Slashdot Mirror
Pushing Patches Across a Wide Area Windows Network?
meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in a efficient (and cheap) manner?"
If you are going to pop the money for all those Windows licenses, licenses for SMS, or Zenworks or something isn't going to kill you. Or shouldn't if you budget properly. It's all part of the TCO. If the TCO of Windows is too high, perhaps it's time to look at something with a lower TCO.
-Brent
Put 'em in the login-script?
Or you could build a SUS server
As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
Anybody have more experience with it?
Most people I know, and I personally have used batch scripts. Honestly, I've looked at using bash scripts to provide a more powerful scripting language for pushing patches from servers to workstations.
Can't you do something in autoexec.bat for just the win98 boxes. Last I checked, it still gets executed at startup, and most people reboot fairly frequently.
Open Source Identity Management: FreeIPA.org
this is an easy task:
.NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate /sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.
first, go to this page at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.
This tool allows you to scan computers remotly if they installed all hotfixes.
This article says (somewehre in the middle):
Host Guest_Jerry_MS
Q: Guest_ AlanF : Can it install hotfixes on those machines remotely ?
Host Guest_rick_MS
A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows
I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.
For our Windows 2000 workstations and Laptops we use the startup scripts to install applications and patches.
We have an unattended install for the laptops, when they reboot they are part of the domain and the startup scripts apply. They then run through (without user intervention) do an unattended install of office 97 and outlook 2000, apply several registry patches, update templates and W2k service packs.
Each time a laptop or a workstation starts up on the network the startup scripts run and check for updates. We use KiXtart to check version and apply patches etc.
Of course there are some apps that cause problems, but anything can be hacked (copy, move files, registry patches etc) in some form to do what you want it to.
without tcp/ip it's probably gonna be tricky
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
For patching IE/Outlook, simply use some widespread and well-known WAN patching tools: Melissa, I Love You, Klez to name a few.
..to be fair to the guy he described what he was up against "as is". I ain't he, but would wager he and his company are up against the current shaky and mostly stagnant economy, and the decision from higher-higher is probably something along the lines of "make what we got work as long as possible". Hmm, for that matter bet he ain't alone, similar is probably being ordered by the PHBs all over corporate-land.
kinda like picard uttering "make it so" to some *almost* unsolvable problem, heh
Each location has a Xenix based server, with anywhere from 2 to 20 or so Windows '95-'98 clients (each of the Windows boxes are identically configured). The Xenix based server occasionally communicates with the home office, and downloads updates.
Each Windows machine has it's own FTPd running on it, and when there's an update, the Xenix machine ftp's the update to the Windows box, gives it an autoexec.bat that will make the update happen, then forces the machine to reboot.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
I know it's not quite what you need, but since you said that the patch checking apps don't support Win98, how about BigFix? (www.bigfix.com)
As far as I'm aware, it supports Win98, but it does require users to actively follow through...
sig:- (wit >= sarcasm)
I can tell you my experience.
1) Seeing that applying patches is inevitable when security vulnerablities surface a couple of time every couple of days, management finally accepted to evaluate the necessity of a security assessment for their vast network of Windows boxens.
2) The report revealed that enomous amount of money has to be spent for software distribution system(aka SAM, software Assessment Management), management resorted to rely on human intervention - have a very handful of us to go around the organization to apply patches
3) The problem is, by the time we finished patching less than one-half of the boxens, new patches/vulnerabilities fixes released. There is 1000+ users we are talking about...
4) Having seen too much human resources has to be spent on apply patches, they get down to the basic and distribute patches files by email and CD and requires individual user to apply the patches.
5) as normal users do not understand the need of apply patches, or do not understand the whole thing about the patching things, end up only less than 20% of the boxens have applied the patches in time and new system vulnerabilities break-out every two week
6) Management sees the necessity to perform a new security assessment
7) Goto step 2)
Now management blames us for spending too much money to maintain organization network. They don't seem to remember it was them who believe Windows has low maintenance cost.
Before you invest too much time and money into a solution, I'd check to see if Microsoft is going to continue providing patches for you to apply. Last I heard, Win95, Win98, and NT4 were all on the chopping block for continued support. Another solution you could examine is Terminal Services. If you only have one system, keeping it patched is pretty straightforward. Or Citrix, if you need things like local disk access and printing. Using NT Workstation, or Windows 2000 Workstation, you can do that sort of thing with Group Policies, or Novell ZENWorks, which will do that and much more. Home-user OS's don't have support for this sort of thing natively, because they're not designed for this sort of application.
Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:
d . pp t
http://www.roth.net/conference/lisant/1999/
an
http://www.roth.net/conference/lisant/1999/NMMS
There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
http://www.infrastructures.org/
The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run everyday at specific times. The batch script runs scripts off a read-only share, so saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by loging in as the special account, and there after everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.
As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.
Democracy. Whiskey. Sexy. Pick any two.
It's kind of like asking: My Hyundai Excell keeps breaking down and it won't haul 6 tons of gravel - what can I do to make it work?
The real sloution, ditch the Hyundai and get a Terex
That truck looks waaay overkill for 6 tons of gravel - and it wouldn't help at all if you needed to haul it on a public road.
Seems a bit like recommending Solaris, Irix or AIX as a general purpose desktop OS.
Ok now wait a second here, who would be stupid enough to ask microsoft for advice??? Whether management was foolish enough to shell out for a support contract or nay...
Yes, the wrong problem. But since win9x is still around, there is obviously other issues involved.
In this situation, I would present the issues and say something like
"Windows 98 is a huge problem and is really messing things up. I can use gpo's, SMS, Zenworks, the chain tool etc etc etc to update the winnt based machines. We can also fully secure the network with the nt technology.
"Windows 9x is a security issue on our network and it is creating far more work for us. You know about the issues now and we have shown you possible solutions. Please make a decision."
Now it is into your management's hands and not yours.
-- DrZaius - Minister of Sciences and Protector of the Faith
All you need to do is put a few of the cygwin tools on the machines, use gpg, rsync, perl, and ar. sign packages with gpg, put them on a central server and have the clients rsync off the server, the packages you download should contain the changed files and a reg patch, so that on extracting into c:\ they go into the right directory. then have as well a .reg file that is merged into the registry after the new files, and finally a perl script writes that the patch is install and interfaces with the Win32 GUI to prompt the user to reboot. If you feel really good write the app in VB and sell it for thousands to clueless windows admins
First off -- you should be running two tiers of systems; one where a default set of applications are installed, and users' installs aren't guaranteed to stick; and one where a user assumes responsibility of his own machine and has to figure out his own problems.
Now your job is greatly simplified. Use a utility that overwrites the boot partition on a machine with the image stored on a CD. (Let users store their data files in a second partition.) Update the OS to the current level, and make an image CD using it. Then get a flunky to go to each machine and re-image it. (Do this after hours when the place is empty.)
Presto. You're updated.
Why not upgrade to mandrake linux?
Repeal the DMCA!
wait, i got marked as a troll because i had the audacity to suggest that this person should use his vendor for tech support?
/. readers should do anything to enable ms users. people should be helpful and all, but that seems overly masochistic.
here's the deal, ms is actively trying to squash free software development and deployment. i fail to see why the majority of
all i did was raise what i thought was a valid point. ms and ms-users are quick to tar free s/w users as grubby commies always wanting stuff for free. i don't see this ms user offering money.
and i honestly questioned why they wouldn't ask their vendor for help. they must have a lot of licenses from ms - surely they could net some support? is it really a good idea for free s/w users - already painted in a bad light by ms - to enable someone to violate ms licenses?
US Citizen living abroad? Register to vote!
then maybe the person requesting help should look into another vendor?
US Citizen living abroad? Register to vote!
First: You can't have too much overkill.
Second: I would like to have a Terex even though I have absolutely no use for it.
Third: I would want the best, the Unit Rig MT 5500 Terex Mining Truck. The other truck mentioned above has only 1050 horsepower! I just know I need the 2800 HP of the MT 5500. You know you have a real vehicle when it comes with a ladder that you climb two stories to get to the driver's seat.
Fourth: This is only off topic if someone else is choosing the topic.
Because Windows 98 is faster, and it runs MS Office natively. :-(
I don't recall seeing a license fee for BackOrifice anywhere, and if memory serves, it has many of the same features that SMS does.
- billn
You can do all sorts of things with vbscript and windows scripting host. Although, on Win98, WSH is a bug-ridden-security-exploit-waiting-to-happen. I looked into using it on a small network of Win98 computers, but ended up applying patches by hand because of all the possibilities for security problems. For "automatic" anything, Windows NT/2000 is a requirement from a security standpoint.
"I assumed blithely that there were no elves out there in the darkness"