net user logon script to scan KB958644 patch missing

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Thu Aug 20, 2009 9:17 am

net user logon script to scan KB958644 patch missing

Hi,
I am facing challenges where most of my desktops and laptops are vulnerable because the KB958644 patch is missing. Due to this my networks are vulnerable to Conficker.
I am patching and cleaning the machines manually.
Now I am looking for a solution such that when a user logs in to the domain it should cross-verify the KB958644 patch missing status through a net user logon script and deploy the patch if it is missing.
Kindly suggest any script and runas script to execute the same without password prompting and in a hidden manner.
Help me to recover from this situation.
Thanks in advance
jimbob

Post Thu Aug 20, 2009 9:48 am

Re: net user logon script to scan KB958644 patch missing

Hi,
It's good you are being proactive about patching your systems, even if they are a bit out of date at the moment. The main problem I can see is that your systems will be vulnerable to exploitation over the network until someone logs in to the domain.

I'm sure there is a better way to patch these systems, particularly if they are members of a Windows domain. I'm sure someone here with a bit more Windows admin experience might have something to add.

Cheers,
Jimbob
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 20, 2009 10:18 am

Re: net user logon script to scan KB958644 patch missing

I think you are approaching this from the wrong angle. I would use MBSA to scan all workstations from a single machine for missing patches.

http://technet.microsoft.com/en-us/security/cc184923.aspx

I already commented on your other post regarding similar concepts. If you insist on using a script, use a Startup (not Logon) script configured through GPOs to detect the missing patch. If you need to write the results to a central location somewhere on the network, log your results to a temporary directory on each PC. Then configure a separate Logon script to pick up the results and output them to a network share. The Startup script will run under the SYSTEM account when the machine starts up. The Logon script will run under a user's account (during logon) and will have access to network shares.

You can also use some VBScript to send keys to the RunAs command. There are plenty of Google hits for this. An example of such code is below:

  Code:
' Launch a program through runas.exe and type the password into the prompt with SendKeys.
Set WshShell = WScript.CreateObject("WScript.Shell")
strCmd  = "C:\windows\system32\mspaint.exe"   ' program to run as the other user
strUser = "Domain\User"                       ' account to run it as
strPass = "Password"                          ' stored in clear text (see the note below)
' Start runas, wait for its password prompt, then send the password followed by Enter (~).
WshShell.Run "runas.exe" & " /u:" & strUser & " " & strCmd
WScript.Sleep 1000
WshShell.SendKeys strPass & "~"


It's not a good idea to use the code above since it stores your password in clear text.

You can also use the Sysinternals tool PsExec, which will accept a password as a parameter. Again, it's not a good idea to pass a password like this to a script.

http://live.sysinternals.com/

There are a number of tools out there that serve as RunAs replacements.  Some will allow for encryption.

All of the above is much more work than using a free tool like MBSA. 
~~~~~~~~~~~~~~
Ketchup
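The Startup/Logon split described in the post above, as an added example (this is not Ketchup's code or from the original thread). One VBScript serves both roles: run with the argument `check` from a GPO Startup script (as SYSTEM) it asks WMI whether KB958644 is installed and writes the answer to a local folder; run with `upload` from a Logon script (as the user) it copies that result to a share. The local folder `C:\PatchCheck` and the share `\\FILESERVER\patchlogs$` are assumed placeholders.

```vbscript
' patchcheck.vbs (added example, not from the original thread)
'   cscript patchcheck.vbs check   -> Startup script (SYSTEM): record result locally
'   cscript patchcheck.vbs upload  -> Logon script (user): copy result to the share
Option Explicit
Const KB        = "KB958644"
Const LOCAL_DIR = "C:\PatchCheck"            ' assumed local drop folder (users need read access)
Const SHARE_DIR = "\\FILESERVER\patchlogs$"  ' placeholder share; logon users need write access

Dim fso, shell, host, resultFile, mode
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
host       = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
resultFile = LOCAL_DIR & "\" & host & ".txt"

If WScript.Arguments.Count = 1 Then mode = LCase(WScript.Arguments(0)) Else mode = "check"

If mode = "check" Then
    CheckPatch
Else
    UploadResult
End If

' Ask WMI for the hotfix and write "host,KB,status,timestamp" to the local result file.
Sub CheckPatch()
    Dim wmi, fixes, status, f
    Set wmi   = GetObject("winmgmts:\\.\root\cimv2")
    Set fixes = wmi.ExecQuery("SELECT HotFixID FROM Win32_QuickFixEngineering " & _
                              "WHERE HotFixID = '" & KB & "'")
    If fixes.Count > 0 Then status = "INSTALLED" Else status = "MISSING"
    If Not fso.FolderExists(LOCAL_DIR) Then fso.CreateFolder LOCAL_DIR
    Set f = fso.CreateTextFile(resultFile, True)
    f.WriteLine host & "," & KB & "," & status & "," & Now
    f.Close
End Sub

' Copy the local result to the central share so one machine can review all of them.
Sub UploadResult()
    If fso.FileExists(resultFile) Then
        fso.CopyFile resultFile, SHARE_DIR & "\" & host & ".txt", True
    End If
End Sub
```

No credentials are stored anywhere: the Startup script already runs as SYSTEM, and the Logon script only needs the logged-on user's own write access to the share.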
manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Thu Aug 20, 2009 10:38 pm

Re: net user logon script to scan KB958644 patch missing

Hi,
Currently I am using ISS and the MBSA scanner to detect the vulnerable systems.
To work more proactively I am trying to fix the machines as soon as they are connected to the network.
I generated a script to scan the registry of a vulnerable system, but after scanning, if the system is vulnerable then I need to patch the system using admin credentials within the script.
That is where I got stuck. I am unable to find any mechanism where I can execute the script with admin credentials on the local system.
jimbob

Post Fri Aug 21, 2009 3:29 pm

Re: net user logon script to scan KB958644 patch missing

Have you looked at WSUS?

http://technet.microsoft.com/en-us/wsus/default.aspx

"Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network."

Jimbob
manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Sat Aug 22, 2009 7:54 am

Re: net user logon script to scan KB958644 patch missing

I know WSUS will resolve the issue once a system is connected to the network, but what is the way to block such systems from getting connected to the network?
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Sep 06, 2009 9:50 pm

Re: net user logon script to scan KB958644 patch missing

Here is some nice command line kung fu you can use to check a computer.
http://blog.commandlinekungfu.com/2009/ ... patch.html

If your computers don't have the patch from October, it sounds like there is a more systematic problem than one missing patch. I would highly suggest creating a patch management procedure and spending some money and time on something to deploy the patches.
twitter.com/timmedin | http://blog.securitywhole.com
jimbob

Post Mon Sep 07, 2009 1:17 am

Re: net user logon script to scan KB958644 patch missing

One bugbear of mine is security systems that require you to trust the client. If you install the scripts on the client (i.e. laptops) you are trusting them to audit themselves and enforce security. This spells FAIL on many levels: if the scripts are not installed, have been removed, or it is an unauthorised device.

Your goal is to prevent unpatched systems hooking up to the network. All well and good, but these systems need to get their updates, right? Better to centrally enforce updates to clients with something like WSUS and have the option to block rogue devices on your switches.

Jimbob
