8

I just started working for a small-medium size company doing IT support. Maybe 150 or less users.

Right now every user has administrative rights to their own machine. This allows them to install updates or whatever else they would like to.

I'm tired of getting on user's machines that are bloated with crap they put on themselves. So my first thought would be to take away administrative rights to their computer. This would also have other advantages such as preventing a lot of drive-by malware on the web etc.

The problem arises that users are unable to install updates. (Even though I find most ignore these anyway)

How do large companies handle software updates on all client machines?

EDIT: Windows environment. Most servers are Windows Server 2003 Enterprise. Clients are all Windows. Win XP, Vista, and 7.

CT.
  • 731
  • 2
  • 8
  • 20
  • The real issue I have with users having admin is when they surf the net. How many virus do you find in a given week? – tony roth May 26 '10 at 16:54
  • @Tony, you don't need admin rights to infect a machine or to propagate a virus. All you need is a well written virus. – John Gardeniers May 26 '10 at 19:13
  • @John Gardeniers: Assuming no privilege escalation bugs are being exploited by the malicious software (or, for that matter, any software) a non-privileged user shouldn't be able to subvert the trusted computing base and make changes that affect other users of the machine. Obviously, no commodity OS is free of privilege escalation bugs, but adding the layer of security of limited privilege helps when it comes to defense-in-depth. Make the malware writers exploit a vulnerability in addition to exploting human fallability and you make it harder for them. Marginally, I'd agree, but still harder. – Evan Anderson May 26 '10 at 20:24
  • @Evan, my point was that there are viruses and other malware that exploit such bugs, meaning we must not assume a system is "safe" (relatively speaking of course) simply because the user has limited rights. – John Gardeniers May 26 '10 at 21:47
  • @John: Sure, but in this context that's a bit like suggesting there's no point locking your car doors because they can just smash the window anyway. – Chris Thorpe May 26 '10 at 22:03
  • @John and Chris: I agree with both of your points. Locking down arbitrary code execution (ala software restriction policy) helps even more, but it's still a defense-in-depth problem. The only "secure" computer is one that's disconnected from power (and, presumably, not perched on the edge of a high shelf where it might fall onto the head of an unsuspecting passer-by). – Evan Anderson May 26 '10 at 23:54
  • @CT Might want to take a look at my answer here: http://serverfault.com/questions/256958/suggestions-for-free-cheap-asset-patch-management-software-adobe-java-etc/265954#265954 – l0c0b0x May 04 '11 at 15:15

2 Answers2

8

Windows Server Update Services (WSUS) provides the server-side component to handle update deployment. Its provided by Microsoft as a no-cost add-on to Windows Server 2003 and up.

Computers (client PCs, servers, etc) are typically directed to the WSUS server to receive updates by way of Group Policy settings (that can also be done through simple registry manipulation, too). The Windows Update client software is configurable to allow the client to automatically download and install updates on a schedule, or to download and prompt for installation, etc. The client software can force the PC to reboot, or may optionally defer reboot if a user remains logged-on. There are a variety of options.

For third-party software you can create updates to distribute via WSUS by using the Sysmtem Center Updates Publisher as part of the Microsoft System Center Configuration Manager product. (There are some other tools that will allow you to publish non-Microsoft updates to WSUS, too-- I have no experience with them and can't recommend / comment on them. There's some talk about them in a comment to this Server Fault answer.)

I typically install software to client computers via Group Policy, so deploying updates typically involves rolling new packages that way. You can see more about that strategy in this Server Fault answer.

BTW: You're doing the right thing re: getting rid of Administrator rights for users. You'll see a dramatic improvement in PC reliability, and indirectly you'll be improving security. Having a network with client computers having restricted Administrator rights is a very nice place to be. At the very least, malware will be restricted to damaging the profile of an individual user, which makes cleanup as easy as restoring a copy of a pre-infection roaming profile from backup.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Is this just Windows Updates? How about third party updates? ex) Adobe, Java, etc? – CT. May 26 '10 at 16:06
  • @CT: I got ya' covered with an edit... >smile – Evan Anderson May 26 '10 at 16:07
  • 2
    @CT: In the same vein as Evan's BTW: Have a look at Microsoft's Software Restriction Policies. After we removed Admin rights everywhere, SRPs were used to further protect our users. We created whitelists for our application-compliment. *Significantly* reduced crap-ware infections, un-licensed software, non-approved downloads, etc. – jscott May 26 '10 at 16:19
  • @jscott: Oh, absolutely. Software Restriction Poliy (and the new AppLocker feature in Windows 7) is *great* if you can get the political backing to implement it. – Evan Anderson May 26 '10 at 16:28
  • Evan, thanks for all the good information. One last roadblock to throw in the mix. Would this work for remote users connected via VPN as well? – CT. May 26 '10 at 16:30
  • @CT: VPN clients can be a pain for WSUS, definitely. Microsoft has some instrutions for "publishing" WSUS via ISA Server (http://www.microsoft.com/downloads/details.aspx?FamilyID=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=en) which, basically, amounts to exposing WSUS to the Internet via SSL (but, interestingly, without any authentication to prevent "joe anybody" from using your WSUS server... Hmmm...). The document is worth a read because everything it describes could be done w/o ISA Server just using "port forwarding" to accomplish the same effects. – Evan Anderson May 26 '10 at 16:52
1

WSUS looks like it would be perfect for you.

Best of all, if you're running windows server in your environment, its free!

Nick Kavadias
  • 10,758
  • 7
  • 36
  • 47