TheCabal's Journal: Interesting application for patch management

Since patch management is one of my primary duties, I've developed a rather extensive framework for validating and enforcing compliance with our patching scheme. My tools will validate a computer when someone logs in and will attempt to install any missing patches automatically. If a system continues to be noncompliant, it is automatically shut down and the account disabled. Works pretty well...

One of the biggest problems we've had has been that most of our users are not local Administrators of the workstations they log on to, so they can't install patches, even with my tools, since they run as part of the user's login script and therefore under their security context. Using RUNAS isn't an option, since we would have to have a password for a privileged account in plaintext in the login script. If we encrypted the login scripts, we'd have to have the decrypt key somewhere accessible on the network that could be tracked down and used.

Well, foes, freaks, fans and friends, I found the most interesting application from Microsoft today. I'm surprised I've never heard of it, and MS is being very low-key about it. It's called EPAL, or Elevated Privileges Application Launcher, and it's basically the Windows equivalent of sudo.

You authorize the application by running EPAL and providing a couple of arguments, including the path to the executable you wish to authorize. EPAL creates a new account and security group, hashes the file and stores the hash in an application partition in AD. The security group is for putting user accounts that you wish to allow to run the app with elevated privileges. Lastly, you must place the newly created user account in a privileged security group, since EPAL will run as this account when it is invoked.

Now that's all done, your users can invoke the application by using EPAL and supplying the path to the executable. If the path is the same as when you authorized it, and the hash matches, it runs as the elevated account that was created. Users must be in the security group created for this application to be able to do this.
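The three launch conditions described above (same path, matching hash, caller in the app's security group), as an added example that models the check rather than EPAL's own code; the hash algorithm, the account and group names and the stand-in script are assumptions:

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One authorized executable, modelled on what EPAL stores in AD (constructed)."""
    path: str     # normalized path recorded at authorization time
    digest: str   # hex digest of the file at that time (SHA-256 assumed)
    group: str    # security group whose members may launch it
    run_as: str   # privileged account the app runs under


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def authorize(path, group, run_as):
    # Normalize so later comparisons are not fooled by case or relative paths.
    return Authorization(os.path.normcase(os.path.abspath(path)), file_digest(path), group, run_as)


def check_launch(auth, requested_path, user_groups):
    """Re-run the three conditions; returns (allowed, reason)."""
    if os.path.normcase(os.path.abspath(requested_path)) != auth.path:
        return False, "path differs from the authorized path"
    if auth.group not in user_groups:
        return False, "caller is not a member of " + auth.group
    if file_digest(requested_path) != auth.digest:
        return False, "binary at that path no longer matches the stored hash"
    return True, "run as " + auth.run_as


def demo():
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "installpatch.cmd")
    with open(exe, "wb") as f:
        f.write(b"@echo off\r\nmsiexec /i patch.msi /qn\r\n")  # constructed stand-in script
    auth = authorize(exe, "EPAL_installpatch", "svc_epal_installpatch")
    results = {"member": check_launch(auth, exe, {"Domain Users", "EPAL_installpatch"})[0],
               "nonmember": check_launch(auth, exe, {"Domain Users"})[0]}
    with open(exe, "ab") as f:  # the file at the authorized path is modified after authorization
        f.write(b"echo changed\r\n")
    results["modified"] = check_launch(auth, exe, {"EPAL_installpatch"})[0]
    return results
```

The last case is the one the hash buys you: a path-only check would still elevate whatever now sits at the authorized location, so re-authorizing after every legitimate update of the script is part of the operating cost.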

I've found that this may be the final piece we need for a comprehensive patch management solution, which can safely allow unprivileged users to install patches without any undue risk.

Yes, we use SMS, but it's unwieldy and the SMS guys don't push patches all the time. SUS isn't allowed, so we had to roll our own.
