Thursday, February 3, 2011

Keeping everyone up-to-date in browser plugins?

Our organization has less than 100 people all on laptops running Windows XP. We encourage Firefox, though a number of people still use IE7. But lately we've gotten some spyware/virus attacks that have come in through outdated plugins. Everyone is at different levels with plugin updates, and it tends to be the case that we don't find out about someone neglecting updates until they are affected by it in the form of some webpage with spyware in it crawling through an old Java or Flash version.

We have System Center Essentials set up to keep all the computers up to date as far as Windows Update. We also have Trend Micro which has protected us well so far, so the issue is only of preventative maintenance at this time.

What is the best way that we ensure that everyone's computers are kept up to date with the latest versions of Flash and Java? Can we use some sort of automated check to scan everyone's computers, akin to Mozilla's Plugin Check but on a widespread scale? Can System Center Essentials come in handy for this? Those of you who manage computers like this, how do you keep everyone's plugins up to date?

  • If you don't need it, remove it. Java is not necessary in most cases. Adobe Flash Player has a built-in update function; encourage people to push the update button.

    Updating Adobe Reader takes a long time, and vulnerabilities are regularly found. Consider an alternative, like Sumatra PDF.

    You could also make disk images, using utilities like Norton Ghost or Clonezilla, and set it back in an interval. Documents should be stored on a different drive (or a network drive if possible).

    mfinni : "Java is not necessary in most cases." Hardly true. My bank website requires it. At work, we have any number of web applications, particularly our Learning Management and Timecard system, that require it. Also - Java isn't only for websites. It's required for, at my work, HP Service Manager, HP OpenView, our backup agent, and our LDAP browser.
    Ricket : Sorry, it is needed. We don't install Java by default, so they are the ones installing it. But we need to keep it up to date once they do so. Adobe, on the other hand, is used extensively by the design people and the alternative programs simply don't cut it.
    jftuga : Most corporate users do not run at Admin level so they can't use the built-in Flash update function. Also, Sumatra is not very good when it comes to actually printing out documents.
    Ricket : Ah I didn't even see that, yeah, encouragement isn't working. I can spout all the geek-scare I want about spyware and viruses crawling in through old versions of Adobe but they will continue to ignore the updates.
    From Lekensteyn
  • I have Flash Player, Java and Adobe Reader all deployed via Group Policy, since they are increasingly becoming the target for "drive by and get owned" type attacks.

    For the Java page on Active Directory deployment, see here.

    To deploy Adobe Reader and Flash Player, you have to sign up for a distribution agreement with Adobe here (this is free), which is usually sorted in about an hour.

    The installation instructions for Adobe Reader are in this PDF.

    For Flash Player, the distribution agreement confirmation email you get will contain a link to the msi installers. Note that there are 2 installers - one for Internet Explorer (the ActiveX control) and another for plugin based browsers (Firefox, Opera). I install both of these on the same Group Policy, as they both need to be kept up to date, even if only one browser is used.

    A problem you might have is that the machines are all laptops. If your laptops are anything like my laptops, software deployment via Group Policy is incredibly hit and miss (more miss than hit unfortunately). You can enable the setting to wait for the network to become available before allowing logon, but this will probably increase logon times and just frustrate your users.

    From Ben
  • Use a configuration manager tool like wpkg or the Microsoft server manager tool (do not remember its new name, it used to be called SMS). Wpkg is free software and works very nicely; it's all XML so you can keep it in version control easily. Windows PCs pull the changes daily (or whenever you plan it) so it is the perfect partner for unattend(ed).

    You write a package definition with the commands necessary to install/update the plugins, and the Windows clients will do it on their next run. It works very nicely. No Windows domains necessary, by the way, it can work off a Samba share.

    flash instructions Java instructions

    Ricket : System Center Configuration Manager is the new SMS according to http://en.wikipedia.org/wiki/System_Center_Configuration_Manager - and judging from the name, System Center Essentials that we're using is probably a stripped-down version (the "essentials"). I'm looking to see if I can use Ben's info and our SCE server to push to everyone without getting involved with Active Directory.
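
A WPKG package definition of the kind the last answer describes, covering both Flash Player installers mentioned in the Group Policy answer. This is an added example, not part of the original thread; the `%SOFTWARE%` share variable, the MSI file names, the uninstall display names and the version baseline are assumptions to replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WPKG packages.xml entry for Adobe Flash Player.
     Assumed values: %SOFTWARE% (share holding the MSIs), MSI file names,
     uninstall display names, and the constructed baseline "10.0.0.0". -->
<packages>
  <package id="flashplayer"
           name="Adobe Flash Player (ActiveX + plugin)"
           revision="1"
           reboot="false"
           priority="50">

    <!-- The package counts as installed only when BOTH variants are at or
         above the baseline. A stale ActiveX control on a machine whose
         user only runs Firefox therefore still triggers an update. -->
    <check type="logical" condition="and">
      <check type="uninstall" condition="versiongreaterorequal"
             path="Adobe Flash Player 10 ActiveX" value="10.0.0.0" />
      <check type="uninstall" condition="versiongreaterorequal"
             path="Adobe Flash Player 10 Plugin" value="10.0.0.0" />
    </check>

    <!-- Silent installs run by the WPKG client, so the logged-on user
         does not need administrator rights. -->
    <install cmd='msiexec /qn /norestart /i "%SOFTWARE%\flash\install_flash_player_10_active_x.msi"' />
    <install cmd='msiexec /qn /norestart /i "%SOFTWARE%\flash\install_flash_player_10_plugin.msi"' />

    <!-- Run when the revision above is raised: the newer MSIs replace
         whatever version is currently on the laptop. -->
    <upgrade cmd='msiexec /qn /norestart /i "%SOFTWARE%\flash\install_flash_player_10_active_x.msi"' />
    <upgrade cmd='msiexec /qn /norestart /i "%SOFTWARE%\flash\install_flash_player_10_plugin.msi"' />

    <remove cmd='msiexec /qn /norestart /x "%SOFTWARE%\flash\install_flash_player_10_active_x.msi"' />
    <remove cmd='msiexec /qn /norestart /x "%SOFTWARE%\flash\install_flash_player_10_plugin.msi"' />
  </package>
</packages>
```

When a new Flash release is published, replace the MSIs on the share, raise `revision` and the baseline in both checks, and commit the file; each client applies the upgrade on its next WPKG run.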
