Doug

Automatic XP Updates for PC DVR good or bad?

What is the opinion of having automatic Windows updates on DVRs running XP, is it a good thing or can it cause more trouble than it's worth?

Doug

One thing I don't like about how they have been updating is when they download automatically and force a reboot if you're not there to prevent it.

I had to change the setting to prevent it from doing that. So maybe set up as manual so you can control when they update. Maybe do them remotely at a good time. It could reboot at a bad time otherwise.

If you turn off the automatic update, how about the security updates? I think you never know what is going to happen with viruses, spyware, trojans and you name it.

I have been experiencing the problem with the systems connected to the internet.

Use TCP and UDP Port Filtering, turn off all unneeded services.

Unless you publish the IP/DDNS on Google, browse the web, or run MSN IM, you should be safe.

I have to disagree. The security updates will only make your system more secure, not less.

If there is a way for some nitwit to be able to access the system and do what they want, they will find a way. That is the reason for the security updates in the first place. You might as well make it harder for them.

They'll move on to a less secure system and try and exploit it.

And a lot of people don't know how or even want to know what Rory knows in order to secure a system. He works on maintaining government level security without the updates.

rory,

You wrote an excellent procedure about making a simple and clear PC based DVR system.

http://www.cctvforum.com/viewtopic.php?t=4074&postdays=0&postorder=asc&start=15

Would you please share with us one step further on PC based DVR security protection?

I currently have a worm attack, and I believe the reason for the almost 100% CPU on my DVR system is that it is attacking other PCs (ports 80 and 21) now. I need to figure out the solution to protect my system.

Thank you very much! You are always a big helper on this forum.

My motto: "if it ain't broke, don't fix it"

I have had many problems with media servers after automatic updates, it's a complete PITA too 'cause they all call on the same damn day! People will go longer without CCTV than regular TV for sure.

I'm all for automatic security updates... except on unattended systems. As Jasper noted, forced reboots CAN cause problems.

Also, it's rare, but I have seen updates break some software and/or drivers, and even cause systems to BSOD after they're installed and the system rebooted.

With a system that's supposed to be up 24/7, like a DVR, that may not be physically checked on a regular basis (I have one running in a comms closet in an underground parking structure that someone may not look in on for a month or two at a time, for example), do you really want to take the chance that an update may break something or it may not restart properly from a forced reboot, and potentially sit there for days or weeks waiting for some kind of interaction or repair?

There's nothing like the 3am call from an irate user who's trying to pull up footage for the police officer who's standing right there, of a break-in that just happened a half hour before, and finds there IS no footage because the system is stuck at an "Are you sure you want to close ?" prompt....

Personally, I prefer the "Download updates but let me choose when to install them" option... then when and if I do check in on a system, I can apply any updates and make sure everything restarts the way it should while I'm sitting right there.

And as rory said, if you've done a good job of securing the system beyond the defaults, you should be pretty safe. I won't hook a DVR up to the 'net without some sort of hardware isolation - at the very least, a basic $30-$50 residential broadband router provides a good physical separation from the 'net, and a lot of inherent security for the price.

I'll say this, you're never 100% safe, so you basically must be as safe as possible, it's like using a condom, there's always a chance it will break.

Most of your servers should be behind a router, not to route, but it makes it that much more secure, and if you set up the router for remote access, and your customers have problems, you can just log in.

Shut all unnecessary ports/services down, you don't need most of that crap open that Windows has open, one thing to do is go get a "gamers tweak guide" and disable whatever they say to disable, if a game doesn't need it, chances are your DVR doesn't need it.

SHUT DOWN WINDOWS BUILT IN FIREWALL. - this will just create headaches!

Use your router to filter all the other crap out, there should not be a direct connection to your DVR and the internet. Use port forwarding to create a tunnel to your DVR.

From the outside, the only thing visible to the world and your DVR, should be the DVR's remote access port, and that's it.

If it's set up correctly you have a 98% chance nothing is going to happen. You can leave the updates on or off, if no one can connect to it, it doesn't really matter.

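An added example, not part of any post in this thread: one way to check a DVR against the two points raised above, that only the remote access port should be listening and that a worm shows up as the box connecting out to many hosts on ports 21 and 80. It reads output in the layout of Windows `netstat -ano`; the sample text, the port 8000 allowlist and the fan-out threshold are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1488
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1710
  TCP    192.168.1.50:8000      198.51.100.20:51122    ESTABLISHED     1488
  TCP    192.168.1.50:1045      203.0.113.7:80         SYN_SENT        1612
  TCP    192.168.1.50:1046      203.0.113.8:80         SYN_SENT        1612
  TCP    192.168.1.50:1047      203.0.113.9:21         SYN_SENT        1612
  TCP    192.168.1.50:1048      203.0.113.10:21        SYN_SENT        1612
  UDP    0.0.0.0:1900           *:*                                    1100
"""

ALLOWED_LISTENERS = {8000}       # assumed DVR remote access port (hypothetical)
WATCHED_REMOTE_PORTS = {21, 80}  # ports named in the worm report above
FANOUT_LIMIT = 3                 # assumed threshold: distinct remote hosts per PID

def audit(netstat_text):
    """Return (listening ports outside the allowlist, {pid: remote hosts})."""
    unexpected, fanout = set(), defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, UDP rows (no State column), blank lines
        local, remote, state, pid = f[1], f[2], f[3], f[4]
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        if state == "LISTENING":
            # Loopback-only listeners are not reachable from the network.
            if not lhost.startswith("127.") and int(lport) not in ALLOWED_LISTENERS:
                unexpected.add(int(lport))
        elif state in ("ESTABLISHED", "SYN_SENT") and int(rport) in WATCHED_REMOTE_PORTS:
            fanout[pid].add(rhost)
    suspects = {p: sorted(h) for p, h in fanout.items() if len(h) >= FANOUT_LIMIT}
    return sorted(unexpected), suspects

if __name__ == "__main__":
    ports, suspects = audit(SAMPLE)
    print("listeners outside allowlist:", ports)
    for pid, hosts in suspects.items():
        print(f"PID {pid} is connecting out to {len(hosts)} hosts on 21/80:", hosts)
```

The PID column can be matched against the process list on the DVR to find which program owns the unexpected listener or the outbound connections.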

From a network admin's perspective, these d*mn updates are a painful necessity. I use an update manager to assist me in rolling out my updates and patches. I have over 300 nodes to deal with, workstations, servers, etc. That way I control what gets updated and when. When MS announces a patch, I download it, test it on my more finicky systems and then decide where to roll it out. I also use the corporate edition of Symantec AV for virus protection, it makes it very easy to manage the updates for the AV code and signature files.

One of my servers is at a state police HQ and sometimes it's a bear to get at it when it goes down. I invested in an IP remote power switch and have not had to travel there since. That may be a decent solution to some of the remote sites I read about here.

I guess what I am saying is if you have enough installations out there this may be a good way to manage them or a value added service to enhance your offerings.

Just my $.02

Bill
