Solved

Manual Installation of MS security patches and Antivirus updates without Administrator Rights

Posted on 2006-11-08
4
156 Views
Last Modified: 2013-12-04
Hi, This is the my first time posting here so please bear with me if I made any mistakes.

My company have quite a lot of users using standalone laptop at remote sites. They will use dial-up to connect back to our mail servers to download or send their mails only.

Our recent management directives was that all these laptops must be patch with the lastest MS security patches and Symantec Antivirus Coporate edition virus defintation. The decision was to create a CD and dispatch them out to all these remote location and let the user manually install the patches theirselves.

The problem is that ALL the remote users are accessing the PC using a local restricted accounts. They only have rights up to "User" Level. Some are even using "Guest" account to login (locally).
They are not allowed to have any administrator accounts or rights under any circumstances. They also do not have any access to the internet.

How can I automate this installation for them without giving them the administrator account? Or is there a way to create an account that allow the user to install the patches but not any other programs like games?
Any help would be appreciated on this.

Thanks.
0
Comment
Question by:nszeling
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17927847
You can use the hundreds of 3rd parties out there to apply the patches, run M$'s WSUS to send the updates when they are connected, or have the updates scheduled, they will run as the system account and not the user account. Your AV will certainly allow you to schedule a task to check for updates, but on M$ to schedule a task you need admin rights, I'd suggest getting a hold of, or remoting into each one of these PC's to set up these scheduled tasks, they will even try to run when they haven't completed in a specified time.

The added benefit you have with users running as non-admin's is that they are less vulnerable to the threats that these patches and AV updates aim to protect them from... ironic ain't it ;) Vista for instance, will be following many of these best practices, just line Mac, BSD, unix/linux has for generations... 20-30 years later good `ol M$ catches on ;) http://www.betanews.com/article/Allchin_Suggests_Vista_Wont_Need_Antivirus/1163104965
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
http://www.eweek.com/article2/0,1759,1891447,00.asp

As for keeping up with the company policy, and the fact that your not protected 100% with best practices, but rather 99.9% protected, there are things like the WMF vuln that came out a few months ago that an AV and or patch was needed to protect you.
If you can get them a CD, you can use various tools to automate the installs and updates... CD's are cheap and an effective media. All you really need to do is configure an auto-run file on the cd, and try my runas script (make sure it's the VBE) and or try these other tools
http://www.xinn.org/RunasVBS.html
http://nonadmin.editme.com/UsefulTools
-rich
0
 

Author Comment

by:nszeling
ID: 17953955
Hi, Tks for the post, was a bit busy.

I will go through this most prob the week after next as I will need to fly off to Taiwan for work and will not be back till the 27th!

0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question