Welcome to the Virus.Org Mailing List Archive




Re: Still trying to decide - Implementing a PM system

  • To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
  • Subject: Re: Still trying to decide - Implementing a PM system
  • From: Jerry Parlee <[EMAIL PROTECTED]>
  • Date: Fri, 02 Apr 2004 09:18:17 -0600
  • In-reply-to: <[EMAIL PROTECTED] rg>
  • References: <[EMAIL PROTECTED]>
  • Reply-to: "Patch Management Mailing List" <[EMAIL PROTECTED]>
 
Rich,
We have a similar problem here in the Psych Dept UT Austin: heavy-duty off-the-shelf patch mgt is just too expensive, and affordable stuff is either no easier than scripting my own solution or doesn't do what I need.

Some thoughts:
HfnetchkPro is, I'm sure, a fine solution, but there is no way we can afford it. The current retail price is ~$2000 for 100 seats, we have 600 seats and can't afford anything like $2000 anyway. We got a quote as a university, but it was still way above anything we could afford.

SUS is "free", sort of. Our main problem with it is that it needs IIS and we're doing all our web serving over Apache. The learning curve for SUS and IIS was more than we wanted to take on. And, IIS is a security issue itself. And, at least in previous editions, it only patched the OS.

We tried some cheaper solutions and found they were not satisfactory.

Recently a heavyweight patch mgt solution gave a presentation to UT. It looked great, I'd kill for it. Then they sent a quote; $57,000 for 1000 seats.... simply boggled my mind... (and made me think I'm in the wrong business)

So, it came down to the fact that if we were to have any automated patch mgt, we'd have to roll our own. I use hfnetchk (not the pro, the old command line version) with Shavlik's xml security file, and nmap to scan our machines and parse the output to useful info. AutoUpdates takes care of most of our OS patches (I've enforced it with a GPO), we ask users to do what they can, then we see what needs patching and take care of it using VNC. We're in the process of writing a script that queries every machine that boots on our subnets for patches. We expect to have automated patch installation and detailed machine info (location, applications, etc.) by mid summer.

The advantage of doing it this way is you get your scripting chops up to snuff and you know your patches and users intimately. The disadvantage is that it takes all your time until you have useable code. The scary part is when MS moves the target, and I worry about other applications that I will have to patch (and learn about) in the future.

If you want some code, Wally Beck has some interesting stuff here: http://www.gc.peachnet.edu/www/wbeck/ and I'd be happy to share my code if you think it would be useful.

BTW, our situation is more complex than most. Department policy is: each professor buys their own computers, we can recommend, but not enforce specific computers and almost all computers are logged on as administrators to permit the user to modify the computer in any way. So, no two computers are alike either in hardware or software.

Jerry Parlee
Psych Dept UT Austin


At 10:09 AM 4/1/2004, you wrote:

Several months back, I mentioned my greenness and the overwhelming feeling all the choices (regarding patch management) gave me.  I did some research and read a lot more posts.  Currently, we do all patching manually and there is no budget for a patch management solution, which means my suggestion must be cheap.  Norton's ghost seems cheap enough (we would only need 1 license) though hfnetcheck pro sounded reasonable as well.  I did see that I would need to write scripts for the Ghost to do updates, that isn't really a task I'm ready to take on.  Is hfnetcheckpro the same, will I inevitably need to learn how to script?  Still confused but learning...Thanks as always.

 
Sincerely,
 
Rich Marsh
 
"It is our attitude at the beginning of a difficult task which, more than
anything else, will affect its successful outcome."

William James
1842-1910
http://plato.stanford.edu/entries/james/
 
---
To unsubscribe send a blank email to [EMAIL PROTECTED]
Copyright (c) Virus.Org 1997-2006.