determining ms updates to install for non-internet connected servers

zn

I have inherited several servers that do not have access to the Internet
due to network security that prevents incoming and outgoing connections to
the Internet. Because of that, I can't run Windows Update. How can I
determine for 2000 Server and NT Server which updates need to be installed?

Thanks.
 
Another alternative, and perhaps more practical for a small set of machines, is hfnetchk. I also have several machines that are firewalled for local use only and I cannot patch them from Windows Update.

Get hfnetchk here: http://www.shavlik.com/hfn_exe.aspx. You can run it against those remote machines using hostname or IP if you have IPC$ connection, but I find that to be very slow. As an alternative you can just extract hfnetchk.exe and copy it to each of the non-connected boxes and run locally. If you do that, each time before you want to scan those boxes you need to run hfnetchk on a box that is Internet capable in order to download the newest mssecure.cab file, then move that to the servers you want to check. It's all command line with lots of switches/parameters, so I just use a batch file to avoid having to figure it out each time. Once I get the list I just download the required patches from MS, move them to that box and install.

Not practical on a large scale, but for a few machines it's a fairly simple free solution. I also use hfnetchk occasionally to audit other boxes that do use Windows Update, redirecting the output to a file for documenting the patch status.

--

Bill James
Microsoft MVP - Shell/User

Windows VBScript Utilities » www.billsway.com/vbspage/
Windows Tweaks & Tips » www.billsway.com/notes_public/
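
Added example, not part of the original post and not the poster's own batch file: a wrapper for the local scan described in the reply above, run on the non-connected server after a fresh mssecure.cab has been copied over. The folder `C:\hfnetchk` and the report file name are hypothetical, and the `-x` (local data file) and `-v` (verbose) switches are assumed from HFNetChk's command-line help, so check them against the version in use.

```batch
@echo off
rem Added example: local HFNetChk scan on a server with no Internet access.
rem Assumed layout (hypothetical): hfnetchk.exe and mssecure.cab both sit in C:\hfnetchk.
setlocal
set HFDIR=C:\hfnetchk
set DATA=%HFDIR%\mssecure.cab
set REPORT=%HFDIR%\%COMPUTERNAME%-patchscan.txt

if not exist "%HFDIR%\hfnetchk.exe" goto notool
if not exist "%DATA%" goto nodata

rem Show the data file's date so a stale copy is obvious before the results are trusted.
echo Patch data file in use:
dir "%DATA%" | find /i "mssecure.cab"

rem -x  read patch data from the local file instead of downloading it (assumed switch)
rem -v  verbose: say why each patch is reported as missing (assumed switch)
rem With no host switch the local machine is scanned; output is redirected
rem to a file so the patch status of this server is documented.
"%HFDIR%\hfnetchk.exe" -x "%DATA%" -v > "%REPORT%"

echo Report written to %REPORT%
goto end

:notool
echo hfnetchk.exe not found in %HFDIR%
goto end

:nodata
echo mssecure.cab not found in %HFDIR%.
echo Download it on an Internet-connected machine and copy it here first.
goto end

:end
endlocal
```

Because the scan is only as current as the copied mssecure.cab, keeping the report next to the data file's date makes it clear which patch list each result was checked against.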
 