EH-Net

Ethical Hacking Discussions and Related Certifications => Other => Topic started by: Hack_80 on August 20, 2009, 09:17:18 AM



Title: net user logon script to scan KB958644 patch missing
Post by: Hack_80 on August 20, 2009, 09:17:18 AM
Hi,
I am facing challenges where most of my desktops and laptops are vulnerable because the KB958644 patch is missing. Due to this my networks are vulnerable to Conficker.
I am patching and cleaning the machines manually.
Now I am looking for a solution such that when a user logs in to the domain it cross-verifies the KB958644 patch missing status through a net user logon script and deploys the patch if it is missing.
Kindly suggest any script and runas script to execute the same without password prompting and in a hidden manner.
Help me to recover from this situation.
Thanks in advance



Title: Re: net user logon script to scan KB958644 patch missing
Post by: jimbob on August 20, 2009, 09:48:53 AM
Hi,
It's good you are being proactive about patching your systems, even if they are a bit out of date at the moment. The main problem I can see is that your systems will be vulnerable to exploitation over the network until someone logs into the domain.

I'm sure there is a better way to patch these systems, particularly if they are members of a Windows domain. I'm sure someone here with a bit more Windows admin experience might have something to add.

Cheers,
Jimbob



Title: Re: net user logon script to scan KB958644 patch missing
Post by: Ketchup on August 20, 2009, 10:18:33 AM
I think you are approaching this from the wrong angle. I would use MBSA to scan all workstations from a single machine for missing patches.

http://technet.microsoft.com/en-us/security/cc184923.aspx

I already commented on your other post regarding similar concepts. If you insist on using a script, use a Startup (not Logon) script configured through GPOs to detect the missing patch. If you need to write the results to a central location somewhere on the network, log your results to a temporary directory on each PC. Then configure a separate Logon script to pick up the results and output them to a network share. The Startup script will run under the SYSTEM account when the machine starts up. The Logon script will run under a user's account (during logon) and will have access to network shares.

You can also use some VBScript to send keys to the RunAs command. There are plenty of Google hits for this. An example of such code is below:

Code:
' Launch a program through runas.exe and type the password into its prompt.
' Placeholders: replace Domain\User and Password with real values (see the note below on why this is a bad idea).
Set WshShell = WScript.CreateObject("WScript.Shell")
strCmd  = "C:\windows\system32\mspaint.exe"   ' program to run as the other user
strUser = "Domain\User"
strPass = "Password"
' Start runas.exe; it opens a console window that prompts for the password.
WshShell.Run "runas.exe" & " /u:" & strUser & " " & strCmd
WScript.Sleep 1000                            ' give the prompt time to appear
' Send the password followed by Enter ("~") to the foreground window.
WshShell.SendKeys strPass & "~"

It's not a good idea to use the code above since it stores your password.

You can also use the Sysinternals tool PsExec, which will accept a password as a parameter. Again, it's not a good idea to pass a password like this to a script.

http://live.sysinternals.com/

There are a number of tools out there that serve as RunAs replacements. Some will allow for encryption.

All of the above is much more work than using a free tool like MBSA.
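One way to implement the Startup/Logon split described above, as an added example that is not part of the original thread: the Startup half runs as SYSTEM at boot, records whether KB958644 is present (from Win32_QuickFixEngineering) to a local file and, if it is missing, launches the installer silently, which needs no runas or stored password; the Logon half runs as the user and copies the local result to a share. The local log path, the installer location and the share name are assumptions (placeholders), and the computer account must be able to read the installer share.

```powershell
# ---- Part 1: GPO Startup script (runs as SYSTEM at boot, no runas needed) ----
# Assumed values: the local log path, installer location and share are placeholders.
$KB        = 'KB958644'
$LocalLog  = Join-Path $env:SystemRoot 'Temp\patchcheck.txt'
$Installer = '\\SERVER\patches\KB958644-installer.exe'   # placeholder; computer account needs read access

function Test-HotfixInstalled {
    param([string]$HotfixId)
    # Win32_QuickFixEngineering lists installed updates; HotFixID carries the KB number.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue
    return [bool]($qfe | Where-Object { $_.HotFixID -eq $HotfixId })
}

function Write-PatchStatus {
    param([string]$HotfixId, [bool]$Installed, [string]$Path)
    $status = if ($Installed) { 'INSTALLED' } else { 'MISSING' }
    $fields = @((Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $HotfixId, $status)
    # One CSV line per machine, overwritten on every boot so the file never grows.
    Set-Content -Path $Path -Value ('{0},{1},{2},{3}' -f $fields)
}

$installed = Test-HotfixInstalled -HotfixId $KB
Write-PatchStatus -HotfixId $KB -Installed $installed -Path $LocalLog

if (-not $installed -and (Test-Path $Installer)) {
    # SYSTEM can install silently; /quiet /norestart are the standard switches for
    # Windows standalone update packages. Record the attempt for the Logon half.
    Start-Process -FilePath $Installer -ArgumentList '/quiet /norestart' -Wait
    Add-Content -Path $LocalLog -Value ('{0},install attempted' -f $env:COMPUTERNAME)
}

# ---- Part 2: GPO Logon script (runs as the user, who can reach network shares) ----
# Deployed as a separate script, so the local log path is declared again here.
$LocalLog = Join-Path $env:SystemRoot 'Temp\patchcheck.txt'
$Share    = '\\SERVER\patchlogs'                           # placeholder share
if (Test-Path $LocalLog) {
    Copy-Item -Path $LocalLog -Destination (Join-Path $Share "$env:COMPUTERNAME.txt") -Force
}
```

Machines that never boot or log on still never report, which is the gap the later replies about WSUS and blocking unpatched devices at the switch address.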


Title: Re: net user logon script to scan KB958644 patch missing
Post by: Hack_80 on August 20, 2009, 10:38:26 PM
Hi,
Currently I am using ISS and MBSA scanners to detect the vulnerable systems.
To be more proactive, I am trying to fix the machines as soon as they are connected to the network.
I generated a script to scan the reg file of the vulnerable system, but after scanning, if the system is vulnerable then I need to patch the system using admin credentials within the script.
That is where I got stuck. I am unable to find any mechanism by which I can execute the script with admin credentials on the local system.


Title: Re: net user logon script to scan KB958644 patch missing
Post by: jimbob on August 21, 2009, 03:29:23 PM
Have you looked at WSUS?

http://technet.microsoft.com/en-us/wsus/default.aspx

"Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network."

Jimbob


Title: Re: net user logon script to scan KB958644 patch missing
Post by: Hack_80 on August 22, 2009, 07:54:23 AM
I know WSUS will resolve the issue after connecting to the network, but what is the way to block such systems from getting connected to the network?


Title: Re: net user logon script to scan KB958644 patch missing
Post by: timmedin on September 06, 2009, 09:50:04 PM
Here is some nice command line kung fu you can use to check a computer.
http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html

If your computers don't have the patch from October, it sounds like there is a more systematic problem than missing one patch. I would highly suggest creating a patch management procedure and spending some money and time on something to deploy the patches.


Title: Re: net user logon script to scan KB958644 patch missing
Post by: jimbob on September 07, 2009, 01:17:47 AM
One bugbear of mine is security systems that require you to trust the client. If you install the scripts on the client (i.e. laptops) you are trusting them to audit themselves and enforce security. This spells FAIL on many levels: if the scripts are not installed, have been removed, or it is an unauthorised device.

Your goal is to prevent unpatched systems hooking up to the network. All well and good, but these systems need to get their updates, right? Better to centrally enforce updates to clients with something like WSUS and have the option to block rogue devices on your switches.

Jimbob