Re: SMS only as security patch server



It seems you have one of those classic design dilemmas. You have to figure
out what your top design priority is and decide where you can make
trade-offs for your other desired outcomes.

SUS really just redirects the user's Automatic Update settings to use the
SUS server instead of the Microsoft.com update server. You have a little
control over what the user sees. I pulled this from the Automatic Updates
help:
"Automatic (recommended)
When you are connected to the Internet, Windows finds and downloads updates
in the background-you are not notified or interrupted during this process
and the updates do not interfere with other downloads. If you do not change
the default schedule, updates that have been downloaded to your computer
will be installed at 3 A.M.

If your computer is turned off during a scheduled update, Windows will
install the updates the next time you start your computer. If you need to
help complete the installation process, Windows will notify you. For
example, you might need to accept an End User License Agreement (EULA)
before some updates can be installed. If you need to restart your computer
for an update to take effect, Windows will notify you and will restart your
computer at the scheduled time."

So, if you really have to do it with absolutely no user interaction, SUS
won't do it for you. SMS can, but yes, you require the overhead of a domain
controller. You call out three concerns:

> However, using AD seems to mean too much change to customer. For example,
> 1. They have to face different log on page with domain indication
Actually, the default logon screen just shows name and password. You have to
click Options to see the domain name. If you only have one domain, they
shouldn't get too confused. Or if it's an AD domain, you can retrain them to
log on using their User Principal Name (UPN), which looks like their email
address.

> 2. They have to comply with the constraint provided by directory policy
Are you talking about Active Directory Group Policy? You don't have to set
GPOs. There is a default GPO for the domain and one for the Domain
Controllers OU, but you don't have to configure additional GPOs unless you
want to.

> 3. It is possible that their private setting will be changed right after
> setting AD
I don't understand what you mean by this.

There's an article on microsoft.com about how to pick between the various
patch solutions. It might help you.
http://www.microsoft.com/technet/security/topics/patchmanagement/patchmanagement.mspx


--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance

Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.

"jcpark" <jcpark@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3A85CD11-C51A-477A-814C-C9B8C86848F9@xxxxxxxxxxxxxxxx
> Hi
> I have a customer wanting a security patch server.
> First I thought of SUS, but since automated security patching (the patch is
> installed without notice to the PC user) is required, I had made a
> decision
> to go with SMS.
>
> They don't have a directory service installed.
> Utilizing Active Directory seems to be necessary to install SMS (I don't
> think use of an NT domain is a good idea) and to implement automated security
> patching.
>
> However, using AD seems to mean too much change to customer. For example,
> 1. They have to face different log on page with domain indication
> 2. They have to comply with the constraint provided by directory policy
> 3. It is possible that their private setting will be changed right after
> setting AD
>
> To sum up, it seems to be too much to implement AD only to use SMS as
> security patcher. Is there any good idea about my concern?
> I would much appreciate your help with this concern.
>
> Thanks a lot in advance
>
>
>
>
>
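
Added example, not part of the original posts: the SUS redirection and the 3 A.M. scheduled install described in the reply are stored as Automatic Updates policy values in the registry, so an exported copy of that key can be audited offline. The value names are the standard Automatic Updates policy values; the server name and the sample export below are constructed for illustration.

```python
import re

# Constructed sample: `reg export` text of the Automatic Updates policy key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.example.internal"
"WUStatusServer"="http://sus.example.internal"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''

AU_MODES = {2: "notify before download",
            3: "auto download, notify before install",
            4: "auto download, scheduled install"}

def parse_reg(text):
    """Return {value_name: str or int} for every value line in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$', line)
        if m:
            name, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return values

def audit(text):
    """Return findings; an empty list means internal server plus scheduled install."""
    v = parse_reg(text)
    findings = []
    if v.get("UseWUServer") != 1 or not v.get("WUServer"):
        findings.append("client is not redirected to an internal update server")
    elif v.get("WUServer") != v.get("WUStatusServer"):
        findings.append("WUServer and WUStatusServer differ")
    if v.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates is disabled")
    mode = v.get("AUOptions")
    if mode != 4:
        findings.append("install is not scheduled: " + AU_MODES.get(mode, "unset or unknown"))
    elif not 0 <= v.get("ScheduledInstallTime", -1) <= 23:
        findings.append("scheduled install hour missing or out of range")
    return findings
```

An empty result from `audit(SAMPLE_EXPORT)` only confirms the client is pointed at the internal server and set to install on schedule; it does not remove the EULA and restart prompts described in the quoted help text.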

