System management appliance improves school's software deployment

By Ron Condon, U.K. Bureau Chief 16 Feb 2009 | SearchSecurity.co.uk

Security UK News Digg This!     StumbleUpon     Del.icio.us

That was in 2007, and it took three weeks to get the machines properly configured and the right software installed, using tools that had clearly ceased to be adequate for the job.

At the time, he and his team of two technicians relied on WinInstall to deploy software to a total of 300 desktop machines and a further 180 laptops, but the DOS-based tool was limited to batches of 10 machines at a time. "We needed a tool that would at least allow us to update an ICT suite of 30 to 32 machines in one go,"Ellis said.

Ellis looked at upgrading to a more powerful version of WinInstall, which he said was quite expensive and in tests failed to deliver what he wanted. "We found that reporting on the machines that did not complete set tasks was very poor. If we tried to upgrade 30 computers, it might tell us five had failed, but it didn't say what they failed on. And it wouldn't tell us which applications had deployed successfully and which hadn't."

More on network security at school To provide a more efficient network service for school staff and pupils, Mark Gosden, network manager at Sutton Valence School in Kent, tried out a new NAC product.

It was intended to be a product that could run at off-peak hours overnight, but the unreliable results made it impractical. "When we tested it, we'd have two-thirds of the computers that had rebuilt the OS, but of those, you might have 80% that installed the applications, and then you had some machines that were still sitting there with a DOS screen, having done nothing. It was a mess," Ellis said.

He then briefly examined a number of virtual desktop products which would allow software to be managed from a server and would therefore be easier to manage. "There were some nice benefits to that approach, but in the end we decided to stick to what we knew and do our physical installation," he said.

It was around this time that he came across KBOX, a system management appliance from the U.S. vendor Kace Networks Inc., which was only then dipping a toe into the U.K. market. A prolonged evaluation of the product convinced Ellis that it would not only solve his immediate problem of keeping machines properly configured, but it could also save money by replacing other software tools he was using.

The KBOX 1000 was installed just before a further 160 new machines were due to be introduced, and which needed to be installed with up-to-date system images. The process this time took just two days, and required no manual follow-up.

The system has not only allowed him to retire WinInstall, but it has provided savings from some other sources, too. Ellis had been using the HFNetChk tool from Shavlik Technologies LLC to carry out patch management, but now the KBOX administers that as well, although he admits "it lacks a few of the niceties of some other patching solutions."

Kace said that with its new version 4.3 , which Ellis eagerly awaits, patch management and remediation (enabled by an OEM deal with PatchLink Corp. and Lumension Security Inc.) will provide the necessary improvements.

Software asset management had been handled using Visual Audit Pro from Visionsoft Ltd., but that too is now redundant with KBOX, which also does software metering. The metering function allowed Ellis to see what packages are not being used and to remove them.

A final saving comes from the help desk functions incorporated in the KBOX. Ellis said the school had been looking at some expensive packages to handle help desk functions, but that is now one investment he will not have to make.

The main benefit, however, comes from being able to manage the PC estate centrally. Combining KBOX facilities with Microsoft Active Directory, Ellis is able to deploy different software to different rooms in the school, using a system of labels that link machines to a certain room. This means that if they need to rebuild a machine from scratch, the whole process can be done automatically with the machine being assigned to the right domain, and then being installed with the software that is associated with the room where it is located.

"With WinInstall, if software wasn't packaged in an MSI file, we had to package it up ourselves because it would not deploy executables. With KBOX, we can have a choice: we can deploy from an executable, we can create a batch file to call the installation; we have multiple ways to do the installation. It works very well," he said.

"It is much easier than before. When we needed a test machine, we had to package it all up into an MSI file then deploy it as an MSI package, and make sure it was not conflicting with anything else. Now I can just use the manufacturers' executables setup and just call it as a silent install. It works, and it's saved us an awful lot of time."

Not that Ellis is completely happy with KBOX. The patching, as he said, leaves much to be desired, although the next version, 4.3, promises to solve that and other shortcomings. "We are waiting for the next version of KBOX to come out to help us fix a few things -- mainly around the scheduling side," he said. "At the moment, it decides to run things whenever it wants rather than when it's supposed to. That has caused us a few problems with messages going out at the wrong time, and computers getting shut down at the wrong time."

He also hopes that the next version will enable him to schedule automatic shutdown of systems at night, which will offer further energy cost savings.

Tags: Endpoint and NAC Protection,  Threat and Vulnerability Management,  Platform and OS Security Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features USB drive security best practices and processes First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results Platform and OS Security Management Microsoft issues advisory on new IE security vulnerability Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft blue screen affecting few corporate PCs Microsoft to fix 26 flaws in Windows, Office Thin-client technologies surge thanks to easier security, says Deloitte Microsoft issues critical security update, blocks IE 6 attacks How to use Windows XP Mode in Windows 7 Microsoft to patch single Windows 2000 vulnerability How to prevent memory dump attacks Microsoft gives Internet Explorer a major security overhaul

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary