Re: [Dshield] Patch, patch, patch

Many places I have worked at use WSUS.  It is simple to setup, painless to 
administer, and can operate as "hands-free" as you want it.  You can 
automatically configure your desktops to use WSUS via GPO (and you can define 
patch install rules via GPO as well).  Plus it is free (minus the Server 2003 
license).  
 
Other things to do:
-Install Windows Defender on every computer (including servers).  It is free, 
has low overhead, and will work side-by-side with all AVs.  
-Enable full DEP support.  (NOTE: test all apps before deploying!!).  DEP is a 
neat feature that will help stop some zero-day viruses/exploits.
-Use the "corporate" version of AV software.  Most every vendor's offerings 
will have reporting functionality and central deployment/quarantine.  Plus they 
allow you to configure an uninstall password, so users can't remove the AV 
software.
-Don't give user's local administrator rights.  This is quite possibly the best 
way to reduce damage caused by viruses and users.  But (!) it is also the most 
difficult (both from a technical and political stand point).
 
As for your time commitment, you seem to be spending way too much time on 
desktops.  Your goal should be somewhere at or below 25% man hours dedicated to 
desktop work.  So you really need to invest time into engineering solutions 
instead of fighting fires.
 
Hope that helps,
Adam Stasiniewicz
 

________________________________

From: [EMAIL PROTECTED] on behalf of Anthony Rodgers
Sent: Wed 3/28/2007 1:07 PM
To: [EMAIL PROTECTED]
Subject: [Dshield] Patch, patch, patch



While we're venting about seemingly insurmountable frustrations such as
spam, I've had it with maintaining our users' Windows desktops. Over 75%
of our man hours are spent patching, upgrading, troubleshooting,
cleaning, scanning and repairing the damn things. There has to be a
better way.

What are the usable alternatives out there? Diskless workstations with
PXE boot? Citrix? VMWare? If anyone has successfully gotten out of the
desktop maintenance business in a 300+ seat enterprise, I'd love to hear
about it. Bear in mind that Vista when it comes along will be as foreign
to our users as, say, Ubuntu, so I'm open to alternative user shells. If
we provided something different to our users and told them it was the
"new Windows", they'd probably go along with it, if it "worked properly".

And while we're at it, a huge proportion of our budget goes on software
licensing. Here is a selection of what we use, for which I know OSS
alternatives exist:

Windows XP Pro
MS Office
MS Exchange with MS Outlook
Blackberry BES Server
Hummingbird DocsDM
Enterprise One

Bear in mind that we are a typical Windows-centric local government - we
have a number of business applications that are Windows-only, so we're
probably stuck with that, but I'd love to hear from organizations who
have successfully adopted OSS alternatives to the applications above.

Regards,
--
Anthony Rodgers
Business Systems Analyst
District of North Vancouver
Web: http://www.dnv.org <http://www.dnv.org/> 
RSS Feed: http://www.dnv.org/rss.asp
_________________________________________

SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)


_________________________________________

SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)