I'm going to second the earlier recommendation of Shavlik's HFNetChkPro.
I recently purchased it for the network I admin (~50 users) and even at
that size, it's much better than manual updates or SUS / Windows Update.
It does real hotfix verification, not just registry checks, and it
doesn't send any information to Microsoft. It just downloads some XML
documents from MS, and then downloads the necessary patches. It's not
free, but I think the cost is definitely worth it. It's really the best
tool for the job.

-----Original Message-----
From: Tosh, Michael J (N-Joule) [mailto:michael.j.toshlmco.com]
Sent: Thursday, August 08, 2002 2:05 PM
To: 'Igor' Spivak'; focus-mssecurityfocus.com
Subject: RE: Another SUS / Autoupdate question

The hope is to not have any PC's raise red flags at MS. We own licenses
for
all installations of our operating systems, and then some, but to ease
our
work load, we installed w2k on one machine and just made 1600 copies of
it.
So we have 1600 pc's that have the same Product ID on them. I have
heard
recent stories of people getting locked out of XP due to fake product
ids
after visiting windows update, and if we get 1599 locked pcs, or worse,
an
MS audit, that will costs hundreds of thousands in man-hours to prove
ownership of that many licenses. If an SUS works exactly as the
Windowsupdate.microsoft.com site, then it is not what we are looking
for.
And manual installation of an update to 1600 pcs is also too time
consuming.
That is the main reason for using the auto update feature.

-----Original Message-----
From: Igor' Spivak [mailto:urbanachieverattbi.com]
Sent: Thursday, August 08, 2002 12:28 PM
To: focus-mssecurityfocus.com; Tosh, Michael J (N-Joule)
Subject: Re: Another SUS / Autoupdate question

> Has any set up an MS Software Update Service server on their network?
We
do
> not want any Product ID information to be accessible to ANYONE outside
of
my
> organization, including MS. If anyone has the SUS running, does it
forward
> the Product ID, Product version, Plug-and-play information, and IE
version
> of each computer that connects to it to one of the MS servers?

AFAIK no, the SUS server doesn't seem to log any specific information of
the
kind about the clients that use it. Also SUS server doesn't seem to log
IPs,
just a uniquely generated ID number of the client and various status
flags
on update success, etc.

My plan is
> to maybe point this SUS Server to itself for auto updates, give it no
> gateway address so it can only work inside our organization, and
manually
> move any updates over to it from another PC on our LAN.

you could do that by manually coping the windows update catalog and all
the
patches from the MS Download sites, but that is a chore. By default SUS
server synchronizes with windows update and downloads the catalog and
updates either on admin specified schedule, or by the admin manually
telling
it to.

Alternatively, you could use SMS to push updates. My question is, what
are
you hoping to accomplish by manually synchronizing the SUS server?

cheers,

IDS

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]