Educause Security Discussion mailing list archives

Re: Desktop patch management?


From: Eoghan Casey <eco () CORPUS-DELICTI COM>
Date: Fri, 12 Sep 2003 14:05:13 -0400

Craig,

I am also interested in responses to this question for the purposes of the Effective Security Practices project. Most of the solutions that I have encountered do not address the "keep-your-hands-off-my-systems" situations that are common in higher education environments. For instance, commercial management software requires some access to deliver patches and change configuration. Automatic delivery of patches using a local SUS server requires systems to be in a domain.

The only legitimate* method that I have encountered that does not require access to the system is the UConn NetReg Scanner (http://security.uconn.edu/uconn_response.html). If a scan determines that the system is not patched, it does not get on the network.

* illegitimate = exploiting the vulnerability to apply the patch

Eoghan Casey
203-645-2774

On Friday, September 12, 2003, at 01:03 PM, Craig W. Drake wrote:

I was just wondering how everyone is handling desktop patch management in their environments.  We are in a situation where users/departments manage their own desktop systems.  We do not have any kind of Windows domain structure and do not have any kind of common administrator account/password on desktops university-wide.  Some users/departments have very negative attitudes towards our IT department and do not want anybody from our department "messing with" their computers. Management doesn't want to lose favor with those users by forcing them to comply with any kind of centralized IT policy. We have tried sending out emails to our users asking them to visit WindowsUpdate, but only about half of the computers get updated.  Does anybody have any suggestions on how to force all of the updates to all of the computers on campus in this situation?
 
Thanks,
 
Craig W. Drake
Networking and Distributed Services
Northeastern Illinois University
C-Drake () neiu edu
 
