Executing Remote Commands with BatchPatch

One of the tasks that BatchPatch can help with is executing remote commands or processes across many computers at the same time. For systems administrators this is a common need, and our goal was to make it extremely easy to perform this task in BatchPatch. This way you can avoid manually writing a script that steps through each target computer one at a time, and instead you can use BatchPatch to execute the same command across your entire network of computers, simultaneously, in just a few seconds.

In the BatchPatch actions menu we have two different methods for executing remote commands. One method (Remote Commands 1 and 2) will simply execute the command or process and then report the exit code. The second method (Remote Commands 3 and 4) will execute the command or process and attempt to retrieve any output that the command or process created. Under the hood, the actual code used to execute remote processes differs with these two methods. As such, in some cases you may notice the behavior of the two different methods is a bit different. This is expected. In some cases it’s possible that a remote command will execute successfully under one method but not the other, though in many cases a remote command can be executed using either option. Because the process execution and parsing differs under the hood for the two methods, we’ve included both the non-logged and logged-output options to help maximize compatibility with remote commands.

We generally recommend that if you need to execute a command on a set of computers but you don’t need to see the output of the command, that you use the Remote Command 1 or 2 actions. An example command for this type of use case might be something like ipconfig /flushdns where you need to flush the DNS Resolver Cache on target computers. In that case you simply need the command to execute successfully, but the command itself doesn’t produce any output that you care to retrieve.

However, in the case where you actually need/want to see the output of a particular command, you should use the Remote Command 3 or 4 actions, which in BatchPatch are listed with “(logged output)” next to them to indicate that they will attempt to retrieve the output of any command that’s run on target machines. An example of a command you might run in this instance is ipconfig /all where you want to see the output of the IP configuration on target computers.

Executing commands remotely when you do not need to retrieve output from the command:

  1. Highlight your hosts in the BatchPatch grid and select Actions > Execute remote process/command > Create/modify remote command 1
  2. Enter your command in the new window that appears. In this example we’ll use ipconfig /flushdns
    BatchPatchRemoteCommand1
  3. Execute the command by clicking the “Execute” button. This option will actually save the command to the grid and then execute it immediately. However, if you instead choose to skip the immediate execution option and select to only save the command using the “Save” button, you can still execute it later by using Actions > Execute remote process/command > Execute remote command 1.
    BatchPatchRemoteCommand1Completion

Executing commands remotely when you need to retrieve output from the command:

  1. Highlight your hosts in the BatchPatch grid and select Actions > Execute remote process/command > Create/modify remote command 3
  2. Enter your command in the new window that appears. In this example we’ll use ipconfig /all
    BatchPatchRemoteCommand3
  3. Execute the command by clicking the “Execute” button. This option will actually save the command to the grid and then execute it immediately. However, if you instead choose to skip the immediate execution option and select to only save the command using the “Save” button, you can still execute it later by using Actions > Execute remote process/command > Execute remote command 3.
  4. You can see in the screenshot below that I’ve displayed the cell contents of the Remote Command Output Log by middle-clicking on the cell. We can see the output of the ipconfig /all command.
    BatchPatchRemoteCommand3Completion
Posted in Blog, General, Tutorials | Tagged , | Comments closed

How To Receive Notifications When Computers Go Offline Or Come Online

Let’s say you’re working through a list of computers to install Windows Update or a third-party software product, but only a percentage of the computers are actually online. The reason, of course, is because your organization provides laptops to its employees, but at any given time there are a lot of people who either aren’t in the office or are disconnected from the network for one reason or another. Wouldn’t it be nice to receive an email or hear an audio alert when the remaining, yet-to-be-updated computers come online so that you can get them updated before the users remove them from the network again? You can use BatchPatch to notify either via email or by playing a sound when a computer goes offline or comes online. Here’s how it works:

  1. Configure email settings: Launch the settings dialog by selecting Tools > Settings > Email Notifications. You’ll need to fill in the appropriate fields for your organization, which might include creating an email address specifically for the purpose of sending alerts. Once you’ve got everything filled out, make sure to verify the configuration by clicking the Test email settings button, which will send a test notification to the configured recipients.
    BatchPatch Email Notification Settings
  2. Configure default alert settings: Select Tools > Settings > Ping Status Alerts. The Global default alert settings for NEW rows section controls the default alert configuration of hosts that are added to the BatchPatch grid. However, after a host has already been added to a grid, it’s very simple to modify the settings for that particular host, which we’ll get to in a moment. For now you simply need to make sure that you’ve configured default settings for your installation of BatchPatch. For example, perhaps you love Star Wars and simply can’t help yourself from setting the online audio sound to a classic clip of Yoda speaking to Luke! Or you could opt to leave the default BatchPatch sounds as-is. I promise that no one will think less of you. 🙂
    PingStatusAlertSettings
  3. Configure alert settings for hosts in the grid: In your BatchPatch grid you have the option of configuring different types of alerts for different hosts. For example, you can configure some hosts to send email notifications when they come online, while having other hosts only produce audio alerts when they go offline. Highlight the hosts that you want to modify, and then select Actions > Ping status alerts. In the screenshot you can see that I’ve set host3 through host8 to only send email notifications when the host comes online. The other hosts in the grid are set to produce audio alerts when the hosts go offline or come online.
    BatchPatch Ping Status Alerts
  4. Configure email recipients for hosts in the grid: (Optional) If you want to configure specific rows in the grid to email particular administrators, you can do that by overriding the default email recipients for any particular row(s). Highlight the hosts and select Actions > Email notification > Override default email notification settings. In the screenshot I have configured host3 through host8 with ‘admin7@yourorganization.com’ as their only recipient for email alerts.
    Override email recipients
  5. Ping the hosts: The only thing left to do is start pinging the hosts in BatchPatch. Highlight the hosts and then select Actions > Start pinging. Hosts will only send email alerts or produce audible alerts while they are being actively pinged in BatchPatch. As soon as a given host’s ping changes from ‘TimedOut’ to ‘Reply from…’ you’ll receive an email notification or hear an audio alert, depending on the settings you configured for the row.
Posted in Blog, General, Tutorials | Tagged , | Comments closed

Hiding Windows Updates Remotely In a Non-WSUS Environment

If you’re using BatchPatch in an environment that has no WSUS server, there might be times when computers show more available updates than you actually want to install. For example, perhaps you don’t want to install new versions of IE or .NET when you’re installing Windows Updates, but you do want to install updates to the existing versions of IE and .NET. Well, if you had a WSUS server, the procedure would be as simple as removing the approval for the particular update on your WSUS server. This approval removal would then be seen by computers that report the WSUS server, and it would then no longer appear in the list of available updates on those computers. However, for those of you working in environments that do not include a WSUS server, you need a way to hide these updates. Fortunately, with BatchPatch it’s a simple process to hide specific updates, by name, so that they no longer appear as available or visible updates on target computers. In the same way that updates can be hidden, they can also easily be unhidden at any time with just a few clicks.

To hide an update on target computers using BatchPatch:

  1. First, let’s check for the list of available updates, so that we can see the titles of all the updates that are ready to be installed on the computer. Highlight the host and then select Actions > Windows Updates > Check for available updates. In the screenshot below we can see the list of updates on available on my computer at the moment.
    CheckForAvailableUpdates
  2. For the sake of this example, let’s hide the first update in the list, titled “Update for Windows 7 for x64-based Systems (KB2952664).” Highlight the hosts that you want to hide the update on and then select Actions > Windows Updates > Hide / unhide updates > Create/modify list of specific updates for hiding.
  3. In the new windows that appears, we have the option of either listing the exact title of the update or just a piece of the title. We can enter one entry per line. BatchPatch will examine the list of updates that are available, and if any of those updates contains one of these entries in the update title, the update will be hidden. Generally speaking, the simplest way to proceed is to enter the KB ID number for each update that we want to hide. However, occasionally an update title might not contain the KB ID, in which case we would simply copy and paste the exact title into the list. In this example I’ve input the KB ID of the update that we want to hide.
    CreateListForHidingUpdates
  4. Once we’ve added the update(s) to our list, we are ready to execute the action to hide the update. There are two ways to do this. We can either simply click the Execute button, which will hide the update on all selected hosts, or we can click the Save button, which will save this “Hide list” for all of the highlighted rows. Once the “Hide list” has been saved for a given row or set of row(s), to actually hide the update we would click on Actions > Windows Updates > Hide / unhide updates > Hide updates.
    HideUpdates
  5. We can see in the screenshot above that the update has been hidden. Now when we execute a new “Check for available updates,” the hidden update doesn’t appear in the list. When we install the available updates, the hidden update will not be installed. If at some point we decide that we want to view the list of installed updates and/or unhide the update, we can do so very easily by using Actions > Windows Updates > Hide / unhide updates > List hidden updates along with Actions > Windows Updates > Hide / unhide updates > Unhide updates.

    ListHiddenUpdates

Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Create a Consolidated Report of Windows Update History

We have received numerous requests for the ability to create Windows Update history reports with BatchPatch. I’m happy to announced that the latest build of BatchPatch (2014.07.01) has a new reporting option that enables you to quickly retrieve the entire history of Windows Update actions from target computers. The output is consolidated so that you can look at all updates across all target computers in a single grid. This means that it’s now simple to retrieve a list of updates that have been installed on a particular computer or set of computers.

To generate an update history report, add hosts to a BatchPatch grid and then highlight the hosts that you want to include in the report. Next, click Actions > Windows Update > Consolidated report of update history. This will launch the Update History Report settings form.

BatchPatch_ConsolidatedUpdateHistoryReport

The report settings allow you to easily view just a specific date range, with the default set to show only the most recent 30 days of history. Additionally, you can choose to specify inclusion or exclusion criteria, so that only updates titles that match the text entries you provide will be included or excluded. This makes it easy to retrieve update history for only a specific update, or to exclude update history information for a particular update. Note that exclusion criteria will override inclusion criteria in the event there is a conflict when both search fields are used simultaneously. Using the inclusion/exclusion fields are completely optional. You may instead choose to simply retrieve all Windows Update history for a given date range, and then you can simply sort the report to view the information that is important to you.

The report is generated in real-time by querying each machine for information about its Windows Update history. The output includes the host name, update title, date installed/uninstalled, action performed (installation/uninstallation), status of the action performed (success/failure/in-progress), as well as the application that performed the action.

The final output is both sortable and exportable, and there is also a find feature that enables you to quickly jump to a cell that contains your search text. The export options give you the ability to create pipe-delimited, tab-delimited, or XML reports, which can then be opened in your favorite spreadsheet application or imported into a database.

Consolidated Update History Report Output

This new report feature should make it easier to monitor the status of Windows Updates on your PCs while maintaining compliance with the security guidelines of your organization. As always, if you have any questions, comments, or issues, please feel free to post a note in the forum or send us an email.

Posted in Blog, General, Tutorials | Tagged , , , | Comments closed

BatchPatch – New Build Released July 2014

Hey everyone! We published a new build today, and I wanted to take a moment to share with you some of the updates that have been made. While this build was primarily a bug-fix release, we also included a few features worth noting. In particular, we’ve added some reporting options for Windows Update history, which many of you have been asking for!

Consolidated Windows Update History Reports

You asked for it and now you’ve got it! Windows Update history can be viewed very easily now using the report history option. To generate an update history report, add hosts to a BatchPatch grid and then highlight the hosts that you want to include in the report. Next, click Actions > Windows Update > Consolidated report of update history. This will launch the Update History Report settings form. From there, select the options you want and click Generate Report. More info on this feature is available here.

BatchPatch_ConsolidatedUpdateHistoryReport

Consolidated Update History Report Output

Exclude Specific Columns from Being Automatically Unhidden by BatchPatch

This minor addition makes it easier to customize BatchPatch so that it displays only what you want it to display. By default, when an action is executed in BatchPatch, BatchPatch automatically opens any column that is written to by the action. However, there are times where you might not want to ever see certain columns, and now it’s easy to exclude them from auto-unhide operations.

ExcludeColumnsFromAutoUnhide

New Row Index Column

A number of you have asked for a Row Index column to help keep track of your hosts. This has now been added, but it’s hidden by default. If you want it to be displayed at all times, simply untick the ‘#’ box in the “except these columns” form mentioned above.

RowIndexColumn

New Build Downloads Now Accomplished In-App

Some of you have had problems downloading BatchPatch from the “New Build Available” form using “Help > Check for updates.” These problems occur as a result of IE security settings. While it’s simple enough to whitelist https://batchpatch.com in the security settings to resolve the issue, we modified the code to now execute the download process inside of BatchPatch instead of launching the default web browser, which should ease some of the pain and confusion when updating your software. The web browser download will be used now only in the event of a failure of the in-app download.

UAC Elevation Code Update

Generally speaking there is no need to run BatchPatch with elevation. However, in the event that you are trying to perform actions on the computer that is running BatchPatch, as opposed to a remote target computer, BatchPatch does need to run as administrator. The code that warns you of this fact has been updated to be more accurate and robust. Previously there were certain conditions that would prevent the elevation prompt from appearing, but now BatchPatch should be better about telling you if you need to elevate.

Bug Fixes!

We fixed a number of very minor to slightly-less-minor bugs in this build. I’ve listed a few of the more notable ones below:

  • Fixed bug in Get Registry Key/Value so that quotation marks are automatically added, preventing Invalid Syntax errors
  • Fixed email notifications and HTML exports to not display Event Log, Remote Agent Log, and All Messages columns unless they are visible in the BatchPatch grid
  • Fixed bug in Remote Process/Command where WMIC commands would fail to execute under Remote Command 1/2 even though they would execute successfully under Remote Command 3/4
  • Fixed bug in concurrent thread maximum where trying to set it below the number of logical processors in the system would not change the setting at all
Posted in Blog, General | Tagged , , | Comments closed

BatchPatch Performance Tuning

Hey everyone! This week I’d like to take some time to talk about getting the most out of BatchPatch from a performance perspective. As you have probably already discovered, BatchPatch is geared toward doing a lot of things at once. One of the most important design elements for us was to figure out a way to allow the user to execute a lot of tasks in a very small amount of time. We didn’t want to bog down the user interface with a lot of extra windows requiring lots of clicks to get the software to do your bidding. We wanted to keep things simple, intuitive, and fast, while still being very powerful for getting the job done effectively.

We know that the large majority of BatchPatch users are highly skilled technical wizards (frequently referred to as sysadmins) who really know what they’re doing when it comes to computers and networking. We like to think of ourselves as more than just average power users, and we wanted BatchPatch’s interface to be driven as much as possible by function, giving the user as much control as possible, rather than dumbing-down the interface at the cost of functionality. We know as well as you do that there’s nothing more annoying than a clunky app that shields the user from the core functionality of the app so much that it begins to feel like you’re not driving the app, and instead the app is driving you.

There were a number of trade-offs that we made during the development process, always bent toward providing the user with maximum control, even if it meant that in some cases the user could dig him/herself into a performance bottleneck. For example, BatchPatch allows you to execute actions such as remotely installing Windows Updates, remotely installing software, or remotely executing scripts on an unlimited number of machine simultaneously. The awesome thing about this is that tasks can be accomplished extremely quickly since BatchPatch can be configured to allow a very large number of execution threads to run concurrently. The downside is that if you attempt to execute more simultaneous threads than the computer or network connection is able to gracefully handle, you could end up causing the computer to stutter a bit in its responsiveness while it completes all those tasks.

I know for myself that I don’t want to be limited by some over-protective factory setting that isn’t changeable. We we believe that our super-savvy users should have the final say over how the app runs rather than being limited to settings geared for less savvy users. One area where this holds true is with maximum thread count. BatchPatch is a multi-threaded app that takes advantage of the capability of modern processors to run numerous different execution threads simultaneously. In fact, if you happen to watch the ‘Threads’ column in the ‘Process’ tab of Windows Task Manager when you execute an action across a large number of hosts in BatchPatch, you’ll see that BatchPatch might quickly spin up many more threads than any other app running on your computer. Of course once the action completes those threads are released back to the OS.
TaskManager_BatchPatch

In the Tools > Settings window, we provide an option called “Concurrent Thread Maximum.” The default value is set to 100, but you can choose any number you like, with 0 being an unlimited number of threads. The concurrent thread maximum value is used to control the number of worker threads that will execute concurrently. If you execute a set of actions simultaneously on more computers than the concurrent thread max value is set to- so for the sake of this example let’s imagine executing a remote Windows Update installation on 200 computers when the concurrent thread max is set to 100- you’ll notice that the first 100 rows begin execution immediately while the second 100 rows show a status of ‘Queued.’ As computers in the first 100 rows complete their actions, their threads are freed up for the queued rows to begin executing.
ConcurrentThreadMaximum

If you’re running BatchPatch on a computer that doesn’t have a lot of CPU power and/or RAM you might want to decrease the concurrent thread max. If your computer has a lot of horsepower, you might consider increasing the concurrent thread max or even removing the limit altogether by setting it to 0. It’s your choice.

Posted in Blog, General | Tagged , , , | Comments closed

Wake On LAN with BatchPatch

BatchPatch provides Wake On LAN (WoL) capabilities, which makes it convenient when you need to remotely power-on (wake) computers on your network. Some folks like to use Wake On LAN in conjunction with their routine maintenance for patching / updating their computers. The reason this can work nicely is because once you have Wake On LAN configured for your computers, you’ll be able to patch them even if they are powered down when your maintenance window begins. With Wake On LAN you’ll be able to remotely power-on the computers, initiate the patching process, and then optionally shut them down again after completing the maintenance. Note, Wake On LAN needs to be enabled in two places before it will work. Below we will explain how to enable it in both the BIOS and in Windows.

Enable Wake On LAN in the BIOS


To access the BIOS on a computer, you’ll need to restart the computer while sitting watching the console. During the setup phase, you should be prompted to enter the BIOS by pressing a hotkey on your keyboard. For many BIOS manufacturers this is F1 or Delete, but it could be any key. Read what is displayed on your console and follow directions to enter the BIOS or SETUP. If you’re unable to proceed, consult the documentation for your computer hardware from the manufacturer.

Once you’ve entered the BIOS / SETUP for your computer, go to the power management section. You need to find the entry for WOL, Wake-up, PME (Power Management Events) or similar. Enable the setting. The AMC BIOS page for Wake On LAN is shown below under “PME Event Wake Up.”
PME_Event_Wake_Up

Enable Wake On LAN in Windows


Now that you’ve enabled Wake-on-LAN in the BIOS, you must also enable it in Windows. Launch the ‘Network Connections’ screen by opening the ‘Control Panel > Network and Sharing Center > Change adapter settings’ screen. You can also get to this screen by clicking ‘Start > Run,’ and then type “control netconnections” without the quotes.
NetworkConnections
From here, right-click on your ‘Local Area Connection’ and select “Properties.”
LocalAreaConnectionProperties
In the Local Area Connection Properties window click the “Configure” button. You’ll be presented with all of the configuration options for your network adapter. In the “Advanced” tab, find the option for Wake-on-LAN. This might be presented as “Magic Packet” or similar. Use your judgement to determine the correct setting since different network adapter drivers will present it slightly differently. In the screenshot below you can see that my computer lists it as “Wake on Magic Packet.”
WakeOnMagicPacket

Adding MAC addresses to the BatchPatch Grid


Now that you’ve configured your computer to wake when it receives the “magic packet,” you’re ready to use BatchPatch to initiate the wake-on-LAN process. The MAC address of the target computer is required for Wake-on-LAN, and you have a couple different ways to get it into the BatchPatch grid.

Option A:
Load the target host name into the grid and then retrieve the MAC address by using the “Get Information > Get MAC Address” option. Note, that under certain conditions if a machine has many MAC addresses with multiple active network adapters, it’s possible that BatchPatch will retrieve a MAC address for an adapter that is not on the network that you expect. In this case you might have to revert to Option B.

Option B:
Load the target host name WITH its MAC address by using the following syntax in the “Add Hosts” dialog:
targetHost1#1B6C65E5541D
targetHost2#1A5D27F3451B
targetHost3#1C4B38C2214C
BatchPatchAddHostsWithMACs
BatchPatchX3

Sending the Magic Packet


Now that you have your hosts and MACs loaded into the BatchPatch grid, you’re ready to send the magic packet to wake the target machines. Highlight the hosts and go to Actions > Wake on LAN.
BatchPatchWakeOnLANMagicPacketsSent

Subnet-Directed Broadcast for Wake on LAN


The default broadcast address that BatchPatch uses when performing Wake on LAN is 255.255.255.255. This address is used to specify the local network that the BatchPatch computer is connected to. If you wish to direct your Wake on LAN packets to a different subnet, you may modify the broadcast address in BatchPatch by selecting the row(s), and then clicking ‘Actions > Wake On LAN > Modify broadcast address / port‘. So for example if your BatchPatch computer is on the 192.168.0.0/24 network and your target computer to wake is on the 192.168.1.0/24, then you would use the broadcast address 192.168.1.255 to send the magic packet.

It’s important to note that routers are frequently configured to disallow subnet-directed broadcasts, so in order for this to work you would have to configure the routers involved to allow such broadcasts.

When testing Wake on LAN it always makes the most sense to start by having the device that is sending the WoL packets on the same network as the devices that will be woken up. First get everything working with the devices on the same network before you attempt to perform WoL to a different subnet. This way once you have gotten everything working on the same network, if you then subsequently have problems with the subnet-directed WoL you’ll know that the issue is due to the cross-network configuration, not with the target computer configuration.

Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Remotely Install Windows Updates – A Guide To Updating Your Computers Remotely

It’s not necessarily as straightforward as it seems like it might be to remotely install Windows updates. Windows Server Update Services (WSUS) provides a significant amount of help with this process, but there are still a number of important considerations to keep in mind.

The great news about WSUS is that it’s free to use and easy to install and configure. With this step-by-step guide, the entire installation and configuration process can be completed in about 30 minutes.

The purpose that WSUS serves is to download from Microsoft all of the updates that your network of computers requires. Your computers are then able to retrieve updates from your local WSUS server rather than each individual computer having to connect directly to Microsoft. Aside from saving bandwidth, this means that your computers do not need direct access to the internet, so long as the WSUS has access. In more and more environments where security is important, disabling internet access for servers is becoming increasingly common. Additionally, WSUS gives you the ability to more easily approve or decline specific updates or groups of updates for your entire environment, thereby simplifying the overall management process. Lastly, WSUS provides some reporting functionality to help you stay up to date and keep in compliance with the security guidelines your organization follows.

The typical way that WSUS is used is with Group Policy. An administrator can configure Group Policy to control how often computers check for updates, download new updates, and install updates. The Windows Update section of the Group Policy Editor is pictured below.

GroupPolicyEditor_WindowsUpdate

The WSUS model can be seen as a kind-of “pull” model, whereby the individual machines check-in with the WSUS at a set interval (also configured in Group Policy) to retrieve and/or install available updates. Unfortunately there isn’t a way to use WSUS without a 3rd-party product to remotely install Windows updates on-demand at the click of a button.

What if you need a higher degree of control in your environment? What if the “pull” model isn’t enough for you, and in order for you to effectively do your job you need on-demand “push-install” capability for remotely installing Windows updates with real-time monitoring? That’s where BatchPatch shines! BatchPatch is an agentless application designed to be extremely simple and effective for administrators to remotely install Windows updates in their environments on any number of computers, whether it be just 50 hosts or as many as 1000. BatchPatch provides administrators with real-time control over the Windows update process. Install Windows updates remotely, on-demand, at the touch of a button, on all of your computers simultaneously. You can watch their progress in real-time as they search for, then download, then install available updates. And of course we all know that virtually every Windows update requires a reboot to complete the installation. Don’t worry, BatchPatch handles that too, automatically. Not only are you able to optionally include an automated reboot or shutdown, but you also have the ability to filter which updates are installed, install individual update packages instead of groups of updates, install third party software, wake on LAN, remotely execute scripts, and retrieve all sorts of information from target computers like registry values or configuration settings. The possibilities are virtually limitless.

The best news of all is that BatchPatch is free to try. The evaluation version is fully functional, only limiting the number of hosts that can be acted upon simultaneously. Even if you don’t have need to remotely install Windows updates, BatchPatch offers plenty more features. If you’re looking for a tool to help manage your entire network of computers, I would encourage you to give it a try. We are confident that once you test it out you’ll wonder how you ever got along without it. More and more sysadmins are adding BatchPatch to their collection of must-have systems management applications.
BatchPatch

Posted in Blog, General, Tutorials | Tagged , , , , | Comments closed

PsExec v2.1 – All Network Communication Is Now Encrypted

Hey Everyone – I just wanted to take a moment to announce to anyone who hasn’t already heard that PsExec, starting with version 2.1, which was released on March 7, 2014, now encrypts all communication between local and remote systems. No more passwords sent in the clear!

In previous versions of PsExec, if you specified credentials with the -u and -p parameters, those credentials would be transferred to the remote systems in clear, unencrypted text. Note that this did NOT apply to cases where Integrated Security was used (remember that with Integrated Security, the security context of the logged on user is used, so no separate credentials are specified). It only applied to the cases where you supplied alternate credentials.

BatchPatch supports the latest PsExec v2.11, so please go ahead and make sure you update your copy. You can download PsExec from http://msdn.microsoft.com/en-us/library/bb897553.aspx

PsExec_Usage


Additional Information About Hubs, Switches, and Encrypted Network Communications

While it’s definitely great news that PsExec now encrypts its network communications, for those of you who might not fully understand the ramifications of what this means, I’ll explain in a bit more detail. Sending passwords over the network in clear text sounds pretty bad, doesn’t it? Well, it’s actually not necessarily all that bad, in reality. It all depends on the details of your network setup. To be clear, I’m not saying that you shouldn’t have *any* concern about clear text credentials on your network. I’m just saying that you should understand exactly what the possible risks are so that you can determine if they are or are not a major concern for your situation. For the most part, while it’s definitely always better to encrypt credentials whenever possible, there are many situations where a clear text credential traversing a LAN is not the end of the world. There are other cases where a clear text credential traversing a LAN should be avoided at all costs.

First let’s clarify the difference between a hub and a switch. This is critical to understanding the security ramifications of sending data over the network without encrypting it.

HUB: A hub is essentially a network repeater. It’s not an “intelligent” device, per se. Any data that is sent from any port on the hub is then repeated to all other ports on the hub. This means that every port on the hub will receive (see) the same data that all the other ports see. Aside from being very inefficient, it also doesn’t provide any degree of security for the data that moves through it.

Imagine a 24-port hub with your computer connected to port 1, your target server connected to port 24, and then 22 other computers connected to the other ports on the hub. If your computer sends data to the target server on port 24, all other computers will see that data. In the event that you send a plain-text password to the target computer, if the machine plugged into port 7, for example, is setup to capture all of the data that it sees on its port, it will actually capture your password, even though your password is intended for the server on port 24.

SWITCH: Unlike a hub, a switch is a smart device. The switch actually learns what devices are connected to each of its ports, and it maintains a table to keep track of this information. When data is sent through the switch, the switch looks at the individual packets, and it forwards each packet only to the port or ports that the data is destined for. Not only is this much more efficient, but it also provides some security for the actual data.

Imagine a 24-port switch with your computer connected to port 1, your target server connected to port 24, and then 22 other computers connected to the other ports on the switch. If your computer sends data to the target server on port 24, NO other computers attached to the switch will see that data. In the event that you send a plain-text password to the target computer, if the machine plugged into port 7, for example, is setup to capture all of the data that it sees on its port, it will NOT capture your password. This is because a switch will send your data directly to port 24 without broadcasting it to all the other ports on the switch.

CONCLUSION: Since it’s now 2014, the very large majority of networks are built on switches, with very little or no use of hubs whatsoever. With regard to credentials being sent across a network in clear text, it’s not necessarily all that big of a deal when you’re dealing with a modern switched network. To be clear, I’m not saying that lack of encryption is good! I’m just saying that in relative terms, it might not be nearly as bad as it sounds. A malicious user wouldn’t simply be able to plug a device into an open port on the switch in order to be able to capture the data sent to all other ports on the switch. We generally recommend using encryption whenever possible. However, the point is that it’s always important to understand the nature of the problem you have so that you can best determine how to solve it or work around it. The clear-text credentials problem on a switched network is, for many network administrators, not necessarily the biggest problem. It depends on the particular network’s physical setup, the security requirements of the company that operates the network, as well as numerous other factors.

Posted in Blog, General | Tagged , , | Comments closed

Getting Started with BatchPatch

If you just downloaded BatchPatch for the first time, let’s go through the things that you need to have in place for the software to function properly.

  1. PsExec: Download PsExec from Microsoft
    1. PsExec needs to be placed in the Windows PATH of the computer that is running BatchPatch (target computers do *NOT* need psexec). The PATH is an environment variable that controls where Windows searches for an executable that is specified at the command line. We recommend that you simply put PsExec.exe in C:\Windows because the Windows directory is included in the PATH when Windows is installed. You can read more about the PATH here: http://en.wikipedia.org/wiki/PATH_%28variable%29.
      If you have trouble you can alternatively specify a custom filepath for PsExec.exe in BatchPatch by going to ‘Tools > Settings > Remote Execution > Use psexec.exe custom filepath’.
    2. Open a command prompt (start > run > cmd) and launch PsExec one time by typing ‘psexec’ without the quotes, and then press enter. Accept the End-User License Agreement for PsExec.
    3. Make sure the PsExec.exe is not blocked by Windows. Right click on PsExec.exe and select ‘Properties’ and then click on the ‘General’ tab. If you see the ‘Unblock’ checkbox as shown in the image below, check the box and click OK.
  2. Permissions: In order for BatchPatch to work properly, you must have access to a user account that is in the local administrators group on the target computers that you will be working with. In your environment, this might be as simple as logging on to your computer as a domain administrator, and then simply running BatchPatch. However, if you’re using local accounts with no domain, there are some additional configuration steps, so if you have any issues whatsoever with authentication with or without a domain, please first consult this link and read through it entirely to make sure you have everything setup properly: BatchPatch Authentication in Domain and Workgroup (Non-Domain) Environments
  3. Firewalls: In order for BatchPatch to communicate with target computers, firewall software on the target computers either needs to be disabled altogether (not recommended), or it needs to be configured to allow the appropriate services to be able to communicate (recommended). For more information as well as instructions on configuring Windows Firewall for use with BatchPatch, please see this link: Using BatchPatch with Windows Firewall. For specific information about port requirements, please see BatchPatch Port Requirements. After that, verify on target computers that the following items are working:
    1. The Workstation service is running (check using services.msc by going to start > run > services.msc)
    2. The Server service is running (check using services.msc)
    3. The Remote Procedure Call (RPC) service is running (check using services.msc)
    4. The Windows Management Instrumentation (WMI) service is running (check using services.msc)
    5. The Admin$ share is available (go to start > run > \\targetComputer\admin$ to test this connection)
    6. ‘File and Printer Sharing is enabled (no need to actually share anything)
  4. Lastly, if you are using WSUS, here are some guidelines for Group Policy settings that you might want to incorporate to get the most out of BatchPatch. WSUS is NOT required to use BatchPatch. Additionally, if you DO use WSUS, no special configuration is required. BatchPatch will work with your existing WSUS environment. Additional guidelines for integrating WSUS and Group Policy for BatchPatch
  5. Once you have everything in place, you can simply launch BatchPatch and add some computers to the grid!
  6. Troubleshooting Common Errors: If you run into any problems, this link explains how to resolve the most common errors that might occur: Troubleshooting Common Errors in BatchPatch
  7.  

    BP_GettingStarted

Posted in Blog, General, Tutorials | Tagged , , | Comments closed