Yes. There are post-installation tasks that minimize problems and more quickly allow effective use of UpdateEXPERT. For instance, upon completing a "Typical" UpdateEXPERT install, you may want to immediately do the following tasks as the fastest way to begin using the product effectively.
UpdateEXPERT INITIAL SETUP
  Enable IE file cache deletion (optional)
  Initial Database Update (required)
  File > Agent > Settings:
    Enter Proxy Settings (required, if database update above fails)
    Schedule Database Updates (set by default, but configurable)
    Turn on all logging (good idea for troubleshooting/auditing)
    Set up Validation Defaults (optional)
    Set up Language Defaults (optional)

UpdateEXPERT USAGE
  Enumerate Network (required)
  Pick machines to Manage (required)
  Set Credentials (required)
  Perform Querying (required)
  Set Background Query in "Agent Settings" (optional)
  Research patches
  Deploy patches
  Additional Tools
Enable IE file cache deletion:
This is not critical, and only needs to be done on the Master-Agent machine if at all, but is one of those things that is a "good idea". Go to "Tools | Internet Options", "Advanced" tab, and scroll to the bottom where security options are listed. Check "Empty Temporary Internet Files folder when browser is closed". This prevents stale information from accumulating in browser cache, and helps with file downloading in UpdateEXPERT. Why, you ask? Improper credentials for a proxy server (for example) can cause the proxy to return a 3KB rejection notice file instead of the 384KB patch file you wanted (for example). It's easy enough to fix the proxy problem, but then IE has the annoying habit of trying to fulfill your next download request from cache, handing you the 3KB file again. You can delete the IE temporary files interactively (2nd screen shot below), or you can configure IE to empty cache every time you close your browser, or both.
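The failure described above (a small proxy rejection page stored under the patch's filename) can be caught before deployment by checking what the downloaded bytes actually are. The following is an added example, not part of UpdateEXPERT or the original article; the function names, the sample data, and the idea that the expected file size is known to the caller are assumptions.

```python
import struct

HTML_MARKERS = (b"<html", b"<!doctype", b"<head", b"<body")

def classify_download(data, expected_size=None):
    """Return (verdict, reason) for bytes that were saved as a patch .exe."""
    head = data[:512].lstrip().lower()
    if any(head.startswith(marker) for marker in HTML_MARKERS):
        return ("reject", "HTML page saved under a patch filename")
    # A Windows executable starts with a 64-byte DOS header beginning "MZ".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ("reject", "missing DOS 'MZ' header")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return ("reject", "missing PE signature")
    # Assumption: the caller knows the published size of the patch file.
    if expected_size is not None and len(data) != expected_size:
        return ("reject", f"size {len(data)} != expected {expected_size}")
    return ("accept", "looks like a complete PE executable")

def make_sample_pe(total_size):
    """Constructed stand-in for a patch: DOS header, PE signature, zero padding."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    image = dos_header.ljust(0x80, b"\0") + b"PE\0\0"
    return image.ljust(total_size, b"\0")

# Constructed samples sized like the page's example (3KB notice, 384KB patch).
SAMPLE_REJECTION = (b"<html><head><title>407 Proxy Authentication Required"
                    b"</title></head><body>Access denied</body></html>").ljust(3 * 1024)
SAMPLE_PATCH = make_sample_pe(384 * 1024)

if __name__ == "__main__":
    for name, blob in (("rejection notice", SAMPLE_REJECTION),
                       ("patch", SAMPLE_PATCH),
                       ("truncated patch", SAMPLE_PATCH[:100_000])):
        print(name, classify_download(blob, expected_size=384 * 1024))
```

The header check only shows that the file is structurally an executable of the expected length; it says nothing about who produced it.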
Initial Database Update:
Go to "Help | About" and note the database build number. Go to "Help | Update Database Now"... this will cause a connection to St. Bernard to be established, and the latest remediation database to be downloaded. If you already have the latest database, a dialogue box will indicate this. Otherwise, you get a 30 second period to "yes|no" the download, and then it usually takes a short while (minutes or less) to download the database. If you are "unable to connect to St. Bernard", that is a good indication that proxy settings are needed to access the internet.
Tip: the browser plug-in uses IE settings, but the Master Agent requires that you enter the settings for database and patch downloads.
Enter Proxy Settings:
If your database update works, and if you can see the "UpdateEXPERT User Web" home page below, you don't need to worry about the proxy setting; just skip this paragraph. If the manual database update fails, go to "File > Agent > Settings > Internet Tab" to enter proxy server information in UpdateEXPERT. Get the proxy settings from IE itself, or contact a network administrator (IE can know the proxy from a "script", so the data is not visible to you). Test the proxy settings with the test button, or simply attempt to update your remediation database again. Work the issue until you get the database updated, as the accuracy of "queries" is directly affected by the database.
If using settings management (SecurityEXPERT) set proxy settings from:
Schedule Database Updates:
Once you have updated the database manually, go to "File > Agent > Settings > Updates Tab". You can keep the default periodic database update (default 360 minutes or 6 hours), or create a timed update like every night at 1AM. Your database will now be kept up to date automatically, and the accuracy of your host queries and patch listings will be up-to-date at all times, constantly reflecting newly released patches from Microsoft that are now available for deployment.
Turn on all logging:
Go to "File | Agent | Settings", "Logging" tab, and check all events. This will collect the maximum amount of data in the ActorUserLog file, whose full path is:
C:\Program Files\Common Files\UpdateEXPERT\ActorUserLog.txt
You may want to create a shortcut to this file for easy access. You can set the size of the file (see "Log Size" in screen shot).
Set up Validation Defaults:
You may not use Validation right away, but it's a good idea to set up the recommended defaults in the "Validation Tab" right now, for use later.
Set up Language Defaults:
You may want to explicitly identify the "language" you expect to be working with for the Master-Agent as a way to avoid occasional query issues.
Enumerate Network:
Now that automated database updates and logging are set up, go ahead and enumerate part or all of your network. Enumeration occurs automatically when you first expand domains in the network pane. Thereafter, enumeration occurs manually with a right-click on a domain name. When you have a patch you want to deploy for a domain, you can enumerate just before deployment to make sure you pick up any newly connected hosts. Enumeration can also be scheduled as part of an automated background query schedule... See "Perform Querying" below.
Tip: You can avoid enumerating all domains by selecting the "microsoft network" object (top of the network pane) and right-clicking to get a menu that allows for adding domains manually. Once the domain is added, you can enumerate just the one domain. This avoids enumerating many domains for a simple test, demo, or training.
Pick Managed Machines (Avoiding Cluster Targets):
You can enumerate (discover) your network, but you can't necessarily query yet. You need to use "Manage Selected" to identify the machines you intend to manage with UpdateEXPERT. This will decrement the licensed number of targets you can manage. You may be prompted to set credentials when you attempt to manage a machine; this is so UpdateEXPERT can write GUID information (Globally Unique Machine ID) to the target for identification purposes. See:
Machine GUID's in UpdateEXPERT Premium
Managed machines are bold. If you make a mistake, you can "Unmanage Selected". If all machines are bold, you have an unlimited license. Now you should set up your credentials if you haven't already.
Set Credentials...:
Set valid Administrative credentials for query and patch deployment. Credentials can be set at the Machine or Container levels. Use the Container levels as much as possible. For example, a Domain account credential on a Domain container will apply to all the machines in the container, even newly added machines. Set Machine level credentials for exceptions or testing. Credentials can be temporarily used for a single session, or stored for ongoing use. There is much more to know, see:
Credentials Management in UpdateEXPERT Premium
Perform Querying:
After setting credentials, select one or more machines or a domain and right-click to perform querying. If new, pick machines nearby that are not hardened or secured and see if the query completes, giving you a list of installed vs. available patches. Query relies on standard Microsoft networking ports/services for NON Leaf-Agent machines. Leaf-Agent targets (secured targets) have much less reliance on Microsoft ports/services and provide performance and security benefits. See:
Why Should I Deploy Leaf Agents?
RedHat and Solaris targets (Unix) have their own requirements for querying and patch deployment. If you intend to support Unix targets, see:
Getting Started with RedHat & Solaris
Background querying and Enumeration:
Background querying and enumeration can be scheduled to occur regularly as shown below. Wednesday through Sunday at 3 in the morning, we enumerate and query the managed machines specified for this Master Agent. This keeps the network view "fresh". Ideally, we might schedule a daily database download at 2:50AM so that the database is refreshed right before the query, or we could rely on the 360 minute schedule.
Research Patches:
UpdateEXPERT makes it easier to research patches, but it does not eliminate the need to be aware of what you are patching and why. Patches are typically referred to by their filename, Q-article number (knowledgebase number), or "MS" number (security patches).
Windows2000-KB822831-x86-ENU.exe (filename)
Q822831 (Knowledgebase ID)
MS03-026 (Security Patch ID)
Tip: Go to "View > Options > Preferences" and uncheck "auto navigate" item to prevent the patch research from changing every time you click on a different patch. You can still right-click on the patch and use "Information" to manually ask for the research page.
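Because the same patch can appear in tickets and audit notes under any of the three reference styles listed above, it helps to normalize them before comparing records. The following is an added example, not part of UpdateEXPERT or the original article; the function names and the sample list are constructed, and the filename pattern is an assumption generalized from the one filename shown on this page. A bulletin ID is kept as its own key because mapping it to an article number requires the patch database.

```python
import re
from collections import defaultdict

# Pattern assumed from "Windows2000-KB822831-x86-ENU.exe": product-KB<n>-arch-lang.exe
FILENAME = re.compile(
    r"^(?P<product>[A-Za-z0-9.]+)-KB(?P<kb>\d{6,7})-(?P<arch>[A-Za-z0-9]+)"
    r"-(?P<lang>[A-Za-z]{3})\.exe$", re.I)
ARTICLE = re.compile(r"^(?:Q|KB)(?P<kb>\d{6,7})$", re.I)    # e.g. Q822831
BULLETIN = re.compile(r"^MS(?P<yy>\d{2})-(?P<seq>\d{3})$", re.I)  # e.g. MS03-026

def parse_patch_ref(text):
    """Classify one patch reference and pull out its fields."""
    text = text.strip()
    m = FILENAME.match(text)
    if m:
        return {"kind": "filename", "kb": int(m["kb"]), "product": m["product"],
                "arch": m["arch"].lower(), "lang": m["lang"].upper()}
    m = ARTICLE.match(text)
    if m:
        return {"kind": "article", "kb": int(m["kb"])}
    m = BULLETIN.match(text)
    if m:
        return {"kind": "bulletin", "bulletin": f"MS{m['yy']}-{m['seq']}"}
    return {"kind": "unknown", "raw": text}

def group_refs(refs):
    """Group references so a filename and a Q-number for one article share a key."""
    groups = defaultdict(list)
    for ref in refs:
        parsed = parse_patch_ref(ref)
        if "kb" in parsed:
            key = f"KB{parsed['kb']}"
        else:
            key = parsed.get("bulletin", "unrecognized")
        groups[key].append(ref.strip())
    return dict(groups)

# Constructed sample: the three references from this page plus two noisy entries.
SAMPLE_REFS = ["Windows2000-KB822831-x86-ENU.exe", "Q822831", "MS03-026",
               " q822831", "setup.exe"]

if __name__ == "__main__":
    for key, members in group_refs(SAMPLE_REFS).items():
        print(key, members)
```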
Deploy Patches:
Select machines, right-click in the updates pane and "Install" patches. Policies allow identifying "required updates", meaning updates that should be installed to all applicable machines. See:
Named Policies in UpdateEXPERT Premium
Please research any new patch before deploying it, and it is a good idea to deploy to one machine first as a test, before deploying to many machines. See:
Additional References:
There are UpdateEXPERT features or tools that support more effective use as listed below. Please refer to the Deployment Guide (UpdateEXPERT program group), and the online Users Guide, i.e. "Help | Contents" in UpdateEXPERT, for more information. You can also search this knowledgebase.
Reboot and Send-Alert commands (See "Help | Contents" for these menu commands)