Patch Management

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

What would be the most effective way to maintain security patches up to
date? Can the "Autoupdate" work on 2000 servers? I guess I am concerned
about two things:

1. Timing issues
2. How to make sure the patch downloads are official?
3. How to detect the compatibility issue with the existing issues?

Do we have good products in the market to help on this?
 
Guest

Hi,

This can depend on how many clients you need to patch. One option would be to
set up SUS (Software Update Service). This can be downloaded from Microsoft
for free and set up on a Windows 2000 or Windows 2003 server. With SUS you can
patch computers running Windows 2000 SP3 or a newer operating system.

In SUS you can specify when clients will install patches that you approved
on SUS. If they miss the installation time (e.g. the computer was turned off)
you can specify when the computer should install the patch after the computer is
started. Microsoft usually releases new patches once a month. You can
subscribe to the newsletter where you will be informed of new patches that were
released. The next thing you would need to do is make sure that SUS is
synchronized with the WindowsUpdate server and approve new updates for
installation.

It is SUS that "calls" WU for new updates and not the other way around --
this is one step of assuring that downloads are official. Only if someone
hijacks your server could this be changed for SUS to visit some other site,
but in case of a hijack you will have bigger problems to solve. The next step
that makes sure that updates come from Microsoft is the use of SSL. SUS will
require that WU provides some identification and it will use the Microsoft
certificate for identification. If WU fails to authenticate, synchronization
will fail. Last thing, all patches and service packs are digitally signed by
Microsoft. If you change only one bit in the package, the digital signature
becomes invalid and the patch will not be installed.

To check if your clients are up-to-date, you can use MBSA.

Microsoft Baseline Security Analyzer v1.2.1 (for IT Professionals)
http://www.microsoft.com/downloads/details.aspx?FamilyID=b13ebd6b-e258-4625-b0a3-64a4879f7798&DisplayLang=en

Software Update Services 1.0 with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=a7aa96e4-6e41-4f54-972c-ae66a4e4bf6c&DisplayLang=en

Software Update Services Deployment White Paper
http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx

I hope this helps,

Mike

"Sherman H." <shung@charter.net> wrote in message
news:10lf2h6559gj3ce@corp.supernews.com...
> What would be the most effective way to maintain security patches up to
> date? Can the "Autoupdate" work on 2000 servers? I guess I am concerned
> about two things:
>
> 1. Timing issues
> 2. How to make sure the patch downloads are official?
> 3. How to detect the compatibility issue with the existing issues?
>
> Do we have good products in the market to help on this?
>
>
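
The reply above says that every patch and service pack is digitally signed and that a package changed by even one bit will not install. The PowerShell below is an added example, not part of the original thread and not a SUS or MBSA feature, showing how an administrator can check that signature on packages already staged on disk. The function name, the `C:\PatchStaging` folder, the extension list and the expected-signer string are assumptions for illustration.

```powershell
# Added example: report the Authenticode status of each staged patch package.
# Test-PatchSignature, the default extensions and the signer filter are
# hypothetical choices, not names taken from the thread.
function Test-PatchSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Extensions     = @('*.exe', '*.msi', '*.cab'),
        [string]   $ExpectedSigner = 'O=Microsoft Corporation'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Extensions |
        ForEach-Object {
            # Status is 'Valid' only when the file hash matches the signed
            # hash and the certificate chain is trusted. A modified file
            # reports 'HashMismatch'; an unsigned file reports 'NotSigned'.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            $subject = ''
            if ($sig.SignerCertificate) {
                $subject = $sig.SignerCertificate.Subject
            }

            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = $subject
                # Both conditions must hold: an intact signature AND the
                # signer we expect. A valid signature from an unexpected
                # publisher is still flagged.
                Trusted = ($sig.Status -eq 'Valid') -and
                          ($subject -like "*$ExpectedSigner*")
            }
        }
}

# List only the packages that should not be approved for deployment.
Test-PatchSignature -Path 'C:\PatchStaging' |
    Where-Object { -not $_.Trusted } |
    Format-Table File, Status, Signer -AutoSize
```

An empty result means every package found carries an intact signature from the expected publisher; any row that appears should be re-downloaded or investigated before the update is approved.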