
How to round up all patches for post-SP2 XP?

mhyman (IS-IT--Management), Aug 29, 2001
Hi there,

I want to burn a CD that contains all the patches and whatever else microsoft calls them, for both XP and Office 2003.

Can someone point me to a definitive list and a place to download them from?

Thanks a lot for the help!!
 
Go to the Windows Update site, and expand the left menu option "Administrator Options"

There you will find the links for all XP patches, service packs, security hotfixes and device driver updates.

My question:

What are you going to do with them? You cannot just install every one. There is a managed process to determine whether you need, or should, use any of them. This is done either:

. through Windows Update
. or, through a SuS (soon to be WUS) server, or SMS server

There is a provision to add these to the installation image if you are doing a slipstream of these fixes. Microsoft expresses some reservations about applying any downloaded patch without some intelligence:


(Or a Plain English version of the above: )

If you have SP2 applied, even with dial-up the Windows Update process is a better bet than something you create on your own.

Over time this may change. But currently, there is little reason not to use the formal process of Windows update, or a server-based solution using SuS or an SMS server.
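The slipstream provision mentioned above, as an added example that is not part of this thread and not Microsoft's own code: a batch file that integrates SP2 and then the post-SP2 hotfixes into a copied XP Pro install source using the `/integrate:` switch of Update.exe-based hotfix packages (the switch is documented in Microsoft KB 262841). The paths D:\xpsrc and D:\patches, the log file name and the SP2 package file name are assumptions for the example.

```batch
@echo off
rem Added example, not from the thread or from Microsoft: integrate SP2 and
rem post-SP2 Update.exe-based hotfixes into a copied XP Pro install source
rem with each package's /integrate switch (see KB 262841 for the switch).
rem Assumed layout: D:\xpsrc holds a copy of the CD's i386 folder and the
rem files beside it; D:\patches holds the downloaded
rem WindowsXP-KBnnnnnn-x86-ENU.exe files plus the SP2 package.
setlocal
set "SRC=D:\xpsrc"
set "PATCHES=D:\patches"
set "LOG=%PATCHES%\integrate.log"
set "SP2=WindowsXP-KB835935-SP2-ENU.exe"

if not exist "%SRC%\i386\txtsetup.sif" (
    echo %SRC% is not an XP i386 source tree
    exit /b 1
)

>"%LOG%" echo Integration run started %date% %time%

rem The service pack goes in first: post-SP2 hotfixes are built against the
rem SP2 file versions, so the source must be at SP2 before they are applied.
if exist "%PATCHES%\%SP2%" (
    >>"%LOG%" echo Integrating %SP2%
    "%PATCHES%\%SP2%" /integrate:%SRC% /quiet
    if errorlevel 1 (
        >>"%LOG%" echo FAILED %SP2%
        exit /b 1
    )
)

rem Then each hotfix in KB-number order; the pattern excludes the SP2 file.
rem Packages that are not Update.exe based (custom installers, MSI patches)
rem do not accept /integrate; their non-zero exit is logged and they have to
rem be applied after Setup instead, e.g. from a $OEM$ post-install script.
for /f "delims=" %%F in ('dir /b /on "%PATCHES%\WindowsXP-KB*-x86-ENU.exe"') do (
    >>"%LOG%" echo Integrating %%F
    "%PATCHES%\%%F" /integrate:%SRC% /quiet
    if errorlevel 1 >>"%LOG%" echo FAILED %%F
)

rem Integrated hotfixes are copied under i386\svcpack and listed in
rem i386\svcpack.inf; compare that list with the set you actually approved.
type "%SRC%\i386\svcpack.inf"
endlocal
```

Only the hotfixes you put in D:\patches are integrated, which is the point: the approval decision stays with you rather than with whatever Windows Update offers a given machine, and the log plus svcpack.inf give you a record of what the image contains. The redirections are written before each `echo` so that a file name or time stamp ending in a digit is not mistaken for a handle number.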
 
Actually the Office service packs and hotfixes are there too under Administrator Options.

One stop service.

I do not recall the option there previously.
 
Hi, Thanks for the response.

If it wasn't completely clear, I am not an expert in MS systems management, my expertise is more in Unix and Linux.

That said, what I am concerned about is deploying new PC systems, or even reinstalls, and having them unprotected in the time it takes to get the necessary updates from the MS automated process. I am also concerned about trusting that the MS process will download and install only appropriate patches, since I can't review, test and approve them first. We are also using a couple of custom applications, and the same concern arises: how do I control patches if each machine is allowed to just grab whatever MS thinks it should have?

I have used the slipstream process to build a Win XP Pro CD with SP2 integrated. That is a very cool thing, I must say. I am not clear if you can do the same for Office 2003, or even the patches and hot fixes for XP.

The current client I am working with only has about a dozen machines, I am interested in doing the installs "the right way" so that when I am dealing with much bigger deployments, I have some experience behind me. It is not an option to buy SMS, or whatever it will be called, so I am wondering if there is something available that will provide some installation automation, without the huge expense?

Thanks again for the help, I appreciate it. And, if you need Unix/Linux/Networking/Database help, please send the Q's my way!

Regards...Michael
 
I hope the following addresses your concerns. You have raised some very subtle security issues.

Beginning with XP Service Pack 2, Microsoft implemented hardware and software DEP. If your workstations have processors that support hardware DEP, the only attack surface for a worm, trojan or virus would be:
. from your LAN; malware cannot come from the internet
. from the time the machine is switched on, until it presents a logon screen.

If your workstation processors cannot support hardware DEP, the attack surface is larger:
. from your LAN; malware cannot come from the internet
. from the time the machine is switched on, until a logon occurs. This is longer of course than the attack surface offered with hardware DEP.

This is likely more protection than any Linux or other system you have used before. It is dramatically different from any previous Windows OS version, including the original release of XP. The next OS version, codenamed Longhorn, and due next year, will in the second case restrict the attack surface to essentially the hardware DEP situation; and for the hardware DEP situation the plan is no attack surface whatsoever.

I note that there has never been an attack during the intervals discussed. The closest were the Blaster and Sasser worms. You can consider them as models as to what Microsoft intends cannot happen -- Nothing can happen from an Internet connection until logon. And on the only surface that is exposed when a machine is turned on -- your LAN, the protections offered by regular security updates should make even this exposure a reasonable risk.

I can understand that the scale of your planned LAN is too small to consider using SMS server. However, SuS is free. WUS (SuS's planned replacement) is free as well, currently as a Beta at the release 2 level. I can assure you it works very well. There is no intention to charge fees for using SuS or WUS.

It matters in your planning, as XP Professional is a lousy file server, and limited to 10 connections. This is a hard limit; it will refuse further connections. In planning a LAN of "several dozen" workstations, you are realistically saying you need a server product. Whether your final choice is Linux with SAMBA or a Microsoft Server OS, you should consider the freeware SuS server.

As a final note, I hope I made it clear enough above that downloading every hotfix, patch, security upgrade and device driver issued by Microsoft is a mistake. Some intelligence is needed on a workstation by workstation basis. Windows Update can provide this. And more formally SuS (WUS) can do this.

Best regards,
Bill Castner
 