Patch Management

Right, I'm looking for some suggestions. We use WSUS to patch our servers for Microsoft patches and also laptops. We're happy with this but we don't have anything to manage the likes of Adobe etc... Our security chap is doing his nut in and we need to come up with a way to combat it.

What do you guys use for patching the likes of Adobe Flash / PDF etc...
 
Microsoft SCCM (System Center Configuration Manager, formerly SMS), with SCUP (System Center Updates Publisher).

It's how we publish (and force install) software and updates to client devices (including non-Microsoft software updates).
 
SCCM is a good solution. Altiris also offers a good solution.

Just a word to the wise: things that often get forgotten about in patching are the server remote management consoles, usually a web-based interface that lets you remotely manage the server. Get that patched and put some ACL rules in place!
 
Microsoft SCCM (System Center Configuration Manager, formerly SMS), with SCUP (System Center Updates Publisher).

It's how we publish (and force install) software and updates to client devices (including non-Microsoft software updates).

Does SCUP need SCCM to work? Or is it a standalone product? As I can't really see M$ giving away such a tool without making you have nigh on every SC* product under the sun.
 
Does SCUP need SCCM to work? Or is it a standalone product? As I can't really see M$ giving away such a tool without making you have nigh on every SC* product under the sun.

SCUP is a free download to extend the capabilities of System Center Configuration Manager or System Center Essentials.

So yes you need another SC* product, either of the above (System Center Essentials is cheap) :p
 
We use GPO for Flash and Reader and republish them when there has been an update.
It's a royal pain in the rear!
Currently many of the small to medium businesses we deal with have to do this. It's such a drain on resources. Not to mention occasional incompatibilities which mean the machines hang before joining the domain.

I don't understand how a PDF reader can have so many exploitable holes in it...
 
As said, SCCM with SCUP or just create the packages in SCCM and deploy as you would other software, either way works well.
 
Thanks for the suggestions, how does SCCM cope with multiple AD domains with no trusts between them, or would you need an installation for each AD you have?

I'm currently installing GFI LANguard - seems to offer everything I need, but I'll check out SCCM as well. I did go through the pain of installing it a year or so ago with extending schemas etc... but didn't really get very far into it. It didn't strike me as being an easy product to pick up.
 
SCCM is great imho, been my bread and butter for a while (I was an SMS contractor days gone by).

Once set up properly it works well, but people do seem to have trouble setting it up and using it properly.

But when done it's great.

Personally I'm not using SCUP at the moment, but keep meaning to get it setup and have a play.

Currently I'm just pushing out the updates to query-based collections for things like Flash, Reader etc.

Thanks for the suggestions, how does SCCM cope with multiple AD domains with no trusts between them, or would you need an installation for each AD you have?

There are articles on Technet that describe what you'd need to do in these scenarios.

It's been a fair while since I looked at this kind of setup though so would need to read up on it again to be sure :p

It didn't strike me as being an easy product to pick up.

It's weird, SCCM seems to be something that isn't a popular skill set (have been told this by many a recruiter struggling to fill positions), but once you've had a good go with it it's very simple.

For instance the MCTS cert they do in SCCM is pretty easy and basic; I'd imagine much more so than some of the server ones.
 
I've been playing with LANguard now for a few hours on a test VM and so far I'm very impressed. For such little work it offers some great rewards; reminds me a lot of VMware VUM. Set up is dead easy: you give it an IP range, some user credentials and set the type of scan. Once complete you can remediate the issues, applying all manner of fixes, and schedule them for when you want, prompting the user or just cracking on.

Not exactly expensive either - 1,000 targets for a little over £5k.
 
The reason why it's so valued is easy. If you deploy SCCM out of the box (especially on Windows 2008) it's broken. You have to do a hell of a lot to fix it and then there's also the OS Deployment side to do as well as Patch Management and Software Distribution.

So there's a hell of a lot to it and finding someone with the skill set to deploy MSIs (and more importantly create the transforms, etc.) is quite hard.

M.
 
For a freebie solution, install via VBS deployed as a computer startup script via Group Policy; slap the update on the SYSVOL share, or a different share if using 2008 R2.

I use this method for our whole domain which has 1400 XP workstations attached; just don't apply it to domain servers and you're OK. Anything additional that isn't on the base image such as Flash, Shockwave, Adobe Reader, smartcard software etc. is a piece of cake. If you can use GP I'll write you a small VBS for it.
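The startup-script approach described above, as an added example (not the poster's script): a VBScript meant to run as a Group Policy computer startup script under SYSTEM. It reads the installed version from the Uninstall registry keys, installs the MSI from a share only when the product is missing or older than the target, skips server operating systems as the post advises, and logs what it did. The share path, product display name, MSI file name and target version are placeholders to be replaced with your own.

```vbscript
' Added example, not from the original post. Group Policy computer startup script:
' install an MSI from a share only if the product is absent or older than TARGET_VER.
' All Const values below are placeholders; replace them for your environment.
Option Explicit

Const SHARE_PATH = "\\example.local\SYSVOL\example.local\scripts\patches"  ' placeholder
Const MSI_NAME   = "AdobeReaderUpdate.msi"                                  ' placeholder
Const PRODUCT    = "Adobe Reader"                                           ' placeholder DisplayName prefix
Const TARGET_VER = "9.4.2"                                                  ' placeholder version
Const HKLM       = &H80000002
Const FOR_APPEND = 8

Dim objShell, objFSO, logFile
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
logFile = objShell.ExpandEnvironmentStrings("%SystemRoot%") & "\Temp\patch-startup.log"

Sub WriteLog(msg)
    Dim f
    Set f = objFSO.OpenTextFile(logFile, FOR_APPEND, True)
    f.WriteLine Now & " " & msg
    f.Close
End Sub

' Startup scripts run as SYSTEM on every machine the GPO is linked to, so refuse
' to run on servers: ProductType is "WinNT" for workstations, "ServerNT"/"LanmanNT" for servers.
Function IsWorkstation()
    Dim prodType
    prodType = objShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType")
    IsWorkstation = (UCase(prodType) = "WINNT")
End Function

' Look up DisplayVersion under the Uninstall keys for a product whose DisplayName
' starts with displayName; returns "" when not installed.
Function InstalledVersion(displayName)
    Dim reg, keyPath, subKeys, subKey, name, ver
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    keyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    InstalledVersion = ""
    reg.EnumKey HKLM, keyPath, subKeys
    If IsNull(subKeys) Then Exit Function
    For Each subKey In subKeys
        reg.GetStringValue HKLM, keyPath & "\" & subKey, "DisplayName", name
        If Not IsNull(name) Then
            If InStr(1, name, displayName, vbTextCompare) = 1 Then
                reg.GetStringValue HKLM, keyPath & "\" & subKey, "DisplayVersion", ver
                If Not IsNull(ver) Then InstalledVersion = ver
            End If
        End If
    Next
End Function

' Numeric compare of dotted version strings: -1 if a < b, 0 if equal, 1 if a > b.
' Missing components count as 0, so "9.4" equals "9.4.0".
Function CompareVersions(a, b)
    Dim pa, pb, i, n, x, y
    pa = Split(a, "."): pb = Split(b, ".")
    n = UBound(pa): If UBound(pb) > n Then n = UBound(pb)
    CompareVersions = 0
    For i = 0 To n
        x = 0: y = 0
        If i <= UBound(pa) Then If IsNumeric(pa(i)) Then x = CLng(pa(i))
        If i <= UBound(pb) Then If IsNumeric(pb(i)) Then y = CLng(pb(i))
        If x < y Then CompareVersions = -1: Exit Function
        If x > y Then CompareVersions = 1: Exit Function
    Next
End Function

Sub Main()
    Dim installed, msiPath, rc
    If Not IsWorkstation() Then
        WriteLog "Server OS detected, skipping."
        Exit Sub
    End If
    installed = InstalledVersion(PRODUCT)
    If installed <> "" Then
        If CompareVersions(installed, TARGET_VER) >= 0 Then
            WriteLog PRODUCT & " " & installed & " already current."
            Exit Sub
        End If
    End If
    msiPath = SHARE_PATH & "\" & MSI_NAME
    If Not objFSO.FileExists(msiPath) Then
        WriteLog "Package not found: " & msiPath
        Exit Sub
    End If
    ' Silent install with no forced reboot; msiexec returns 3010 when a reboot is still pending.
    rc = objShell.Run("msiexec.exe /i """ & msiPath & """ /qn /norestart /l*v """ & logFile & ".msi.log""", 0, True)
    WriteLog "msiexec returned " & rc & " for " & msiPath
End Sub

Main
```

The version check is what keeps the script cheap to run at every boot: once the target version is present it exits without touching the share. Because it runs as SYSTEM, the share only needs to grant read access to Domain Computers, and the log in %SystemRoot%\Temp gives you something to check when a machine does not pick up the update.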
 
I'm the team leader for the centralised patch and software deployment team in Computacenter.

We provide a centralised patch management service to a large number of high profile clients and this is what we have found through experience.

WSUS is OK for small estates but it lacks the ability to control the reboots post-patching. You can control reboot times etc. via GPO but it lacks the control you have with something like SMS or SCCM. We recommend that WSUS isn't used by our clients. We have ended up having to manually patch estates, with WSUS simply deploying the patches and then connecting to each server to manually patch and reboot it.

As for recommended toolsets we tend to go with Patchlink as a replacement for WSUS; it's able to separate the patching and reboots à la SCCM/SMS and isn't all that expensive. Patchlink will also deploy non-MS patches and apps which covers off Adobe Reader, Flash, Java etc.

If our customers already have an SMS/SCCM then we're cool with that. It's able to handle the patching duties and also able to handle software deployment.

So in a nutshell:

Patchlink as a replacement for WSUS, or for clients with smaller estates who don't have a toolset in place and don't have a requirement for software deployment. Price is competitive.

SMS/SCCM for larger estates with or without software deployment; however the costs may be prohibitive depending on estate size.

anyway, enough shop talk ...
 
SCCM...

Yes the initial setup can be a little tricky but a day or two with TechNet and a VMware lab and you can crack it.

Defo worth the effort once you've got it setup correctly.
 