How do you have your users certify they are patched?

[Rilescat]

What processes are you using to ensure your users are patched with required windows updates, and how are you certifying that whay they are saying is true?

Thanks for any info.

 

[MiniDoom]

Microsoft Baseline Security Analyzer

 

[spyordie007]

a group policy object to force the machines to update (regardless of user actions) and MBSA periodically to ensure they are getting installed correctly.

 

[mikecel79]

We use SMS where I work which gives us error reporting if a patch is not applied correctly. SMS uses MBSA to verify patch installation which check registry as well as file versions to make sure a patch is installed.

 

[Rilescat]

Originally posted by: spyordie007
a group policy object to force the machines to update (regardless of user actions) and MBSA periodically to ensure they are getting installed correctly.

Ahh...in my case, I am not allowed to put the users in a domain. We have a freaky kind of setup at a large company that has many IT rules but no sense.

Basically, I run a small subgroup of users (approx. 280 systems) in comparison to the rest of the company.

Any ideas without using a domain?

Baseline Security Analyzer requires me to have an Admin account on the system, does it not? Can I do the scanning without an admin acount?

 

[spyordie007]

you're going to want to be doing it with enough rights to ensure registry entires exist and file versions are correct; to do this you need to be able to authenticate with the clients

 

[mikecel79]

Ahh...in my case, I am not allowed to put the users in a domain. We have a freaky kind of setup at a large company that has many IT rules but no sense.

Basically, I run a small subgroup of users (approx. 280 systems) in comparison to the rest of the company.

Any ideas without using a domain?

Baseline Security Analyzer requires me to have an Admin account on the system, does it not? Can I do the scanning without an admin acount?

Oh my. No domain? That must be management hell. You need admin rights on a machine so MBSA can connect to WMI on the machine and enumerate the patches installed on the machine. Also you need admin rights to remotely read the registry keys.

 

[Smilin]

Originally posted by: Rilescat

Originally posted by: spyordie007
a group policy object to force the machines to update (regardless of user actions) and MBSA periodically to ensure they are getting installed correctly.

Ahh...in my case, I am not allowed to put the users in a domain. We have a freaky kind of setup at a large company that has many IT rules but no sense.

Basically, I run a small subgroup of users (approx. 280 systems) in comparison to the rest of the company.

Any ideas without using a domain?

Baseline Security Analyzer requires me to have an Admin account on the system, does it not? Can I do the scanning without an admin acount?

It sounds like your company doesn't understand the concept of responsibility and authority.

They can't really give you the responsibility to ensure the updates are applied without giving you the authority to do so.

 

[Rilescat]

Originally posted by: Smilin

Originally posted by: Rilescat

Originally posted by: spyordie007
a group policy object to force the machines to update (regardless of user actions) and MBSA periodically to ensure they are getting installed correctly.

Ahh...in my case, I am not allowed to put the users in a domain. We have a freaky kind of setup at a large company that has many IT rules but no sense.

Basically, I run a small subgroup of users (approx. 280 systems) in comparison to the rest of the company.

Any ideas without using a domain?

Baseline Security Analyzer requires me to have an Admin account on the system, does it not? Can I do the scanning without an admin acount?

It sounds like your company doesn't understand the concept of responsibility and authority.

They can't really give you the responsibility to ensure the updates are applied without giving you the authority to do so.

That is pretty much my thoughts exactly. However, I am an Admin stuck in a non-IT group, so I am stuck with a number of mandates.

--Here is my idea. I have a script to generate a userID and password on a system and place it in the Admin group. I think I will send this script to everyone in my org and force them to run it. I will then scan all the systems with the MBSA. IT shouldn't have to much of a problem with it, as they are the goons that tell me I must certify everyone has a patch, but won't let me have the tools to do it correctly.