Another method is to use the WSUS Package Publisher (http://wsuspackagepublisher.codeplex.com/). You will still need a software inventory solution, or to build your own; that is just basics for security. There is no way to be effective at determining risk if you do not have a host and software inventory. The modification of the MSI is so it removes Java 6 if you do not use it. Also remember there is more than one packaged version of Java: you have the JDK, the JRE, and some software even bundles it, so a proper inventory will help. You can use WMI or SMB Remote Registry to look for Java in the install/uninstall keys, and set firewall rules so only the server segment or your management segment has access to the WMI/SMB ports (this reduces the chances of pass-the-hash in case of compromise).

My recommendation: build a lab, test, document and re-deploy in the lab from clean. Once you have the process down, with each new version it is just a matter of updating the package. WMI filters are a good way to determine whether Java is installed or not, and so which hosts a policy applies to.

On May 21, 2013, at 10:08 AM, Guillaume Ross <[email protected]> wrote:

> In the GPO itself you can mark a package to be installed after the removal of
> a previous version as well.
>
> I don't recommend using GPOs to push software, especially software that is
> updated so often and found vulnerable so often, because you will have little
> information on how successful the deployment is.
> One day or another, you will end up with a bunch of workstations still
> running an old Java, or maybe stuck without Java. (One could argue - is that
> really a bad thing? I guess it is if it's really needed).
>
> If you do use GPOs because you don't have anything else, consider using
> something else (maybe something as simple as a script) to output some
> information about the version of Java on each workstation, and monitor those
> logs.
>
> Guillaume
>
> On 2013-05-20, at 11:28 AM, Carlos Perez <[email protected]>
> wrote:
>
>> 2 Methods depending on your inf, the first one would be to extract the MSI
>> from the installer, open the MSI in Orca and modify it to remove previous
>> version and publish the MSI via GPO. The second one would be using a third
>> party patch management solution.
>>
>> On May 20, 2013, at 7:29 AM, Alex Kornilov <[email protected]> wrote:
>>
>>> Maybe very stupid question. How to update (security patches) Java on Windows
>>> 8?
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
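
One way to produce the per-workstation Java version log suggested in the thread, by reading the uninstall registry keys mentioned above. This is an added example, not code from any poster in this thread; the log path, the function name and the display-name pattern are assumptions to adjust for your environment.

```powershell
# Added example: per-workstation Java inventory from the uninstall registry keys.
# $LogPath is a hypothetical location; point it at a folder or share you collect from.
param(
    [string]$LogPath = "$env:ProgramData\JavaInventory\java-inventory.csv"
)

# Both registry views are checked so 32-bit Java on 64-bit Windows is not missed.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function New-InventoryRow([string]$Name, [string]$Version, [string]$Publisher, [string]$Key) {
    # One row shape for every record so Export-Csv -Append keeps consistent columns.
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        Computer  = $env:COMPUTERNAME
        Name      = $Name
        Version   = $Version
        Publisher = $Publisher
        Key       = $Key
    }
}

function Get-JavaInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $name = [string]$key.GetValue('DisplayName')
            # Assumed pattern for JRE/JDK display names. Copies bundled inside other
            # software that register no uninstall entry will not appear here.
            if ($name -notmatch '^(Java|J2SE)\b') { continue }
            New-InventoryRow $name ([string]$key.GetValue('DisplayVersion')) `
                ([string]$key.GetValue('Publisher')) $key.PSChildName
        }
    }
}

$found = @(Get-JavaInstall)
if ($found.Count -eq 0) {
    # Record hosts with no Java as well, so a missing row means "did not report".
    $found = @(New-InventoryRow 'none' '' '' '')
}

$dir = Split-Path -Path $LogPath -Parent
if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
$found | Export-Csv -Path $LogPath -Append -NoTypeInformation   # -Append needs PowerShell 3.0+
$found
```

Run it as a startup script or scheduled task with rights to write the log, then compare the collected versions against the version you deployed to spot workstations that missed the update.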
