General discussion


Patch Management

By zackp

Hello all, I am new to the group. I have approximately 4 years IT experience, mostly with a state agency here in Kansas. We had top of the line equipment and spent tons of money for the infrastructure. Well, I have moved on and currently work for a small bank in Kansas with approximately 30 branches spread throughout the state. We are currently using Citrix servers to manage desktops and programs. The users do not store or use anything much on the PC itself; they act somewhat as thin clients. The problem lies in that some are NT, some are 2000 and some are XP machines. They all are missing patches and they all only have 256k connections, so bandwidth is an issue. I cannot use SUS because it will download the patches over the internet, which is a DSL connection, and the patches cannot be pushed out overnight. They have a policy to shut down PCs at night. I have considered using a logoff script, but then I run into other security issues, like users are not admins, and other issues. I am a bit flustered and would like any suggestions. Thanks,

Zack Phillips


All Comments


Patch Management

by TomSal, in reply to Patch Management

Hi Zack,

There is a product that would fit your situation rather nicely I think.

It's called "Patch Works" and is made by RippleTech software.

I like it because it is complete patch management, meaning it will download patches for a multitude of vendor products, not just Microsoft. You can set a schedule on when it searches for patches, determine which patches (products) it seeks out, and what machines on your network get what patches pushed to them. There is only one machine needed to do the actual downloading from the 'net -- the patch server. From the patch server it's pushed out to other nodes through your LAN.

Here's a link to get you started.

http://www.rippletech.com/products/PatchWorks/Prod_PW_Overview.htm

Hope it helps.

Tom


Good thinking

by gshollingsworth, in reply to Patch Management

Very wise to control admin rights. That in itself will help to contain security incidents. It can take a lot to figure out workarounds to applications that "require" admin rights, but I think it is worth the effort. I practice that at home as well as work.

As far as SUS downloading patches over the DSL connection, it's an issue, but you need to get them somehow. It is much more efficient than each computer downloading them individually over that same connection. Even if you opt for something besides SUS, that model should be followed.

I assume the overnight shutdown policy is to save on electricity. You need to find out that cost savings to compare to the cost of using the limited bandwidth during the day to keep computers patched. In addition, overnight you have underutilized bandwidth that is already paid for. Our company found it was more cost effective overall to leave desktops powered up overnight to accept patches than to pay for more bandwidth to accommodate daytime usage plus the additional required for patches.

Those NT (4.0?) machines should be upgraded. Microsoft is providing extremely limited support (almost none) for NT 4.0. They have already stated that patches for vulnerabilities in NT 4.0 are very likely NOT to be released.
