Pushing Patches Across a Wide Area Windows Network?
meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse Windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in an efficient (and cheap) manner?"
If you are going to pop the money for all those Windows licenses, licenses for SMS, or Zenworks or something isn't going to kill you. Or shouldn't if you budget properly. It's all part of the TCO. If the TCO of Windows is too high, perhaps it's time to look at something with a lower TCO.
-Brent
Perhaps an "apt-get update" virus could do the job.
Put 'em in the login-script?
Or you could build a SUS server
As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
Anybody have more experience with it?
Most people I know, and I personally have used batch scripts. Honestly, I've looked at using bash scripts to provide a more powerful scripting language for pushing patches from servers to workstations.
this is an easy task:
first, go to this page at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.
This tool allows you to scan computers remotely to check whether they have installed all hotfixes.
This article says (somewhere in the middle):
Host Guest_Jerry_MS
Q: Guest_ AlanF : Can it install hotfixes on those machines remotely ?
Host Guest_rick_MS
A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows .NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.
I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.
You're fighting the wrong problem.
You're trying to push a mostly single-user desktop operating system into being something it's not: a robust, manageable, network-designed operating system.
Of course there're going to be problems.
It's kind of like asking: My Hyundai Excel keeps breaking down and it won't haul 6 tons of gravel - what can I do to make it work?
The real solution: ditch the Hyundai and get a Terex. Ditch MS-Windows and get Solaris, SGI, UNIX, AIX. Hell, get Mac OS-X.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
For our Windows 2000 workstations and Laptops we use the startup scripts to install applications and patches.
We have an unattended install for the laptops; when they reboot they are part of the domain and the startup scripts apply. They then run through (without user intervention), do an unattended install of Office 97 and Outlook 2000, apply several registry patches, update templates and W2k service packs.
Each time a laptop or a workstation starts up on the network the startup scripts run and check for updates. We use KiXtart to check version and apply patches etc.
Of course there are some apps that cause problems, but anything can be hacked (copy, move files, registry patches etc) in some form to do what you want it to.
without tcp/ip it's probably gonna be tricky
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
For patching IE/Outlook, simply use some widespread and well-known WAN patching tools: Melissa, I Love You, Klez to name a few.
..to be fair to the guy he described what he was up against "as is". I ain't he, but would wager he and his company are up against the current shaky and mostly stagnant economy, and the decision from higher-higher is probably something along the lines of "make what we got work as long as possible". Hmm, for that matter bet he ain't alone, similar is probably being ordered by the PHBs all over corporate-land.
kinda like picard uttering "make it so" to some *almost* unsolvable problem, heh
at some point in the NEAR future, everything invested in MS software will only serve to hold your company back. Upgrade to Linux now, and you'll have a whole new set of problems, and those are problems you can invest in solving, and that investment will last.
Linux in 2003 makes #2 desktop (over Mac), in 2004-2005, I see number 1. How do I know this to be fact? I'm psychotic.
believe me now, hear me later.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Each location has a Xenix based server, with anywhere from 2 to 20 or so Windows '95-'98 clients (each of the Windows boxes are identically configured). The Xenix based server occasionally communicates with the home office, and downloads updates.
Each Windows machine has its own FTPd running on it, and when there's an update, the Xenix machine ftp's the update to the Windows box, gives it an autoexec.bat that will make the update happen, then forces the machine to reboot.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
I know it's not quite what you need, but since you said that the patch checking apps don't support Win98, how about BigFix? (www.bigfix.com)
As far as I'm aware, it supports Win98, but it does require users to actively follow through...
sig:- (wit >= sarcasm)
Group Policy
Setting up a group policy to push the patch out to the clients works great. Don't know what the advantage of SMS is, but with group policies you really don't need it (for this).
I can tell you my experience.
1) Seeing that applying patches is inevitable when security vulnerabilities surface a couple of times every couple of days, management finally accepted to evaluate the necessity of a security assessment for their vast network of Windows boxens.
2) The report revealed that an enormous amount of money has to be spent on a software distribution system (aka SAM, software Assessment Management), so management resorted to relying on human intervention - have a very handful of us go around the organization to apply patches.
3) The problem is, by the time we finished patching less than one-half of the boxens, new patches/vulnerability fixes were released. There are 1000+ users we are talking about...
4) Having seen how much human resources had to be spent on applying patches, they got down to basics and distributed patch files by email and CD and required individual users to apply the patches.
5) As normal users do not understand the need to apply patches, or do not understand the whole thing about patching, it ends up that less than 20% of the boxens have applied the patches in time and new system vulnerabilities break out every two weeks.
6) Management sees the necessity to perform a new security assessment
7) Goto step 2)
Now management blames us for spending too much money to maintain the organization's network. They don't seem to remember it was them who believed Windows has a low maintenance cost.
Before you invest too much time and money into a solution, I'd check to see if Microsoft is going to continue providing patches for you to apply. Last I heard, Win95, Win98, and NT4 were all on the chopping block for continued support. Another solution you could examine is Terminal Services. If you only have one system, keeping it patched is pretty straightforward. Or Citrix, if you need things like local disk access and printing. Using NT Workstation, or Windows 2000 Workstation, you can do that sort of thing with Group Policies, or Novell ZENWorks, which will do that and much more. Home-user OS's don't have support for this sort of thing natively, because they're not designed for this sort of application.
Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:
http://www.roth.net/conference/lisant/1999/
and
http://www.roth.net/conference/lisant/1999/NMMS
There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
http://www.infrastructures.org/
The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run every day at specific times. The batch script runs scripts off a read-only share, so by saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by logging in as the special account, and thereafter everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.
As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are a more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.
Democracy. Whiskey. Sexy. Pick any two.
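A scheduled runner in the style the post above describes (read-only share, daily run, staff touch each PC once) as an added example; this is not code from the post or from Roth's paper. It assumes a manifest.txt on the share with one `patch-id<TAB>command` line per patch in apply order, and a local state file listing the ids already applied, so the same script can run every night and stay idempotent. It stops at the first failing command rather than skipping past it, so a broken patch shows up as "stuck" instead of silently leaving later patches half-applied.

```python
"""Nightly patch runner: apply manifest entries from a read-only share.

Added example (not the poster's or Roth's code). Assumptions:
- share_dir holds manifest.txt: 'patch_id<TAB>command' lines, '#' comments ok.
- state_file on the local machine records ids that completed successfully.
"""
import os
import subprocess
import tempfile


def read_manifest(share_dir):
    """Parse manifest.txt into an ordered list of (patch_id, command)."""
    entries = []
    with open(os.path.join(share_dir, "manifest.txt"), encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            patch_id, _, command = line.partition("\t")
            if not patch_id or not command:
                raise ValueError(f"malformed manifest line: {raw!r}")
            entries.append((patch_id, command))
    return entries


def read_state(state_file):
    """Set of patch ids already applied on this machine (empty on first run)."""
    if not os.path.exists(state_file):
        return set()
    with open(state_file, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def record_applied(state_file, patch_id):
    """Append one id; written only after the command returned success."""
    with open(state_file, "a", encoding="utf-8") as fh:
        fh.write(patch_id + "\n")


def run_pending(share_dir, state_file, runner=None):
    """Apply every manifest entry not yet in the state file, in manifest order.

    runner(command) -> exit code; defaults to running it through the shell.
    Stops at the first non-zero exit so a failed patch is retried next night
    and later patches are not applied on top of it. Returns ids applied now.
    """
    runner = runner or (lambda cmd: subprocess.run(cmd, shell=True).returncode)
    done = read_state(state_file)
    applied = []
    for patch_id, command in read_manifest(share_dir):
        if patch_id in done:
            continue
        if runner(command) != 0:
            break
        record_applied(state_file, patch_id)
        applied.append(patch_id)
    return applied


def demo():
    """Constructed scenario in a temp dir: three patches, one that fails the
    first night and succeeds the next. Returns the ids applied by each run."""
    work = tempfile.mkdtemp()
    share = os.path.join(work, "share")
    os.mkdir(share)
    with open(os.path.join(share, "manifest.txt"), "w", encoding="utf-8") as fh:
        fh.write("# constructed manifest: id<TAB>command\n")
        fh.write("hotfix-A\tinstall_a.exe /q\n")
        fh.write("hotfix-B\tinstall_b.exe /q\n")
        fh.write("hotfix-C\tinstall_c.exe /q\n")
    state = os.path.join(work, "applied.txt")
    flaky = lambda cmd: 1 if "install_b" in cmd else 0  # B fails on night one
    first = run_pending(share, state, runner=flaky)
    second = run_pending(share, state, runner=lambda cmd: 0)
    third = run_pending(share, state, runner=lambda cmd: 0)  # nothing left
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The share must really be read-only to the workstation account, as the post says: whoever can write the manifest runs commands on every machine that reads it.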
if you're using microsoft software, shouldn't you be asking them? surely you have some support contract from them.
or do you have so many illegal copies of microsoft applications that you're afraid to talk to them?
why should we help you violate microsoft's licenses?
US Citizen living abroad? Register to vote!
We had similar problems especially when SMS was totally new and didn't work well at all. We setup our own system that included several things.
1. Packages stored on local file servers and the package store was replicated to each server.
2. Packages are automated installations for upgrades, etc. You see the choices being chosen during install and there's a hot red border telling the user not to touch anything or attempt to interrupt the install.
3. After a package installs a DLLStack is run against the system. This checks for fubar'd installs that overwrite DLLs they have no business changing. The PC is rebooted when the stack finishes.
4. The users can choose packages based on their security level; a tech will see a bigger list of software than a regular user. Users are not allowed to install a package if they don't have access to it.
5. To automate a package, it can be completely kicked off from the command line, so a login script works very nicely for forcing an update when the user logs in.
It's a lot like the Red Hat RPM system but entirely designed for Windows. Although we run NT, it can work on other Win OS versions. In fact the OS and build are detected and different choices are presented for each. Of course each package has to be rebuilt for each OS.
This is a hell of a lot of work and testing. The reason it mostly works is because we have the workstations so locked down the users cannot do much to screw them up. Win9x is not even remotely secure, so how do you stop a user from installing something nasty?
I feel the author's pain. Win9x is not the way to go. The corporate world is either on NT or Win2k and it works (sometimes). You may be able to hack together a nice system like we did using VB, and some decent programmers.
If I had to work on something like this I would take a long hard look at Python. It's got some really nice Windows features such as Registry editing and excellent file manipulation. It runs rather well in Windows. http://www.python.org to get started. If I remember you'll actually want the ActiveState Python as it includes the Win32COM abilities. You can automate just about anything with a COM interface. Unfortunately, one has to get creative to reverse engineer just what is available from an application through COM as it's rarely documented.
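Steps 3 and 4 of the package system described above (a post-install check for packages that clobber DLLs they should not touch, and a catalog filtered by the user's security level) in Python, which the follow-up suggests for this kind of job. This is an added example, not the poster's VB system: the catalog, the three role levels and the "protected DLL" list are assumptions, and the check compares SHA-256 hashes of the protected files before and after the installer runs.

```python
"""Package catalog with access levels plus a before/after DLL integrity check.

Added example (not the poster's code). Assumptions: roles map to levels
0 (user), 1 (tech), 2 (admin); each package has a min_level; 'protected' is
the list of DLL paths an installer must never overwrite.
"""
import hashlib
import os
import tempfile

LEVELS = {"user": 0, "tech": 1, "admin": 2}

CATALOG = [  # constructed catalog
    {"name": "office-sp1", "min_level": 0},
    {"name": "ie-hotfix", "min_level": 0},
    {"name": "diag-tools", "min_level": 1},
    {"name": "domain-agent", "min_level": 2},
]


def visible_packages(role):
    """What the package picker shows: a tech sees more than a regular user."""
    level = LEVELS[role]
    return [p["name"] for p in CATALOG if p["min_level"] <= level]


def may_install(role, name):
    """Enforced at install time, not just in the picker; unknown names refused."""
    for p in CATALOG:
        if p["name"] == name:
            return LEVELS[role] >= p["min_level"]
    return False


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(protected):
    """Hash every protected file; None marks a file that is absent."""
    return {p: (sha256_file(p) if os.path.exists(p) else None) for p in protected}


def dll_stack_check(before, after):
    """Protected files whose content changed or vanished during the install."""
    return sorted(p for p in before if before[p] != after[p])


def install_with_check(protected, run_installer):
    """Run the installer; return the list of protected files it damaged
    (empty means clean). A non-empty result is the cue to restore and reboot."""
    before = snapshot(protected)
    run_installer()
    return dll_stack_check(before, snapshot(protected))


def demo():
    """Constructed: two 'system DLLs' in a temp dir; the installer overwrites one."""
    sysdir = tempfile.mkdtemp()
    ole = os.path.join(sysdir, "ole32.dll")
    msvcrt = os.path.join(sysdir, "msvcrt.dll")
    for path, data in ((ole, b"OLE-v1"), (msvcrt, b"CRT-v1")):
        with open(path, "wb") as fh:
            fh.write(data)

    def bad_installer():
        with open(msvcrt, "wb") as fh:
            fh.write(b"CRT-old-bundled")  # ships its own older runtime DLL

    return install_with_check([ole, msvcrt], bad_installer)


if __name__ == "__main__":
    print(visible_packages("user"), visible_packages("tech"))
    print("damaged:", demo())
```

In a real deployment the "protected" list would be generated from the known-good build image rather than typed by hand, and the snapshot taken from the image rather than from whatever is on disk before the install.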
For the winnt/2k/xp boxxen (which are the only ones left with new patches being made), Languard Network Scanner can tell you which machines have which patches missing, then allow you to deploy them all across the network. For the win98 machines (where no new patches are being made), push a one time autoexec.bat and large-directory-full-of-chained-hotfixes that brings them up to final Microsoft edition, and make sure any new Ghostings/imagings include these patches. corporate.windowsupdate.microsoft.com was the best source for all the patches, but sadly, it's been discontinued in favor of a program which I haven't evaluated.
Bonus about that Languard tool: it doubles as an awesome network security / rogue client scanner. Give it a shot!
I recognize people by their sigs. Is that a bad thing?
I've used VNC server/client combinations to update and check on remote *nix systems for a little while now. Copies for many different operating systems, including Windows 98, can be checked here. It's simple, but it gets the job done. I like it because I can administer from wherever I need to.
Timbuktu has similar features, but its Windows compatibility is less extensive and it's not free (in either way). It does have a more extensive feature set though, so I recommend at least giving it a look if you look at VNC.
The main issue I've found with these is their use of bandwidth. Even then, quality can be reduced and compression can be increased for responsiveness. Good luck.
Twelve fingers or one, it's how you play. ~Gattaca (Vincent)
All you need to do is put a few of the Cygwin tools on the machines: use gpg, rsync, perl, and ar. Sign packages with gpg, put them on a central server and have the clients rsync off the server. The packages you download should contain the changed files and a reg patch, so that on extracting into c:\ they go into the right directory. Then also have a .reg file that is merged into the registry after the new files, and finally a perl script writes that the patch is installed and interfaces with the Win32 GUI to prompt the user to reboot. If you feel really good, write the app in VB and sell it for thousands to clueless Windows admins.
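The verify-then-extract half of the scheme above, and the point the earlier reply makes about remote-update channels being exactly what a worm would love to borrow: the client must refuse any package whose signature does not verify, and must refuse any archive member that would land outside the target directory when "extracting into c:\". This is an added example, not the poster's tooling. It substitutes an HMAC-SHA256 tag under a shared key for the gpg signature so that it runs with the standard library only (an assumption; with gpg the verification step is the same gate), and builds its packages as plain tar archives in memory.

```python
"""Verify a signed package, then extract it without letting members escape.

Added example (not the poster's code). Assumptions: packages are uncompressed
tar archives; the signature is an HMAC-SHA256 tag under a key the server and
clients share (stand-in for the gpg signature in the post).
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sign_package(key, archive_bytes):
    return hmac.new(key, archive_bytes, hashlib.sha256).hexdigest()


def verify_package(key, archive_bytes, tag):
    return hmac.compare_digest(sign_package(key, archive_bytes), tag)


def member_is_safe(root, member):
    """Reject links (they can point anywhere) and any path resolving outside root."""
    if member.issym() or member.islnk():
        return False
    dest = os.path.realpath(os.path.join(root, member.name))
    return dest.startswith(os.path.realpath(root) + os.sep)


def apply_package(key, archive_bytes, tag, root):
    """Return the member names written; raise ValueError and write nothing if
    the tag fails or any member is unsafe (checked before the first extract)."""
    if not verify_package(key, archive_bytes, tag):
        raise ValueError("signature check failed; package not applied")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        members = tar.getmembers()
        for m in members:
            if not member_is_safe(root, m):
                raise ValueError(f"unsafe member {m.name!r}; package not applied")
        written = []
        for m in members:
            if m.isfile():
                tar.extract(m, path=root)  # safe: every member was checked above
                written.append(m.name)
    return written


def build_archive(files):
    """Constructed package builder: {relative name: bytes} -> tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Constructed: a good package, a byte flipped in transit, a traversal member."""
    key = b"constructed-shared-key"
    root = tempfile.mkdtemp()
    good = build_archive({"WINDOWS/SYSTEM/foo.dll": b"v2", "patch.reg": b"REGEDIT4"})
    outcomes = {"good": apply_package(key, good, sign_package(key, good), root)}

    tampered = good[:-1] + bytes([good[-1] ^ 1])  # one bit changed after signing
    try:
        apply_package(key, tampered, sign_package(key, good), root)
        outcomes["tampered"] = "applied"
    except ValueError:
        outcomes["tampered"] = "rejected"

    escape = build_archive({"../outside.txt": b"constructed escape attempt"})
    try:
        apply_package(key, escape, sign_package(key, escape), root)  # valid tag
        outcomes["traversal"] = "applied"
    except ValueError:
        outcomes["traversal"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The traversal case carries a valid tag on purpose: a signature proves the package came from whoever holds the key, not that its contents are harmless, so the path check is a separate gate and runs over every member before anything is written.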
Well, I know that W2K has it, and I think 98 MIGHT have it, is a little something called AUTOMATIC UPDATES. Guess what? It's built-in. AND, you can set it up to install patches at a certain time with no user intervention required. Go figure.
First off -- you should be running two tiers of systems; one where a default set of applications are installed, and users' installs aren't guaranteed to stick; and one where a user assumes responsibility of his own machine and has to figure out his own problems.
Now your job is greatly simplified. Use a utility that overwrites the boot partition on a machine with the image stored on a CD. (Let users store their data files in a second partition.) Update the OS to the current level, and make an image CD using it. Then get a flunky to go to each machine and re-image it. (Do this after hours when the place is empty.)
Presto. You're updated.
Why not upgrade to mandrake linux?
Repeal the DMCA!
That's an uninformed answer. Microsoft is the last organization you should go to if you want information about Microsoft.
First: You can't have too much overkill.
Second: I would like to have a Terex even though I have absolutely no use for it.
Third: I would want the best, the Unit Rig MT 5500 Terex Mining Truck. The other truck mentioned above has only 1050 horsepower! I just know I need the 2800 HP of the MT 5500. You know you have a real vehicle when it comes with a ladder that you climb two stories to get to the driver's seat.
Fourth: This is only off topic if someone else is choosing the topic.
Because Windows 98 is faster, and it runs MS Office natively. :-(
I don't recall seeing a license fee for BackOrifice anywhere, and if memory serves, it has many of the same features that SMS does.
- billn
You can do all sorts of things with vbscript and windows scripting host. Although, on Win98, WSH is a bug-ridden-security-exploit-waiting-to-happen. I looked into using it on a small network of Win98 computers, but ended up applying patches by hand because of all the possibilities for security problems. For "automatic" anything, Windows NT/2000 is a requirement from a security standpoint.
"I assumed blithely that there were no elves out there in the darkness"
At my job, we either just wait till the summer to rebuild every machine (using Norton Ghost) and just get the most current patches then, but that isn't a good decision given Microsoft's huge security holes, so otherwise we use Novell's ZENworks to make program "X" run at user login. It isn't a perfect solution, but it works for us.