Re: Deploying patches with a script
From: BrunoK (brunok_at_*NOSPAM*my-mail.ch)
Date: 09/12/03
- Next message: James Calvert: "KB824146 Scanner"
- Previous message: Dave Taylor: "Re: RSA Security Tokens"
- In reply to: JRentschler: "Deploying patches with a script"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Sep 2003 09:02:48 +0200
> I know virtually nothing about scripting, but understand that it is possible
> to deploy patches and hotfixes across a network through scripts. Can
> someone please point me in the direction of some basic instruction on how
> to do this?
Maybe this helps you.. this is NOT an e-mail from me. I got it this morning
from NTBugtraq.com.
Bruno
------- snip ---------
I didn't want to spend as many hours patching machines with KB824146 exploit
as I did with KB823980, so I tried out mbsafu.
Mbsafu is an automatic remote patching tool that applies Security updates
based on Microsoft Baseline Security Analyzer output.
This will patch NT4, WIN2k, WINXP, WIN2003 machines.
I patched 200-250 machines in our domain in <1 hour using the free tool:
Mbsafu. It works! We ran this against desktops and domain controllers.
Before deploying this, TEST IT on a few machines.
Steps to patch machines:
Download and unzip mbsafu. http://sourceforge.net/projects/mbsafu/
Read the usage.txt and readme.txt that come with the program. Read the
docs......
Download and install mbsa (Microsoft).
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
You need this to run mbsacli the mbsa command line scanner.
Run mbsacli scan against the computers in your domain.
Mbsacli -hf -d DOMAIN -o tab > output.csv
You can also run mbsacli on a range of ip addresses.
Look at the options...
Setup a network share with full privileges for the account you will patch
under. Set to full control for the domain admin account you will use.
Parse the output using mbsaparse:
Type output.csv | mbsaparse \\server\share
Download all needed patches it detects using:
Mbsafetch \\server\share
Troubleshoot patches that did not download by manually downloading via
manual.htm
Determine the specific patch you want to apply.
824146 is the patch I want to apply.
Edit the patch files to only apply that specific patch.
The patch files contain the patches to apply for each machine, one patch per
line. If you remove all the lines except for the 824146 line, it will only
install that patch.
Set the command line switches for all the patches or the patches you want to
install:
mbsaswitch \\server\share all "-z -q"
Note: this is to do an unattended install without a reboot.
If you want to reboot after applying the patch, read about the switches you
need to set, I do not recommend this. I wrote a simple perl script to
determine if anyone is logged onto the computer, so you can reboot it later.
For NT 4 clients you want the switches to be "/z /q" <--- VERIFY THIS!
Change your domain admin password to use a character-number only password.
When I had my password set using alphanumerics, it did not work correctly.
Run the autopatch tool.
This uses windows scheduler to schedule the job to run on the target
machine. It should encrypt your password.
mbsascheduler.exe \\server\share domain\user pass timeout-in-seconds > remote-results.csv
Runs process remotely, this is similar to psexec but does not encrypt your
password.
mbsaremote.exe \\server\share domain\user pass timeout > remote-results.csv
This will schedule the remote machine to install the patch from your
network share using domain credentials; it uses windows scheduler so the
password is not sent in clear text to the machine.
Start the update using the scheduler service, wait 10 minutes for it to complete
on each machine, and log the results to remote-results.csv:
mbsascheduler.exe \\server\share domain\user password 600 > remote-results.csv
As soon as it finishes, change your domain password.
It takes a while to get started, so be patient; it took 5 minutes before
I started getting connections on the network share with the clients
installing the patch.
Additional Items: Tools and Information I used to patch and verify:
Perl script to find computers no one is logged onto.
http://www.cs.montana.edu/~admin/MSO-039/no_one_logged_on.pl
Note, Pure Hack.
If you want to improve it and send me the improvements, go ahead.
Eventcombmt can be used to search for event logs relating to installation of
patches. Look for event 4377,8 Source:all Event Types:Informational
Text:KB824146
"shutdown /i /r /f" will allow you to interactively shutdown computers
remotely.
"Retina Network Security Scanner has been updated to identify this
vulnerability. http://www.eeye.com/html/Products/Retina/index.html
Also our FREE RPC scanner tool has been updated to check for this second
vulnerability. http://www.eeye.com/html/Research/Tools/RPCDCOM.html"
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
Good Luck.
--Luke
Montana State University - Bozeman
Computer Science System Administrator, Bozeman MT 59717
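An added example for the "edit the patch files to only apply that specific patch" step above; this is not code from Bruno's or Luke's mail and not part of mbsafu. It assumes the share holds one text file per machine with one patch per line and the KB number somewhere on each line (the file names and contents below are constructed).

```python
"""Restrict per-machine mbsafu patch lists to a single KB (added example).

Assumptions (not from the original post): the share holds one text file per
machine, one patch per line, and each line contains the KB number somewhere
(e.g. "KB824146" or just "824146"); file names and layout are constructed.
"""
import os
import re
import shutil
import tempfile


def keep_only_kb(lines, kb):
    """Return only the lines that refer to KB number `kb` (digits only).

    Matches 824146, KB824146 or Q824146 but not 8241460 or 1824146; blank
    and unrelated lines are dropped because a patch file is one patch per line.
    """
    pattern = re.compile(r"(?<!\d)(?:KB|Q)?%s(?!\d)" % re.escape(kb), re.IGNORECASE)
    return [ln for ln in lines if pattern.search(ln)]


def restrict_patch_files(share_dir, kb, suffix=".txt"):
    """Rewrite every patch file under share_dir so it lists only `kb`.

    The original file is copied to <name>.bak first so the full list can be
    restored. Returns a dict of file name -> number of lines kept; 0 means that
    machine will get nothing, so check whether it is already patched or MBSA
    never scanned it.
    """
    kept = {}
    for name in sorted(os.listdir(share_dir)):
        if not name.endswith(suffix):
            continue                      # skip .bak files and anything else
        path = os.path.join(share_dir, name)
        with open(path) as fh:
            lines = fh.read().splitlines()
        shutil.copy(path, path + ".bak")  # keep the full list for rollback
        wanted = keep_only_kb(lines, kb)
        with open(path, "w") as fh:
            fh.write("\n".join(wanted) + ("\n" if wanted else ""))
        kept[name] = len(wanted)
    return kept


if __name__ == "__main__":
    # Constructed sample share: two machines, one of which does not need 824146.
    share = tempfile.mkdtemp()
    with open(os.path.join(share, "ws01.txt"), "w") as fh:
        fh.write("KB823980 /z /q\nKB824146 /z /q\nKB8241460 /z /q\n")
    with open(os.path.join(share, "ws02.txt"), "w") as fh:
        fh.write("KB823980 /z /q\n")
    print(restrict_patch_files(share, "824146"))  # {'ws01.txt': 1, 'ws02.txt': 0}
```

Run it against a copy of the share first; a machine reported with 0 kept lines receives no patch at all, which is the behaviour the post describes.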