Order of patching new XP installs

Karen Gallaghar

I've posted this before, and have received one response
in the peer version, but it doesn't really resolve my
issue, and I'm pretty sure my situation isn't unique.

With the blaster and its relatives, it has become almost
impossible for me to build a new XP Pro workstation. I
work in a University supporting about 200 XP workstations
and 9 servers. Virtually pure MS products (two Linux
special java web servers). All other servers are Windows
2000 SP4, IIS 5 on two, SQL Server 2000 on two, and I
just upgraded to Active Directory in my own forest. All
my workstations are XP Pro, some are the Corporate
version, some are OEM versions (retail or academic), and
some are commercial versions donated by MS HR
recruiting. As a result, the machine and when it was
purchased, determines which CD I use when building, or
rebuilding a workstation to try to stay compliant with my
various licenses for the same product. As I am on a
college campus where our IT department doesn't "support
computers", each department/college either has their own
support, or several departments/colleges pool their
resources to hire their own support (my case, four
departments) or has no support and each user maintains
their own. While the University does block ports from off
campus, and recently from the student residences, they do
not block within the campus buildings. Even if they did,
many units share the same building and subnets.

The result is there are currently always machines
unpatched which infect me before I can finish an
install. Last week I tried to create an MSI job that
contained all the patches (downloaded from the Windows
update catalog). I was infected before the patches were
finished, and thus I now have a great MSI for installing
blaster.... So I burned a CD with all the patches (from
Windows Update Catalog) on it, and tried installing with
a batch file. I don't know the order (just critical
patches, not drivers or recommended updates). I was
infected after completing the patching - which implies
that one patch overwrote the blaster patch, which was
included. I have to run 3 batches to complete patching,
as some patches don't recognize qchain, and thus need to
reboot, and there are two reboots required. My first
patch is all the qchainable patches, then two batches of
pre-qchain. Having spent parts of 5 days, and four
complete reinstalls, without success, I really need some
help.

I can't slipstream to create a fully patched install CD,
or I would have to do some 60 or so CDs to cover all
versions (and do it again later as new "blaster-like"
issues arise). I don't have the resources to create an
internal windows update server, and it wouldn't work with
so many infected machines currently on campus, for the
same reasons that windows update doesn't work. When the
university scans a machine and finds it vulnerable, they
block it from the internet (and thus from windows
update). Sadly, this doesn't block them from other
machines within the subnet.

What I really need is a rollup patch that applies all
patches up through blaster. Or an MSI job that would do
the same (that I'd create if I had the details of exact
order of patching). But I would settle (and beg you for)
a list of all required patches (currently 60, I believe)
that all of the flavors of XP Pro need, and the exact
order they should be installed to properly protect an XP
Pro installation. Then I can make my patch CD with
confidence, and maybe even build my MSI file.

I read the blaster conference teleconference, and it didn't
address this type of situation, so I don't think you were
planning to release such a listing. Maybe you could have
it as a link on the windows update catalog?

Thanks in advance,

Karen Gallaghar
 
Nicholas

When you install Windows XP, simply do not establish a live internet connection.
You should install Windows XP, turn on its built-in Firewall, then apply
the MSBlast patch. Afterward, establish an internet connection.

According to Microsoft, there is no way, out of the box, to slipstream hotfixes.
Ref: http://www.microsoft.com/technet/tr.../itcommunity/chats/trans/winxppro/wxp0505.asp

How to Install Multiple Windows Updates or Hotfixes with Only One Reboot
http://support.microsoft.com/default.aspx?scid=kb;en-us;296861


--
Nicholas

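The worry raised in this thread, that a later patch in a batch can put back an older copy of a file that an earlier patch had already fixed, can be checked offline before a patch CD is burned. The following is an added example, not part of any post and not Microsoft tooling: a simplified Python model over a constructed manifest (the patch names, file names and version numbers are all hypothetical) that compares a last-writer-wins install with a keep-the-newest-version rule and lists any file left below the newest version shipped.

```python
# Added example: simplified model of patch ordering. All data is constructed.

def parse_version(v):
    # Compare "5.1.2600.999" and "5.1.2600.1230" numerically, not as strings.
    return tuple(int(part) for part in v.split("."))

# Constructed manifest: patch id -> {file name: version that patch ships}
MANIFEST = {
    "PATCH-A": {"rpc_example.dll": "5.1.2600.1230",
                "net_example.dll": "5.1.2600.999"},
    "PATCH-B": {"rpc_example.dll": "5.1.2600.1106"},
    "PATCH-C": {"net_example.dll": "5.1.2600.1240"},
}

def newest_available(manifest):
    # Highest version of each file shipped by any patch in the set.
    best = {}
    for files in manifest.values():
        for name, ver in files.items():
            if name not in best or parse_version(ver) > parse_version(best[name]):
                best[name] = ver
    return best

def apply_in_order(manifest, order, keep_newest):
    # keep_newest=False: each patch overwrites whatever is there (last writer wins).
    # keep_newest=True: a file is replaced only by a strictly newer version.
    installed = {}
    for patch in order:
        for name, ver in manifest[patch].items():
            current = installed.get(name)
            if keep_newest and current and parse_version(current) >= parse_version(ver):
                continue
            installed[name] = ver
    return installed

def regressions(manifest, installed):
    # Files whose installed version is older than the newest one available.
    best = newest_available(manifest)
    return sorted(name for name, ver in best.items()
                  if parse_version(installed.get(name, "0")) < parse_version(ver))

if __name__ == "__main__":
    order = ["PATCH-A", "PATCH-B", "PATCH-C"]
    print(regressions(MANIFEST, apply_in_order(MANIFEST, order, keep_newest=False)))
```

Run against the real file versions carried by each downloaded patch, an empty result for the chosen order means no file ends up older than the newest copy on the CD.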
 
Karen Gallaghar

Thanks, but I need to know the proper order to install
patches downloaded so one patch doesn't unpatch another
(like when the October SQL patch undid the July SQL
Slammer patch). Slipstreaming wouldn't work in the case
I've described, even if it were possible, as I have
multiple licenses/versions of XP Pro and could not
legally use a single slipstreamed corporate version on an
OEM licensed box, or an academic licensed box, or a
donated retail licensed box when I rebuild them (which is
done often enough). I'm not trying to apply any
hotfixes, just the critical update patches (60 of them,
as of last week). Blaster is only the worm-du-jour, so I
am looking for a longer term solution. I do appreciate
your suggestion, though.

Karen
 
Bill Sisk [MSFT]

Please take a look at the Security Readiness Kit. Link below for image.

http://download.microsoft.com/download/5/3/3/53306a04-f4c9-4c94-8f9d-127ea244f6df/srk41-rtm.iso

What the Security Readiness Kit is:
This kit is an ITPro-oriented CD containing the latest Critical Security
Patches and recommended service packs for Microsoft Windows Server System
products, as well as current security tools, guidance, and some
Blaster-specific content. The CD contains local executables for most of
the security content, with an xml-driven user interface containing some
links to the Microsoft website as well, for such things as "More
information" buttons. Finally, the CD user interface contains a new
capability called "Check for Updates" that goes out to the Microsoft
website and searches for an updated "table of contents" file. If a newer
table of contents has been published on the website, as it will be in the
event of new critical patch release, the CD user interface will reflect
that by displaying a new (microsoft.com) link for the user.

Please let me know if this helps.

Bill Sisk[MSFT]
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
