Re: Not patching clients??
- To: "Patch Management Mailing List" <[EMAIL PROTECTED]>
- Subject: Re: Not patching clients??
- From: Jerry Parlee <[EMAIL PROTECTED]>
- Date: Thu, 29 Apr 2004 16:18:17 -0500
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]>
- Reply-to: "Patch Management Mailing List" <[EMAIL PROTECTED]>
Paul,
I think it's suicide not to take care of clients. Once that Trojan gets
behind your perimeter, are you sure it can't get to the servers? Can
management predict what form the next attack will take? Where the next
vulnerability will appear?
If your school is like mine, you have students running amok with laptops
doing P2P and god knows what else, plugging in to any available ACO, and
they have no idea what a patch is.
Of course, if you don't do anything important, why bother??? Perhaps you
should ask management if they care about their data.
But it can be done for less, the only way I can get it done here. I
maintain ~300 computers and ~15 servers by myself and have got it down so
that it only takes a few hours a week. Zero problems in the last year. It
did take some effort to get to the point where it's automatic... Only thing
I bought was Symantec AV, and now the University has seen the light and
bought a site license for everybody.
Assuming Win2k or XP:
Set up Automatic Updates and enforce with a GPO (if you have AD). At this
level you can't do much pre-testing. I'd rather roll something back than
get compromised anyway.
Test with Hfnetchk, not the Pro version, just the command line. Nice if you
can write a script that will parse the results and notify you when you need
to do something.
Test your open ports with nmap.
And, a must in my opinion, run a managed antivirus. I think it's hard to
beat Symantec.
A firewall like Symantec, or ZoneAlarm (free) is a good set of braces to
go with that belt.
Then research and document the risks. Present updates to management on a
regular basis.
BTW, how many clients are you talking about and what are they running?
Best,
Jerry Parlee
Psychology Dept, UT Austin
At 01:36 PM 4/29/2004, you wrote:
Hi group,
Recently there has been talk in our IS group that patching clients is
unnecessary and there will not be a dedicated person to research or
resolve outstanding issues. We are primarily a Novell environment and have
SUS running for a handful of systems, but that is about it. We can push
out patches via ZEN, but this is only done in emergencies (think
Blaster). Client-wise, that's absolutely scary. We do however have
dedicated individuals to cover any server or back-office system, so we are
not in trouble there. Our management's opinion is that network gear and
the perimeter will take care of the business, so patching clients is
irrelevant.
My question or issue to present to the group is how do you approach a
situation when management considers it unnecessary to patch
clients? Being a technical person I know the impacts, but of course
things don't change even after everyone talks about it. We're in the
situation where it almost takes a major exploit to wreak havoc and change
opinions. I'm surprised that only the server people are interested in
defending the patch issue and they are the only ones taking action.
I know many people are (or were) in this situation. After reading the
survey posting in the group earlier this morning, it does not shock me
that many organizations have only one person to handle this. What do you
do if you essentially have no one?
I'd like to see others' opinions or unique viewpoints on this.
Thanks,
Paul Nelson
Network Specialist
Medical College of Ohio
(419) 383-3638
[EMAIL PROTECTED]
---
To unsubscribe send a blank email to
[EMAIL PROTECTED]
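The reply above suggests testing client open ports with nmap and scripting the "parse the results and notify" step. The following is an added example, not part of the original thread: it reads nmap's grepable output (`-oG`) and reports hosts with open TCP ports outside a baseline. The sample scan text, the addresses and the `ALLOWED_TCP` baseline are constructed assumptions.

```python
import re

# Constructed sample of `nmap -oG -` output (hosts and ports are made up).
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -oG - 192.0.2.0/24\n"
    "Host: 192.0.2.10 (lab-pc-01)\tStatus: Up\n"
    "Host: 192.0.2.10 (lab-pc-01)\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 192.0.2.11 (lab-pc-02)\tPorts: 135/open/tcp//msrpc///, "
    "445/filtered/tcp//microsoft-ds///, 1214/open/tcp//fasttrack///\n"
    "Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http///, 6346/open/tcp//gnutella///\n"
)

# Assumed baseline: ports a managed client is expected to expose.
ALLOWED_TCP = {135, 139, 445}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_open_ports(grepable_text):
    """Return {host: sorted list of open TCP ports} from -oG output."""
    hosts = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            ports = hosts.setdefault(m.group(1), set())
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    ports.add(int(parts[0]))
    return {h: sorted(p) for h, p in hosts.items()}


def unexpected_ports(grepable_text, allowed=ALLOWED_TCP):
    """Return {host: open ports not in the baseline}; empty means no action."""
    report = {}
    for host, ports in parse_open_ports(grepable_text).items():
        extra = [p for p in ports if p not in allowed]
        if extra:
            report[host] = extra
    return report


if __name__ == "__main__":
    for host, ports in sorted(unexpected_ports(SAMPLE_SCAN).items()):
        print(f"ATTENTION {host}: unexpected open TCP ports {ports}")
```

Run on a schedule against saved scan output, an empty result means nothing needs attention that week; any non-empty result can be mailed to the administrator.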