Software Update Services (SUS) may help you, see: http://www.microsoft.com/windows2000/downloads/recommended/susserver/default.asp or http://www.microsoft.com/windows2000/windowsupdate/sus/susfaq.asp If you don't trust automatic updates, don't bother reading any further (then again, if you have 30,000 hosts how else are you going to do it?). Setup a protected server to get the updates from M$. Then test the updates in your test environment. If the updates pass all your tests, then Approve and distribute the updates to another internal SUS Server. Your client hosts then pick up the only the updates that you have approved from your own internal SUS server. Trouble is, you need to have installed the Automatic Updates client software on all your Windows clients beforehand :-( It's available for Win2000 (included in SP3 but is also available separately) and WinXP but it's not available for WinNT :-( Valdis.Kletnie ksat_private To: Emeric Miszti <emericat_private> cc: incidentsat_private, (bcc: Toby Felgenner/ICC) 22-11-02 05:12 Subject: Re: Proxy server hit... Any ideas? AM On Fri, 22 Nov 2002 00:52:42 GMT, Emeric Miszti said: > 1) Ensure that you have an effective perimeter firewall that blocks all > incoming traffic to the new box Excuse me while I fall over laughing. I have some 30K hosts on my network, and there's no really scalable way to say "OK, this box is about to be upgraded, disable its HTTP access to anything other than windowsupdate" and then 3 hours later "OK, let it talk to the rest of the web again". The rest of Emeric's points are quite good - but sometimes it's not as easy as it looks... ;) -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:31:41 PST