Tag: Microsoft

Automating Windows Updates via Group Policy

A little bit of background information for this one. In the company I work for, we tend to patch everything, it’s a fine practice but when it comes to Windows Servers which we have close to 80 of, all of them are currently being updated by hand.

Now, other than being tedious and annoying it’s a pretty large overhead and consumes quite some time… never mind those which needed to be done outside of office hours.

So, my solution?

Well, the new year had come, I could see the horrific patch day Tuesday on the horizon (second Tuesday of every month) and decided to stamp my foot down.

First thing first, decide a time when this can happen, I opted for 3-5am where there are no Back-Up jobs going on, it’s outside of AV scans etc. This is now called the Update Window

Secondly, split a domain of servers up into groups based on different things, what ESX host they were on, what services run from them etc. One thing I kept in mind was to reduce any potential strain on our VM setups (Our hosts are a little crowded!) during the machine start ups the machines were distributed evenly between the two security groups.

Next thing was to construct the group policies and as a picture speaks a thousand words, here’s mine

GP

Once this GPO is published and applied the only other step is to exclude your 2 security groups (Romeo & Juliet in this case) from the default/predefined WSUS GPO’s

And that’s about it! 85% of our internal servers are currently auto-updating every Friday (You never know Microsoft and those damn extra hotfixes!)

TL;DR Make 2 security groups, exclude these from default WSUS GPO’s… copy the GPO above, publish, apply and enjoy.


Using PortQry to Test Firewall Rules

Firstly, what is PortQry?

Well, it’s a little program which can be used via command line or through a GUI to test specific ports on an IP.

You can obtain it here.

Now how can it be useful?

Sure, you can use Telnet [Port#] to the same effect (Kind of) but this little program can be scripted to allow you to test rules on both software and hardware firewalls.

I originally used it to module test rules on our Cisco ASA5510, since then I’ve moved on to a more advanced script which I’ll share.

So a little explanation, this script will allow you to enter a server name or IP to test again, you then specify the port and it’ll test that port against the specified IP with some TCP traffic.

Again, this can be built on but there is a more robust Powershell script which I’ll post at a later date for this purpose.

Either way, a cool little program.