Better way to perform Microsoft security patching?
From: Exibar (exibar_at_THELAIR.COM)
Date: 09/18/03
- Previous message: Tony: "Re: DNS Hijacking: The largest single breach of privacy and security thus far online..."
- Next in thread: Ernst Lopes Cardozo: "Patch 22, eh, make that Catch 22"
- Reply: Ernst Lopes Cardozo: "Patch 22, eh, make that Catch 22"
Date: Thu, 18 Sep 2003 10:41:05 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
What tool will get 100% of the 30,000+ machines that an administrator of a
large corporate network has to patch? Sure, there are a few tools out there
that will do the job, all with big "IFs" attached, but none will get 100%,
or even close.
Microsoft's own SMS isn't too bad: sure, it will push out patches, but it
requires pretty big overhead on the machine in the form of the SMS client
agent, requires local Admin rights, and requires that users not tamper
with it. Not too realistic when you are in a corporation that creates a
product that contains a Windows-based computer and not all the "development
labs" will allow any additional processes to run on the machines that they
are developing for use in your product. Let alone that they won't allow admin
access to those machines, for fear that one of the many admins will change
something and ruin weeks or months of testing. Oh yeah, you also have to
know where all the machines are on your network. What network or security
admin of a company with 30,000+ machines can honestly say that they know what
and where every machine is on their network worldwide....
HFNetChk Pro 4.0 is a better solution: it will perform network
discovery, doesn't require an agent, and has nice logs. Similar to SMS, but
it doesn't require a local agent, so there is no baggage to slow down a local
machine. A very nice feature for those development labs. But it also requires
admin access to the machine in order to apply the patches. So we're back to the
"don't have admin access" problem.
OK, so if we use the two products, SMS and HFNetChk Pro 4.0, we
might be able to get 75%-85% of the total machines. What about the
others? There has to be a better way, a way to get 99%-100% of the
Windows machines on your network. Perhaps it's the automatic patching Bill
Gates was talking about? Perhaps it's built into the entire login process,
part of the Domain Controllers. A machine isn't allowed to connect to the
network unless it has ALL mandated patches. I'm not talking about a login
script or a policy that can be cancelled or eliminated by a clever user; I'm
talking about part of the network authentication itself. Better yet, a machine
isn't allowed to get a usable network IP address unless it is patched
completely. Sort of like using a SecurID fob to connect to a network, only
part of the process is a patch-level check: if you don't have the correct
patches, your connection gets dropped.
That is what we need.
Mike B
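The gate the post asks for, a patch-level check that decides whether a host gets a usable address or lands in quarantine, as an added Python example. This is not code from the original post, from SMS, or from HFNetChk; the patch IDs (P-001 and so on), OS names, supersedence map, address pools and inventory lines are all constructed for illustration. It goes one step beyond the post in handling patch supersedence (a newer patch satisfying the requirement for an older one it replaces) and in failing closed for a machine whose OS the policy does not know, which is the behaviour a practitioner would want from an enforcement point rather than a report.

```python
"""
Added example, not code from the original post or from any Microsoft product:
a toy admission gate that models "no usable IP address unless the machine is
fully patched". Patch identifiers, OS names, the supersedence map, address
pools and the inventory lines are constructed for illustration only.
"""
import ipaddress

# Constructed policy: patches every host of a given OS must carry.
MANDATED = {
    "win2000": {"P-001", "P-002", "P-003"},
    "winxp":   {"P-002", "P-004"},
}

# Constructed supersedence map: a newer patch replaces the older ones listed,
# so a host carrying P-006 also satisfies P-005 and, through it, P-003.
SUPERSEDES = {
    "P-005": {"P-003"},
    "P-006": {"P-005"},
}

# Constructed pools; 192.0.2.0/24 is the TEST-NET-1 documentation range.
QUARANTINE_POOL = ipaddress.ip_network("192.0.2.0/24")
PRODUCTION_POOL = ipaddress.ip_network("10.10.0.0/24")


def effective_patches(installed):
    """Return the installed patches plus everything they transitively supersede."""
    effective = set()
    stack = list(installed)
    while stack:
        patch = stack.pop()
        if patch in effective:
            continue
        effective.add(patch)
        stack.extend(SUPERSEDES.get(patch, ()))
    return effective


def missing_patches(os_name, installed):
    """Mandated patches not satisfied directly or by supersedence, sorted.

    Returns None for an OS the policy does not know: the gate fails closed
    instead of letting an unrecognised build onto the production network.
    """
    mandated = MANDATED.get(os_name)
    if mandated is None:
        return None
    return sorted(mandated - effective_patches(installed))


def admit(host_index, os_name, installed):
    """Decide one host's lease: production address or quarantine address.

    host_index selects the host address inside the chosen pool (a constructed
    allocator standing in for a real DHCP server).
    """
    missing = missing_patches(os_name, installed)
    if missing is None:
        return {"vlan": "quarantine", "ip": str(QUARANTINE_POOL[host_index]),
                "reason": f"unknown OS {os_name!r}"}
    if missing:
        return {"vlan": "quarantine", "ip": str(QUARANTINE_POOL[host_index]),
                "reason": "missing " + ",".join(missing)}
    return {"vlan": "corp", "ip": str(PRODUCTION_POOL[host_index]),
            "reason": "compliant"}


def parse_inventory(lines):
    """Parse constructed 'hostname,os,patch;patch;...' lines into tuples."""
    hosts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, os_name, patches = line.split(",", 2)
        installed = {p for p in patches.split(";") if p}
        hosts.append((name, os_name, installed))
    return hosts


# Constructed sample inventory, as an agentless scanner might report it.
SAMPLE_INVENTORY = """
# hostname,os,installed patches
lab-01,win2000,P-001;P-002;P-003
lab-02,win2000,P-001;P-002;P-006
lab-03,winxp,P-002
dev-box,beos,
"""


def run(inventory=SAMPLE_INVENTORY):
    """Map each host name in the inventory to its lease decision."""
    decisions = {}
    hosts = parse_inventory(inventory.splitlines())
    for index, (name, os_name, installed) in enumerate(hosts, start=10):
        decisions[name] = admit(index, os_name, installed)
    return decisions


if __name__ == "__main__":
    for name, lease in run().items():
        print(f"{name:8} {lease['vlan']:10} {lease['ip']:15} {lease['reason']}")
```

Run as a script it prints one decision per host: lab-02 is admitted although it never installed P-003 because P-006 supersedes it, lab-03 is quarantined for the missing P-004, and dev-box is quarantined because the policy has no entry for its OS. The supersedence walk is the part that a naive "installed set contains mandated set" comparison gets wrong, and failing closed on an unknown OS is the difference between an inventory report and an enforcement point.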