Tools in place: SMS (yes, SMS, not SCCM) KACE 1000 and 2000 (effectively replacing SMS for software distribution) McAfee ePO, including an Agent Handler in the DMZ to update remote clients not connection via VPN WSUS VMWare vCenter Protect (was Shavlik)
We have two SE's and four Level1/2 tech's (we have no dedicated level 1 person, the level 2 guys do level 1 stuff as well), but only the SE's are tasked with the anti-virus/patching of the endpoints (along with our usual Active Directory/GPO/server maintenance/security and similar projects duties), the SD guys are break fix/PC deployment-redeployment/office and cell phones/conference set ups, etc. I have a loose benchmark on the anti-virus and looser on the patching. With the fluidity of our endpoints, to get to and maintain 97+% on the anti-virus via McAfee ePO is about 5-7hrs/week, and to get to 99% is another 3-4 hours, as occasionally one or two endpoints are simply time consuming. Patching currently occupies about 1-2hrs/week but I'd bet the compliance is only around 85% at any time. We don't have a good test/release process in place, it's largely "throw it out a week or so after Shavlik has processed it and see if anyone reports anything". Kace and vCenter Protect are certainly underutilized at this point. With Kace all we currently do is see who uses what machine so when they call we know what machine we need to remote to and the like. Dave From: Andrew S. Baker [mailto:[email protected]] Sent: Tuesday, March 12, 2013 7:51 AM To: NT System Admin Issues Subject: Re: Keeping 550+ systems maintained Question: How long is it taking now? I'd be surprised if you don't have some sort of benchmark already. Even though you've provided some good info, so much of this is subjective and relies on other factors, like: -- what tools are currently in place? -- how many admins do you have, and how much scripting do they do? -- are your employees the kind that go for months without change, or require help every 5 min? In any event, that's a good bit of steady work for a couple admins. ASB http://XeeMe.com/AndrewBaker<http://xeeme.com/AndrewBaker> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market... On Tue, Mar 12, 2013 at 10:39 AM, David Lum <[email protected]<mailto:[email protected]>> wrote: Scenario: * 550 Windows workstations, with 100+ of them remote. * Active Directory (W2K8R2 and W2K3 DCs). * Windows 7 and Windows XP. * Users are local admins. * Some remote users VPN in daily, others only VPN in once/month, a few others almost never * 30+ onsite users frequently jump between wired and wireless (in my experience this occasionally trips up DNS and thus management agents for a bit) * Systems are cycled out at the rate of about 30 machines every quarter (relevant because finding a noncompliant machine often means knows if a system has been decommissioned or not). Systems are not always immediately removed from AD for various reasons. Task: Keep them up to date on anti-virus and patches, incl. 3rd party (Java/Adobe/Chrome/etc.). This includes coordinating (with select users) installing/testing the patches on their systems before full rollout to the rest of the org. Is this enough info to give a SWAG for how many hours/week you would you tell management this would take? A rough number works. David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229<tel:503.548.5229> // Cell (voice/text) 503.267.9764<tel:503.267.9764> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
