CLEANACCESS Archives

November 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Wilusz, Mike" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 14 Nov 2007 09:06:28 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (182 lines)

Nate (and Mike King),

Thanks for the details on WSUS.  It makes a lot more sense in our environment as we host our own cluster of SUS servers for enterprise patching.  I'll change the requirement to use WSUS and test that out today.  I like Mike's recommendation on looking into the registry for the WSUS server configured.  I know I've seen that entry before.  So from a Windows patching standpoint, I'll require the following order:

1)  Ensure Windows updates are enabled
2)  Verify the registry has an entry pointing to our WSUS farm
3)  Verify the system is patched by running the WSUS requirement to compare to the WSUS config

I'll run it through our lab today and see how it goes.  Thanks again for the help so far.

Mike Wilusz, CCNA
Networking Systems Programmer
Price Chopper Supermarkets / The Golub Corporation
 
Office: (518) 379-1103
Mobile: (518) 788-3550
Fax: (518) 379-3382
E-Mail: [log in to unmask]
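Steps 1 and 2 of the order above, as an added example (not Mike's, Cisco's or the list's code): a posture check that reads the standard Windows Update Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and confirms that automatic updates are on and that WUServer points at our own WSUS farm. The farm host names and the sample policy values are placeholders constructed for the example; step 3 stays with the CCA WSUS requirement itself.

```python
from urllib.parse import urlsplit

# Placeholder host names standing in for the WSUS farm (not from the thread).
WSUS_FARM = {"wsus1.example.com", "wsus2.example.com"}

# Constructed sample of the two policy keys on a correctly managed client.
SAMPLE_POLICY = {
    "WindowsUpdate": {"WUServer": "http://wsus1.example.com:8530"},
    "AU": {"NoAutoUpdate": 0, "UseWUServer": 1},
}


def check_posture(policy, farm=WSUS_FARM):
    """Steps 1 and 2 of the order above: updates enabled, server is our farm.
    Returns (passed, findings); an empty findings list means pass."""
    wu, au = policy.get("WindowsUpdate", {}), policy.get("AU", {})
    findings = []
    if au.get("NoAutoUpdate", 0) != 0:          # step 1: policy must not disable AU
        findings.append("automatic updates disabled (NoAutoUpdate=1)")
    if au.get("UseWUServer") != 1:              # step 2a: client told to use WSUS
        findings.append("client not set to use a WSUS server (UseWUServer!=1)")
    server = wu.get("WUServer", "")
    host = (urlsplit(server).hostname or "").lower()
    if host not in farm:                        # step 2b: and it is OUR farm
        findings.append("WUServer %r is not one of our WSUS hosts" % server)
    return (not findings, findings)


def read_policy_from_registry():
    """Windows only: read the same values with winreg (missing keys -> {})."""
    import winreg
    base = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    out = {"WindowsUpdate": {}, "AU": {}}
    for name, path in (("WindowsUpdate", base), ("AU", base + r"\AU")):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:
                    try:
                        value, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    out[name][value] = data
                    index += 1
        except OSError:
            pass                                # key absent: no policy configured
    return out
```

On a Windows client run `check_posture(read_policy_from_registry())`; elsewhere `check_posture(SAMPLE_POLICY)` exercises the same logic on the constructed sample.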

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Nathaniel Austin
Sent: Tuesday, November 13, 2007 4:40 PM
To: [log in to unmask]
Subject: Re: Issue with pr_XP_Hotfixes

Mike,

You can normally tell from the logic statement by viewing the rule, but 
after a while you'll be able to see which one is causing you to fail by 
sight.

Michael just posted a very good alternative: the WSUS requirement. Note 
that this will work even with non-WSUS environments as you can point the 
client to the Microsoft Internet Servers as opposed to managed WSUS 
servers. This will not check against our rule set, but launch the WSUS 
agent on the client to do its own check with MS and return the result to 
CCA. It cuts down on detection algorithm inconsistencies between 
ourselves and Microsoft.

Nate

Wilusz, Mike wrote:
> Nate,
>
> Thanks for the snappy reply.  Once I switched from "optional" to
> "mandatory" the user succeeds.  Hrmm... that wasn't expected, as under
> optional it showed the user as red (indicating a failed requirement),
> but now as mandatory the user is fine (shows green in the report).  Is
> that expected?  Seems odd b/c an optional update shouldn't prompt a user
> if it's not failing when set to mandatory.  Also, how did you know I was
> failing on the flash check and not the other (SP1 and IE7)?  Is that
> distinguishable in the user report or can you determine that from
> running through the logic of the rule?
>
> Mike
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Nathaniel Austin
> Sent: Tuesday, November 13, 2007 4:18 PM
> To: [log in to unmask]
> Subject: Re: Issue with pr_XP_Hotfixes
>
> Mike,
>
> All failed checks don't necessarily lead to the requirement failing. The
> requirement is a logical statement that ORs and ANDs many different 
> individual checks.
>
> In this case, it is OK that you failed SP1, because you have SP2 
> installed. So even though you failed the check, that won't cause you to 
> fail the requirement. Same goes for IE7 (you passed the IE6 check).
>
> The one you are failing that is causing you to fail is 
> pc_KB923789_MS06-069_XP_SP2 so I'd focus on that. Check on your test 
> client. Does that registry key exist? If not, download that hotfix 
> manually and install. Does it pass then?
>
> Nate
>
> Wilusz, Mike wrote:
>
>> Hope everyone has been well. Always watching this list for great 
>> insight. We're moving forward on our NAC appliance setup and have 
>> gotten pretty far in the test. I'm hitting this problem though. We 
>> have a vanilla Windows XP SP2 computer as a corporate test client. 
>> When using the canned pr_XP_Hotfixes check that comes from Cisco (and 
>> is updated by Cisco going forward), the user always fails. It appears 
>> the failure is due to the user not having SP1 installed (the desktop 
>> is imaged from an XP SP2 instance), along with failing for KB923789 
>> (Adobe Flash update) and IE 7.0 not being installed. You can see the 
>> details below. Would this behavior be expected? I would assume there's
>> no need to check for SP1 if SP2 is installed, and requiring IE 7.0 
>> seems unnecessary. How is everyone here handling this? Do you create 
>> custom rules using a tweaked version of pr_XP_Hotfixes, and thus have 
>> to update it every time Cisco updates the rule? I could tweak it and 
>> deal with the mess of sorting the logic of the Cisco rule (not their 
>> fault, there is a lot to check), but don't want to do that if it's not
>> necessary.
>>
>> 1. *WSUS Updates* (/Optional/)
>>
>> o Passed Checks:
>> pc_KB938829_MS07-046_XP
>> pc_Windows-XP-SP2
>> pc_HotFix908519_XP
>> pc_HotFix904706_XP
>> pc_KB908531_MS06-015_XP
>> pc_KB932168_MS07-020_XP
>> pc_KB920683_MS06-041_XP
>> pc_MDAC_28_SP1
>> pc_KB914388_MS06-036_XP
>> pc_KB935840_MS07-031_XP
>> pc_KB930178_MS07-021_XP
>> pc_HotFix901214_XP
>> pc_KB917344_MS06-023_XP
>> pc_IE6_0
>> pc_Flash_6r79_Registered_LC
>> pc_Flash_6_0_79
>> pc_KB923191_MS06-057_XP
>> pc_KB935839_MS07-035_XP
>> pc_KB921503_MS07-043_XP
>> pc_KB938127_MS07-050_XP_SP2_IE6
>> pc_KB939653_MS07-057_XP_SP2_IE6
>> pc_MSXML3_MS07-042
>> pc_KB925902_MS07-017_XP
>> pc_KB928843_MS07-008_XP_SP2
>> pc_HotFix896358_XP
>> pc_KB927779_MS07-009_XP_SP2_MDAC_28SP1
>> pc_KB931261_MS07-019_XP
>> pc_KB920213_MS06-068_XP_SP2
>>
>> o Failed Checks:
>> pc_Windows-XP-SP1, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
>> NT\CurrentVersion\CSDVersion contains Service Pack 1]
>> pc_KB923789_MS06-069_XP_SP2, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed 
>> Components\{5056b317-8d4c-43ee-8543-b9d1e234b8f4}\ exists ]
>> pc_IE7_0, Registry Check 
>> [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version 
>> starts with 7.0]
>>
>> o Not executed Checks:
>> pc_MSXML4_MS07-042
>> pc_HotFix896423_XP
>> pc_KB918439_MS06-022_XP_SP2
>> pc_KB921883_MS06-040_XP
>> pc_KB913433_MS06-020_XP_9x_Flash
>> pc_KB918899_MS06-042_XP_SP1_2K_IE6
>> pc_HotFix902400_XP
>> pc_MSXML5_MS07-042
>> pc_KB918439_MS06-022_XP_SP1_IE6
>> pc_MSXML6_MS07-042
>> pc_Swflash_5_0_44
>> pc_Flash_6r79_Registered_UC
>> pc_KB918439_MS06-022_XP_SP2_JGDW
>> pc_KB938127_MS07-050_XP_SP2_IE7
>> pc_Swflash_4r28_5r44_Registered_LC
>> pc_KB939653_MS07-057_XP_SP2_IE7
>> pc_Swflash_4r28_5r44_Registered_UC
>> pc_KB918439_MS06-022_XP_SP2_JGPL
>>
>> o Description:
>>
>> -Mike
>>
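Nate's point in the quoted reply above (a requirement is an AND/OR statement over many checks, so failing SP1 is harmless when SP2 passes, and only pc_KB923789_MS06-069_XP_SP2 actually blocks), as an added example that is not part of the thread and not Cisco's code. The tree shape of the requirement is an assumption built only from Nate's description; the check results are taken from the quoted user report.

```python
# Check results constructed from the user report quoted in the thread
# (SP1, KB923789 and IE7 failed; SP2 and IE6 passed).
RESULTS = {
    "pc_Windows-XP-SP1": False,
    "pc_Windows-XP-SP2": True,
    "pc_IE6_0": True,
    "pc_IE7_0": False,
    "pc_KB923789_MS06-069_XP_SP2": False,
    "pc_KB938829_MS07-046_XP": True,
}

# ASSUMED shape of the requirement, built only from Nate's description:
# a nested ("AND" | "OR", operand, ...) tree whose leaves are check names.
# The real pr_XP_Hotfixes expression is Cisco's and is not reproduced here.
PR_XP_HOTFIXES = (
    "AND",
    ("OR", "pc_Windows-XP-SP1", "pc_Windows-XP-SP2"),   # either service pack
    ("OR", "pc_IE6_0", "pc_IE7_0"),                      # either IE version
    "pc_KB923789_MS06-069_XP_SP2",                       # hotfix must be present
    "pc_KB938829_MS07-046_XP",
)


def evaluate(expr, results):
    """Evaluate the tree; a check missing from results counts as failed."""
    if isinstance(expr, str):
        return results.get(expr, False)
    op, *operands = expr
    values = [evaluate(sub, results) for sub in operands]
    return all(values) if op == "AND" else any(values)


def blocking_checks(expr, results):
    """Failed checks the client actually has to fix: the requirement still
    fails when this check stays failed and every other failed check is
    treated as passed. Harmless failures (SP1 when SP2 is present) drop out."""
    failed = [name for name, ok in results.items() if not ok]
    blocking = []
    for name in failed:
        trial = dict(results)
        for other in failed:
            trial[other] = other != name          # only `name` stays failed
        if not evaluate(expr, trial):
            blocking.append(name)
    return blocking
```

Running `blocking_checks(PR_XP_HOTFIXES, RESULTS)` on the report's results singles out the KB923789 check, which is the same conclusion Nate drew by reading the rule's logic.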
