Patch management has become extremely important for all organizations, and the number of solutions available for it has grown along with it. There are various commercial packages available today, such as MS SMS server, Novell ZENWorks, and offerings from Wise and Installshield. Most of these packages do much more than patch management, which you may or may not want to implement. Free patch management packages, such as MS System Update Services or SUS (covered in last month’s issue), are also available; SUS, however, is only meant for Windows networks. Alternatively, you can do it yourself with a clever combination of batch files. We showed how this could be done in our network security story last month. This time, we will refine the process further.
Before getting into the details, it’s important to know what to keep in mind when deciding on a patch management solution. First, define what you want to update. Apart from the base OS, you also need to patch applications and services, such as databases, web/mail/DNS/DHCP servers, office suites, browsers and more. There are also updates for the applications that protect you from viruses, spam, spyware and adware. And if you’re using Linux and think that you’re safe, you’re mistaken: it also requires regular monitoring for patches. Next, ensure that you’re running only the applications you really need on your network, and disable or uninstall the rest. For instance, you may not need a Web server if you don’t have an Intranet, or if you host your company’s Web site with an ISP. Sometimes a patch itself can be buggy and cause problems on your system. To guard against this, first try it out on a test machine to ensure that it’s stable. Also, ensure that you back up your systems’ data regularly, so that if a patch deployment corrupts data, you have something to fall back on.
Create your own patch manager
Last month, we talked about how users can quickly install patches from a ‘server’ (which was actually just another, designated computer on the network). This time, we’ll take the same concept further and add more functionality to it. First, designate a machine as your patch management server. On it, create an ‘updates’ folder, and under this create a folder for each OS on your network, such as Win 9x/ME/2K/XP. Create a separate folder for all the applications for which you need updates. Now, every time you (the SysAd) download a new update, put it in the appropriate folder. Next, create a simple batch file for each patch executable in these folders. This batch file passes additional parameters to the executable so that patching runs more smoothly. Create the batch file in the same directory as the exe, and give it the same name as the exe file with .bat appended. For instance, if the patch is Q12345.exe, then create a batch file called Q12345.exe.bat.
All Windows updates can be installed silently and automatically by using a combination of the following switches:
/Q or /Q:A: Quiet mode. No user interaction is needed and no progress dialog is displayed
/N or /R:N: Does not create a backup of the older DLLs
/Z: Does not restart after the installation
Finally, download the program called qchain.exe from Microsoft’s site, extract it, and put it in the main ‘updates’ folder. This program lets the system decide which DLL to use, even if you install an older DLL after a newer one.
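As an added example (not from the original article), here is what the wrapper batch file Q12345.exe.bat described above could look like, using the switches listed. Q12345.exe is the article’s placeholder name for a patch; the log file path c:\Updates\install.log and the use of the %DATE%, %TIME% and %COMPUTERNAME% variables (available on Windows 2000/XP/2003, not on Win 9x/ME) are assumptions added here.

```batch
@echo off
REM Q12345.exe.bat - wrapper for the hotfix Q12345.exe (added example; the
REM hotfix name is the article's placeholder and the log path is an assumption).
REM Run the hotfix silently, without backing up old DLLs and without
REM rebooting, so that QCHAIN.EXE can sort out DLL versions once every
REM patch in the folder has been applied.
Q12345.exe /Q /N /Z

REM Exit code 0 means success. 3010 is the usual Windows installer code for
REM "installed, reboot required". Anything else is treated as a failure and
REM logged, so the administrator can check that machine by hand.
REM Note that "if errorlevel N" is true for any exit code >= N, so the checks
REM must be ordered from the highest value down.
if errorlevel 3011 goto failed
if errorlevel 3010 goto reboot
if errorlevel 1 goto failed
echo %DATE% %TIME% %COMPUTERNAME% Q12345 installed OK >> c:\Updates\install.log
goto end

:reboot
echo %DATE% %TIME% %COMPUTERNAME% Q12345 installed, reboot pending >> c:\Updates\install.log
goto end

:failed
echo %DATE% %TIME% %COMPUTERNAME% Q12345 FAILED with exit code %ERRORLEVEL% >> c:\Updates\install.log

:end
```

The client script that follows creates the ‘installed’ marker file for a patch whether or not the wrapper succeeded, so the log is the only record of a failed install. Keep an eye on it, and remember that not every installer uses the same exit codes; check the patch on your test machine first.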
Now make some changes to the client scripts. First, you need to add an environment variable in either autoexec.bat or the user’s profile. Call it ostopatch; it will contain the name of the OS. On each system, set the value of this variable to the OS installed there, spelled exactly like the corresponding folder on the server. For instance, on a Win XP system, set the value to WINXP.
Now create a new client script as below in each user’s local UPDATE folder.
@REM Update Script Version 2.0
@echo off
cls
echo Connecting to server...
net use U: \\server\Updates
u:
echo Finding updates for your operating system: %OSTOPATCH%
cd %OSTOPATCH%
echo Please wait while installing the updates...
REM Install each patch only once: skip it if its marker file already exists
REM locally. If a wrapper batch file (patch.exe.bat) exists, CALL it so that
REM control returns to this script; otherwise run the patch exe directly.
for %%a in (*.exe) do if not exist c:\Updates\%%a.txt (if exist %%a.bat (call %%a.bat) else (%%a))
REM Record each patch as installed by creating its marker file locally.
for %%a in (*.exe) do if not exist c:\Updates\%%a.txt echo Installed %%a > c:\Updates\%%a.txt
echo Finding any new patches for installed applications...
cd ..\APPLICATIONS
for %%a in (*.exe) do if not exist c:\Updates\%%a.txt (if exist %%a.bat (call %%a.bat) else (%%a))
for %%a in (*.exe) do if not exist c:\Updates\%%a.txt echo Installed %%a > c:\Updates\%%a.txt
echo Finishing Installation...
cd ..
REM QCHAIN applies only to Windows 2000/XP/2003; run it from the main updates folder.
if "%OSTOPATCH%"=="WIN2K" (QCHAIN.EXE)
if "%OSTOPATCH%"=="WINXP" (QCHAIN.EXE)
if "%OSTOPATCH%"=="WIN2003" (QCHAIN.EXE)
echo Done. It is recommended you reboot for all changes to take effect.
c:
MUST CHECK
WHICH SOLUTION: The choice is between commercial packages, such as MS SMS server and Novell ZENWorks, free packages such as MS SUS, and your own solution using batch files.
BASIC PREREQUISITES: Create a list of what you want to patch, right from all the OSs to the applications and services running on your network.
This batch file does a lot more than the previous version. Here is what it does:
It first connects to the ‘server’s’ share and maps it to the U: drive.
It then changes to the folder for the OS of the connecting computer, which it finds from the OSTOPATCH variable.
Next, it iterates through each exe in that folder and checks whether a file with that name plus .txt exists in the local updates folder.
Only if it does not, it checks whether an update script (exe filename plus .bat) exists to supply additional parameters. If it does, it calls the bat file; if not, it runs the exe directly.
It then creates the txt file in the local folder, which signifies that the patch has been installed.
The script then moves into the applications folder and does the same as above: it looks for new exes and installs each one from either its bat file or the exe itself.
Finally, it checks whether the OS is one of Win2000/XP/2003 and, if it is, runs Qchain from the main updates folder and exits.
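The marker files tell each client what it has already installed, but they do not tell you, the SysAd, which machines are still missing a patch. As an added example (not from the original article), the audit script below runs on the patch server and lists, for one OS folder, every reporting machine that lacks a patch. It assumes that the client script is extended with three lines at the end (before c:) that leave a copy of the machine’s marker files and its OS name on the share; those lines, the Reports folder, the server-side path D:\Updates and the use of %COMPUTERNAME% (Windows 2000/XP/2003 only) are all assumptions made here, not part of the article’s script.

```batch
@echo off
REM audit.bat - run on the patch server (added example; not from the article).
REM Assumes the client update script ends with these (assumed) lines, so that
REM every machine leaves its marker files and its OS name on the share:
REM     if not exist U:\Reports\%COMPUTERNAME% md U:\Reports\%COMPUTERNAME%
REM     echo %OSTOPATCH%> U:\Reports\%COMPUTERNAME%\os.txt
REM     copy c:\Updates\*.txt U:\Reports\%COMPUTERNAME%\ >nul
REM Usage: audit.bat WINXP   (name of an OS folder under the updates folder)
setlocal
if "%~1"=="" (echo Usage: audit.bat OSFOLDER & goto :eof)
set UPDATES=D:\Updates
set OSNAME=%~1
if not exist "%UPDATES%\%OSNAME%" (echo No such OS folder: %UPDATES%\%OSNAME% & goto :eof)

echo Machines running %OSNAME% that are missing patches:
REM Walk one folder per reporting machine under Reports.
for /d %%m in ("%UPDATES%\Reports\*") do (
    REM Only audit machines whose os.txt reports exactly this OS name,
    REM so a WIN2K machine is not flagged for missing WINXP patches.
    findstr /i /x "%OSNAME%" "%%m\os.txt" >nul 2>&1 && (
        REM Every patch in the OS folder and the APPLICATIONS folder should
        REM have a matching marker file, named after the exe plus .txt.
        for %%p in ("%UPDATES%\%OSNAME%\*.exe" "%UPDATES%\APPLICATIONS\*.exe") do (
            if not exist "%%m\%%~nxp.txt" echo   %%~nxm is missing %%~nxp
        )
    )
)
endlocal
```

A machine that has never run the client script has no Reports folder and so never appears in this list; compare the folder names under Reports against your machine inventory to catch those. Because the client writes a marker even when an install fails, treat this audit as a check of what was attempted and use the wrapper’s log for what actually succeeded.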
This version of the script takes care of many of the issues that existed in the previous version. You can now control patch installation much more effectively, even in a heterogeneous network running different versions of Windows. Do write in if you find this script useful and would like to suggest more features.