Patch Management Recommendation

[adfreak]

Hello,

In light of the recent Blaster & RPC vulnerabilities, my client who up to
this point has to patch management process in place, has stopped all other
initiatives to put one in place. I recommended to them SUS. I've already
built a SUS server and synchronized it with the MS Windows Update site. Now
I need to put a plan of action together for updating our desktops with the
Automatic Update 2.2 client. Let me state that we do not have AD deployed
as of yet (in the planning stages as of this writing unfortunately). Our
desktops consist of everything:
XP SP1
XP
W2K Pro
98
95

I know that SUS can only be used with W2K SP3 or greater and XP SP1. My
client just purchased GFI's Languard NSS yesterday. We're using that tool
the past 24 hours to push our MS03-039. In the meantime, I need to get a
plan in place to do the following (let me know if I'm missing something).

For the W2K machines that are at SP2 or lower and the XP machines without
SP1, figure out a way to install the update AU client.
Since we're not running AD and cannot use GPO, once all the clients have the
AU 2.2 client, come up with a way to change the registry on them to point to
the inhouse SUS server I built.

What would be the easiest way to go about doing this taking into
consideration the 2 tools I have (SUS and GFI).

Thanks

 

[Guest]

You can use Group Policy Editor to effect changes (edit the Local Policy) on workstations from your administrative workstation even if you don't have Active Directory implemented yet. You just have to create a custom Microsoft Management Console (mmc.exe) and add some Group policy snap-ins. The downside is that you have to add the snap-in once for each computer that you want to manage. I did this to enable SUS on the 80+ Win2K workstations on my non-AD network and it worked very well. Although you still have to enable SUS on each workstation individually via its Group Policy snap-in in your MMC, you don't have to travel and can save a lot of time by editing the Administrative Template for SUS (wuau.adm) so that when you enable the SUS policy elements they will default to your preferred patch installation mode, SUS server URL, Rescheduling Updates and Auto-restart values. I also used this method to apply startup, login, logout and shutdown scripts

----- adfreak wrote: ----

Hello

In light of the recent Blaster & RPC vulnerabilities, my client who up t
this point has to patch management process in place, has stopped all othe
initiatives to put one in place. I recommended to them SUS. I've alread
built a SUS server and synchronized it with the MS Windows Update site. No
I need to put a plan of action together for updating our desktops with th
Automatic Update 2.2 client. Let me state that we do not have AD deploye
as of yet (in the planning stages as of this writing unfortunately). Ou
desktops consist of everything
XP SP
X
W2K Pr
9
9

I know that SUS can only be used with W2K SP3 or greater and XP SP1. M
client just purchased GFI's Languard NSS yesterday. We're using that too
the past 24 hours to push our MS03-039. In the meantime, I need to get
plan in place to do the following (let me know if I'm missing something)

For the W2K machines that are at SP2 or lower and the XP machines withou
SP1, figure out a way to install the update AU client
Since we're not running AD and cannot use GPO, once all the clients have th
AU 2.2 client, come up with a way to change the registry on them to point t
the inhouse SUS server I built

What would be the easiest way to go about doing this taking int
consideration the 2 tools I have (SUS and GFI)

Thank