March 20th, 2002, 06:59 PM
What do you think the best approach is to patching a 100% Windows environment? We have about 400-500 machines across North America. I can almost guarantee that none of the machines know what a MS patch even looks like. We have SMS running, but the constant reboots between patches would screw this up.
So what would you say is the best way to go about this?
Hey zigar! This is what you do for a living right? hehe What do you do?
March 20th, 2002, 07:24 PM
well ...you could dedicate your life to the pursuit...(and with 500 boxes...it would likely be all you did...hehe)
One tool that i've been messing around with is called Service Pack Manager from
i've only got the freeware version, which will enumerate missing service packs and hotfixes on all your network machines within a domain...(which is very valuable on its own...)..the full version looks like you can remotely apply customized service packs for each machine...
i've no experience with it in real life...but it would be worth a look at...
a license for 500 machines is about 5 grand...but that's only 10 bucks a machine...seems to me that's pretty cost effective ...if it works as advertised...they do have a time-limited fully functional demo...and the crippled freeware version...
from their site
Service Pack Manager 2000 enables system administrators to fix security vulnerabilities and stability problems in Windows NT/2000/XP and additional Microsoft products. The increasing number of viruses such as Code Red and Nimda worms and continuous discoveries of security flaws in Microsoft products mandate cost-effective security measures, provided by Service Pack Manager 2000, to protect both servers and workstations on the enterprise networks.
Service Pack Manager 2000 is an automated security utility that allows an IT professional to remotely detect, track, monitor, and install Windows NT/2000/XP Service Packs and Hotfixes on the enterprise networks from a central console. Remote inventory, research, and deployment of the security vulnerabilities patches and stability updates makes Service Pack Manager highly cost-effective tool when used on the enterprise LANs and WANs. More importantly, it makes the task of maintaining security of the large networks viable.
You can use the Manual Update Costs spreadsheet to estimate the costs of maintaining the security and stability of Windows NT/2000/XP machines manually, based on the network size, labor costs, update frequency, and other enterprise-related factors.
Service Pack Manager 2000 provides the solutions to many problems that you are challenged with while trying to keep your network secure:
- It provides easy-to-use detection of the hotfix installation on remote computers. The installation status of hundreds of hotfixes can be detected in minutes on any number of remote computers, and presented in easy-to-read report. The alternative of manual discovery of installation of multiple hotfixes on hundreds of computers is simply not viable.
- It provides easy-to-use Service Pack and hotfix installation. Multiple hotfixes can be simultaneously installed on multiple machines within minutes. The alternative of manual installation of Service Packs and multiple hotfixes on multiple machines is not viable, especially considering the fact that it requires to physically attend every target computer, whether it is located on the same building floor, another building, or a different geographical location.
- It provides capability of detecting a particular set of hotfixes that might have critical security importance to a particular Windows platform. For example a hotfix that prevents Denial of Service attack on Windows NT/2000 servers running Internet Information Services (IIS).
- It eliminates the need to write time-consuming and complicated scripts to perform the management tasks involved in managing Service Packs and hotfixes on the networked machines.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
March 20th, 2002, 07:31 PM
Sounds like a pretty nice toy...thnx for the info.
Yeah, it took me about 20 minutes just to patch one machine with everything it needed. Multiply that by 500, plus the fact that more than half of these machines are remote.......whoa just got dizzy. Better not think about it.
March 20th, 2002, 07:52 PM
Re: Patching windows
You can also use http://www.bigfix.com/website/enterprise/overview.html
I use the Bigfix client [freeware] and it works great. [a must have]
i m gone,thx everyone for so much fun and good info.
cheers and good bye
March 22nd, 2002, 11:27 AM
Thanks for the info, I'm just about to test the software
March 22nd, 2002, 03:24 PM
There was a recent thread on the Focus-MS mailing list at securityfocus about this, it's worth checking out. There are very many autoupdate software packages available based on hfNetCheck.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
March 22nd, 2002, 03:48 PM
Thanks for all the advice on this one. I've been playing around with the hfnetchk utility too. It's a pretty nice little tool.
March 22nd, 2002, 04:31 PM
I can assure you it works (Service Pack Manager 2000). Lots of very well known names across all industries (from banks and insurance companies, hi-tech sector, through oil corporations, phone companies, and to Army, AFBs, Navy, Pentagon and NASA, and more - they all use it quite successfully, LANs or WANs...)
March 23rd, 2002, 05:36 AM
use qchain to link the hotfixes requiring 1 reboot...
ms knowledge base article Q296861
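
The single-reboot approach from the last post, as an added example that is not part of any post in this thread: a batch file that installs every hotfix package in a folder with the no-restart (-z) and unattended (-m) switches, then runs qchain once before the one reboot. The folder layout, the Q*.exe naming pattern and the log file name are assumptions.

```batch
@echo off
rem Added example: chain several hotfixes and restart once.
rem FIXDIR, QCHAIN and LOG are assumed, hypothetical paths. qchain.exe is
rem kept outside FIXDIR so the Q*.exe pattern below does not pick it up.
setlocal
set FIXDIR=C:\hotfix\pending
set QCHAIN=C:\hotfix\tools\qchain.exe
set LOG=%TEMP%\hotfix-chain.log
set FAILED=0

if not exist "%QCHAIN%" (
    echo qchain.exe not found at %QCHAIN%
    exit /b 1
)

echo %DATE% %TIME% starting hotfix chain on %COMPUTERNAME% >> "%LOG%"

rem Install every hotfix package without restarting in between.
for %%F in ("%FIXDIR%\Q*.exe") do call :install "%%F"

rem Run qchain once after the last hotfix, before the single restart.
"%QCHAIN%"
echo %DATE% %TIME% qchain exit code %ERRORLEVEL% >> "%LOG%"

if not "%FAILED%"=="0" echo %FAILED% package(s) returned a non-zero exit code, see %LOG%
echo Hotfixes staged. Restart this machine once to complete the installation.
endlocal
goto :eof

:install
rem -z = do not restart when the installation finishes, -m = unattended mode
echo %DATE% %TIME% installing %~nx1 >> "%LOG%"
"%~1" -z -m
if errorlevel 1 (
    echo %DATE% %TIME% %~nx1 exit code %ERRORLEVEL% >> "%LOG%"
    set /a FAILED+=1
)
goto :eof
```

The log gives a per-machine record of which packages ran and which returned a non-zero exit code, which is worth collecting centrally when the same file is pushed to hundreds of remote machines.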