Pushing Patches Across a Wide Area Windows Network?

meridian-gh asks: "Microsoft is releasing new patches and updates for their products continually. For those of us who have to deal with large, geographically diverse Windows-based networks, managing patches can be a nightmare. You cannot trust the users to do it. Tools such as SMS and HFNetCHK Pro are neat, but incredibly expensive. Most free programs I have seen don't support Windows 98, which many of us are forced to deal with. My question is, how do you deal with the remote deployment of patches in an efficient (and cheap) manner?"
  • If you are going to pop the money for all those Windows licenses, licenses for SMS, or Zenworks or something isn't going to kill you. Or shouldn't if you budget properly. It's all part of the TCO. If the TCO of Windows is too high, perhaps it's time to look at something with a lower TCO.

    -Brent
    • by ConceptJunkie ( 24823 ) on Monday January 06, 2003 @09:00PM (#5029656) Homepage Journal
      I have a hard time sympathizing with management who would willingly use Windows 98, especially in the year 2003. Windows 98 was nothing but pain for me (I ran it on the kids' computer for a couple years). I switched it to XP Home and all my problems went away.

      Expense notwithstanding, the first thing I would do is upgrade to a _business_ operating system, i.e., Windows 2000. Windows 98 is going to be dead soon anyway from what I understand. Microsoft is dead-ending their old software really aggressively these days (of course, the same will be true for Windows 2000, which is a shame).

      After that, there are tons of solutions available.

      I know it's not realistic to expect PHB's to upgrade the OS, but in the next year or two it's going to be mandatory if you want continued support.

      • I have a hard time sympathizing with management who would willingly use Windows 98, especially in the year 2003. Windows 98 was nothing but pain for me (I ran it on the kids' computer for a couple years). I switched it to XP Home and all my problems went away.

        Speaking as someone who's dealt with a very wide variety of hardware and software combinations (it being the nature of my job), I can tell you that this is not a unified solution. Newer does not equal better by any means. We have several customers who've insisted on taking the plunge and upgrading to (formatting and re-installing; not upgrading the installed components) Windows ME, Windows 2000, or Windows XP (home or pro) and have actually CAUSED themselves problems, rather than solve them. Many of them have reverted to Windows 98 to solve their problems because it 'worked' more so than the "professional" operating systems (ME notwithstanding).

        To make this post doubly effective, I'll also respond to your parent poster; the article submitter stated specifically that he was interested in a solution that would avail him automated updates for Windows 98 systems - something I, myself, have also been looking for. SMS does NOT support anything but Windows 2000 or Windows XP - period. SMS is NOT an option. Were this not explicitly stated in the article I'd agree with the Insightful mods, but sadly I'm afraid it's more aptly classified as redundant.

        For the record, I'm also interested in an automated solution to upgrading client computers ranging from Windows'98 through to Windows XP Professional (we don't support anything older than Windows'98) without having to significantly alter the users' computer. The notion of using our own in-house Windows Update server is potentially viable, except I understand that Windows would then look to that server for future updates. Moreover, I haven't found a decent method by which to automate this process even a little bit; including the ability to download, in raw form, all updates to all Windows versions.

        The setup I'm interested in is analogous to the article submitter's, except I'm not dealing with a single geographically diverse network, I'm dealing with a geographically diverse cross-section of business and residential customers. Many of whom do not have access to broadband Internet access, so a solution that is portable by means of CD-R would be preferable.

        Presently our solution is to (transparently) proxy the machines while on our work benches in order to decrease the time required to download all updates. Some updates (IE6, some criticals) are proxy-friendly, but many simply will not cache, and therefore must be repeatedly re-downloaded from Microsoft. As I pointed out earlier, Microsoft's "Automatic Update" feature, while an apt solution to the apathetic mass customer base, causes problems for a setup like ours. For approximately three full business days after Microsoft's release of their recent VM security update, we simply could not access the Windows Update site with any degree of reliability. It took upwards of an hour to two hours just to download the ActiveX controls and scan for updates; applying them was another story entirely (timeouts, re-tries galore). When I was on location at customer premises, this made updating their computers all but completely impossible. (If I'd attempted to bill them for an additional four hours to sit and stare blankly at their monitors in turn, I'd never see payment of that invoice!)

        I look forward to reading the remainder of the responses and seeing if anybody else has come up with anything viable. Microsoft, of course, recommends either direct use of windowsupdate.microsoft.com or SMS. No help there.

        • I can tell you that this is not a unified solution. Newer does not equal better by any means. We have several customers who've insisted on taking the plunge and upgrading to (formatting and re-installing; not upgrading the installed components) Windows ME, Windows 2000, or Windows XP (home or pro) and have actually CAUSED themselves problems, rather than solve them. Many of them have reverted to Windows 98 to solve their problems because it 'worked' more so than the "professional" operating systems (ME notwithstanding).

          I've also worked with quite a few machines, some with '98 (for game playing), mostly with 2k and XP (for development use both at work and at home) and unless those machines that were upgraded had some really old or funky hardware, your experience is vastly different from mine.

          Still, I realize I wasn't really helping the poor guy, but the fact remains that the crystal in Windows 98's palm is going to start flashing pretty soon. Microsoft is going to make sure that it does everything it can to force users to upgrade, whether they like it, or need it, or not.

          If an administrator is willing to do the work that Microsoft cannot or will not do, it should be possible to locate and download hotfixes and security patches so that you don't have to rely on Microsoft's servers. I used to always do that and keep a local copy of everything for the next time I wanted to set up a machine or reinstall the OS. However, as you stated, this is getting harder and harder to do. I'm not sure you can download a full installation of IE (although you probably can order it on CD for a nominal fee), however, all fixes come with a KB article number and I believe if you look the article up in the KB there is usually, if not always, a download link.

          Like another poster said, "Spend the money!" Anything else means you will spend it anyway in man-hours, with less assurance of a good result.
          • To download a full installation copy of IE, follow the instructions on this page:

            http://www.broomeman.com/support/wsiedown.html

            credit goes to my work colleague John who pointed this out (Hi John if you're reading !)
            • Just write a batch file to run all updates on a public readable share on your network. Put it in the Windows\Run registry folder. Simple. You can even export the registry key and save it in the same public readable folder and all you have to do to install the autoupdate batch is double click the .reg file.
        • SMS does NOT support anything but Windows 2000 or Windows XP - period. SMS is NOT an option.

          What the FUCK? You must be thinking of Windows 2000's built in software distribution; SMS 2.0 doesn't support 2K or XP properly until you get SPs 2 and 3 installed. But it sure as hell does support the 9x series.

        • While I sympathize with your viewpoint, the problem is that Win98 and NT 4.0 are going end of life on June 30, 2003. [microsoft.com] Microsoft might decide to release some security-related patches after that date, but they are by no means obligated to do so. So it is a bit unclear what the poster will be patching in the future.

          sPh

          • Win98 and NT 4.0 are going end of life on June 30, 2003. [microsoft.com]

            Actually, if you look more carefully at that table, these products aren't going to "End of Life" until June 30, 2004. They're going into a one-year "non-supported phase" after June 2003. The difference (I guess) is that during the non-supported phase online self-help support is all that is available. It's unclear whether they will still publish patches for 98 and NT during the non-supported phase.

            Belloc
        • ....so a solution that is portable by means of CD-R would be preferable.

          I thought they had a solution called M$ Technet, usually carries the service packs as they come out. While it doesn't normally carry hotfixes, I don't see why you can't download those to your server as a 'corporate' install option, and then burn those to cd-rom. While that doesn't really take care of the patch-push issue, you might be able to work the burned cd's into the scenario either by pushing those out to the systems' hard drive at login time and then having them run a batch script to patch the system.
  • Err (Score:5, Informative)

    by itwerx ( 165526 ) on Monday January 06, 2003 @08:37PM (#5029517) Homepage
    Put 'em in the login-script?
    Or you could build a SUS server [microsoft.com]
    As I recall it will handle 9x, although they only admit to 2K on this page. It is limited though. Won't do full SP's or actual apps.
    Anybody have more experience with it?
    • You can do all sorts of things with vbscript [winnetmag.com] and windows scripting host. Although, on Win98, WSH is a bug-ridden-security-exploit-waiting-to-happen. I looked into using it on a small network of Win98 computers, but ended up applying patches by hand because of all the possibilities for security problems. For "automatic" anything, Windows NT/2000 is a requirement from a security standpoint.
  • Batch Scripts (Score:2, Interesting)

    by LWolenczak ( 10527 )
    Most people I know, and I personally have used batch scripts. Honestly, I've looked at using bash scripts to provide a more powerful scripting language for pushing patches from servers to workstations.
  • easy (Score:4, Informative)

    by 216pi ( 461752 ) on Monday January 06, 2003 @08:42PM (#5029553) Homepage
    this is an easy task:

    first, go to this page [microsoft.com] at Microsoft TechNet, read everything about the Microsoft Baseline Security Analyzer.

    This tool allows you to scan computers remotely to see whether they have installed all hotfixes.

    This article [microsoft.com] says (somewhere in the middle):

    Host Guest_Jerry_MS
    Q: Guest_ AlanF : Can it install hotfixes on those machines remotely ?

    Host Guest_rick_MS
    A: Windows Update Corporate Edition. This white paper describes the features of Microsoft® Windows® Update Corporate Edition, a new tool for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in Microsoft Windows 2000, Windows XP, and Windows .NET Server operating systems. This paper also presents solutions for some customer scenarios which Windows Update Corporate Edition addresses. This product will be available in Q2 / 2. http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp Also, www.shavlik.com has an enterprise tool that will allow the remote installation of hotfixes.


    I am no SysAdmin. Finding this information took me 11 min. using http://www.microsoft.com.
    • Re:easy (Score:3, Informative)

      by VisorGuy ( 548245 )
      "I am no SysAdmin."

      You obviously didn't read his question closely either because he said they are mostly concerned with performing these updates on Windows 98.

      From the article:

      Host Guest_Jerry_MS
      Q: Guest_ Viper : Am I correct to assume that the MBSA is designed for 2000/XP OS? It did not come up with much information or problems with Win 98/ME systems that we have on our network. I know for a fact that 98 isn't that secure What is up with this?

      Host Guest_rick_MS
      A: Supported platforms: Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP. MBSA does not scan win98/ME systems.
      • The real irony is that the misleading post is modded higher than you are!

        +5 informative my ass.
  • by zulux ( 112259 )
    You're fighting the wrong problem.

    You're trying to push a mostly single-user desktop operating system into being something it's not: a robust, manageable, network-designed operating system.

    Of course there're going to be problems.

    It's kind of like asking: My Hyundai Excell keeps breaking down and it won't haul 6 tons of gravel - what can I do to make it work?

    The real solution, ditch the Hyundai and get a Terex [terex.com]. Ditch MS-Windows and get Solaris, SGI, UNIX, AIX. Hell, get Mac OS-X.

    • Too bad I already spent all my mod points today... If I had any left I'd mod this up if only for the fact that you included a link to a helluva dump truck.
      Also, you have a very good and appropriate point.
    • ..to be fair to the guy he described what he was up against "as is". I ain't he, but would wager he and his company are up against the current shaky and mostly stagnant economy, and the decision from higher-higher is probably something along the lines of "make what we got work as long as possible". Hmm, for that matter bet he ain't alone, similar is probably being ordered by the PHBs all over corporate-land.

      kinda like picard uttering "make it so" to some *almost* unsolvable problem, heh
    • by styrotech ( 136124 )
      It's kind of like asking: My Hyundai Excell keeps breaking down and it won't haul 6 tons of gravel - what can I do to make it work?

      The real solution, ditch the Hyundai and get a Terex


      That truck looks waaay overkill for 6 tons of gravel - and it wouldn't help at all if you needed to haul it on a public road.

      Seems a bit like recommending Solaris, Irix or AIX as a general purpose desktop OS.

      • First: You can't have too much overkill.

        Second: I would like to have a Terex even though I have absolutely no use for it.

        Third: I would want the best, the Unit Rig MT 5500 Terex Mining Truck [terex.com]. The other truck mentioned above has only 1050 horsepower! I just know I need the 2800 HP of the MT 5500. You know you have a real vehicle when it comes with a ladder that you climb two stories to get to the driver's seat.

        Fourth: This is only off topic if someone else is choosing the topic.
    • Yes, the wrong problem. But since win9x is still around, there are obviously other issues involved.

      In this situation, I would present the issues and say something like

      "Windows 98 is a huge problem and is really messing things up. I can use gpo's, SMS, Zenworks, the chain tool etc etc etc to update the winnt based machines. We can also fully secure the network with the nt technology.

      "Windows 9x is a security issue on our network and it is creating far more work for us. You know about the issues now and we have shown you possible solutions. Please make a decision."

      Now it is into your management's hands and not yours.
  • Startup Scripts (Score:4, Interesting)

    by karearea ( 234997 ) on Monday January 06, 2003 @08:48PM (#5029592)
    For our Windows 2000 workstations and Laptops we use the startup scripts to install applications and patches.
    We have an unattended install for the laptops, when they reboot they are part of the domain and the startup scripts apply. They then run through (without user intervention) do an unattended install of office 97 and outlook 2000, apply several registry patches, update templates and W2k service packs.
    Each time a laptop or a workstation starts up on the network the startup scripts run and check for updates. We use KiXtart to check version and apply patches etc.
    Of course there are some apps that cause problems, but anything can be hacked (copy, move files, registry patches etc) in some form to do what you want it to.
  • by Axiom ( 95375 ) on Monday January 06, 2003 @09:08PM (#5029701) Homepage
    For patching IE/Outlook, simply use some widespread and well-known WAN patching tools: Melissa, I Love You, Klez to name a few.
  • by XO ( 250276 ) <blade.eric@NospAM.gmail.com> on Monday January 06, 2003 @09:24PM (#5029790) Homepage Journal
    Each location has a Xenix based server, with anywhere from 2 to 20 or so Windows '95-'98 clients (each of the Windows boxes are identically configured). The Xenix based server occasionally communicates with the home office, and downloads updates.

    Each Windows machine has its own FTPd running on it, and when there's an update, the Xenix machine ftp's the update to the Windows box, gives it an autoexec.bat that will make the update happen, then forces the machine to reboot.

  • I know it's not quite what you need, but since you said that the patch checking apps don't support Win98, how about BigFix? (www.bigfix.com)
    As far as I'm aware, it supports Win98, but it does require users to actively follow through...
  • Group Policy

    Setting up a group policy to push the patch out to the clients works great. Don't know what the advantage of SMS is but with group policies you really don't need it (for this).
  • by jsse ( 254124 )
    I can tell you my experience.

    1) Seeing that applying patches is inevitable when security vulnerabilities surface a couple of times every couple of days, management finally accepted to evaluate the necessity of a security assessment for their vast network of Windows boxens.
    2) The report revealed that an enormous amount of money has to be spent for a software distribution system (aka SAM, software Assessment Management), so management resorted to relying on human intervention - have a very handful of us go around the organization to apply patches
    3) The problem is, by the time we finished patching less than one-half of the boxens, new patches/vulnerability fixes were released. There are 1000+ users we are talking about...
    4) Having seen too much human resources has to be spent on applying patches, they get down to the basics and distribute patch files by email and CD and require individual users to apply the patches.
    5) As normal users do not understand the need to apply patches, or do not understand the whole thing about the patching, it ends up that only less than 20% of the boxens have applied the patches in time and new system vulnerabilities break out every two weeks
    6) Management sees the necessity to perform a new security assessment
    7) Goto step 2)

    Now management blames us for spending too much money to maintain the organization's network. They don't seem to remember it was them who believed Windows has low maintenance cost.
  • Support (Score:2, Insightful)

    by gnixdep ( 629913 )
    Before you invest too much time and money into a solution, I'd check to see if Microsoft is going to continue providing patches for you to apply. Last I heard, Win95, Win98, and NT4 were all on the chopping block for continued support. Another solution you could examine is Terminal Services. If you only have one system, keeping it patched is pretty straightforward. Or Citrix, if you need things like local disk access and printing. Using NT Workstation, or Windows 2000 Workstation, you can do that sort of thing with Group Policies, or Novell ZENWorks, which will do that and much more. Home-user OS's don't have support for this sort of thing natively, because they're not designed for this sort of application.
  • by iankerickson ( 116267 ) on Monday January 06, 2003 @10:43PM (#5030150) Homepage
    Dave Roth, a Windows consultant and author of several extensions for Win32 perl, wrote a paper on managing a WAN of NT machines, most of which can apply to W98, if you do some testing:

    http://www.roth.net/conference/lisant/1999/
    and
    http://www.roth.net/conference/lisant/1999/NMMS.ppt

    There's an old Mac program called RevRDist from Purdue that uses the same strategy. It might give you some good ideas, even if it's not for Windows. Another good site is on this problem in a more abstract way (centered on UNIX):
    http://www.infrastructures.org/

    The basic trick: use login scripts. Don't think that this won't help you if your LAN can't force people to actually log in to the PCs they use. Where Roth's idea is better is that he uses 1 special login account to install batch scripts scheduled to run every day at specific times. The batch script runs scripts off a read-only share, so by saving new scripts to the share you can do automatic updates on all machines every 24 hours, including updates to the scheduled batch scripts themselves. Your staff only has to "touch" each PC once by logging in as the special account, and thereafter everything is automatic, depending on your ability to write robust, correct scripts and do proper testing.

    As for remotely installing OS patches from a central PC? Are you totally MAD? Any feature you can easily use to remotely change a computer can be used by a hacker or worm to adversely "update" every PC on your LAN. It doesn't matter if the so-called white paper says it's secure. Internet worms are a more serious problem these days than ever, so give security serious thought before you deploy, no matter what solution you decide.
  • For the winnt/2k/xp boxxen (which are the only ones left with new patches being made), Languard Network Scanner [languard.com] can tell you which machines have which patches missing, then allow you to deploy them all across the network. For the win98 machines (where no new patches are being made), push a one time autoexec.bat and large-directory-full-of-chained-hotfixes that brings them up to final Microsoft edition, and make sure any new Ghostings/imagings include these patches. corporate.windowsupdate.microsoft.com was the best source for all the patches, but sadly, it's been discontinued in favor of a program which I haven't evaluated.

    Bonus about that Languard tool: it doubles as an awesome network security / rogue client scanner. Give it a shot!
  • I've used VNC server/client combinations to update and check on remote *nix systems for a little while now. Copies for many different operating systems, including Windows 98, can be checked here [att.com]. It's simple, but it gets the job done. I like it because I can administer from wherever I need to.

    Timbuktu [netopia.com] has similar features, but its Windows compatibility is less extensive and it's not free (in either way). It does have a more extensive feature set though, so I recommend at least giving it a look if you look at VNC.

    The main issue I've found with these is their use of bandwidth. Even then, quality can be reduced and compression can be increased for responsiveness. Good luck.
  • All you need to do is put a few of the cygwin tools on the machines, use gpg, rsync, perl, and ar. Sign packages with gpg, put them on a central server and have the clients rsync off the server. The packages you download should contain the changed files and a reg patch, so that on extracting into c:\ they go into the right directory. Then have as well a .reg file that is merged into the registry after the new files, and finally a perl script writes that the patch is installed and interfaces with the Win32 GUI to prompt the user to reboot. If you feel really good, write the app in VB and sell it for thousands to clueless windows admins
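    The client side of the signed-package scheme above, combined with the "rerun the same script every day off a read-only share" idea from the Roth-style post earlier, as an added example that is not code from the thread. Assumptions (constructed for this demo): packages are tar archives named NAME-VERSION.tar on the share, the share carries a manifest with lines "NAME VERSION SHA256", and the client records what it applied in applied.txt. The manifest is what the admin signs with gpg out of band; here the script checks each package against the manifest's hash so a tampered or truncated package is refused rather than extracted, and a rerun skips what is already applied.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread). Pull-and-apply client for a
# read-only update share: verify each package against a signed manifest,
# apply only what is missing, record state, and be safe to rerun daily.

sha256_of() {
    # Print the SHA-256 of a file (coreutils/busybox sha256sum).
    sha256sum "$1" | cut -d' ' -f1
}

is_applied() {
    # $1=state file $2=name $3=version -> 0 if this exact version is recorded
    [ -f "$1" ] && grep -qx "$2 $3" "$1"
}

verify_package() {
    # $1=package path $2=expected hash -> 0 only if present and hash matches
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

apply_updates() {
    # $1=share dir (read-only) $2=client dir. Extracts each verified,
    # not-yet-applied package into $2/root and records it in $2/applied.txt.
    # Return value = number of packages that failed verification (0 = clean).
    up_share=$1; up_client=$2
    up_state="$up_client/applied.txt"; up_root="$up_client/root"
    mkdir -p "$up_root"; touch "$up_state"
    failed=0
    while read -r name version hash; do
        if [ -z "$name" ]; then continue; fi
        if is_applied "$up_state" "$name" "$version"; then
            echo "skip   $name $version (already applied)"
            continue
        fi
        pkg="$up_share/$name-$version.tar"
        if ! verify_package "$pkg" "$hash"; then
            # Never extract something the manifest does not vouch for.
            echo "REJECT $name $version (missing or hash mismatch)" >&2
            failed=$((failed + 1))
            continue
        fi
        tar -xf "$pkg" -C "$up_root"
        echo "$name $version" >> "$up_state"
        echo "apply  $name $version"
    done < "$up_share/manifest.txt"
    return "$failed"
}

build_demo_share() {
    # Constructed fixture: one good package, one altered after signing.
    d=$1
    mkdir -p "$d/stage/hotfix-a" "$d/stage/hotfix-b"
    echo "patched file A" > "$d/stage/hotfix-a/a.dll"
    echo "patched file B" > "$d/stage/hotfix-b/b.dll"
    tar -cf "$d/hotfix-a-1.tar" -C "$d/stage/hotfix-a" .
    tar -cf "$d/hotfix-b-1.tar" -C "$d/stage/hotfix-b" .
    ha=$(sha256_of "$d/hotfix-a-1.tar")
    hb=$(sha256_of "$d/hotfix-b-1.tar")
    printf '%s\n' "hotfix-a 1 $ha" "hotfix-b 1 $hb" > "$d/manifest.txt"
    # Simulate tampering on the share after the manifest was produced.
    echo "injected" >> "$d/hotfix-b-1.tar"
}

# Stand-alone demo: first pass applies A and rejects B, second pass skips A.
if [ -z "$NO_DEMO" ]; then
    S=$(mktemp -d); C=$(mktemp -d)
    build_demo_share "$S"
    apply_updates "$S" "$C" || echo "$? package(s) rejected"
    apply_updates "$S" "$C" || echo "$? package(s) rejected"
    rm -rf "$S" "$C"
fi
```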
  • CD image (Score:3, Insightful)

    by TheSHAD0W ( 258774 ) on Tuesday January 07, 2003 @02:48AM (#5030955) Homepage
    First off -- you should be running two tiers of systems; one where a default set of applications are installed, and users' installs aren't guaranteed to stick; and one where a user assumes responsibility of his own machine and has to figure out his own problems.

    Now your job is greatly simplified. Use a utility that overwrites the boot partition on a machine with the image stored on a CD. (Let users store their data files in a second partition.) Update the OS to the current level, and make an image CD using it. Then get a flunky to go to each machine and re-image it. (Do this after hours when the place is empty.)

    Presto. You're updated.
    • Now your job is greatly simplified. Use a utility that overwrites the boot partition on a machine with the image stored on a CD. (Let users store their data files in a second partition.) Update the OS to the current level, and make an image CD using it. Then get a flunky to go to each machine and re-image it. (Do this after hours when the place is empty.)

      Imaging a wide area network isn't as simple as all that. Having a 'flunky' image, say, 2000 machines within a (potentially) 500KM radius would be a week-long endeavour; during business hours as well as overtime. Distributed imaging solutions would chew up precious WAN bandwidth, not to mention time, not to mention the high potential for failure over a less-reliable-than-LAN link, so you'd require a person on-site at each location. This person would update their local copy of the workstation image (which, BTW, would probably fit on three or four CDs; not one) on an imaging server and push the image to the local clients.

      This chews up a lot of LAN bandwidth and time, even after hours, and requires a lot of manpower (someone physically at each location). This would push the changes across the entire WAN in a very long time period. In other words, by the time you were done 'updating' your WAN, you'd have to start the process all over again with the next batch of updates.

      This, of course, is assuming that each and every workstation configuration is identical. Hardware and/or software differences mean different workstation images. So now you have to have a copy of each hardware configuration in your lab to create/update each new image before you make it available. You then have to account for all software differences (i.e., graphics artists will have one suite of applications while CAD designers another, marketing/sales people another, accounting people another, etc.) meaning the potential for several images per hardware setup, meaning an entire day of image, update, test, re-create image on server, image a second workstation, test, verify, push image to remote location(s), repeat for next image / hardware setup.

      Imaging workstations is only ideally suited for environments with similar hardware and software needs, converged into large, localized groupings on high bandwidth connections. Satellite offices on a corporate WAN aren't a likely candidate for such an update procedure.

      • If the machines are at more than one location, use one flunky at each. If there are a whole lot of machines at a single location, use more than one flunky. Use multiple CDs per flunky, so he can go service more than one machine while the others are writing.

        Yes, sending a CD image over the internet can burn a lot of bandwidth. Use sneakernet instead. Heck, if you're in a hurry, Fedex it. Otherwise the updates may be DAYS late -- horrors!

        As for workstations not being identical -- if they aren't, and you've got thousands of them, your IS department is going to be humongous. Most places will standardize the systems rather than try and support all the possible combinations of software. At worst, you shouldn't see more than three or four different installs, at least that IS is responsible for.
        • As for workstations not being identical -- if they aren't, and you've got thousands of them, your IS department is going to be humongous. Most places will standardize the systems rather than try and support all the possible combinations of software. At worst, you shouldn't see more than three or four different installs, at least that IS is responsible for.

          That sounds like theoretical versus actual management. Have you ever worked in a large IS department? (Greater than 250 workstations in each of more than one location)

  • Why not upgrade to mandrake linux?
  • I don't recall seeing a license fee for BackOrifice anywhere, and if memory serves, it has many of the same features that SMS does.
  • At my job, we either just wait till the summer to rebuild every machine (using Norton Ghost) and just get the most current patches then, but that isn't a good decision for Microsoft's huge security holes, so otherwise, we use Novell's ZENworks to make program "X" run at user login. It isn't a perfect solution, but it works for us
