RE: HFNetChk Pro vs. other means to push out updates

From: Ta Trung T (ta.tt@mellon.com)
Date: 03/21/02 

From: Ta Trung T <ta.tt@mellon.com>
To: "'Jackson, Ben (DPH)'" <Ben.Jackson@state.ma.us>, emann@questinc.org, brett@securityprofiling.com, focus-ms@securityfocus.com
Date: Thu, 21 Mar 2002 14:00:15 -0500

Very true... we run a few 9x systems because of hardware restraints...
netware does a good job of locking it down once it is up an running but of
course one can enter the system with a simple reboot. A bios password
prevents that from happening. Take care. Great topic!

Trung Ta
Information Systems
Mellon Bank, N.A., Canada Branch
Phone: 416-860-2453
Fax: 416-860-2439
Email: ta.tt@mellon.com

> -----Original Message-----
> From: Jackson, Ben (DPH) [SMTP:Ben.Jackson@state.ma.us]
> Sent: Thursday, March 21, 2002 10:46 AM
> To: emann@questinc.org; brett@securityprofiling.com;
> focus-ms@securityfocus.com
> Subject: RE: HFNetChk Pro vs. other means to push out updates
>
> Ah, but there are businesses that use 9x, I know there are a good
> portion of Netware shops that use 9x as their workstations and the
> NW client does a very nice job of locking down the 9x system. Just
> because 9x wasn't initially designed for the business environment
> doesn't mean it isn't used for such. Microsoft made the system
> so they should really support it.
> ~Ben
>
> --
> Ben Jackson - Asst LAN Admin - MA Dept. of Health - Bureau of Health
> Stats.
> ben.jackson@state.ma.us - bbj@shore.net - http://piro.dnsq.org/~bbj
> Sysadmining - Hours of frustration punctuated by moments of sheer terror.
>
>
> -----Original Message-----
> From: emann@questinc.org [mailto:emann@questinc.org]
> Sent: Wednesday, March 20, 2002 3:17 PM
> To: brett@securityprofiling.com; focus-ms@securityfocus.com
> Subject: RE: HFNetChk Pro vs. other means to push out updates
>
>
> In the grand scheme of this category of products, and I mean the category
> as
> a whole, yes, win9x/me needs to be considered, as would UNIX variants, but
> HFNetChk is a product designed specifically for Microsoft's business level
> operating systems. Many of the readers here deal with homogenous
> Microsoft
> environments I'm sure, so they really are not concerned with anything
> aside
> from MS operating systems. And since this product was designed for
> business
> level operating systems, which win9x/me are not, there would be no such
> support in this particular product, nor would I see a huge need for it any
> other package in this category of products that was Microsoft-only based.
> The Win9x platform was never suited well for business IMHO, and it is
> vastly
> old and outdated, and I can fully understand why someone would not invest
> the time to provide support in this type of product for it.
>
>
> -----Original Message-----
> From: Brett Oliphant [mailto:brett@securityprofiling.com]
> Sent: Wednesday, March 20, 2002 12:23 PM
> To: focus-ms@securityfocus.com
> Subject: Re: HFNetChk Pro vs. other means to push out updates
>
>
>
>
> This catagory of product is awesome. This is needed for every
> organization.
> No one has time to do this by hand. However since this is a new catagory
> of
> product ... aren't we overlooking some important considerations?
>
> There are several packages out there. But long term doesn't this type of
> product need to support third party applications? Doesn't it also need to
> cover other operating systems than just windows NT ? There are still tons
> of
> Windows 9x out there. And what about unix? Do we care not about the total
> solution?
>
> <caution> Judgement may be skewed for our product SysUpdate does exactly
> what I have said.
>
> Brett Oliphant
> SecurityProfiling, Inc.
> www.securityprofiling.com
> 765.532.3123
>
>
>
> > I'm giving a public webcast presentation on HFNetChk on April 9th.
> >
> (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.c
> om
> /servicedesks/webcasts/wc040902/wcblurb040902.asp)
> > (above URL is wrapped)
> >
> > Among other items, we will discuss how hfnetchk always verifies the
> > existence of patches via fileversions and checksums. The presentation
> will
> > also include a discussion of the next version of the XML schema and
> hfnetchk.
> >
> > In order to assist with performing a quick scan, the default action will
> > first try to determine if the patch may have been applied by looking for
> > the presence of a patch specific registry key. If this key is not
> found,
> > we assume the patch was not applied and label it as not found. If the
> key
> > is present, we verify the patch really is installed by checking the
> > fileversions and checksums of all involved files. In any case, we don't
> > rely on the presence of a registry key alone to state that a patch has
> not
> > been applied. (this has been the default behavior since the first
> version
> > of hfnetchk)
> >
> > If you are concerned that registry keys may not have been written, or
> have
> > been overwritten, etc. you can disable the reg checks altogether so that
> > existence or absence of the patch is verified solely by the checksum and
> > file version assessment. Use the -z switch as documented in KB article
> > Q303215. This feature has also been available since the first release
> of
> > the tool.
> >
> > FIY - SMS ships the same version of hfnetchk - an SMS add-on pack
> includes
> > the files necessary to automate the hfnetchk scan, file download, and
> patch
> > installation.
> >
> > At 09:44 AM 3/19/2002 -0800, Colin Stefani wrote:
> > >One product we use for patch distribution is PatchLink
> (www.patchlink.com),
> > >which has been good. It's an agent based product that is licensed on a
> per
> > >machine/node basis. We use it for all our servers and then use SMS for
> > >sending out to the workstations, since our workstations are fairly
> > >standardized the patches are all the same but our servers are different
> from
> > >each other in many cases.
> > >
> > >Patchlink takes some tweaking, but the company is helpful and willing
> to
> > >work with you. It's a commercial product, so it does cost money to use,
> but
> > >we felt it did a better job than HFNetChk in terms of looking at
> > >applications in addition to OS patches as well as the fact is allowed
> for
> > >silent distribution and automated reboots. It also performs check
> summing
> > >and version checking of files in addition to registry entries, which at
> the
> > >time of our evaluation hfnetchk didn't do (or do well) and was
> something
> we
> > >wanted and felt made a patch product more complete.
> >
> >
> > <snip>
> >
*****************************************************************
DISCLAIMER: The information contained in this e-mail may be confidential
and is intended solely for the use of the named addressee. Access, copying
or re-use of the e-mail or any information contained therein by any other
person is not authorized. If you are not the intended recipient please
notify us immediately by returning the e-mail to the originator.

Relevant Pages