New You out there Peter? (or other win gurus)
I think I know where the band Blood Sweat and Tears got the name. One of 'em had a prophetic dream about tech support in the age of Microsoft.

Here's the deal- another entity within the corporation has responsibility for antivirus. They assigned it to someone who evidently is not too familiar with Windows. Our setup uses McAfee AV with program and signature updates coming from an inside-the-firewall company server. One problem. The updates haven't worked for some time now (domain name change). This explains why we got hit so hard (and still seeing the effects) by the Bugbear virus. The solution this person has come up with is to email out to everyone instructions on how to upgrade to the latest approved release and a .reg file to get the software pointing to the correct update server for signature files.

Leaving aside for the moment the wisdom of taking the app server offline 15 minutes after sending out the email telling people to use the app server to get the program update, the .reg fix for win2000 assumes our users have rights to make registry changes. They don't. Also, the McAfee that gets installed is password protected and we are not allowed to tell anyone the password so they can manually point the damn thing to the correct signature update server.

It is now our problem to get this to work with the given constraints. A little brainstorming gave us the following- Send the reg fix file and then have the affected users call us for handholding to walk them thru logging on to the local system as administrator, install the regfix and then hope they forget the admin password. Idiotic, I know. Any other ideas out there?
"A civilian gang of thieving lobbyists for the military industrial complex is running the White House. If to be against them is considered unpatriotic -- Hell, then call me a traitor."
-- Hunter S. Thompson
New Remote admin tools? PC Anywhere?
You were born...and so you're free...so Happy Birthday! Laurie Anderson

[link|mailto:bepatient@aol.com|BePatient]
New Use VNC
It has clients and servers for almost any known OS out there:

[link|http://www.uk.research.att.com/vnc/|http://www.uk.research.att.com/vnc/]

Good luck!

[link|http://games.speakeasy.net/data/files/khan.jpg|"Khan!!!" -Kirk]
New None I can use.
Corporate security policies donchaknow.
New Ah yes, the PHBs foiling all the serious stuff
Corp Security Policies that prohibit:

Remote Access

Chat Programs

Instant Messengers

File Sharing Programs

Open Sourced Programs

Sometimes they are so strict that they prohibit the use of WinZip or any other archive program, but then how in the world are you supposed to download and use those updates in Zip files for your programming package? Fbog!

New How many users?
If you've got a licence for TVD or McAfee ePolicy Orchestrator, this is the way to go - you can make policy changes (like changing the name of the server used for updates) and push it out to all users.

Vanilla TVD ships with a thing called the "management edition". It's pretty agricultural, but sort of gets the job done. However, any policy changes will have to be explicitly pushed by you.

ePO is smarter. The agent that gets installed on the desktop PCs periodically queries the master server to see if there are any updates - either DAT files, or policy changes. Policy is enforced at a pre-defined interval.

Alternatively, you could use the Installation Designer that ships with TVD to make your own deployed version of VirusScan, with the updated auto-update configuration, then publish that application to your users. However, this assumes an all-Windows 2000 and AD setup.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New 500+ W2K users
Those sound like great tools. We, of course, don't get to use them because that would infringe on the role of the antivirus administrator. I will see if he has these and explain to him what they can do.

The problem however is that the server these end users are looking for no longer exists with the name as recorded on the end user's system. Domain names got changed to reflect our new company name. This broke things quite nicely for many of us in many areas.
New At some point...
...you are going to have to violate some security policy (given the set of constraints that you've posted)...so someone in Security (or the AV guy) is gonna have to deal with a little infringement.

You need to remotely access 500 machines...or manually touch 500 machines and you need to do it with admin rights or the remote software available from the antivirus vendor.

There's not a lot of other options...except leave them all broke and get whacked by the next virus to come along.
New About what I thought.
Our security policies are a hell of a mess.
New Find someone in Security to help.
Often, those guys are allowed to break security policy for various reasons. I know - I used to be one of them! :-)

You also need someone else with some power to agree that the current anti-virus administrator is a) probably the wrong person or b) doesn't have the access or authority or knowledge to do their job properly.

Fixing security policies is a long and slow task, especially when you're not in security. Best not fight that one now.

Wade.

"Ah. One of the difficult questions."

New sneakernet :(
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

"Therefore, by objective standards, the leading managers of the U.S. economy...are collectively, clinically insane."
Lyndon LaRouche