My not so uninteresting notes

Misc notes about truecrypt

mat — Mon, 07 Dec 2009 00:54:00 +0300

Truecrypt is a very handy tool for disk encryption, but it lacks for an enterprise use the capacity to have a remote rescue mode. It's a kind of second very complicated password that you will dictate to the user when he was s****** enough to forgot his boot password.

Well the good news with free software it's that you can always do something as you have the source code. And in the case of Truecrypt it turns out that it seems not so complicated. Here are my notes for someone (maybe me) who wants to add this option.

In Boot/Windows/BootMain.cppBoot/Windows/BootMain.cpp (to support dual password that's all that is needed)

Make OpenVolume read 2 sector instead of 1
Try to read each sector to see if the entered password correspond to one of the two sector
In repair menu define the offset for the second sector holding rescue/admin encoded key

In Common/BootEncryption.cpp (so that when creating the volume a second password can be added)

Make Prepare installation create two volume header (one with the normal password and one for rescue/admin)
Make InstallVolumeHeader install the two volume header

And a few things for password but I didn't investigated much (yet).

Openvpn GUI improvments

mat — Mon, 21 Sep 2009 22:56:00 +0400

Openvpn is a great VPN tool and further more it has client for Linux, Mac OsX and Windows. The latter has also a simple GUI that allow people less familiar with computer to use a VPN.

Unfortunately I found the current version 1.0.3 too limited when dealing with a user with limited right (ie. without administrative rights) so I produced a version 1.0.4 that provide the following improvements:

allow unlimited timeout for the pre-connection script (useful when prompting a user for password)
provide a better feedback to the user on the real status of the connection when using service managed connections
allow to run post connection script per connection when using service managed connection
allow to run a post non connection script per connection when using service managed connection (that is when a connection is though to be unsuccessful)
allow service to be terminated on user logoff or on suspend

I attached to this entry the binary openvpn-gui-1.0.4.exe, the patch from 1.0.3 to 1.0.4 and also a patch to allow to crosscompile openvpn on linux using mingw32 crosscompile environment.

Making DHCP interim still work when bind9 only accept signed requests

mat — Sun, 06 Sep 2009 17:34:00 +0400

Having workstations names updated in the DNS is quite cool and very usefull (the more you use it the more it becomes important to you ...).

The problem is that once you active DDNS update directly from Windows workstations like it's describe here or here it that it usually breaks DHCP interim updates (also known as the second way to make DDNS update works).

You might wonder, why bother to use DDNS update from the workstation if we can achieve it from the DHCP server ?

Well it's simply because sometimes you have resources which IP address is not defined by DHCP server (ie. fixed IP workstations or servers or most important: workstations connected through VPN). We can also wonder why use DHCP interim if DDNS from workstation work, well it's because not all the workstation are for the moment able to update their DHCP records (ie. Mac OsX, Linux, printers, ...).

So you sometimes you want to take the best of the both world, the good news is that it's possible and it's even not very complicated !

This small guide suppose that you have already DHCP interim that was working before you decided to activate signed DDNS (that are used by the Windows workstations), if not please check on this internet for guides like this one or this one

Why DHCP Interim has to be disactivated when signed DDNS is used ?

So most of the tutorial about DHCP DDNS use a configuration like this to authorize updates from the DHCP server:

  allow-update { key dhcpupdate; };

But Bind9 do not accept both allow-update and update-policy

The solution

The solution is to migrate from allow-update to update-policy to do so you have to add something like that to the update-policy for your DNS zone: grant dhcp.example.org subdomain example.org A AAAA; so that the whole thing looks like:

   update-policy {
        grant dhcp.example.org  subdomain example.org A AAAA;
        grant EXAMPLE.ORG ms-self * A AAAA;
   };

Once that done you have to search for the definition of the dhcp update key (here dhcpupdate in my example) and replace it to dhcp.example.org (where example.org is your DNS domain). Usually tutorials propose to create a separate file for storing the key or propose to add a key stanza in the named.conf. Anyhow you have to change it to have something like this:

key dhcp.example.org {
  algorithm hmac-md5;
  secret "YOURKEYGOESHERE";
};

The last step is to modify the dhcpd.conf to replace all the occurrence of old key name to the new one (ie dhcpupdate to dhcp.example.org). Last note: if your dhcp server is on a different server than the DNS server and that the key is stored in a separate file then you need to modify the name of the key in this file as well.

Once every thing is modified you have to restart dhcpd and bind9 and everything should work (you can verify as your mileage can vary ...)

DDNS, Bind9 and MS Active Directory

mat — Sun, 06 Sep 2009 16:54:00 +0400

If you are interested to make Bind9 accept DDNS request directly from Windows workstation (XP, Vista, Seven) or server (2003, 2008, ...) the way proceed is not much different from this one. So reading the howto of Samba4 about DDNS is a good starting point.

The only difference is that by default you do not have an access to the DNS keytab. Hopefully this email give all the needed informations, you need to:

Create a user into your active directory, I suggest bind9 as the login name and also as first name and make the password not to expire (Password never expire)
Modify the /etc/bind/named.conf.option so that the entry tkey-gssapi-credential contains "DNS/bind9.example.org";
Use ktpass to extract the credentials as a keytab:

ktpass -out dns.keytab -princ DNS/bind9.example.org@EXAMPLE.ORG -pass * -mapuser bind@example.org

Of course you should adapt example.org and EXAMPLE.ORG to the name of your AD realm ...

DDNS with Windows and Samba4

mat — Thu, 03 Sep 2009 17:15:00 +0400

I recently tried Dynamic DNS updates (aka DDNS) with Windows XP (but that's valid for anything newer) and Samba4. Globaly the explaination that comes with Samba4 are good but I noted a few points that need to be tweaked (or checked at least) to be sure that it works.

Activate signed DDNS updates

Once you configured the bind server accordingly with the documentation, it will only accept signed updates. On my test systems it turns out that XP didn't send signed updates by default.

To change this you have two choices:

Use GPO
Use local policy editor, this choice is not recommended as the modification has to be done on every workstation in the domain but for testing it's just fine !

To change the DDNS parameters you have to go in Computer Configuration -> Administrative templates -> Network -> DNS Client, if the choice is not present it's mostly likely that you miss the needed adm file (system.adm) they can be found here

Then enable Dynamic Update and Update Security Level (set the latter to Only Secure or Unsecure followed by Secure) select also Register PTR Records if you want PTR record as well. If you choose the GPO way you have to wait for the workstation to update its policy (well you can help it with gpupdate /force).

Configure correctly the reverse zone

Check the SOA record of your reverse zone, the primary name server must be valid an point to your DNS server (the DNS server is the name just after SOA in the record). To check use dig on any ip address of your zone (here my range is 10.6.1.0/24 with the dns server at 10.6.1.1) :dig 1.1.6.10.in-addr.arpa. SOA @10.6.1.1

You should get something similar to this

; <<>> DiG 9.5.1-P2 <<>> 1.1.6.10.in-addr.arpa. SOA @10.6.1.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4956
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.1.6.10.in-addr.arpa.         IN      SOA

;; AUTHORITY SECTION:
1.6.10.in-addr.arpa.    604800  IN      SOA     test.smb4.tst. root.localhost. 2009090320 172800 14400 3628800 604800

;; Query time: 2 msec
;; SERVER: 10.6.1.1#53(10.6.1.1)
;; WHEN: Thu Sep  3 19:07:17 2009
;; MSG SIZE  rcvd: 103

Test, test and test

The easiest way to test is to use ipconfig like this ipconfig /registerdns, it will force a Windows to update its DNS records in the DNS server.

Note: This KB from Microsoft explains quite well what are the option for the DNS client in case that you had specials constraints.

Updating wireshark dissectors

mat — Sun, 16 Aug 2009 11:24:00 +0400

Last weeks I've been pretty busy on wireshark dissectors.

Apart from some small modifications in the NTLMSSP dissector, I've been working hard on DCE/RPC dissector for netlogon.

Both lastest patches for this are attached to this entry.

me @ twitter

mat — Thu, 25 Jun 2009 00:15:00 +0400

As a lot of people I just created an account on twitter ! Let see !

NTLMSSP 2

mat — Mon, 04 May 2009 21:35:00 +0400

No it's not the sequel of a film, just an updated version of /public/Download/patchs/patch_ntlm_040509 patch for wireshark. This version add the following updates

Support for DCE/RPC with direct NTLMSSP auth
Support for DCE/RPC with SPNEGO with NTLM auth mechanism

I also started to work on the verfier verification (sic) but it didn't work for DCE/RPC (I didn't get the right HMAC MD5), and I need also to find a way to update information into wireshark to reflect the fact that MD5 (and also NT challenge also in case no good password can be found).

Xerox 7232 & Samba : Veni Vidi Vici

mat — Sat, 02 May 2009 00:35:00 +0400

Well almost ! Last week I've been chasing down problem(s) that prevented this printer to work with samba, or more exactly to be served through samba print server. It's reported here, if you look at the first comment you'll find some idea for the workaround.

Basically the idea is to setup a printer locally give it the same shared name as the one on server, then export the entry into .reg file, then you define the driver for the printer on the server it will generate some error messages but you can ignore them. Then open the server registry (through a XP workstation for instance), load your exported registry entry into server registry, safely ignore error message.

Et voilà you can enjoy your shared printer on a samba server !

Patch for NTLMSPP auth mechanism

mat — Sat, 25 Apr 2009 18:00:00 +0400

I'm quite proud to produce here my first real patch for an opensource project: Wireshark.

The attached patch allow to decode LDAP traffic encoded using NTLMSSP scheme. Even if now kerberos tends to be more and more used for authentification and encryption (through GSSAPI), NTLM and NTLMSSP mechanism is still used frequently by Microsoft products (either as a fallback when kerberos is unavailable, or as the only secure choice like SPA mode in outlook).

So I think that this patch will definitly be useful to others.

The patch is attached to this entry ! (see bellow)

Creating LDAP account in Outlook

mat — Sun, 15 Mar 2009 19:19:00 +0300

I spent a few hours to improve this script to allow creation of multiple LDAP entries with login and password. The result is here: addldap.vbs. It fix some flaws of the previous scripts such as:

only one ldap account
user has a popup on next outlook startup

It works perfectly with anonymous LDAP, but setting a password do not work very well: you can pass an array representing the password obtained by a manual setup.

But It will only work with this account because the password is encoded using DPAPI which use the user personal key to encrypt the data. Trying to deploy this to other user will badly fails (as outlook will find the whole ldap account broken).

There is a way to mitigate this problem: when using SPA authentication outlook will firt use the credential of the logged user before those supplied in the account creation (if they are different). So if you want to have a non anonymous access to LDAP and what the logged user to provide his credential you just have to call the script and supply the username, an empty array as password and set doSPA parameter to 1.

I also discovered that unlike email accounts, LDAP accounts do not prompt the user when the password is wrong. Which reduce the number of prompt the user receive when a password has expired.

At the end the only two cases where this script is useless are:

accessing an LDAP with a generic account
accessing an LDAP that do not support SPA (aka NTLM authentication)

I guess those case are pretty rare (well I hope)

Putting all together

mat — Sun, 19 Oct 2008 20:07:00 +0400

I have been busy last weeks making L4SUS more friendly or at least less complicated !

I am quite happy of what I acheived so far. As the title says I put everything together to make a real install guide and some documentation.

All of this is the 0.1 release you will need the zip and the tar file because it was easier to package one for windows and the other one for Unix/Linux/....

Enjoy !

l4sus_0.10.zip and l4sus_0.10.tar.gz

Fighting with call progress tones

mat — Sat, 11 Oct 2008 17:08:00 +0400

If you are like me a happy owner of any sippura (or now linksys spa) ata device and you are not living in US, then configuring the regional part of the device can be complicated. Especially the "Call Progress Tones" part.

First you have to know that the real important part is the following tones:

Dial Tone
Second Dial Tone
Outside Dial Tone
Prompt Tone
Busy Tone
Reorder Tone
Off Hook Warning Tone
Ring Back Tone

All this tones use a rule with the following syntax:

 freq1@db_level1,freq2@db_level2,...,freqn@db_leveln;
 num_seconds(frequency_sequence1,frequency_sequence2,...,frequency_sequencen)

With frequency_sequence with this syntax: num_seconds_on/num_seconds_off/frequencies

With this explainations 480@-19,620@-19;10(.5/.5/1+2) is quite simple to understand it is a signal of two frequencies :
480Hz and 620Hz both at -19dB during 10 seconds both frequencies (due to 1+2) will be played with this rhythm: half of second (.5) on and half of second off.

This more complicated one: 985@-16,1371@-16,1777@-16;*(.380/0/1,.274/0/2,.380/0/3,0/4/0) consists of 3 frequencies:
985Hz, 1371Hz and 1777Hz all at -16dB they will played forever (until status change for instance ...) with the following rhythm: 985Hz during 0,380 seconds then 1371Hz during 0,274 seconds then 1777Hz for 0,380 and finally no tone during 4 seconds.

If you are searching for the frequency for your country indications.conf from asterisk is your friend.

Fighting spam part 1: Spamtrap

mat — Thu, 04 Sep 2008 19:58:00 +0400

Why do we need to train the filter

Bayesian filters use a statistical approach to classify emails, in order to make it works you need to train the filter at the beginning with both know spam and not spam (ham) emails so that the filter knows which events are statistically present in spam emails and which are not. This is often done by the administrator (otherwise the bayesian part is not activated in most filters) but the day to day training is not so often done and not so well which leads to reduced filter efficiently as time goes by.

But in fact it's very important that the filter stays up to date with new spam messages so that it can gather new hints of spams and stays at the top. If the filter is not usually fed continuously with new spam messages it's because the task is not so easy.

So far I found 3 way to feed the filter with new spam messages:

Setup ham and spam folder for every users, fetch emails in each folder and inject them into the filter as new training email
Setup ham and spam email address, extract initial email from the message and inject it into the filter as new training email
Setup a spam trap so that all the email that go in will be injected in the filter for training.

The ham/spam folder solution

I won't talk much about this solution in this post, but this solution implies that you can easily read the email into this folder, IMAP server is then a necessity and emails have to be accessible. sa-learn-cyrus is a good script that helps you to do implement such kind of training.

The ham/spam mailbox

This solution shares lot of aspects with the previous one, it can be used even if you do not access to the raw email on server or if emails do not stay on server (ie. POP3 access). I will come back later in my series on a script to help to automate the analysis of emails sent by users. Basically you have to extract the real email and give it in input to the learning program of your filter (ie. sa-learn for spamassassin).

Problems with first 2 solutions

Each solution relies on the fact that users will classify emails, of such kind of behavior you can never be 100% sure. For misclassified spam (that is a valid message classified as spam) you can expect that you will get the information back because the user will be really annoyed that his email was wrongly classified that he will either put a copy in the dedicated directory or forward you to the appropriate mailbox.

But for the spam, people tends to just delete spam emails that are not classified (instead of forwarding them to the appropriate mailbox or moving it to the spam folder), and if they do it it won't be their priority so the training will be done later when it will not be so useful.

And last but not least problems is that users still continue to receive spam, most probably "bleeding edge" spams and so the filtering service is percepted as no so efficient which is sad !

The spam trap

The idea behind the spam trap is simple: setup a couple of mail address not used and that will not receive real emails and train the filter with those emails as new spams. One might ask which addresses should be used and it's a good question because you must be sure that the address will receive (enough) spam so that it will be useful.

At this task, the bad habits of spamers of trying any combination of letters and numbers might be of a great help to find addresses to trap spam. In deed if your mail server is well configured, it should have a list of valid recipient and if an email arrive for an invalid recipient it will (should?) be rejected by your server (if not I suggest that you start with this because it's a rather good practice).

In my case I use postfix and when an email is rejected I have the message : User unknown in local recipient table, for instance:

postfix/smtpd[32180]: NOQUEUE: reject: RCPT from unknown[85.102.177.38]:
  550 5.1.1 <64e4cf71d8d4f61c9f34e@matws.net>:
  Recipient address rejected: User unknown in local recipient table;
  from=<udp@neath-porttalbot.gov.uk>
  to=<64e4cf71d8d4f61c9f34e@matws.net>
  proto=ESMTP helo=<dsl85-102-45350.ttnet.net.tr>

So with the following command :

grep "User unknown in local recipient table" mail.log \
 | perl -ane 'm/ to=<([^@]+@[^>]+)> /; print "$1\n";'\
 | sort  | uniq -c | sort -n

I get a list like this:

     14 knfipen@matws.net
     18 2ec8fcca3ffcbb7cb960e@matws.net
     33 fixeq@matws.net
     45 lxyfxdybbh@matws.net
     48 gzxyvsf@matws.net
     65 kfiptmh@matws.net

So kfiptmh@matws.net or gzxyvsf@matws.net seems to be good target (or not so bad) for trapping spam. As we tend to receive a lot of spam once that our email is "discovered", you can expect to receive more spam shortly after starting accpeting email on a trap address which in our case is a good thing !

Now that we have identified potential addresses, you just have to instruct the mail server to send all the emails for those address to a script that will chunk them and train the filter. Here is a recipe when using postfix using the catch_spam script attached to this post

Adapt parameters

At the top of the script, adjust the parameters:

$host, host or ip address of the server running the spamd daemon, set to undef to desactivate this parameter (will use localhost as spamd server)
$user, Unix account for which the spam will be learned, set to undef to desactivate it (will use the .spamassassin directory of the user which started the script)
$dir_base, base directory holding new potential spam when not running in quiet mode, this directory must be writable by the user that will run the postfix service (ie. nobody)
$conf, a YAML configuration file (see example attached to this post) for filtering out some good email (based on regexp in header)

Create a new postfix service

We are about to create a catchspam service into postfix, this service will process all the emails caught by the trap, to do so add the following lines into /etc/postfix/master.cf:

catchspam unix  -       n       n       -       -       pipe
  user=nobody argv=/usr/local/script/catch_spam -q

Adapt:

argv so that it reflect the path where you installed the catch_spam script
user so that it reflect the Unix account with whom you learn spam (in which home directory bayes token are stored ...)

Add transport maps and tune delivery

In the /etc/postfix/main.cf add the following lines:

catchspam_destination_recipient_limit = 1
transport_maps = hash:/etc/postfix/transport

The latest line can already be in your /etc/postfix/main.cf, in this case there is no need to duplicate it.

Add the emails to valid recipient list

After settling on a list of emails that will be used for trapping spams, you need to add them to the list of valid recipient. Just add them to /etc/aliases with nobody as pair alias, ie:

# For kfiptmh@matws.net
kfiptmh: nobody
# For gzxyvsf@matws.net
gzxyvsf: nobody

Run newaliases, to make postfix aware of the change. Starting from now you are accepting emails for those trap addresses (gzxyvsf@matws.net and kfiptmh@matws.net in my example).

Create/Update /etc/postfix/transport

The latest step is to instruct postfix to forward emails for trap addresses via the postfix service created above, instead of trying to resolve the alias. We create or update /etc/postfix/transport by adding lines following the template bellow for each trap address

<trap_address> catchspam

For instance for my two trap addresses:

gzxyvsf@matws.net catchspam
kfiptmh@matws.net catchspam

Run the following command so that postfix can really use this file:

postmap /etc/postfix/transport

And finally restart postfix so that all the modification will be active in postfix.

Starting from now, the trap is working and any email send to the trap address will be automatically sent to spamassassin bayesian filter for spam training

Fighting spam part 0: Introduction

mat — Tue, 02 Sep 2008 15:42:00 +0400

I am about to write a few articles about not so bad technics to fight efficiently spam, along the past years I developped some technics to fight spam. The latest ones seems to provide a high ratio in term of efficiency it means high quantity of spam catched and almost no false positive. I started developping this for my own personnal domain and due to my current job expand and enhance this for the company where I work for.

At the beginning it was quite simple because for my personnal use, I work with thunderbird and it includes since a long time a very good spam filter which require not so much trainning before achieving a very good filter quality and so I didn't worried much about the quality of filtering done right on the server by the SPAM filter.

But, alas, thunderbird (as many other opensource project btw) is not corporate enougth and we are stuck with outlook ... The Junk filter of the latest is rather complicated and rather unusefull. So if you want to reduce the cries of the users about SPAM you have to find a good solution on the server.

The technics that I'll present are built around spamassassin and bayesian filtering, that's not revolutionnary technologies but with a fairly good (and not complicated) and quick tuning you can acheive a very good result.

It might seems unlogical (and it is a little bit) but I'll start this serie by an article on how to train automaticaly an already running spam filter based on bayesian filtering, article about how to setup it will follow but a bit later. My reason for this is that there is tons of guides on Internet on how to setup bayes in spamassassin, whereas articles on how to train it (without the help of the standard users feedback) are rare.

Part 1: setting a spamtrap

Microsoft my worst nightmare part 1.

mat — Mon, 23 Jun 2008 20:26:00 +0400

Intro

It is going to be a long story with a high number of sequels it seems.

I must confess that I do not have a high esteem for Microsoft products in general but my day work force me to use them or at least support user using it and more often than not I face real stupidity in the product.

Right now my key target is Outlook from Office 2003 edition.

Using Outlook, so remove Outlook Express ?

Well it might seems logical that if you know for sure that you will use Outlook then you won't need Outlook express. If you were ready like me to remove this component with image creation tools like nlite I should not recommend you to do so !

Why ? because if you do so and try to access to a IMAP/POP3 server, it will not work because you'll need registered DLL that comes with Outlook Express and could not be provided by Outlook. Sounds good ! I spend a few hours last week on this and find no way real way to escape ! (copying DLL failed because they need to be registered, copying + trying to register with regsrv32 failed on registration, reinstallation of Outlook failed). Don't get me wrong I didn't say that you can't manage is some situation to manage to register or install outlook (especially if you do not have installed security fixes but you might run into troubles.

There must be a good reason for this, and I can understand that maybe Microsoft guys wanted to mutualise code between two versions, cool good idea, but when you install Office if one or more DLL is missing then setup should install it and do what ever is needed so that thoses DLL will be installed and registered !

L4SUS update

mat — Sun, 22 Jun 2008 20:50:00 +0400

My first public release included some bugs.

I just release right now the version 0.02, it fixes lots of typo in my first release.

The whole system is pretty stable now, but it rely on automation both on the client and the server so now it's time to move on something else:

Create installer for windows using something like nsis so that simple configuration and scheduled tasks can be created automaticaly
See with OCS Ng what can be done to go further in the automation
Use offline database wsusscn2.cab to save bandwith when checking for updates (at least as an option)
Dig more deeply in the documentation of WSUS API in order to have more informations about updates.

The lastest version is here

To be continued ...

L4SUS

mat — Sun, 01 Jun 2008 21:04:00 +0400

From the theory to practice there is a huge gap use to say my teachers.

Well I faced them well trying for real the script described here in short every thing was mostly but in order to get something that is really exploitable more efforts were needed.

Now it's done and I packaged every thing in the zipfile attached to this post. This is mostly 3 scripts (and a few subscripts) bundled together, it require a samba server. I called this L4SUS and it stands for Linux For Server Update Service.

Using L4SUS should be quite simple:

Extract all .vbs script in a folder on each computer you want to manage updates
Rename updatelist.conf.example to updatelist.conf and adapt configuration (ie. the name of the samba server and the root path serving update)
Install perl script in the samba server, make it executable (chmod a+x) and adapt paths at the top of the script ($dest_base_dir and $update_file_dir)
Verify that Windows update is configurated to search (and only search) from udpates
On the samba server create a directory called files in the directory pointed by $dest_base_dir, and for each computer a directory of the name of the computer also is the directory pointed by $dest_base_dir

The most tricky part is that $dest_base_dir (in download_winupdate) must be exported as the value of filePath (in updatelist.conf).

Main components of this systems are :

getupdatelist.vbs, this script search for applicable updates on the computer where it is running, it create a file in its own folder called yyyymmddproposedupdate.log which contains a list of all updates, their id and their file's url.
download_winupdate, provide a computer name to this script and it will parse the latest proposedupdate.log file, then download missing updates files and create a command list:: upatelist which indicate to doupdates.vbs how to do the updates
doupdates.vbs, this script execute as most quietly as possible the different updates listed in updatelist

You can get a nearly automatic systems by scheduling the scripts via cron and windows scheduler. Of course in this case it does mostly the same as using directly windows update (well it should use less bandwidth but it seems not as clever as windows update when it comes to do all the updates quietly ...).

Expect more updates soon, because it still a bit rough and should need more polish.

Listing Windows Updates for fun ... and profit

mat — Sun, 18 May 2008 19:29:00 +0400

A couple of month ago I was searching for a solution for managing windows updates (and maybe more).

Out of the box you've got two solutions :

Standard Windows Update mechanisms
WSUS (Windows Server Update Service)

Both were not ok for my needs in a small sized company, here are the reasons:

Standard Windows Update

When you have non IT users (which is the case of nearly every companies) you must enable automatic updates.

Main drawbacks of this methods is that you don't control which updates are installed and which are not and each computers download a copy from internet which is inefficient and a pure waste of bandwidth and could even be a big problems when the size of company grow beyond a few tens of users.

WSUS

WSUS is a good solution from Microsoft to address the problems of standard update.

You setup the service and it will manage to find available updates, then you select the one you want and they will be downloaded. On the client you just have to change the address of the update server to point to your own update server and voilà everything is working !

But It oblige you to have a Windows 2000 or 2003 server and I really hate the strategy of lock down done by Microsoft.

As both solutions didn't suits my needs, I started looking for others. I found LSUS which is available into Samba-edu as it is an opensource project, I am pretty sure that it is quite easy to extract the LSUS part but I decided not to investigate more in this way.

At this moment I decided to investigate different solution and through Windows Update API manage to have something even not complete. The script listupdates.vbs is this result. This script for the moment just output the name and the url for the different updates, but it should not be very difficult to add the missing parts.