Integrated SP4 got infected while being built!

[Gerry Hickman]

Hi,

I build an SP4 integrated workstation the other day (unattend.txt), and
it got infected with a virus (RPC exploit) while it was building itself!
Seems there was a rogue laptop on the network at the time.

Since I can't guarantee this wont happen in the future, I'm worndering
if it's possible to "integrate" some of the post SP4 hotfixes too, so
that as soon as the network goes live, the RPC port is protected?

 

[NIC Student]

re: rogue laptop

In my environment, we just spent the last 8 days cleaning the Welchia worm
from our network, it started from users ignoring our plea to have all
laptops patched before returning to work. We had about 2000 desktops
patched via SUS but the rest were legacy or for other reasons were not
patched (most didn't have Win2K SP2 or later). Welchia dropped our network
bandwidth to zero in many places. Why is it always the enemy within...?

You ask a good question. Have you tried editing the answer file [GUIRunOnce]
section to run the patch install after booting up - but I guess this makes
the machine vulnerable on that first reboot.

--
Scott Baldridge
Windows Server MVP, MCSE


"Gerry Hickman" <

 

[Oli Restorick [MVP]]

I have applied MS03-039 in my cmdline.txt file, but even that would leave
the machine vulnerable for a short period of time.

Have you seen these two articles, which both mention how to integrate
hotfixes? I haven't implemented this. Last time I looked at it, I thought
it was a bit "hacky".

http://support.microsoft.com/default.aspx?scid=kb;EN-GB;q296723
http://www.microsoft.com/technet/tr...dtechnol/windows2000serv/support/spdeploy.asp

Cheers

Oli

 

[Gerry Hickman]

I have applied MS03-039 in my cmdline.txt file, but even that would leave
the machine vulnerable for a short period of time.
Yes.

Have you seen these two articles, which both mention how to integrate
hotfixes? I haven't implemented this. Last time I looked at it, I thought
it was a bit "hacky".

Thanks. I don't like the look of that! It may well be the answer though...

 

[Nathan Reilly]

I don't think the intergrated intalls are "hacky at all",
I have successfully done this and it works fine, if you
are intalling via RIS, download the patches, extract them,
the run from a command prompt: "%patch lotation%
\setup\setup.exe /s:\\%shared install location%", that is
the only way to build the machine "protected".

 

[Oli Restorick [MVP]]

That doesn't sound like the method I've seen documented, in which you must
edit setup files in the i386 directory and replace other files to ensure
that Windows' own file protection doesn't take exception to the patch files.

Could you expand on your method for the sake of clarity?

Thanks

Oli

 

[Ralph Farmer [MSFT]]

This article describes deploying hotfixes:
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/hfdeploy.asp

 

[Nathan Reilly]

Hi Oli,

Sorry if I sounded a bit short before,

The way I intergrate SP/hotixes is the copy the contents
of the w2k CD to C:\w2k\, the download the hotfix to
C:\downloads\, start a command prompt and change directory
to the location of the hotfix, and run C:\downloads\"%
hotfixname% -x" to extract the files.

then run from the command prompt C:\downloads\%
hotfix_folder%\update\update.exe /s:C:\w2k

Then you can run the RIS install from the folder C:\w2k

You should get a dialog box saying that it completed.

Again, sorry if I sounded short before

Any questions, please let me know.

Cheers

 

[Gerry Hickman]

The way I intergrate SP/hotixes is the copy the contents
of the w2k CD to C:\w2k\, the download the hotfix to
C:\downloads\, start a command prompt and change directory
to the location of the hotfix, and run C:\downloads\"%
hotfixname% -x" to extract the files.

then run from the command prompt C:\downloads\%
hotfix_folder%\update\update.exe /s:C:\w2k

Hmm, this does seem completely different to what it says in the SP4
deployment guide... (says the same as Oli).

It does sound like a simple solution if it works!

 

[Cary Shultz]

-----Original Message-----


Hmm, this does seem completely different to what it says in the SP4
deployment guide... (says the same as Oli).

It does sound like a simple solution if it works!

Gerry!

Take a look at some of the posts that I have made in the
last three weeks or so. In a few of them you will see how
I have done this:

Using RIS - integrate SP3 ( or SP4 ) to the I386 folder so
that I have a WIN2000 SP3 ( or WIN2000 SP4 ) set up right
from the start. Then, I use the $OEM$ folder, QCHAIN and
CMDLINES.TXT to install the vast majority of the
hotfixes. I then install IE6SP1 ( which I can not quite
to get to work with the GuiRunOnce with any consistency )
and then I use a simple .cmd file to install the rest.
With Windows XP it is even easier as IE6SP1 is already
there if you are using XP SP1!

HTH,

Cary

 

[Cary Shultz]

-----Original Message-----
Hi Oli,

Sorry if I sounded a bit short before,

The way I intergrate SP/hotixes is the copy the contents
of the w2k CD to C:\w2k\, the download the hotfix to
C:\downloads\, start a command prompt and change directory
to the location of the hotfix, and run C:\downloads\"%
hotfixname% -x" to extract the files.

then run from the command prompt C:\downloads\%
hotfix_folder%\update\update.exe /s:C:\w2k

Then you can run the RIS install from the folder C:\w2k

You should get a dialog box saying that it completed.

Again, sorry if I sounded short before

Any questions, please let me know.

Cheers

a
.

I am going to take a look at this. I like this ( at first
glance ). Nathan, do you also run DirectX 9.0b and WMP
and their associated patches in your set up?

 

[Oli Restorick [MVP]]

Not at all. I was just curious as to the exact method.

This doesn't look nearly as bad as the original KB articles I've seen. I
like to try things myself first, but that looks pretty cool.

Thanks for the info.

Oli

 

[Gerry Hickman]

Hi Cary,

I have done this:

Using RIS

CMDLINES.TXT to install the vast majority of the
hotfixes.

Well I don't have RIS, and I was under the impression CMDLINES.TXT would
leave the machine vulnerable for a short while before the CMD lines
actually run. The concept of "integration" is that the patched files
would actually be copied over the network right from the get go?

 

[Gerry Hickman]

I am going to take a look at this. I like this ( at first
glance ). Nathan, do you also run DirectX 9.0b and WMP
and their associated patches in your set up?

Eeek. I guess this isn't so bad for you, as you've got the "OEM
special", but out of interest, I note WMP9 and 9.0b both require some
kind of EULA acceptance (over and above the usual). I already know about
the WMP9 one, but have you looked at the DirectX 9.0b small print to see
what's it's about? Are you in the States?

 

[Martin Resch]

Hi Nathan,

does this work with kbxxx-Hotfixes??
When I tried, I got a "dont know the -s switch"

Martin

 

[Al Dykes]

I have applied MS03-039 in my cmdline.txt file, but even that would leave
the machine vulnerable for a short period of time.

Have you seen these two articles, which both mention how to integrate
hotfixes? I haven't implemented this. Last time I looked at it, I thought
it was a bit "hacky".

http://support.microsoft.com/default.aspx?scid=kb;EN-GB;q296723
http://www.microsoft.com/technet/treeview/default.asp?url=

Cheers

Oli

A little OT, but is a NAT firewall enough to block RPC viruses when
setting up a new machine ?

I just need enough time to hit update.microsoft.com so I can install
critcial updates on a fresh install and install Zone Alarm.

Thanks