Re: Hfnetchk.exe
From: Jeff Cochran (jcochran)
Date: 07/21/02
- In reply to: Benjamin Farkas: "Re: Hfnetchk.exe"
From: jcochran at naplesgov dot com (Jeff Cochran) Date: Sun, 21 Jul 2002 15:39:53 GMT
>Here is my defence from my original posting against using WU.
>
>"Why WU is not good...
Windows Update may not be the ideal tool in *your* situation, but that
hardly makes it a sin for anyone to use it. A responsible admin will
use the tools appropriate to their situation.
>1. I have to WALK to each workstation and click on Start Windows Update
>[wasting my time]
Or use a remote access tool...
>2. If I have Windows XP machines with the automatic Windows Update, I am
>relying on my end users to click on "ok" to load. This just doesn't happen.
>All machines in the office are going to pull down the same patch. In order to
>confirm that they did the install, I once again have to walk around to each
>machine and see if they did it....
Or set it to automatically install...
>Thus... WU and WU only will not give you ANY confirmation that all machines in
>your network are patched. All it takes is a weak link to get in....
Installing by running a patch file gives you no confirmation to speak
of, and you'd have to walk around to the stations to run them or use a
scripting method anyway.
>3. There are instances where certain hotfixes will not load via WU. You must
>shut down the underlying service in order to run WU.
Hmm... I've never run into any, but it sounds plausible. If you find
some, perhaps you'd share them.
>4. IMHO the only logical, "control" with verifiable "yes I did the patch on
>that particular day and I can confirm this with a printout" is to
>
>a. Purchase Update Expert from St. Bernard's Software or
>b. Shavlik's hfnetchkpro
I have no issues with pushing out patches using SMS, or any other
updates or software for that matter.
>Every third party security resource that I defer to [we're talking NTBugtraq,
>SANS yadda yadda... indicates that you should use a combo of BOTH hfnetchk and
>Windows Update to check your server. Just using one does not do the job.
Actually, using both won't do the job either. Unfortunately, security
actually requires an admin, and one that's vigilant and sometimes a
bit anal.
>5. There have been known cases where the patches that are identified via WU
>are not the same as hfnetchk needed patches"
Gee, and HFNetChk keeps telling me to install a patch that I can't use
too. Again, there aren't any automated tools that can do it, it
requires an admin who isn't automated. And who knows what he's
installing and why.
The bottom line on this was your blanket statement never to use
Windows Update. On that I disagree, but on almost everything else
we're in a similar alignment.
Jeff