A scan for Windows systems missing critical patches (see our vulnerability note Microsoft -- Firewall & Critical Patch MS06-040 ) uncovered several systems where the owners report that their system was configured to have automatic updates and somehow that configuration was lost. Colleagues at other sites report similar problems. This note will help you recover the default Windows/XP Security Center settings -- we provide a quick Registry update.
We understand that some malware will change your "Security Center" settings in the registry to disable patching, the firewall, and more. Further, that at least some anti-virus agents will remove the malware but not restore the registry settings. That should not be a surprise.
It is never a good idea to run any program directly that you retrieve from a web site -- especially not Registry updates. The prudent user would download the file and open it first with a program like MS/Notepad to view the contents. This file is 590 bytes long and should look like this when opened with Notepad.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Cautious users would use "Regedit" to dump the current contents of that location in the registry before loading anything new on top of it.
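As an added example (not part of the original note, and not a tool the note's authors provide), the following script does the "open it in Notepad and check it first" step mechanically: it parses a Regedit 5.00 export and reports anything that is not the Security Center key with the five expected values set to dword 0. The two sample files are constructed inline; the tampered one shows what a file that leaves a notification disabled would produce.

```python
# Added example (not the note's own code): check a downloaded Security Center
# .reg file against the five expected values before importing it with Regedit.
import re
EXPECTED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
EXPECTED_VALUES = {n: ("dword", 0) for n in ("AntiVirusDisableNotify", "FirewallDisableNotify",
                   "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride")}

def parse_reg(text):  # Regedit 5.00 export -> {key: {value_name: (type, value)}}
    keys, current = {}, None
    for line in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-16 BOM
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # a "[-KEY]" deletion stays visible as "-KEY"
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            raise ValueError("unexpected line: " + line)
        name, raw = m.groups()
        if re.fullmatch(r"dword:[0-9a-fA-F]{8}", raw):
            keys[current][name] = ("dword", int(raw[6:], 16))
        else:
            keys[current][name] = ("raw", raw)  # strings, hex:, "=-" deletions
    return keys

def audit_reg(text):  # deviations from the expected defaults; [] means the file is as described
    keys, findings = parse_reg(text), []
    findings += ["unexpected key: " + k for k in keys if k != EXPECTED_KEY]
    values = keys.get(EXPECTED_KEY, {})
    for name, want in EXPECTED_VALUES.items():
        if name not in values:
            findings.append("missing value: " + name)
        elif values[name] != want:
            findings.append("%s is %r, expected %r" % (name, values[name], want))
    findings += ["unexpected value: " + n for n in values if n not in EXPECTED_VALUES]
    return findings

# Constructed samples: the file as the note describes it, and a tampered copy.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000"""
TAMPERED_REG = GOOD_REG.replace('"UpdatesDisableNotify"=dword:00000000',
    '"UpdatesDisableNotify"=dword:00000001').replace('\n"FirewallOverride"=dword:00000000', '')
```

Any non-empty result from audit_reg means the file is not the one described above and should not be imported.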
Finally, the Security Center is found on Windows/XP at Service Pack 2 -- do not apply these settings to older versions of Windows. If you are using an older version we recommend that you upgrade to Windows/XP. If you have not installed Service Pack 2 you should.
To restore default Security Center settings, download the following registry file and, as an Administrator, open it with the "Registry Editor" to restore the registry settings to their recommended values.
If your job function is to restore compromised machines you might find that having these settings in a file saved on a USB fob helps you to quickly "correct" security center settings when dealing with mucked up systems.
This is another argument for not running as administrator. A virus you pick up can only change "Security Center" settings if you're running with more privileges than you ought to.
Many thanks to colleagues on the Resnet-L mailing list. In particular, to Lisa Elias of University of Delaware for pointing out the registry entries involved.