Re: MS Software Update Service
From: Anonymous (cripto@ecn.org)
Date: 02/21/03
From: Anonymous <cripto@ecn.org> To: focus-ms@securityfocus.com Date: Fri, 21 Feb 2003 21:47:53 +0100 (CET)
The biggest problem that I have with SUS is that in the scenario described below (roll out patches at 3:00 am), laptops (which are presumably at users' homes) and workstations (which are sometimes turned off at night) will never get updated. Even if you tell users to leave their machines on you have no guarantees.
If a user doesn't have administrative privilege to their machine there are very few options for scheduling the install and reboot. Basically you are forced to pick a time and make it happen. Which is better, at night when only workstations that have been left on (or are in use) get the updates, or reboot in the middle of the business day (management loved this option)?
I'd use SUS if the client simply checked at boot up to see if it missed a scheduled update and, if so, performed it then.
Has anyone found a way around that?
Regards
-----------------------------------------
We have just implemented SUS last week on one of our Active Directory
domains. It was a pretty simple installation, downloaded, installed,
synchronized the updates (this pulls all the patches that are available on
Windows Update, so it can take a while.) Since all of our workstations had
SP3 for Windows 2000, it was a simple change to the Group Policy
Object. Every night at 11pm, the server synchronizes with the Windows
Update servers, and at 3 am, the workstations log in and grab the
patches. If someone is logged in (if they forgot to log out at the end of
the day) there is a message that pops up warning of an impending reboot
(if needed), I believe the time is 5 minutes. Keep in mind that this is
basically a local, automatic version of the Windows Update web site. As
far as how well it's working, I can only really check by going to a
workstation and seeing if a patch has been applied. It would be nice if
the administration interface would tell me at least a summary of which
machines have grabbed what and when. I believe that this info is stored in
the IIS log, but haven't had time to grep them. One tip on what not to
do; we had for some reason selected all languages, so it downloaded all
the patches for Windows for every language. That took a heck of a long
time to synchronize.
Brian
At 04:42 PM 2/19/2003 -0800, Starks, Brad wrote:
>Hi everyone,
>
>Microsoft's Software Update Service has been out for a while (they've
>recently released a service pack for it, too) and I was curious as to what
>folks think about it. If you're using this technology, are you happy with
>it? How well does it suit your needs? Is it comparable to other solutions
>like Update Expert, Hfnetchk Pro, Net Octopus, etc.?
>
>In addition, has anyone used the Feature Pack for SMS that contains the SUS
>(as well as all kinds of additional) components? How does that compare to
>the standard SUS?
>
>Thanks in advance,
>
>Brad Starks
>IST Security Team
>County of Marin
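
The thread mentions wanting a summary of which machines grabbed what and when, and suggests the IIS log as the source. The following is an added example, not part of the original messages and not Microsoft's tooling: it parses IIS logs in W3C extended format and reports successful downloads per client, plus the inventory machines that never fetched a given file. The log lines, client addresses and the `/content/` path prefix are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (the IIS default).
# URL paths and client addresses are invented for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-02-20 03:00:12 10.0.0.21 GET /content/patch-a.exe 200
2003-02-20 03:00:40 10.0.0.22 GET /content/patch-a.exe 200
2003-02-20 03:01:05 10.0.0.21 GET /content/patch-b.exe 200
2003-02-20 03:01:30 10.0.0.23 GET /content/patch-a.exe 404
2003-02-21 03:00:09 10.0.0.22 GET /content/patch-b.exe 200
"""

def downloads_by_client(log_text, prefix="/content/"):
    """Return {client_ip: {uri: first_success_timestamp}} for 2xx GETs under prefix."""
    fields, result = [], defaultdict(dict)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, parts))
        ip, uri = row.get("c-ip"), row.get("cs-uri-stem", "")
        if ip is None or row.get("cs-method") != "GET":
            continue
        if not row.get("sc-status", "").startswith("2"):
            continue  # failed requests do not count as a download
        if uri.lower().startswith(prefix):
            # Keep the earliest successful fetch of each file per client.
            result[ip].setdefault(uri, f'{row.get("date", "")} {row.get("time", "")}')
    return dict(result)

def missing_clients(expected_ips, log_text, uri):
    """Clients from an inventory list that never successfully fetched uri."""
    seen = downloads_by_client(log_text)
    return sorted(ip for ip in expected_ips if uri not in seen.get(ip, {}))

if __name__ == "__main__":
    for ip, files in sorted(downloads_by_client(SAMPLE_LOG).items()):
        for uri, when in sorted(files.items()):
            print(ip, uri, when)
    inventory = ["10.0.0.21", "10.0.0.22", "10.0.0.23"]  # constructed list
    print("never fetched patch-b:", missing_clients(inventory, SAMPLE_LOG, "/content/patch-b.exe"))
```

A logged download shows that a client fetched the file, not that the patch installed, so the missing-clients list is the more reliable output. It directly surfaces the laptops and powered-off workstations raised at the top of the thread.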