Can you script a security patch to run on clients computers 1

[ftoddt]

I am new to scripting and it looks like you can write a script to run programs. I have been trying to make a script to run some security patches but have been unsuccessful. I have examples of scripts to say open up the calculator:
set objShell = WScript. CreatObject("WScript.Shell&quot
objShell.Run ("calc.exe&quot
Wscript.Echo "Script completed."
pause
But even the above did not work. Not sure where I am going wrong. Using W2K server and clients.
Would rather have SMS but no funding as of yet. Is is possible to use scripts to install service packs and patches?
Thanks.

 

[markdmac]

Why don't you give SUS Server a try. It is a free download from Microsoft and is intended to do exactly what you are trying to do.

http://www.microsoft.com/windowsserversystem/sus/default.mspx

 

[ftoddt]

Thanks Mark,
I thought there was something out there that was free but was told by another tech where I work that it was not free. I was probably confused in my initials of svs versus sms...
This is going to save me a ton of time.
Thanks
Todd

 

[markdmac]

I like SUS, just make sure you only pick one language to support. I made the mistake at an International Company to select 3 languages that they supported and it was going to take forever to download all the patches.

After you install SUS, it will DL all the hotfixes to date. You can then pick and choose what you want deployed by "Authorizing" those hotfixes.

The latest version of SUS is SP1 which added support so it would not automatically reboot a server. Version two is still in development, it will support the ability to roll back a hotfix, so look out for that update as it can be very valuable.

Microsoft will continue to provide this free of charge as part of the Secure Computing initiative.

 

[ftoddt]

Ok, I just went over the sus tuitorial. Since before, the win2k clients automatic updates were set to download and install every day at such and such a time, can I assume that all updates are then done whereas sus lets one weed out a lot of updates that are not needed especially the language ones. I just want to make sure that they are always done based on being hacked not too long ago and it was because of lack of service packs and recent patches.
The tutiorial did not go into selecting the clients individually or by OS. Can you send out both XP and Win2k at the same time and is there anything one can do for Win98se.
Also it looks like the patches and updates are sycronized and downloaded automatically to one of my servers, How does it know how far back to go with the updates or does it just give them all to you. I am not sure which updates to start with or do you just do them all. Can you download indiviual patches relating to certain problems your are experiencing on you network and just install those?
Thanks. This looks like fun

 

[markdmac]

Yes, the SUS server will let you select which patches will be deployed. You will set in GPO the name of the SUS server and it will change the clients so they look to that server instead of Windows Update. This saves a lot of bandwidth on top of giving you control over what is deployed. In the beginning it will download everything. Look at the service dates. You can tell it not to deploy anything older than the latest service pack. It will grab service updates for Win98 up to XP/2003. 98 support will soon be going away since that is past its life cycle and MS will no longer be making security patches for it. Time to upgrade those machines is now.

 

[Zelandakh]

Mark,

Any chance you could do an FAQ in this forum for SUS especially the GPO part? I know its in the tutorial on SUS (and I'm running it here too), but it would be helpful for newbies to this area.

I don't see that SUS merits its own forum, but def should have an FAQ.

 

[ProfFate]

Sorry, SUS (non-SMS version) only works with Win2k SP2 and up. It does not push out updates for Win9x or WinNT.

MikeL

 

[ftoddt]

Thanks you guys for all the input. Since you brought up SMS ProFate, will SMS push any software in additon to windows updates? Roughly how exspensive for educational liscense with 150 clients for SMS?
Thanks

 

[ProfFate]

Yes SMS can be used to push just about any application you can think of. It also does hardware and software inventory, and some help desk functions like remote control. SMS 2003 is somewhat on the pricey side. Although, if you consider what it does and the time it can save it's worth the money. If all of your 150 clients are in one location, you can get by with one SMS server. If you have WAN sites you might have to put SMS servers at those locations. There is a bit of a learning curve with SMS. So just don’t try to install it, without first doing a lot of reading.

SMS Server license with 25 CALs = $1,900
20 SMS CALs = $1,000
SQL Server = ???
Deadcated SMS Server = ???

MikeL

 

[ftoddt]

Thanks Mike,
I usually do a lot of research and reading before I install most everything. It does look pricy but this particular school district does not have a lot of funding for a full time IT type. I usually spend 1-2 days a week there and am having some trouble getting everything done and was thinking this SMS might be a big help for time crunch individuals. We are located in one building with 6 Win2k servers handling 2 domain controllers, isa server, file/print server, exchange server, and web site server.
We have a mix of OS in the client end by are migrating to all Win2k or XP Pro. This is a sideline for me that I want to develop into a second job and perhaps full time when I retire from my primary job.

 

[ProfFate]

Schools generally get some big discounts from MS. You might check that out.

MikeL

 

[markdmac]

You should be aware that SMS is not something you can just quickly deploy and that it would also mean needing an extra server or two. SMS is the best product of its type, but it is still the WORST product Microsoft makes. I'm a former MS employee from Premier Support. SMS tends to create twice as many problems as it solves and is typically used for much larger organizations than you are talking about. For example, my customer had 65,000 desktops with 150 servers dedicated just to SMS and a team of 10 to support it. If you are not full time to them, you would be doing them a dis-service to push SMS.

Unless you need to utilize the inventory functions of SMS, you are better off with SUS. If you need to go beyond patch management and also do application deployment you have two options that I would recommend. First is to learn how to make packages. Free software is on the Win2K CD to do it in the Veritas directory. You can then deploy and publish apps using AD. All you need is one clean machine to use for your packaging. A second option would be to look at Altiris software which is a bit easier to use but costs a few bucks.

 

[ftoddt]

Thanks Mark,
I often wonder if I get carried away. I have an IT friend that thought it was the way to go and his Lan is smaller than mine but he is also full time with an assistant IT type. I mean after all it is only 150 computers and if I keep the service packs, patches, and fixes up to date, I should be covered.
I will probably just take the extra time to do some individual client work. I will definitely look at the other two suggestions. I like free and I have the extra time to study and research. Deploying using AD sounds good and I'll check out Altris software.
Thanks again
Todd

 

[ProfFate]

I wouldn't choose SMS just to push patches. To make it worth the cost, you really have to take advantage of its other features too. If you are looking for something to push out patches, but what something with more features than SUS I recommend HFNetChkPro. We use it here to push out patches to our servers (300+).

http://www.shavlik.com/pHome.aspx

MikeL

 

[search66]

Good suggestion Mike. Shavlik does a pretty good job.

 

[ftoddt]

Markdmac,
I looked over my Win2k Pro disk and cannot find the Free software is on the Win2K CD to do it in the Veritas directory. I looked on the disk and am unsure as to what I am looking for.
Thanks

 

[markdmac]

Here you go

http://support.microsoft.com/default.aspx?scid=kb;en-us;257718&Product=win2000

CDDrive:\Valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi

 

[ftoddt]

Thanks Mark

 

[softrends]

Dear ftoddt,

Check out

http://www.managesoft.com

They have a product called Service Patch Management, it will fit your needs.

Regards,