#151532 - 2005-11-16 10:09 AM
Re: Automagic Windows patching
masken
MM club member
Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
@sixdoubleo, I think you're mixing too many things together. But yes, in some cases there is a need for something other than WSUS.
But in your case, it seems like internal policies should be revised rather than building custom, hard-to-maintain solutions to go around the problem instead of solving it.
First of all, why can non-controlled PC's be added to the domain at all? If anyone has these credentials in your domain, patching will do nothing for security in your domain anyhow.
Secondly, how do you handle installations? Aren't there standard images, for example? Have you considered image-based installations using RIS or similar solutions?
Then, if WSUS still doesn't meet your needs, you might want to look at other solutions, like SMS server or complementing WSUS with scripts. For example, if you want patches at startup, all you really need to do is make sure that the PCs are up and running at the time that you want to patch them. Translated: a policy that says that the personnel should leave their PC on when they go home. WOL waking during non-business hours could be another alternative. You could also script an automatic shutdown when you've checked that it's patched.
Also, don't forget to consider the days of risk, i.e. the number of days a machine stays unpatched. For each patch for every OS that you maintain, there's a risk that you have to put a manual hand on it in order to get the workstations patched. This increases the days of risk substantially. Many times, just because of this factor, an automated solution that makes sure the workstations DO get patched automatically might be better, even though it might not honour all the policies the company has set up internally. I.e., it could be better to revise the policies instead.
I know that in coming generations, maybe even in service packs, network quarantine functions with IPSec will be improved substantially.
Edited by masken (2005-11-16 10:10 AM)
_________________________
The tart is out there
#151533 - 2005-11-16 03:46 PM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
Quote:
Quote:
"No workstation will log onto our enterprise network without being fully patched. Ever. Period."
Hmmm... somehow I doubt that. It's Monday and 1,200 machines logon - all patched. It's now Tuesday and Microsoft/Oracle/WinZip/Citrix have all issued numerous CRITICAL patches that allow any user to easily gain FULL access to an infected system.
I seriously doubt you have any method in place to KNOW and PREVENT all 1,200 systems from logging in.
You might be able to patch them that day or the next day, but that is not the same as your statement.
Remember I'm using startup, not login. Startup happens before login. If a machine fails the MBSACLI scan, it won't be allowed to log on. It will either apply the right patch(es) to satisfy MBSA, or it will continue looping (scan, apply patch, reboot, repeat). In fact, early on this was a problem we had where machines would loop forever on a patch that wouldn't apply. I added some logic to detect this and now they will notify if the same patch is trying to install twice. On top of that we have our hourly maintenance task which will scan/update as well... we currently set that to a 12-hour allowance though.
So yes, they truly can not log in unless they are patched. (with Microsoft patches)
Quote:
Sounds like you have it working though how you like in general, but don't forget that Glenn Barnas also posted some advanced scripts to work with WSUS and manage many of the shortcomings using KiXtart.
Yep...that's the code I was referring to when I said I was looking at a WSUS backend/scripted front end. I think using some code to control the update agent you would get the best of both worlds.
#151535 - 2005-11-16 04:22 PM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
Quote:
Having a policy that all machines must be fully patched is an invitation for trouble. How can there be any testing of patches and staged deployment? Deploying patches without first testing how they might impact a production system is not a best practice.
We do that. We don't just deploy patches the day (or sometimes even week) they come out. We have an initial test group, and then a pilot test group. After a period of testing they are released.
When we say "fully patched" we don't necessarily mean each and every latest patch that MS has released. Our "fully patched" refers to the patches we have tested and deemed safe/compatible for our environment. We also take into account the severity of the updates and the applicability within our environment.
But we do want to know that of the patches we are deploying...that they actually get deployed and there is a verifiable way to ensure that.
#151536 - 2005-11-16 04:37 PM
Re: Automagic Windows patching
sixdoubleo
Starting to like KiXtart
Registered: 2004-02-06
Posts: 118
Loc: California, US
Quote:
But in your case though, it seems like internal policies should be revised than building custom, hard to maintain solutions to go around the problem instead of solving it.
Well, rewind to 2003...at the time not much was available. SUS 1.0 had just come out and it was hardly a solution. 1.2 promised a few fixes and never delivered. Therefore I scripted a solution.
Quote:
First of all, why can non-controlled PC's be added to the domain at all? If anyone has these credentials in your domain, patching will do nothing for security in your domain anyhow.
Secondly, how do you handle installations? Aren't there standard images, for example? Have you considered image-based installations using RIS or similar solutions?
We use ghost images for our base OS. These are updated about every 3-6 months to contain the latest patches. All software is packaged and pushed down through GPO.
However, we're in a somewhat distributed environment and for various political reasons we have staff who can add machines to the domain within their delegated OU. They also sometimes perform manual software installs on their own machines. I know this is a problem, but it's one of those political battles that is beyond my control.
Therefore as soon as you boot up in the domain we scan/patch the machine.
On top of that we have about 300 laptops out in the field for months at a time. Then they come back to the office for 1 day to update assignments, and they're back out again. So for those 8 hours they're on the network they need to be patched... so we scan/patch them before they even log in, via the startup script.
Again, I am aware that a scripted solution is not ideal... but when the products out there don't address the needs you have, that's when you turn to scripting. My scripts only required one major code change... that was the switchover from HFNETCHK to MBSACLI... about 8 hours of my time. Look at the major upgrades you would have incurred if you had gone SUS 1.0, SUS 1.2, WUS (whatever happened with that?) and now WSUS.
Nonetheless I am looking to replace the scripted solution, and it seems WSUS+Client script is the way to go.
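An added example, not sixdoubleo's KiXtart script: Python that models the startup gate described in the replies above (scan, apply one patch, reboot, repeat, and stop with a notification when the same patch is about to be installed twice). It assumes the scanner output has already been reduced to a set of missing patch IDs, that state survives reboots in a JSON file, and that the patch IDs shown are constructed placeholders.

```python
import json
from pathlib import Path

# Outcomes of one startup pass. Only ALLOW_LOGON lets the logon proceed.
ALLOW_LOGON, INSTALL_AND_REBOOT, LOOP_DETECTED = "allow", "install", "stuck"


def decide(missing, state):
    """One pass of the loop: scan -> apply patch -> reboot -> repeat.
    missing: set of patch IDs the scan reports as absent (assumed already
    parsed out of the scanner output). state: dict persisted from the
    previous boot. Returns (action, patch_id, new_state).
    """
    if not missing:
        # Nothing outstanding: clear the history and let the logon proceed.
        return ALLOW_LOGON, None, {"last_attempt": None, "attempts": 0}
    patch = sorted(missing)[0]  # deterministic order, one patch per cycle
    if state.get("last_attempt") == patch:
        # Applied on the previous boot but still reported missing: this is
        # the forever-loop case, so notify and stop rebooting.
        return LOOP_DETECTED, patch, {**state, "attempts": state.get("attempts", 0) + 1}
    return INSTALL_AND_REBOOT, patch, {"last_attempt": patch, "attempts": 1}


def run_cycle(missing, state_file):
    """Real use: load state from disk, decide, persist state for the next boot."""
    path = Path(state_file)
    state = json.loads(path.read_text()) if path.exists() else {}
    action, patch, new_state = decide(set(missing), state)
    path.write_text(json.dumps(new_state))
    return action, patch


def simulate(scans):
    """Thread the state through successive boots in memory (for testing).
    scans: one set of missing patch IDs per boot. Stops at the first boot
    that does not end in a reboot.
    """
    state, actions = {}, []
    for missing in scans:
        action, _, state = decide(set(missing), state)
        actions.append(action)
        if action != INSTALL_AND_REBOOT:
            break
    return actions


if __name__ == "__main__":
    # Constructed patch IDs: a healthy run, then one that sticks on KB-A.
    print(simulate([{"KB-A", "KB-B"}, {"KB-B"}, set()]))   # install, install, allow
    print(simulate([{"KB-A", "KB-B"}, {"KB-A", "KB-B"}]))  # install, stuck
```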