Re: Remote rollout script for ms03-026

From: Jonathan Goldberg (jgoldberg_at_NOWLDEF.ORG)
Date: 08/06/03

  • Next message: Russ: "Re: Windows 2003 IIS IP Binding - Bad default behaviour/security problem ..."
    Date:         Wed, 6 Aug 2003 10:23:38 -0400

    Steve (and others),

    First, thank you for sharing this method with the community. I distribute
    patches to all of my Win2K workstations with a similar method, it's
    incredibly quick and effective. I offer the following as caveats and
    constructive criticism, and in no way do I mean to devalue your work, or
    your willingness to share it.

    1) psexec is a great tool, but you should be aware that it passes the
    administrator password in plaintext. There's a way around this which
    involves calling at.exe (a CLI interface to the Task Scheduler) to schedule
    a task for, say, 5 minutes from now. You do this while logged in at your
    computer, and at.exe allows you to specify the remote computer.

    2) Many systems have wscript.exe removed as part of their hardening process.
    My method (which I won't share publicly because it's actually embarrassingly
    kludgy, people can e-mail me off-list if they'd like a copy) uses freeware
    tools and batch files to accomplish a similar goal to your .vbs file.

    Free tools that I use:
    Getver.exe - a CLI tool that returns the version of an exe/com/dll/etc.
    Available at
    Reg.exe - This is part of the free WinNT resource kit download.
    Queries/updates the registry from the commandline. Available at
    Now.exe - Available for free at
    p, it outputs the date/time to a logfile. You can use environment variables
    %date% and %time% as well, but now.exe works on Win9x as well, so I use it
    on Win2K for easier parsing of logfiles that patch both OSes.

    A quick example (this is part of a login script that patches Win9x for
    MS03-023, unless it's already patched):
    \\server1\netlogon\getver "c:\Program Files\Common Files\Microsoft
    Shared\TEXTCONV\html32.cnv" | find "5426" > nul
    If errorlevel 1 \\server2\sys\Updates\patches\823559usa8.exe /q /r:n

    Thanks again for your scripts,

    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to


  • Next message: Russ: "Re: Windows 2003 IIS IP Binding - Bad default behaviour/security problem ..."