Sasser remediation tale

Derek Martin invalid at pizzashack.org
Sat May 8 01:15:58 EDT 2004


On Fri, May 07, 2004 at 06:33:40PM -0400, Bob Keyes wrote:
> Well, this isn't really related to Linux as much as it is a hint for
> sysadmins.
> 
> At work, one XP user didn't do what he was told and do security updates.

I'd like to offer another hint: users are not reliable.  It is far
better to have some sort of scheduled maintenance period where PCs
will be collected or upgraded by the IT staff, than to try to rely on
the users to do critical updates.  Someone always fails to do them...

Of course, you have to weight the time IT will spend upgrading all
the PCs vs. the time you will spend cleaning up an infection and the
risk of lost data.  If you're really vigilant about safeguarding your
data (i.e. very regular back-ups) and you're nott too worried about
data loss or productivity loss, then it may still be better to try to
get the users to do it.

There are ways to make this maintenance less of burden on the user
community (though not so much on you).  The easiest way, if you can
manage it, is to build your IT environment so that anyone in your
company can sit at any PC and do their work.  If your company can
spend enough money on off-PC file storage, this is usually no problem
from a technical standpoint.  The only problem is the users -- they
need to get used to the idea that they must not store anything on the
local hard drive.

If you can do this, then all you need are a few spare PCs.  Upgrade
one, make a ghost image, and copy it to the others (or upgrade
manually).  Then swap out X number of users' PCs.  Rinse and repeat,
until you get them all.  This kind of maintenance policy gives you the
freedom and access to do all sorts of other maintenance activites,
should they be required (and invariably there will be some needs)...

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.blu.org/pipermail/discuss/attachments/20040508/07bd44b1/attachment.sig>


More information about the Discuss mailing list