Pigs will fly on the day that a single automated tool will provide a decent sized organization with all the features and functions it needs to stay up to date.......SUS, SMS, Tivoli, Symantec, MSUpdate, CSA, EPolicy, all have some valuable funtions, but for a large organization to rely on a single tool to do everything, and do everything well, is quite frankly a pipe dream...IMHO

Anonymous User 1/28/2005 3:49:52 PM

Nice article and follow on comments. No matter what tools one uses to keep devices patched, updated and secure......if you don't have a policy in writing, enforceable and supported by management your success will be limited at best...

Anonymous User 1/28/2005 3:36:12 PM

Very nice article. I also agree that patch management should never be performed by the user and that users should never have administrative rights. In our organization we are currently using Update Expert by St. Benard Software. We test all patches with in the IT department and then deploy them out to the rest of the network. Update Expert allows us to schedule the patches to install after hours and those users who do work durring that time are told be off their computers durring the patch process. The next morning we review the patch results and contact the users who did not get patch the night before and take their systems down to be patched.

Anonymous User 1/4/2005 9:35:27 AM

SUS doesn't protect against viruses. You need an enterprise antivirus management solution from companies such as Symantec or Network Associates (McAfee).

A way that you can get management to buy into patch management software such as SMS 2003 is to show them how much it costs *not* to invest in patch management software. Take a history of the number of hours spent per week/month/year on manual patch management, and do a project cost based on that figure.

I also did not see the figure on XP SP2 intrusions.

PASSERWIP1/3/2005 5:39:10 PM

Windows XP in a Server 2003 environment can be configured through group policy to restrict what code it will run.

JEFF12/29/2004 7:57:20 AM

What you are saying is right but i have seen windows 2000 crash multiple times after I have set up a pc for a user with all its apllicatins,because i did windows update.The problem is that some patches and hotfixes,if they are done together i personally had blue screens.Microsoft should consider that...

Anonymous User 12/29/2004 12:59:21 AM

SUS is fine if your users will install the updates when prompted instead of canceling the installation. In my environment I've seen patches delayed for weeks because a user cancelled the installation and then shutdown their computer
while they went on vacation for a week or two then come back and canceled the install a couple of more times before SUS forced the install. I'm going to bite the bullet recommend to my
company to invest some $ in a package that will push the Windows updates as well and being able to deploy the non-Microsoft updates.

Anonymous User 12/28/2004 1:35:57 PM

I'm going to forward your article to my management, as it is a pretty accurate synopsis of the current computing landscape. However, I believe from an enterprise perspective, providing tools for end users to manage updates is going about it from the wrong direction.
The responsibility for maintaining most corporate desktops lies with the IT staff, not end users. Relying on end users to keep systems updated is asking for problems because they won't do it diligently or often enough.
My wish is for Microsoft to provide a corporate version of their desktop operating system utilizing AD and GP, but incorporating functionality like Cisco's CSA to prevent code from being run that wasn't explicitly allowed by the IT staff.
The current situation is too open to start with and requires much modification and administration. It requires a change of approach from "Allow all, restrict whatever hole is found next" to "Restrict all, allow only what has been approved". Home users could still purchase swiss-cheese versions as the responsibility for maintaining their machines is (still) their own.

Anonymous User 12/28/2004 1:11:26 PM

SUS worked for me. Single-handedly patched 350+ servers and several thousand workstations for the past year and a half with 0 virus infections.

KIRK12/28/2004 11:22:26 AM

I didn't catch how often the XP SP2 system was compromised.

Great statistics on attacks and speed of compromise of systems...makes me wonder why Windows systems I manage have never been compromised? Lots of reasons of course but gloom & doom is not required.

Good recommendation to MS regarding patch application permissions. While local admin permissions are a known no-no, in today's environs they represent a resonable compromise versus unpatched systems.

RENE'12/28/2004 11:19:23 AM