CLEANACCESS Archives

November 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Nathaniel Austin <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Tue, 13 Nov 2007 16:39:56 -0500
Mike,

You can normally tell from the logic statement by viewing the rule, but 
after a while you'll be able to see which one is causing you to fail by 
sight.

Michael just posted a very good alternative. The WSUS requirement. Note 
that this will work even with non-WSUS environments as you can point the 
client to the Microsoft Internet Servers as opposed to managed WSUS 
servers. This will not check against our rule set, but launch the WSUS 
agent on the client to do its own check with MS and return the result to 
CCA. It cuts down on detection algorithm inconsistencies between 
ourselves and Microsoft.

Nate

Wilusz, Mike wrote:
> Nate,
>
> Thanks for the snappy reply.  Once I switched from "optional" to
> "mandatory" the user succeeds.  Hrmm... that wasn't expected, as under
> optional it showed the user as red (indicating a failed requirement),
> but now as mandatory the user is fine (shows green in the report).  Is
> that expected?  Seems odd b/c an optional update shouldn't prompt a user
> if it's not failing when set to mandatory.  Also, how did you know I was
> failing on the flash check and not the other (SP1 and IE7)?  Is that
> distinguishable in the user report or can you determine that from
> running through the logic of the rule?
>
> Mike
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Nathaniel Austin
> Sent: Tuesday, November 13, 2007 4:18 PM
> To: [log in to unmask]
> Subject: Re: Issue with pr_XP_Hotfixes
>
> Mike,
>
> All failed checks don't necessarily lead to the requirement failing. The
> requirement is a logical statement that ORs and ANDs many different
> individual checks.
>
> In this case, it is OK that you failed SP1, because you have SP2 
> installed. So even though you failed the check, that won't cause you to 
> fail the requirement. Same goes for IE7 (you passed the IE6 check).
>
> The one you are failing that is causing you to fail is 
> pc_KB923789_MS06-069_XP_SP2 so I'd focus on that. Check on your test 
> client. Does that registry key exist? If not, download that hotfix 
> manually and install. Does it pass then?
>
> Nate
>
> Wilusz, Mike wrote:
>
>> Hope everyone has been well. Always watching this list for great
>> insight. We're moving forward on our NAC appliance setup and have
>> gotten pretty far in the test. I'm hitting this problem though. We
>> have a vanilla Windows XP SP2 computer as a corporate test client.
>> When using the canned pr_XP_Hotfixes check that comes from Cisco (and
>> is updated by Cisco going forward), the user always fails. It appears
>> the failure is due to the user not having SP1 installed (the desktop
>> is imaged from an XP SP2 instance), along with failing for KB923789
>> (Adobe Flash update) and IE 7.0 not being installed. You can see the
>> details below. Would this behavior be expected? I would assume there's
>> no need to check for SP1 if SP2 is installed, and requiring IE 7.0
>> seems unnecessary. How is everyone here handling this? Do you create
>> custom rules using a tweaked version of pr_XP_Hotfixes, and thus have
>> to update it every time Cisco updates the rule? I could tweak it and
>> deal with the mess of sorting the logic of the Cisco rule (not their
>> fault, there is a lot to check), but don't want to do that if it's not
>> necessary.
>>
>> 1. *WSUS Updates* (/Optional/)
>>
>> o Passed Checks:
>> pc_KB938829_MS07-046_XP
>> pc_Windows-XP-SP2
>> pc_HotFix908519_XP
>> pc_HotFix904706_XP
>> pc_KB908531_MS06-015_XP
>> pc_KB932168_MS07-020_XP
>> pc_KB920683_MS06-041_XP
>> pc_MDAC_28_SP1
>> pc_KB914388_MS06-036_XP
>> pc_KB935840_MS07-031_XP
>> pc_KB930178_MS07-021_XP
>> pc_HotFix901214_XP
>> pc_KB917344_MS06-023_XP
>> pc_IE6_0
>> pc_Flash_6r79_Registered_LC
>> pc_Flash_6_0_79
>> pc_KB923191_MS06-057_XP
>> pc_KB935839_MS07-035_XP
>> pc_KB921503_MS07-043_XP
>> pc_KB938127_MS07-050_XP_SP2_IE6
>> pc_KB939653_MS07-057_XP_SP2_IE6
>> pc_MSXML3_MS07-042
>> pc_KB925902_MS07-017_XP
>> pc_KB928843_MS07-008_XP_SP2
>> pc_HotFix896358_XP
>> pc_KB927779_MS07-009_XP_SP2_MDAC_28SP1
>> pc_KB931261_MS07-019_XP
>> pc_KB920213_MS06-068_XP_SP2
>>
>> o Failed Checks:
>> pc_Windows-XP-SP1, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
>> NT\CurrentVersion\CSDVersion contains Service Pack 1]
>> pc_KB923789_MS06-069_XP_SP2, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed 
>> Components\{5056b317-8d4c-43ee-8543-b9d1e234b8f4}\ exists ]
>> pc_IE7_0, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version 
>> starts with 7.0]
>>
>> o Not executed Checks:
>> pc_MSXML4_MS07-042
>> pc_HotFix896423_XP
>> pc_KB918439_MS06-022_XP_SP2
>> pc_KB921883_MS06-040_XP
>> pc_KB913433_MS06-020_XP_9x_Flash
>> pc_KB918899_MS06-042_XP_SP1_2K_IE6
>> pc_HotFix902400_XP
>> pc_MSXML5_MS07-042
>> pc_KB918439_MS06-022_XP_SP1_IE6
>> pc_MSXML6_MS07-042
>> pc_Swflash_5_0_44
>> pc_Flash_6r79_Registered_UC
>> pc_KB918439_MS06-022_XP_SP2_JGDW
>> pc_KB938127_MS07-050_XP_SP2_IE7
>> pc_Swflash_4r28_5r44_Registered_LC
>> pc_KB939653_MS07-057_XP_SP2_IE7
>> pc_Swflash_4r28_5r44_Registered_UC
>> pc_KB918439_MS06-022_XP_SP2_JGPL
>>
>> o Description:
>>
>> -Mike
>>
>   
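
The point made in the thread, that a requirement is a logical statement over individual checks so a failed check does not necessarily fail the requirement, shown as an added example (not part of the original messages and not Cisco's code). The rule expression is a constructed, simplified stand-in for pr_XP_Hotfixes; only the check names and their pass/fail results come from the quoted report, and `evaluate` and `decisive_failures` are hypothetical helper names.

```python
import re

# Constructed, simplified rule; NOT Cisco's actual pr_XP_Hotfixes logic.
RULE = ("(pc_Windows-XP-SP1 | pc_Windows-XP-SP2) & (pc_IE6_0 | pc_IE7_0)"
        " & pc_KB923789_MS06-069_XP_SP2")
# Results for those checks as listed in the report quoted in the thread.
RESULTS = {"pc_Windows-XP-SP1": False, "pc_Windows-XP-SP2": True,
           "pc_IE6_0": True, "pc_IE7_0": False,
           "pc_KB923789_MS06-069_XP_SP2": False}

def evaluate(expr, results):
    """Evaluate check names joined by '&', '|' and parentheses."""
    tokens = re.findall(r"[()&|]|[\w.\-]+", expr)
    pos = 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"malformed rule at token {pos}")
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok not in results:
            raise ValueError(f"unknown check or stray token {tok!r}")
        return results[tok]
    def chain(operand, op, combine):
        # Parse "operand (op operand)*", always consuming both sides.
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            take(op)
            value = combine(value, operand())
        return value

    def or_expr():  # '&' binds tighter than '|'
        return chain(lambda: chain(atom, "&", lambda a, b: a and b),
                     "|", lambda a, b: a or b)
    value = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule")
    return value

def decisive_failures(expr, results):
    """Failed checks that fail the rule even if every other check passes."""
    return [name for name, ok in results.items()
            if not ok and not evaluate(expr, {k: k != name for k in results})]
```

With these inputs the SP1 and IE7 failures are absorbed by their OR alternatives and only the KB923789 check is decisive. If every alternative in an OR group failed, no single member would be reported, since fixing any one of them would satisfy the group.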
