Manual Installation of MS security patches and Antivirus updates without Administrator Rights

Hi, This is the my first time posting here so please bear with me if I made any mistakes.

My company have quite a lot of users using standalone laptop at remote sites. They will use dial-up to connect back to our mail servers to download or send their mails only.

Our recent management directives was that all these laptops must be patch with the lastest MS security patches and Symantec Antivirus Coporate edition virus defintation. The decision was to create a CD and dispatch them out to all these remote location and let the user manually install the patches theirselves.

The problem is that ALL the remote users are accessing the PC using a local restricted accounts. They only have rights up to "User" Level. Some are even using "Guest" account to login (locally).
They are not allowed to have any administrator accounts or rights under any circumstances. They also do not have any access to the internet.

How can I automate this installation for them without giving them the administrator account? Or is there a way to create an account that allow the user to install the patches but not any other programs like games?
Any help would be appreciated on this.

Thanks.
nszelingAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You can use the hundreds of 3rd parties out there to apply the patches, run M$'s WSUS to send the updates when they are connected, or have the updates scheduled, they will run as the system account and not the user account. Your AV will certainly allow you to schedule a task to check for updates, but on M$ to schedule a task you need admin rights, I'd suggest getting a hold of, or remoting into each one of these PC's to set up these scheduled tasks, they will even try to run when they haven't completed in a specified time.

The added benefit you have with users running as non-admin's is that they are less vulnerable to the threats that these patches and AV updates aim to protect them from... ironic ain't it ;) Vista for instance, will be following many of these best practices, just line Mac, BSD, unix/linux has for generations... 20-30 years later good `ol M$ catches on ;) http://www.betanews.com/article/Allchin_Suggests_Vista_Wont_Need_Antivirus/1163104965
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
http://www.eweek.com/article2/0,1759,1891447,00.asp

As for keeping up with the company policy, and the fact that your not protected 100% with best practices, but rather 99.9% protected, there are things like the WMF vuln that came out a few months ago that an AV and or patch was needed to protect you.
If you can get them a CD, you can use various tools to automate the installs and updates... CD's are cheap and an effective media. All you really need to do is configure an auto-run file on the cd, and try my runas script (make sure it's the VBE) and or try these other tools
http://www.xinn.org/RunasVBS.html
http://nonadmin.editme.com/UsefulTools
-rich
0
 
nszelingAuthor Commented:
Hi, Tks for the post, was a bit busy.

I will go through this most prob the week after next as I will need to fly off to Taiwan for work and will not be back till the 27th!

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.