The tale of the server who was not to be updated

Dear friends,

Now I relate to you a take of perill.

It concernes a Windows 2000 server with Cisco VOIP software that we did not know about. No one had ever told us about it.

We have been pushing to get all of our servers to some kind of patch standard.. a mammoth task, 200 servers, and nothing even resembling a patch management infrastructure.

I had installed WSUS, and added all clients that where on the old SUS server over, this included mostly PCs and Laptops, but also a bunch of servers, including the one in question, because we didn’’t know it was a server.. its account was included in our Workstaiton OU.

WSUS, and other vulnerbility scanning software such as Windows Update and MBSA2, requires a newer version of the Windows Update client. This is usually installed automaticly when you connect a server to the WSUS. This process is called self-update.

Anyhow, we recieved an email alerting us to the fact that this server may not be updated with the latest patches, that only Cisco approved windows patches should be installed.  Also was it explicitly not allowed to run our standard Mcafee virusscanner! Most likely it would mess up the software and bring the box down!

Like I said, this server was already on the WSUS as far as I knew, so I mailed them that back, but before I did, I ran an MBSA2 scan of the box to see weather it was or was not up to date. It was not. I chalked this down to the fact that this server is never rebooted, causing installed updates never to take effect, and effectively blocking the update process from continuing.

However.. that was, as it turned out, not the reason it was out of date. It had, in fact, never recieved the new Windows Update clients from the WSUS server.. Even though its policy was pointing it at our WSUS server, seflupdate had failed all those months ago, and we never new, cause an automated MBSA scanning cycle had never been used on the system, as it was not in the IP subnet we administered.. Like I said, we didnt know about the server explicitly, even though we had moved its computer account about with the SUS to WSUS migration.

The moment I scanned the box with MBSA2, something happened that I had forgotten about. It installed the new Windows Update client.. the same one that WSUS installs. It then proceeded to register itself with the WSUS server, and started downloading and isntalling all the missing updates! (20 or so).


Now, because these mails where going round about this box, another admin on a different site, decided to log into the box to see what it was about.

No one had logged in to the box for over 6 months.

Now you should know, that, in the last few weeks, my manager, who also administers, made a script that runs at logon time for most ordinary users. This script installs the latest version of the Mcafee virus scanner.

This script is set up using computer policy,  on our workstation OU.  Now remember, we did not know this VIOP server… was a server.. its account was included in our workstation OU.

So guess what happened when this guy logged on?


So now.. its fingers crossed to see what happens the first time we reboot this server.
In the meantime, I have put it in a seperate OU with a seperate policy, and a seperate group in WSUS, so we can carefully control what this particular server gets and doesnt get.