Re: MS03-026 Update -- FYI by Jeff
Jeff
Tue Aug 12 22:46:28 CDT 2003
This is true, I did pursue it and decided it wasn't viable. The best
solution is to use Shavlik LT version or something like it.
For myself, I have developed some custom scripts to push patches remotely,
but I'm not at the point I'm proud enough to offer them for a security
patching project....the method still has too many problems I'm working
around. I've determined that I'm on the right track, basically what I've
developed is a set of scripting tools that work more the way that I want
than Shavlik does for specific conditions, but I'm not as bugproof as they
are.
The main problem I have with Shavlik is it's too slow, and it requires an
refresh from the Internet on every cycle....this is a fatal flaw for offline
patching. In addition, I need to be able to push patches from a remote
deployment point and Shavlik doesn't handle this well. I have multi-site
locations that I need the patches to pull from a location at the remote
site, not in the office where the patch management computer is running.
The common problem among these issues is that it's difficult to make patches
install without the certainty of Administrative rights and execution that
won't be interrupted. This isn't rocket science to realize, but it turns out
to be a bit iffy in deployment process. For instance, I have a remote
deployment script that consistently is successful in deploying a Service
Pack to a remote W2K/XP machine, but can't add an Environment variable at
that station! The why and wherefore of that if very frustrating.
I was making excellent progress on all of these tools and concepts for the
past several weeks when the worm declared "game time" and my experiments had
to stop and the push had to begin. Even as we are typing here, I am
fighting with a shavlik installation for precisely the reason I didn't;t
want to use it...bad web day.
"G" <maharg78@yahoo.com.au> wrote in message
news:ff10276c.0308121927.40141c02@posting.google.com...
> Hi Jeff,
>
> A while ago you spent some time trying to find ways of deploying Hot
> Fixes using Group Policy. I was wondering if you ever found a reliable
> solution. With all the buzz about the MS03-026 Update I am sure many
> are still looking for ways to deploy MS03-026 using GP. I have been
> spending some time on it but without a .msi file there does not seem
> to be a safe reliable way to use GP for the deployment.
>
> "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
news:<uf3wOmOYDHA.1640@TK2MSFTNGP10.phx.gbl>...
> > At this point I don't have enough information to qualify much of the
> > details. I've only gotten feedback from two of the sites I was having
> > trouble with.
> >
> > What I'm not seeing is that Internet Latency as a problem. The site I
could
> > get a VPN to but couldn't get the TS session running on the SBS had no
> > problem passing the TS session request right through the VPN to raise an
XP
> > Pro RDP session, and held it constantly during the period that the SBS
> > sessions either timed out sporadically, or wouldn't connect. The queer
thing
> > about the time outs was not that you would get no response from the
server
> > to the connection, in fact I was getting a session initiated but
couldn't
> > get to the desktop after the authentication screen. I was actually
getting
> > disconnects that stayed listed as disconnected sessions in the TS
Manager
> > sessions directory. When I was able to reconnect, I had 4 concurrent
session
> > on the SBS, two disconnected, two active. Attempting to reset the
> > disconnected sessions was extremely sluggish, often unsuccessful. The
whole
> > thing smells of a RPC problem because there were not event errors
reported,
> > and the performance of the VPN connection to the RDP session on the XP
> > station never wavered.
> >
> > The other sites with VPN connect problems I can't really explain because
I
> > have no insight as yet. The machines were unresponsive entirely, but
this
> > can be caused by many things, including Web sludge.
> >
> >
> > "Buzz Lightyear" <squeaker123@hotmail.com> wrote in message
> > news:eMmAoDOYDHA.2448@TK2MSFTNGP09.phx.gbl...
> > > so the scenario is: ??
> > >
> > > install ms03-026?
> > > VPN into network?
> > > create rdp to winxp on sbs lan?
> > > rdp fails or takes a long time?
> > > doing it a 2nd time works?
> > >
> > > Questions:
> > > 1. is sbs handling the incoming vpn? or is hardware?
> > > 2. does it only happen across the vpn connection?
> > >
> > > I would *guess* that internet latency will be high during the *patch
> > period*
> > > (few days tops).
> > >
> > > "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> > > news:eaYgpSNYDHA.2308@TK2MSFTNGP12.phx.gbl...
> > > > I'm seeing similar behavior, not identical, but I'm rapidly losing
VPN
> > > > connectivity. As yet, I haven't been on-site to an affected location
to
> > > > determine what the nature of the error is. The behavior seems like
the
> > > > problems we've seen in the past with TS ports being claimed by
Exchange
> > > > services, but this is different because restarting the Exchange
doesn't
> > > > clear the error as it did for that. Knowing the nature of the patch
> > > > involved, I'm not really excited about what this could imply. I'm a
bit
> > > > suspicious of the combination of this patch and Shavlik HfNetChkLT
> > required
> > > > system updates, though I can't prove that.
> > > >
> > > >
> > > >
> > > > "Peter V" <info@ptsg.net> wrote in message
> > > > news:0ca101c360d2$ab758430$a601280a@phx.gbl...
> > > > > Since I have loaded the patch, when I VPN to my clients
> > > > > network and open Remote Desktop it hangs for a bit and
> > > > > than I try and open another session and it goes through,
> > > > > but I have to cancel the first one that is trying to
> > > > > open... Never happened before I loaded the security patch.
> > > > >
> > > > > Peter V
> > > >
> > > >
> > >
> > >