Re: Remote rollout script for ms03-026
From: Jonathan Goldberg (jgoldberg_at_NOWLDEF.ORG)
Date: 08/06/03
- Previous message: Dan Sackinger: "Re: MS03-026 - are you patched? Windows Update isn't sure!"
- Maybe in reply to: Steve Shockley: "Remote rollout script for ms03-026"
Date: Wed, 6 Aug 2003 10:23:38 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Steve (and others),
First, thank you for sharing this method with the community. I distribute
patches to all of my Win2K workstations with a similar method; it's
incredibly quick and effective. I offer the following as caveats and
constructive criticism, and in no way do I mean to devalue your work, or
your willingness to share it.
1) psexec is a great tool, but you should be aware that it passes the
administrator password in plaintext. There's a way around this which
involves calling at.exe (a CLI interface to the Task Scheduler) to schedule
a task for, say, 5 minutes from now. You do this while logged in at your
computer, and at.exe allows you to specify the remote computer.
2) Many systems have wscript.exe removed as part of their hardening process.
My method (which I won't share publicly because it's actually embarrassingly
kludgy, people can e-mail me off-list if they'd like a copy) uses freeware
tools and batch files to accomplish a similar goal to your .vbs file.
Free tools that I use:
Getver.exe - a CLI tool that returns the version of an exe/com/dll/etc.
Available at http://thunder.prohosting.com/~ladi/e_cmd32.html.
Reg.exe - This is part of the free WinNT resource kit download.
Queries/updates the registry from the commandline. Available at
http://download.microsoft.com/download/winntsrv40/rktools/1.0/NT4/EN-US/sp4rk_i386.Exe.
Now.exe - Available for free at
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/now-o.asp.
It outputs the date/time to a logfile. You can use environment variables
%date% and %time% as well, but now.exe works on Win9x as well, so I use it
on Win2K for easier parsing of logfiles that patch both OSes.
A quick example (this is part of a login script that patches Win9x for
MS03-023, unless it's already patched):
\\server1\netlogon\getver "c:\Program Files\Common Files\Microsoft Shared\TEXTCONV\html32.cnv" | find "5426" > nul
If errorlevel 1 \\server2\sys\Updates\patches\823559usa8.exe /q /r:n
Thanks again for your scripts,
Jon
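
The version test in the login-script fragment above, taken a step further as an added example (not part of the original message or of Jon's scripts): it parses the version a tool prints and compares it numerically instead of searching for the substring 5426. The output format, the version fields other than 5426, and all function names are assumptions made for illustration.

```python
import re

# Assumption: 5426 (the marker the login script searches for) is the third
# field of a four-part file version; the other three fields are constructed.
PATCHED_MIN = (1, 0, 5426, 0)

def parse_version(text):
    """Pull the first four-part version out of tool output.

    Accepts '1.0.5426.0' and the '1, 0, 5426, 0' style used in version
    resources. Returns a tuple of ints, or None if nothing parses.
    """
    m = re.search(r"(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def decide(tool_output, minimum=PATCHED_MIN):
    """Return 'patched', 'install' or 'unknown' for one machine."""
    version = parse_version(tool_output)
    if version is None:
        # File missing or output unreadable: do not silently report success.
        return "unknown"
    return "patched" if version >= minimum else "install"

def substring_decide(tool_output, marker="5426"):
    """The find-style test, for comparison: marker present means patched."""
    return "patched" if marker in (tool_output or "") else "install"

# Constructed sample outputs (not captured from a real getver run).
SAMPLES = {
    "exact patched build": "html32.cnv 1.0.5426.0",
    "older build": "html32.cnv 1.0.4109.0",
    "later build": "html32.cnv 1, 0, 6000, 0",
    "marker in wrong field": "html32.cnv 1.0.4109.5426",
    "file not found": "",
}

def compare_all():
    """Map each sample name to (substring result, numeric result)."""
    return {name: (substring_decide(out), decide(out)) for name, out in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_find, by_number) in compare_all().items():
        print(f"{name:24} find={by_find:8} numeric={by_number}")
```

The two tests agree on the first two samples and differ on the last three: a later build is not reinstalled, a marker in the wrong field does not count as patched, and an unreadable result is logged as unknown.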