Cmdlines.txt success

[Gerry Hickman]

Hi,

I posted a while back about the concern of building a new Win2k box over
the network in that a virus could get into the system before you'd even
had a chance to patch it (on a big enterprise network that is). e.g.
someone plugs in their home laptop and suddenly your new box is infected.

I tried the Cmdlines.txt facility today, with just one patch (RPC
roll-up), and it seems to apply the patch before the final reboot. All
in all, very easy to set up, and a total success. If the patch gets
supersceded you can even "adjust" your build with ease (unlike the IEAK
where you'd have to do a complete new build just for one silly patch).

Just remember to use short file names, and supply the params for "quiet"
mode.

 

[Dave Patrick]

Cool, thanks Gerry

 

[Oli Restorick [MVP]]

Thanks Gerry. That's a relief and good to know, as it's the method I've
used.

Oli

 

[Gerry Hickman]

Thanks Gerry. That's a relief and good to know, as it's the method I've
used.

Heh! I was wondering if you'd already tried this.

The only thing I'm not sure of is whether it "fully" protects the box
while it's building. The docs on Cmdlines.txt imply that "it will only
work if the patch is on a local drive", thereby implying no network
access is occuring at that time. Either way, it's still much better than
not having it at all! I also like the fact it doesn't alter the
integrated build in any way - it's still baseline Win2k SP4 and if a new
RPC patch comes out and supersedes this one, it's like a five minute job
to update it.

I did consider applying all patches to the initial build using the hacky
procedure you posted before from the deployment guide, but it's too much
grief, I mean two weeks later my build will be no good. At least this
way I can build it with RPC protection and then quickly apply the rest
of the patches as soon as I log in as Admin for the first time.

 

[Guest]

I have run into this problem as well. I work at a University where
unpatched Windows hosts get hacked into with Nachi within minutes of
being RIS'ed.

My question though, roughly how long is a machine on a network
vulnerable before cmdlines.txt gets processed? I am currently building
machines on a network that is behind a firewall to protect myself but I
want to get to the point where I can have my users rebuild their
machines from where they are located which is across 4 campuses and the
hardware is not available to buy a firewall for each router we have
networks on.

Thanks.

 

[Bill Curtis [MSFT]]

Your machine is still vulnerable to any RCP worm during GUI-MODE
installation. Applying the hotfix using CMDLINES.TXT does not protect the
system until the system is rebooted after the GUI-MODE installation. The
only supported way of slipstreaming hotfixes into a installation is to
follow the following KB article:

814847 How to Slipstream Hotfixes That Replace Pre-Existing Driver Files
http://support.microsoft.com/?id=814847


- Bill Curtis [MSFT]
“This posting is provided "AS IS" with no warranties, and confers no
rights.”

 

[Gerry Hickman]

only supported way of slipstreaming hotfixes into a installation is to
follow the following KB article:

814847

Thanks Bill!