Re: Desktop patch management?

["Craig W. Drake" <c-drake () NEIU EDU>]

Thank you everyone for your input.  I am going to digest all of this
information and try to come up with the best course of action for us
here at NEIU.  I'll make sure to keep the list updated on our progress. 

-Craig


Craig W. Drake
Windows NT/2000 Server Administrator
Networking and Distributed Services
Northeastern Illinois University
Phone: (773)442-4386
Email: c-drake () neiu edu



-----Original Message-----
From: Melissa Guenther [mailto:mguenther () COX NET] 
Sent: Saturday, September 13, 2003 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Desktop patch management?


Thank you!  It is so good to hear someone is not forgetting the key to
security. The Blaster situation would not have happened had individuals
:
a) knew what to do - update the patch
b) knew how to do it
c) wanted to do it - understood their responsibility towards Heads Up
Computing.

Making it easy for users to do the right thing is great advice.
----- Original Message -----
From: "Dan Roberts" <ddrobert () KENT EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, September 12, 2003 10:38 PM
Subject: Re: [SECURITY] Desktop patch management?


> Craig,
>
> Unless you have the staff and infrastructure to force patches down to 
> desktops and deal with the reprocussions when things go wrong (and 
> they will go wrong), I would avoid going down that road.  Instead, try

> some social engineering..
>
> Make it easy for your users to do "the right thing"
> - Run a local SUS server to ensure availability of updates
> - Educate your userbase about the basics of good desktop management
> - Establish a webpage to communicate advisories and patching 
> instructions
> - Ensure that your helpdesk can assist users with patching procedures
if
> they have difficulties
>
> Create a fair penalty system for failure to keep systems patched.  
> Turn
off
> network connections to PC's which are compromised or vulnerable, and 
> then require them to be patched and charge the user a fee to restore 
> connectivity.  Obviously this requires management buy-in, but it 
> leaves
the
> individual users/departments to decide the best way of carrying out 
> their own system maintenance.  This is particularly important in those
situations
> where staff do not want you touching their PC's, and even more 
> importantly reduces your liability.  Because, you know.. as soon as 
> you start messing with someone's PC, you suddenly become the scapegoat

> for all of their problems.
>
> If you provide enough support to your users, and enforce some 
> consequences for endangering the rest of the network, I bet you'll 
> find 95%+ of your users will gladly play along.  Also be ready to 
> address the loud
minority..
> use those opportunities to reinforce your position.
>
> Dan Roberts
> Senior Systems Programmer
> Administrative Computing Services
> Kent State University
>
> 330-672-5373
> ddrobert () kent edu
>
> ---- Original Message ----
>
>
>    Date:         Fri, 12 Sep 2003 12:03:49 -0500
>    Reply-To:     The EDUCAUSE Security Discussion Group Listserv
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
>

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.