Patching anyone?

On March 15, 2005, in Rants, Security, by

From the mailbag today comes the question… how do you let workstations automatically update and still be a restricted user at the same time?


You can’t.  Not that I’ve found anyway.

Ah, great there Susan, you are the one advocating restricted user and now it makes me MORE insecure?  Ah, no.  There’s a way around this.  Several options in fact.

You see there’s this thing called SUS and soon to be WUS or MUS or whatever the marketing folks decided this week to call the current and future centralized patching tool.  As long as you set the updates to automatically install at a certain time and the machine is turned on, the patches will deploy [you’ll have to check the event log files or scan the machines with MBSA to confirm the install].
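The policy values behind that "install at a certain time" setting, written out as a registry file. This is an added example, not from the original post; the server URL and the daily 03:00 schedule are assumed placeholders, and the same values can be delivered through the Windows Update Group Policy template instead.

```reg
Windows Registry Editor Version 5.00

; Added example. Point the Automatic Updates client at the internal
; SUS server instead of the public Windows Update site.
; http://sus-server.example is a placeholder for your own server.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-server.example"
"WUStatusServer"="http://sus-server.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; Keep Automatic Updates enabled and make it use the server above.
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001

; AUOptions decides who has to act before a patch installs:
;   2 = notify before download     (waits for an administrator)
;   3 = download, notify to install (waits for an administrator)
;   4 = download and install on the schedule below
; Only 4 works for a restricted user: the install is carried out by
; the Automatic Updates service, which runs as Local System, so the
; logged-on account needs no admin rights.
"AUOptions"=dword:00000004

; ScheduledInstallDay: 0 = every day, 1-7 = Sunday through Saturday.
; ScheduledInstallTime: hour of the day, 0-23 (3 = 03:00).
; Both values are an assumed schedule; pick a time the PCs are on.
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
```

With options 2 or 3 a restricted user is never offered the install, which is how a workstation ends up unpatched even though Automatic Updates is switched on.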

Right now SUS is fully supported, WUS is in beta.  My strong guess is that sucker will be shipping before July of 2005 come h-e-double toothpick or high water.  [Spell it out, my mother taught me never to swear…not on blogs anyway, they get caught by my Trend e-manager filters, I lose more Rory blog posts and get the ‘Removed by Exchange content scanning service’ notifications to know that those filters cross over from my inbox into my NewsGator folders]

Why, you ask?  Because if I were in Steve Ballmer’s shoes I wouldn’t be going back in front of a crowd of Microsoft partners at the Worldwide Partner Conference another year without something ready.  He first announced it when SBS 2003 was launched in New Orleans in October of 2003.  Now that that very vocal rant is out of the way, you are probably asking what the other method is…

Shavlik.  My FAVORITE once-a-month control thrill is my Shavlik Patch tool.  With it on my desktop I can insert the domain credentials and remotely patch ALL workstations in my office.  As long as those machines are merely turned on, they are patched.  I even deployed my XP SP2 in this manner and only had one ‘gotcha’.  [Nvidia digital video card driver, rolled it back to the SP1 version and all was well]

With these tools you don’t have to have local admin rights on the desktop, and in fact can patch remotely.

