Educause Security Discussion mailing list archives

Re: Desktop patch management?


From: LaSandra DeLeon <ldeleon () MIRAPOINT COM>
Date: Fri, 12 Sep 2003 11:30:47 -0700

Is this a CIO forum related to Educause? How can I join?

~ LaSandra DeLeon
  -----Original Message-----
  From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ariel Silverstone
  Sent: Friday, September 12, 2003 11:21 AM
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Subject: Re: [SECURITY] Desktop patch management?


  I just submitted a very similar question to the CIO forum.  Will keep all
informed of replies there.



  Thank you,



  Ariel Silverstone


------------------------------------------------------------------------------

  From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eoghan Casey
  Sent: Friday, September 12, 2003 2:05 PM
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Subject: Re: [SECURITY] Desktop patch management?



  Craig,

  I am also interested in responses to this question for the purposes of the
Effective Security Practices project. Most of the solutions that I have
encountered do not address the "keep-your-hands-off-my-systems" situations
that are common in higher education environments. For instance, commercial
management software requires some access to deliver patches and change
configuration. Automatic delivery of patches using a local SUS server
requires systems to be in a domain.

  The only legitimate* method that I have encountered that does not require
access to the system is the UConn NetReg Scanner
(http://security.uconn.edu/uconn_response.html). If a scan determines that
the system is not patched, it does not get on the network.

  * illegitimate = exploiting the vulnerability to apply the patch

  Eoghan Casey
  203-645-2774

  On Friday, September 12, 2003, at 01:03 PM, Craig W. Drake wrote:

  I was just wondering how everyone is handling desktop patch management in
their environments.  We are in a situation where users/departments manage
their own desktop systems.  We do not have any kind of Windows domain
structure and do not have any kind of common administrator account/password
on desktops university-wide.  Some users/departments have very negative
attitudes towards our IT department and do not want anybody from our
department "messing with" their computers. Management doesn't want to lose
favor with those users by forcing them to comply with any kind of
centralized IT policy. We have tried sending out emails to our users asking
them to visit WindowsUpdate, but only about half of the computers get
updated.  Does anybody have any suggestions on how to force all of the
updates to all of the computers on campus in this situation?

  Thanks,

  Craig W. Drake
  Networking and Distributed Services
  Northeastern Illinois University
  C-Drake () neiu edu


  ********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
