setting name | Location | Previous default value | Default value | Possible values |
| --- | --- | --- | --- | --- |
| DontLaunchSecurityOOBE (DWORD) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ServerOOBE\SecurityOOBE | N/A | This key does not exist by default. | The key can exist or not exist. If the key exists, Post-Setup Security Updates does not display. The numerical value of this setting is irrelevant. |

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

If you perform new installations of a version of Windows Server 2003 that includes a service pack by using an unattended-setup script and you want to suppress Post-Setup Security Updates, it is recommended that you explicitly enable or disable Windows Firewall either in your setup script or by Group Policy. This change automatically suppresses Post-Setup Security Updates.