
I ended up implementing MS SUS about six to nine months ago.  We don't
use MS IIS for any other web hosting, so I was very leery of setting it
up, however, as long as the patches are up to date on the server, I
haven't seen any problems.

I just saw a notification yesterday that MS SUS will also now allow
network installs of service packs.  I had used a Group Policy Object
with Win2K SP3 and that took a long time to get every computer updated;
some never did get updated.  I am going to try SUS this time around
(SP4) and see what happens.

I have the group policy set (with the same admin template that Tony
Cooke mentioned) with basically the same settings.  The machines are set
to download approved updates daily.  I have one group of machines (six
total) that this does not work on (users can't be bothered with a pop-up
window to reboot when running an experiment), so I have not made this my
default domain policy, but rather have an Organizational Unit in Active
Directory with the policy.  The only administrative work I have is to
check what new updates were downloaded automatically by my SUS server
(again, daily) that I should approve or not approve for my workstations
(check or no check and click "Approve").  I also have to make sure that
any new computer added to Active Directory gets placed in the OU to get
the auto update GPO.

I use Altiris Deployment Solution and Altiris Inventory Solution to see
who has and doesn't have an update.  If you don't have these tools,
hfnetchk, the free version, will tell you.

I looked at the same products as John, and I also have Altiris
Deployment Solution, but that wasn't "great" either.  With most packages
(save HfNetChk, which does this for you in the latest version, but
didn't use to) you had to manually download the .exe, set up the
switches in a .bat file, and then schedule it for computers.  This was very
troublesome on the 350 Windows boxes I manage.  This could definitely
become a full time job for someone.  Of course, a lot has changed in the
past six to nine months, and I'm sure there are more robust packages
now.

I think patch management tools will get better very fast, but they will
also be expensive.  Right now, SUS is free, and it has been working for
me.  In the last few rounds of virus problems, I had under 10 machines
with problems (note, I have over 350 computers I'm patching).

As far as faculty and remotely rebooting their computers... We told them
if we didn't they could lose their data/work/settings.  It only takes
one victim before the others will come running to get their machine
patched.

I hope I've helped and not confused anyone even more.  A bit of rambling
I'm afraid.

Katie Clark
National Superconducting Cyclotron Laboratory
Michigan State University
517.333.6338

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of John Valenti
Sent: Thursday, September 18, 2003 4:41 PM
To: [log in to unmask]
Subject: Some notes on automated patching


FYI
I've been patching our department's computers (~75) manually. I know
there are packages available to automate this, but it didn't seem worth
the time and effort to deploy another application. The last two months
have changed my feelings, here are some of my findings:

(1) Microsoft SUS. This runs on top of IIS, so I rejected it as making
the problem bigger. (yes, I'm an anti-Microsoft bigot)

(2) Shavlik HFNetchk. They have a free download (LT version) that will
patch up to 11 computers. The Pro version seems to cost $1458 for 75
clients. I haven't checked on educational discounts yet. A nice feature
of the LT version is that it will scan unlimited computers for patch
status. http://www.shavlik.com/

(3) GFI Languard Network Security Scanner.
http://www.gfi.com/lannetscan/  I haven't tried this one yet, since they
strongly suggest reading the 127 page manual before installing. Cost is
$495 for 100 IP addresses, but they have a clause about "free for
non-commercial use".

(4) Hacking up something with utility programs... I found a program
called soon.exe at Microsoft. It lets you schedule a job on a remote
computer. It turned out to be buggy, but I found a similar freeware
utility called atnow.com. I ended up running a batch file like this:
    atnow \\belmanda "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\holbrookeli "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
    atnow \\kossekoffice "\\maytag\apps\w2k-kb824146.exe" -u -f -n -q
I'm moderately happy with this. I ended up with a few computers that
didn't take the patch, but I can use HFNetchk to find those pretty
easily.

Some questions for the list:

(1) What methods have you come up with for automated patching?
(2) Is there an open source program to do "WakeOnLan"?
(3) Most of the patches need a reboot. Have you worked out an agreement
with faculty about remotely rebooting their computers?

-John
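On question (2), the Wake-on-LAN "magic packet" is simple enough to build without a third-party tool: six 0xFF bytes followed by the target MAC address repeated sixteen times, sent as a UDP broadcast (conventionally to port 9) so a machine can be woken ahead of a scheduled patch window. The script below is an added example, not something from either message on this list; the MAC address, broadcast address and hostnames in it are constructed placeholders, and it assumes the target NIC/BIOS has WOL enabled and that the broadcast reaches the target's subnet.

```python
import re
import socket

# Constructed sample inventory: hostname -> MAC (placeholder values, not real machines)
WORKSTATIONS = {
    "belmanda": "00:11:22:33:44:55",
    "holbrookeli": "00-11-22-33-44-66",
}


def magic_packet(mac: str) -> bytes:
    """Build a WOL magic packet: 6 x 0xFF, then the MAC repeated 16 times (102 bytes).

    Accepts colon-, dash- or dot-separated MACs; rejects anything that does not
    reduce to exactly 12 hex digits so a typo cannot silently wake the wrong host.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(digits)
    return b"\xff" * 6 + mac_bytes * 16


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet over UDP; returns the number of bytes sent."""
    payload = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (broadcast, port))


def wake_all(inventory: dict, broadcast: str = "255.255.255.255") -> dict:
    """Wake every host in the inventory; map hostname -> bytes sent (or the error)."""
    results = {}
    for host, mac in inventory.items():
        try:
            results[host] = send_wol(mac, broadcast)
        except (ValueError, OSError) as exc:  # bad MAC or no route/permission for broadcast
            results[host] = str(exc)
    return results


if __name__ == "__main__":
    # Wake the constructed inventory before a patch run, e.g. before the atnow jobs above.
    for host, outcome in wake_all(WORKSTATIONS).items():
        print(f"{host}: {outcome}")
```

Run it from a machine on the same broadcast domain as the workstations (or point `broadcast` at the subnet's directed broadcast address if your routers forward it), then follow with the scheduled installer.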