VMware VCentre protect

Those of us who have to manage patching have a massive problem. There are many vulnerabilities are in applications and plug-ins which aren't covered by any kind of automated process to apply, yes some do come with updating tools but require admin rights to apply patches and you have no visibility or control over what gets applied and when.
This is where products like VMware's VCenter protect come in. They allow you patch many different products, both freeware a paid for apps.
Great you may think, well yes in principle but ultimately a product like this needs to major or a three things
  1. Usability
  2. Reporting
  3. Applying patches
Unfortunately VVP fails on two of these, not just a little fail in my book but miss by a mile.

Yes it does apply patches, as best as I can tell, the fails are down to useability and reporting of information.

First fail is that there is no remote console, you can only run it on the server you installed it on. Bad.

You start by creating management groups for your computers, then add computers to these groups b various methods, AD groups, browses lists or from a vCentre. This is good, unfortunately once you have added them they don't actually appear anywhere, you can see the groups but the computers are not in there until you scan them, so you scan the group and the computers go in. Well no they don't if they are not switched on. the scan will tell you if it can't talk to a computer but you won't see it in the Machine view, new computers will not be visible until you scan them, adding them to AD is not enough. This is a major fail in my book, every other console either imports stuff in a dynamic way not a static list.
Agent less scanning should only be done out of hours as it kills the server and uses huge band width, I would certainly not do it across routed subnets.
The Agent configuration is poor and inflexible.
Creating scedules is ok but you can't change them afterwards

The console is awkward and odd to use. Updating of information is manual F5 process.

The whole product looks like a after hours project that went mainstream with out anyone actually finishing it off or doing some usability testing.
It is a Windows only product which in this day and age of Apple supremacy and BYOD is unforgivable.

Unfortunately the other products I have seen aren't a great deal better, Symantec uses their all in one SIM console which I loathe. It is overly complicated like most Symantec software these days and not nice to use.

Sophos seems to be taking it's first steps in to the world of patching which may be a better prospect if you buy in to their AV as well.

Comments

Post a Comment

Popular posts from this blog

Scripting DNS entries

For reasons to do with DR we needed to change our IP addressing scheme, either for our servers or for our PCs and printers and what not. Obviously changing PCs and printers was a whole lot easier due to the possible issues of inept developers’ hard coding IP addresses causing no end of problems with re-addressing the servers. This has entailed changing all the DNS entries for our printers, (whatever happened to the paperless office?) That in itself is no real challenge, they all have web interfaces so a quick connect and amend the setting then next printer. Updating the DNS entries was going to be a bit tiresome so I did a quick Google on how to do this with a script and up popped DNSCMD. You can run this from a CMD box on your PC, the main options you need to know are /recorddelete and /recordadd. To delete a record you simple need to type dnscmd <ServerName> /recorddelete <ZoneName> <NodeName> <RRType> <RRData>[/f] What does all that mean? Well i
Read more

Enterprise Vault - Failed Exchange Task

Here's another weird one. Enterprise Vault, we use this for e-mail archiving. It does a reasonable job. Probably no better or worse than any similar product. A couple of days ago I noticed that there was warning that it hadn't archived anything from one of our mailbox servers for a couple of days, not big issue as there is just a couple mailboxes on there as it used for testing at the moment. I had a look at the associated task and it was stopped. Started it and it failed. Error in the event log looked something like below The Task 'Exchange Mailbox Archiving Task for EXCH' failed to log on to Exchange server 'EXCH' using mailbox 'SMTP:EnterpriseVault@symantec.local'. Please ensure the mailbox has not been hidden, that the server is running and that the Vault account has sufficient permissions on the server. I went through every conceivable setting in AD, EV and Exchange trying to work out what had happened and why it wasn't working on thi
Read more

Windows Phone to iPhone - a painful transition

Windows Phone died a death due to a whole heap of incompetence from Microsoft.  My phone was an old Nokia 925, about 4 1/2 years old and bought and paid by my company. There were always low requirements for company phones, if it rung and you answered it, all was good. Then Hangouts reared its head (Google want to destroy MS, so WP support) but third-party support gave a stay of execution. The final nail was a requirement for out of hours support software that had no app for Windows Phone. I had to be “downgraded” to an iPhone 6s (yes, it is a low spec 2 version old iPhone, better hardware than my 925 but not really up there as a current version, how my company loves their staff, buy expensive crap rather than cheap crap). Stuff that just worked on my old phone, now needs 'me' to be re-engineered to work the Apple way.  This is only slightly less bad than the Google eat all your life and sell it back to you way, but it is like stepping back in to the 1990s Microsoft way
Read more