.Net Security Vulnerabilities

Deepak Bisht 1 Reputation point
2022-09-29T07:12:37.92+00:00

Hi,

I am manually trying to take care of an EOL security vulnerability for .NET. "EOL/Obsolete Software: Microsoft .NET Framework 4.5.2 - 4.6.1 Detected" is what I am trying to fix on Windows 2012 R2. After updating .NET to 4.8, I now get a few more which weren't there earlier:

Microsoft .NET Framework Security Updates for August 2020
Microsoft .NET Framework Denial of Service Vulnerability - February 2021
Microsoft .NET Framework Security Updates for October 2020
Microsoft .NET Framework Remote Code Execution (RCE) Vulnerability for September 2022
Microsoft .NET Framework Denial of Service (DoS) Vulnerability for May 2022
Microsoft .NET Framework Denial of Service (DoS) Vulnerability for April 2022
Microsoft .NET Framework Denial of Service (DoS) Vulnerability for January 2022
Microsoft .NET Framework Security Updates for May 2020

Is there a single patch/update which I can use which'll take care of all of these? I don't want to install each and every one, since there are 15-20 servers which need updating.

Any help would be appreciated.

Thanks,
Deepak


1 answer

  1. Limitless Technology 43,931 Reputation points
    2022-09-30T09:01:42.203+00:00

    Hi,

    Thank you for your question and reaching out.

    I understand that you wanted to install updates on multiple PCs at once. Keeping your machines patched is an important part of keeping your network and your data safe. However, it can be a time-consuming process when done manually, and allowing the machines to automatically reboot when finished is not always an option. This how-to will give you the ability to download and install updates on many machines at once while allowing you to postpone reboots until a more convenient time.

    This how-to involves the (optional) use of up to three scripts to initiate the download and install of Windows updates. Alternately, the main script (Script 2) could be added as a scheduled task on the individual machines.

    Step 1: Download the following scripts
    Run command on all computers in an OU (SCRIPT 1) http://community.spiceworks.com/scripts/show/1084-run-command-on-all-computers-in-an-ou

    Download and install updates with or without a reboot (SCRIPT 2) http://community.spiceworks.com/scripts/show/1075-download-and-install-updates-with-or-without-reboot

    Reboot all computers in an OU or a list of specific machines (SCRIPT 3) http://community.spiceworks.com/scripts/show/1085-reboot-all-computer-in-an-ou-or-a-list-of-specific-machines

    Step 2: Download psexec
    PsTools http://download.sysinternals.com/Files/PsTools.zip

    Step 3: Copy files to appropriate locations
    PsExec will need to be somewhere in your path (C:\Windows\System32)

    Create a folder called MaintScripts (or whatever you would like) on each remote machine you will want to update and copy Script 2 to it. (Name the script WSUS.ps1 if you don't want to have to modify Script 1)

    Step 4: Change the PowerShell ExecutionPolicy setting
    You'll need to change the ExecutionPolicy setting on any machine you want to run this on remotely. For the sake of simplicity we're going to set it to Unrestricted; however, if security is a concern, you can Google how to digitally sign the scripts.

    The following registry key needs to be modified either through Group Policy, a PowerShell command run on the machine, or manually:

    HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIDs\Microsoft.PowerShell
    Value: ExecutionPolicy
    Type: REG_SZ
    Value: Unrestricted

    The PowerShell command is:
    set-executionpolicy -executionpolicy unrestricted

    Step 5: Run the remote execution script
    Edit the value of the strOU variable in Script 1 to point to the OU where the machines to be updated are located.

    When you launch Script 1, you will be prompted for your domain credentials (domain\user format) and then the script will attempt to ping each machine before trying to run a command on it.

    There are two variables passed to the Download and update script (Script 2): the first is yes or no to download and install, the second is yes or no to reboot. If you haven't modified Script 1, the default is set to download and install without rebooting.

    You can monitor the progress of the update script (Script 2) as a window will open up showing the status of each machine.

    Step 6: Reboot the computers to finish updating
    Script 3 can be run at any convenient time to reboot all the machines that you just updated or just to reboot a container full of machines for any reason. Just modify the strOU variable to point to the OU you want to reboot.

    If you only want to reboot a list of specific machines, enter them into the strSpecific variable separated by commas. If the value of strSpecific is anything other than "", strOU will be ignored.

    There you have it. I currently use this to install updates on 300 servers spread across 50+ physical locations. Without these scripts, it normally takes two days of manually remoting each machine and telling it to install updates. With the scripts, it takes about a half an hour.

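
Step 4 of the answer mentions signing the scripts as the alternative to Unrestricted. The following is an added example, not part of the original answer, showing that route: sign Script 2 once, require signatures on the targets, and verify the copy. It assumes a code-signing certificate already exists in the admin's store and that its issuer is trusted (Trusted Root and Trusted Publishers) on the target servers; the function names and the `C:\MaintScripts` location are hypothetical.

```powershell
# Added example (not from the original answer). Function names and the
# C:\MaintScripts path are hypothetical; adjust them to your environment.

function Add-MaintScriptSignature {
    # Run on the admin workstation that holds the code-signing certificate.
    param([Parameter(Mandatory)][string]$Path)

    # Pick the unexpired code-signing certificate with the latest expiry date.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw 'No unexpired code-signing certificate in Cert:\CurrentUser\My.' }

    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }
    $sig
}

function Test-MaintScriptSignature {
    # Run on a target server after copying the script: confirms the file was
    # not modified after signing and that the signer chains to a trusted root.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = $sig.SignerCertificate.Subject
        Ok     = ($sig.Status -eq 'Valid')
    }
}

# On the admin workstation, before copying the script out in Step 3:
Add-MaintScriptSignature -Path 'C:\MaintScripts\WSUS.ps1'

# On each target server (elevated), instead of Unrestricted:
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Test-MaintScriptSignature -Path 'C:\MaintScripts\WSUS.ps1'
```

Under RemoteSigned, a script copied to a local folder without a mark-of-the-web is treated as local and runs unsigned, so AllSigned is the setting that enforces the signature check here. Any edit to the script after signing produces `HashMismatch` and requires re-signing.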