LEVERAGING ACTIVE DIRECTORY GROUP POLICY TO PATCH COMMON WINDOWS APPLICATIONS Joseph Fisher Systems Administrator Enterprise IT Services, University of Georgia http://www.josephpfisher.com 2012 Rock Eagle Computing Conference.
About The Presenter
• Working in IT since 1996
• Started out assembling computers for free RAM
• VMware, Linux, and Windows sysadmin at UGA

About This Presentation
• Patch Management
• Windows Active Directory environment
• Brief Overview of Group Policy Objects (GPOs)
• Non-Microsoft Software
  – Java
  – Flash
  – Reader
  – Etc

Are You Current on Your Patches?

Best Malware Prevention Strategy
• Limit over-privileged users
  – UAC, standard user accounts
• User education
  – No more free screensavers
• Anti-virus software
  – Only as good as the latest definitions
• Update all software as soon as patches are available

The Results
• Average of 18.2 malware incidents per month in 250 PC environment prior to centralized patch management
• Down to 1 incident in 6 months

Options
• Microsoft Systems Center
  – Powerful, but complicated, and expensive
• Ninite Pro
  – Simple, effective, but still requires license outside of personal use
• LANDesk
  – Like Systems Center, powerful but complicated and expensive
• Active Directory Group Policy
  – Uses existing infrastructure, intermediate difficulty

OVERVIEW OF GROUP POLICY OBJECTS

Pre-requisites
• Active Directory
  – Rights to create GPOs and link to OUs
• Repository
  – Sysvol
  – File server
    • Need a share readable by all “Authenticated Users”

Remote Server Administration Tools
• From a domain computer, install Remote Server Administration Tools
  – http://www.microsoft.com/en-us/download/details.aspx?id=7887
• Active Directory Users and Computers
• Group Policy Management Console

How to Apply GPOs
• Link to an Organizational Unit (OU)
  – By default, GPOs apply to all child OUs
• Able to block inheritance on specific child OUs
• GPOs can override “block inheritance” by being set to “enforced”
• Can view effective GPOs on an OU
Group Policy Management Console

Group Policy Objects
• Policies broken down into 2 groups: Users and Computers
• Software installation should usually be performed at the Computer level

Software Deployment
• GPOs natively support MSI files
• You can deploy other executables, but you’ll need to script these
  – Batch files are usually effective
  – Scripts deployed at the computer level are run with “system” privileges (i.e. administrators)

Test, test, test!
• Testing strategy: start with a single machine, then test a group, then a larger group, and finally bulk deploy
• One GPO for each function
  – E.g. one GPO for Adobe Reader, another for Java, etc.
  – Easier to identify problematic GPOs
• Virtual machines are handy!
  – Create a local VM using VirtualBox and snapshot it in a “clean” state
  – GPOs tattoo a system, always best to start clean

SOFTWARE DEPLOYMENT

Software Sources
• Adobe Flash: http://www.adobe.com/products/flashplayer/distribution3.html
• Adobe Reader: ftp://ftp.adobe.com/pub/adobe/reader/win/
  – Customization Wizard: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
• Firefox: http://www.frontmotion.com/Firefox/
• Chrome: http://www.google.com/intl/en/chrome/business/browser/
• Java: Offline installer at http://java.com

Adobe Flash
• Need to apply for a free Flash distribution license
• Create a GPO for Flash and assign the MSI file under “Software Installation”

Adobe Flash
• Suppress update notification: http://helpx.adobe.com/flashplayer/kb/administration-configure-auto-update-notification.html
  – Need to create a file on each workstation
  – Can accomplish this via Group Policy:
    • Create the file and put it in your repository (Sysvol, file share, etc.)
    • Deploy via Group Policy Preference: Computer Configuration -> Preferences -> Windows Settings -> Files

Adobe Reader
• Obtain installer from Adobe FTP
• Customize the installation via Adobe Customization Utility
  – Suppress EULA
  – Disable Update Checks
  – Generates MST file

Adobe Reader

Firefox
• Mozilla doesn’t provide MSI installers
• FrontMotion Firefox Community Edition
  – Different logo
  – Same browser
• Administrative Templates to manage
  – Default browser checks
  – Update checks
  – Default home page
  – Proxy settings
  – etc

Firefox

Google Chrome
• MSI available directly from Google
• Google also provides administrative templates

Java
• No MSI available directly from Oracle
• Problematic under normal conditions
• Newer versions require successful uninstallation of most recent installed version
• Uninstallation failures prevent installation of new versions
• Only recommended tool to remove failed installations is no longer available (MS Office Cleanup Utility)
  – And not scriptable

Java
• We need a script:
  – Check if Java is the latest version
  – Uninstall the previous version if a new version is available
  – Install the new version
  – Check to see that the new version works
• http://josephpfisher.com/2011/11/java-wont-uninstall-tips-for-end-users-and-enterprise-systems-administrators/
• Assign the batch file as a startup script (computer level)

Java
• Still need to obtain MSI
• Still need to generate a transform (MST)
• Need Orca MSI editor
  – http://www.technipages.com/download-orca-msi-editor.html
• Run offline installer and monitor App Data folder
  – Start -> Run -> %APPDATA%
  – MSI installer should appear while offline installer is open

Java
• Open MSI in Orca
• Create new transform (Transform menu -> New Transform)
  – Better than modifying the MSI directly
• Go to “Property” table and modify:
  – AUTOUPDATECHECK = 0
  – EULA = 0
  – Iexplorer = 1
  – JAVAUPDATE = 0
  – JU = 0
  – Mozilla = 1
  – Systray = 0
• Go to “Transform” menu and click “Generate Transform” and save the MST file
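The following is an added example, not code from the presentation or from Joseph Fisher: a PowerShell rendering of the four-step Java startup script the slides describe (check the installed version, uninstall the previous version, install the new MSI with the Orca-generated transform, verify that the new runtime works). It is written to run as a computer-level startup script, which the slides note executes as SYSTEM. The share path, the MSI and MST file names and the target version are placeholders; the Uninstall and JavaSoft registry keys and the msiexec switches are standard Windows. Because the slides stress that a failed uninstall blocks later installs, the script stops and logs rather than layering a new version on top of a broken one.

```powershell
# Added example (not from the presentation): PowerShell version of the Java
# check / uninstall / install / verify startup script described on the slides.
# Runs as SYSTEM when assigned as a computer startup script.
# PLACEHOLDERS (assumed, not from the slides): share path, file names, target version.

$TargetVersion = [version]'7.0.90'                         # placeholder: version the MSI on the share installs
$Msi = '\\fileserver\software\java\jre1.7.0_09.msi'        # placeholder: MSI captured from %APPDATA%
$Mst = '\\fileserver\software\java\jre1.7.0_09.mst'        # placeholder: transform generated in Orca
$Log = Join-Path $env:SystemRoot 'Temp\java-gpo.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding ascii
}

# Step 1: enumerate installed Java products from both registry views (32-bit and 64-bit).
# Only MSI-registered entries (GUID subkeys) are returned, since those can be removed with msiexec /x.
function Get-InstalledJava {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' } |
        Select-Object DisplayName, DisplayVersion, @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

# Java's DisplayVersion looks like 7.0.90 (7 Update 9); anything unparseable is treated as old.
function ConvertTo-JavaVersion {
    param([string]$Text)
    try { [version]$Text } catch { [version]'0.0' }
}

# Run msiexec synchronously and hand back its exit code.
function Invoke-Msiexec {
    param([string]$Arguments)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

# 0 = success, 3010 = success but reboot required; everything else is a failure.
function Test-MsiSuccess {
    param([int]$ExitCode)
    return (@(0, 3010) -contains $ExitCode)
}

# Step 4: find java.exe through the JavaSoft key (either registry view) and make sure it starts.
function Test-JavaWorks {
    $roots = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    foreach ($root in $roots) {
        $entry = Get-ItemProperty -Path "$root\*" -ErrorAction SilentlyContinue |
                 Where-Object { $_.JavaHome } | Select-Object -First 1
        if ($entry) {
            $javaExe = Join-Path $entry.JavaHome 'bin\java.exe'
            if (Test-Path $javaExe) {
                $banner = (& $javaExe -version 2>&1 | Out-String).Trim()   # java prints its version on stderr
                Write-Log "Verification: $banner"
                return ($LASTEXITCODE -eq 0)
            }
        }
    }
    Write-Log 'Verification failed: no java.exe registered under HKLM\SOFTWARE\JavaSoft'
    return $false
}

# ---- main sequence ----
$installed = @(Get-InstalledJava)
$upToDate = @($installed | Where-Object { (ConvertTo-JavaVersion $_.DisplayVersion) -ge $TargetVersion })
if ($upToDate.Count -gt 0) {
    Write-Log "Java $($upToDate[0].DisplayVersion) already installed; nothing to do"
    exit 0
}

# Step 2: remove every older Java first. A failed uninstall blocks the new install,
# so stop here on failure instead of leaving two versions half-registered.
foreach ($old in $installed) {
    Write-Log "Uninstalling $($old.DisplayName) $($old.DisplayVersion) ($($old.ProductCode))"
    $code = Invoke-Msiexec "/x $($old.ProductCode) /qn /norestart"
    if (-not (Test-MsiSuccess $code)) {
        Write-Log "Uninstall of $($old.ProductCode) failed with exit code $code; aborting"
        exit 1
    }
}

# Step 3: install the new MSI with the Orca transform. The transform already carries the
# AUTOUPDATECHECK/JAVAUPDATE/JU/EULA/Systray settings, so no properties are passed here.
$installLog = Join-Path $env:SystemRoot 'Temp\java-install.log'
$code = Invoke-Msiexec "/i `"$Msi`" TRANSFORMS=`"$Mst`" /qn /norestart /l*v `"$installLog`""
if (-not (Test-MsiSuccess $code)) {
    Write-Log "Install failed with exit code $code; see $installLog"
    exit 1
}

# Step 4: confirm the new runtime is registered and actually runs.
if (Test-JavaWorks) { Write-Log "Java $TargetVersion installed and verified"; exit 0 }
exit 1
```

Assign it under Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup); Windows 7 and later clients accept a .ps1 directly on the PowerShell Scripts tab, and older clients can call it from the batch file the slide mentions via powershell.exe -ExecutionPolicy Bypass -File. Test it on a clean VM snapshot first, as the "Test, test, test!" slide recommends, and read both log files before widening the GPO link.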
Java

COMMON PROBLEMS

Common Problems
• Windows XP & Vista requires hotfix
  – http://support.microsoft.com/kb/974266
• Latest NIC drivers for gigabit adapters
  – From NIC manufacturer (i.e. not Dell)
• Flush Group Policy history
  – Remove HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy
• Remove from domain and re-join

Resources
• Microsoft Technet Forums
  – http://social.technet.microsoft.com/Forums/en-US/categories
• EduGeek
  – http://edugeek.net
• IT Ninja
  – http://www.itninja.com

QUESTIONS?