I can respond to the AUS/SUS questions:

We are using the AUS at the client level. Granted, this is not ideal as it
will cause each individual client to connect 'to Microsoft' and get updates,
but it's a heck of a lot better than running around to each machine
individually (been there, done that). Installing an SUS server would be
nice, as this eliminates a lot of unnecessary internet traffic, and gives
you the control to approve/decline which updates your clients receive - but
an SMS server would be better yet, as it would keep a rolling inventory
about which clients are/aren't patched with what.

So back to SUS... We are using an Active Directory GPO to force the AUS
configuration to the client. Big tip here: get the updated *.ADM template
from Microsoft in order to get all of the options available for AUS (minus
writing your own GPO template). It can be found here:

Read: http://support.microsoft.com/?kbid=328010
Download:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en

How we have it configured:

Clients automatically download updates and attempt install at 3AM, every
day.

If a user is logged in, they are prompted to install the updates <yes/no>
with a 5 minute countdown timer. If no action is taken after 5 minutes, it
defaults to <yes>. After updates are installed, the user is prompted to
reboot their computer <yes/no> - there is NOT a default at this screen. This
way the user will not lose any unsaved work.

If there is not a user logged in, the computer automatically installs and
reboots.

If the computer is not on at the scheduled install time: the process begins
5 minutes after the machine is powered on, and resumes the cycle as
explained above.

Hope this helps.

Also, I see you've mentioned GFI's LanGuard below. Have you tried eEye's
'Retina'? It feels like a pretty well-rounded product and would be good for
auditing your network.

Regards,

Tony
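
An added example, not Tony's own script: the GPO above ends up as values under the WindowsUpdate\AU policy key, and an admin normally wants to confirm on a given client that the policy actually applied. The value names and their meanings are the ones documented in KB 328010 (linked above); the BASELINE dictionary is my assumption about which values realize the schedule Tony describes (scheduled install every day at 3AM, missed installs starting 5 minutes after power-on, no automatic reboot over a logged-on user). The two sample client dictionaries are constructed.

```python
"""Interpret Automatic Updates policy values (as written by the wuau.adm
template through Group Policy) and compare them with an assumed baseline.
Value names per KB 328010; the baseline is an assumption, not from the thread.
"""
import sys

# Policy key written by the AUS Group Policy template (per KB 328010).
AU_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

AUOPTIONS = {
    2: "notify before download",
    3: "auto download, notify before install",
    4: "auto download, scheduled install",
    5: "let the local admin choose",
}
DAYS = {0: "every day", 1: "Sunday", 2: "Monday", 3: "Tuesday",
        4: "Wednesday", 5: "Thursday", 6: "Friday", 7: "Saturday"}

# Assumed baseline for: install at 3AM every day, missed installs start
# 5 minutes after power-on, never reboot automatically over a logged-on user.
BASELINE = {
    "AUOptions": 4,
    "ScheduledInstallDay": 0,
    "ScheduledInstallTime": 3,
    "RescheduleWaitTime": 5,
    "NoAutoRebootWithLoggedOnUsers": 1,
}


def describe(policy):
    """Turn a dict of AU policy values into one readable sentence."""
    if policy.get("NoAutoUpdate") == 1:
        return "Automatic Updates disabled by policy"
    opt = policy.get("AUOptions")
    if opt is None:
        return "no AUOptions policy: client keeps its local setting"
    text = AUOPTIONS.get(opt, f"unknown AUOptions value {opt}")
    if opt == 4:
        day = DAYS.get(policy.get("ScheduledInstallDay", 0), "invalid day")
        hour = policy.get("ScheduledInstallTime", 3)  # client default is 3 AM
        text += f", {day} at {hour:02d}:00"
        wait = policy.get("RescheduleWaitTime")
        if wait:
            text += f", missed installs run {wait} min after startup"
    if policy.get("NoAutoRebootWithLoggedOnUsers") == 1:
        text += ", no automatic reboot while a user is logged on"
    return text


def check(policy, baseline=BASELINE):
    """Return (name, expected, actual) for every value that deviates from the
    baseline; an empty list means the GPO applied as intended."""
    mismatches = []
    if policy.get("NoAutoUpdate") == 1:
        mismatches.append(("NoAutoUpdate", 0, 1))
    for name, expected in baseline.items():
        actual = policy.get(name)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches


def read_policy_from_registry():
    """Windows only: enumerate the values under the AU policy key.
    Returns an empty dict when no policy has been applied."""
    import winreg  # stdlib on Windows
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AU_KEY)
    except OSError:  # key absent: no AU policy on this client
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed samples: a client that got the GPO, and a stray one still on
# the "notify before install" setting with a weekly Saturday window.
GOOD_CLIENT = {"AUOptions": 4, "ScheduledInstallDay": 0,
               "ScheduledInstallTime": 3, "RescheduleWaitTime": 5,
               "NoAutoRebootWithLoggedOnUsers": 1}
STRAY_CLIENT = {"AUOptions": 3, "ScheduledInstallDay": 7,
                "ScheduledInstallTime": 3}

if __name__ == "__main__":
    policy = read_policy_from_registry() if sys.platform == "win32" else GOOD_CLIENT
    print(describe(policy))
    for name, expected, actual in check(policy):
        print(f"  {name}: expected {expected}, got {actual}")
```

Run on a domain client it reads the live policy key; anywhere else it falls back to the constructed sample so the logic can be exercised offline. Values the GPO does not set show up as `None` in the mismatch list, which is exactly the symptom of a client that never received the template.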

-----Original Message-----
From: John Valenti [mailto:[log in to unmask]]
Sent: Thursday, September 18, 2003 4:41 PM
To: [log in to unmask]
Subject: Some notes on automated patching


FYI
I've been patching our department's computers (~75) manually. I know
there are packages available to automate this, but it didn't seem worth
the time and effort to deploy another application. The last two months
have changed my feelings, here are some of my findings:

(1) Microsoft SUS. This runs on top of IIS, so I rejected it as making
the problem bigger. (yes, I'm an anti-Microsoft bigot)

(2) Shavlik HFNetchk. They have a free download (LT version) that will
patch up to 11 computers. The Pro version seems to cost $1458 for 75
clients. I haven't checked on educational discounts yet. A nice feature
of the LT version is that it will scan unlimited computers for patch status.
http://www.shavlik.com/

(3) GFI Languard Network Security Scanner.
http://www.gfi.com/lannetscan/  I haven't tried this one yet, since they
strongly suggest reading the 127 page manual before installing. Cost is
$495 for 100 IP addresses, but they have a clause about "free for
non-commercial use".

(4) Hacking up something with utility programs... I found a program
called soon.exe at Microsoft. It lets you schedule a job on a remote
computer. It turned out to be buggy, but I found a similar freeware
utility called atnow.com. I ended up running a batch file like this:
    atnow \\belmanda "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\holbrookeli "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\kossekoffice "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
I'm moderately happy with this. I ended up with a few computers that
didn't take the patch, but I can use HFNetchk to find those pretty easily.

Some questions for the list:

(1) What methods have you come up with for automated patching?
(2) Is there an open source program to do "WakeOnLan"?
(3) Most of the patches need a reboot. Have you worked out an agreement
with faculty about remotely rebooting their computers?

-John
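
On John's question (2): a Wake-on-LAN sender is small enough to write rather than hunt for, and it pairs with the atnow batch in (4), since a machine that is powered off at install time takes neither a scheduled job nor an AU install until it comes up. The script below is an added example, not something from the thread; the host table is constructed (the hostnames echo John's batch, the MAC addresses are placeholders), and the NIC and BIOS of each target must have Wake-on-LAN enabled for the packet to do anything.

```python
"""Minimal Wake-on-LAN: build the magic packet and broadcast it over UDP.
Added example; host table and MACs below are constructed placeholders."""
import re
import socket


def magic_packet(mac: str) -> bytes:
    """Build the magic packet: 6 bytes of 0xFF followed by the target MAC
    repeated 16 times (102 bytes). Accepts 00:11:22:33:44:55,
    00-11-22-33-44-55 and 0011.2233.4455 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def parse_hosts(text: str) -> dict:
    """Parse 'hostname mac' lines into {hostname: packet}; blank lines and
    '#' comments are ignored, and every MAC is validated up front."""
    hosts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, mac = line.split()
        hosts[name] = magic_packet(mac)
    return hosts


def wake(packet: bytes, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send one magic packet as a UDP broadcast; returns bytes sent.
    From another subnet use that subnet's directed broadcast address, and
    only if the router forwards directed broadcasts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


# Constructed host table: names from John's batch, placeholder MACs.
HOSTS_FILE = """
# host            mac
belmanda          00:11:22:33:44:55
holbrookeli       00-11-22-33-44-66   # WoL must be enabled in the NIC/BIOS
kossekoffice      0011.2233.4477
"""

if __name__ == "__main__":
    for name, packet in parse_hosts(HOSTS_FILE).items():
        print(f"waking {name}: {wake(packet)} bytes sent")
```

A natural workflow is to wake the list, wait a minute or two for the machines to boot, then run the atnow lines; HFNetchk afterwards still tells you which ones did not take the patch.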