RE: HFNetChk Pro vs. other means to push out updates
From: Jackson, Ben (DPH) (Ben.Jackson@state.ma.us)
Date: 03/21/02
From: "Jackson, Ben (DPH)" <Ben.Jackson@state.ma.us>
To: emann@questinc.org, brett@securityprofiling.com, focus-ms@securityfocus.com
Date: Thu, 21 Mar 2002 10:46:11 -0500

Ah, but there are businesses that use 9x, I know there are a good
portion of Netware shops that use 9x as their workstations and the
NW client does a very nice job of locking down the 9x system. Just
because 9x wasn't initially designed for the business environment
doesn't mean it isn't used for such. Microsoft made the system
so they should really support it.
~Ben
--
Ben Jackson - Asst LAN Admin - MA Dept. of Health - Bureau of Health Stats.
ben.jackson@state.ma.us - bbj@shore.net - http://piro.dnsq.org/~bbj
Sysadmining - Hours of frustration punctuated by moments of sheer terror.

-----Original Message-----
From: emann@questinc.org [mailto:emann@questinc.org]
Sent: Wednesday, March 20, 2002 3:17 PM
To: brett@securityprofiling.com; focus-ms@securityfocus.com
Subject: RE: HFNetChk Pro vs. other means to push out updates

In the grand scheme of this category of products, and I mean the category as a whole, yes, win9x/me needs to be considered, as would UNIX variants, but HFNetChk is a product designed specifically for Microsoft's business level operating systems. Many of the readers here deal with homogenous Microsoft environments I'm sure, so they really are not concerned with anything aside from MS operating systems. And since this product was designed for business level operating systems, which win9x/me are not, there would be no such support in this particular product, nor would I see a huge need for it in any other package in this category of products that was Microsoft-only based. The Win9x platform was never suited well for business IMHO, and it is vastly old and outdated, and I can fully understand why someone would not invest the time to provide support in this type of product for it.

-----Original Message-----
From: Brett Oliphant [mailto:brett@securityprofiling.com]
Sent: Wednesday, March 20, 2002 12:23 PM
To: focus-ms@securityfocus.com
Subject: Re: HFNetChk Pro vs. other means to push out updates

This category of product is awesome. This is needed for every organization. No one has time to do this by hand. However since this is a new category of product ... aren't we overlooking some important considerations?
There are several packages out there. But long term doesn't this type of product need to support third party applications? Doesn't it also need to cover other operating systems than just windows NT ? There are still tons of Windows 9x out there. And what about unix? Do we care not about the total solution?
<caution> Judgement may be skewed for our product SysUpdate does exactly what I have said.
Brett Oliphant
SecurityProfiling, Inc.
www.securityprofiling.com
765.532.3123

> I'm giving a public webcast presentation on HFNetChk on April 9th.
> (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com
> /servicedesks/webcasts/wc040902/wcblurb040902.asp)
> (above URL is wrapped)
>
> Among other items, we will discuss how hfnetchk always verifies the
> existence of patches via fileversions and checksums. The presentation will
> also include a discussion of the next version of the XML schema and hfnetchk.
>
> In order to assist with performing a quick scan, the default action will
> first try to determine if the patch may have been applied by looking for
> the presence of a patch specific registry key. If this key is not found,
> we assume the patch was not applied and label it as not found. If the key
> is present, we verify the patch really is installed by checking the
> fileversions and checksums of all involved files. In any case, we don't
> rely on the presence of a registry key alone to state that a patch has not
> been applied. (this has been the default behavior since the first version
> of hfnetchk)
>
> If you are concerned that registry keys may not have been written, or have
> been overwritten, etc. you can disable the reg checks altogether so that
> existence or absence of the patch is verified solely by the checksum and
> file version assessment. Use the -z switch as documented in KB article
> Q303215. This feature has also been available since the first release of
> the tool.
>
> FYI - SMS ships the same version of hfnetchk - an SMS add-on pack includes
> the files necessary to automate the hfnetchk scan, file download, and patch
> installation.
>
> At 09:44 AM 3/19/2002 -0800, Colin Stefani wrote:
> >One product we use for patch distribution is PatchLink (www.patchlink.com),
> >which has been good. It's an agent based product that is licensed on a per
> >machine/node basis. We use it for all our servers and then use SMS for
> >sending out to the workstations, since our workstations are fairly
> >standardized the patches are all the same but our servers are different from
> >each other in many cases.
> >
> >Patchlink takes some tweaking, but the company is helpful and willing to
> >work with you. It's a commercial product, so it does cost money to use, but
> >we felt it did a better job than HFNetChk in terms of looking at
> >applications in addition to OS patches as well as the fact it allowed for
> >silent distribution and automated reboots. It also performs check summing
> >and version checking of files in addition to registry entries, which at the
> >time of our evaluation hfnetchk didn't do (or do well) and was something we
> >wanted and felt made a patch product more complete.
> >
> <snip>
>
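
The quoted description of the default scan (registry key as a quick filter, then file version and checksum verification) and of the -z switch can be modelled as below. This is an added example, not part of the thread and not hfnetchk's own code; the key, file path, versions, status strings and the use of SHA-256 as the checksum are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

INSTALLED, NOT_FOUND, MISMATCH = "installed", "not found", "key present, files differ"

@dataclass(frozen=True)
class FileSpec:
    path: str
    version: tuple      # expected file version after patching
    checksum: str       # expected SHA-256 (assumption: the page names no algorithm)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def files_match(specs, filesystem) -> bool:
    """True only if every involved file has the expected version and checksum."""
    for spec in specs:
        found = filesystem.get(spec.path)
        if found is None:
            return False
        version, content = found
        if version != spec.version or digest(content) != spec.checksum:
            return False
    return True

def check_patch(reg_key, specs, registry, filesystem, skip_registry=False):
    """skip_registry=True models the -z switch: files are the only evidence."""
    if skip_registry:
        return INSTALLED if files_match(specs, filesystem) else NOT_FOUND
    if reg_key not in registry:
        return NOT_FOUND            # quick path: no key, assume not applied
    # Key present: it is only a hint, so the files are still verified.
    return INSTALLED if files_match(specs, filesystem) else MISMATCH

# Constructed sample data (not a real hotfix, registry key or file).
KEY = r"HKLM\SOFTWARE\Example\HotFix\Q000000"
DLL = r"C:\WINNT\system32\example.dll"
PATCHED = ((5, 0, 2195, 4000), b"patched build")
OLD = ((5, 0, 2195, 1000), b"original build")
SPECS = [FileSpec(DLL, PATCHED[0], digest(PATCHED[1]))]

def demo():
    return {
        "key and files": check_patch(KEY, SPECS, {KEY}, {DLL: PATCHED}),
        "key, old file": check_patch(KEY, SPECS, {KEY}, {DLL: OLD}),
        "no key, default": check_patch(KEY, SPECS, set(), {DLL: PATCHED}),
        "no key, -z": check_patch(KEY, SPECS, set(), {DLL: PATCHED}, skip_registry=True),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16} -> {status}")
```

The "no key" cases show the trade-off the message describes: the default quick scan reports a patched file as not found when its registry key is missing, while the file-only mode reports it as installed.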