Re: Desktop patch management?

[Dan Roberts <ddrobert () KENT EDU>]

Craig,

Unless you have the staff and infrastructure to force patches down to
desktops and deal with the reprocussions when things go wrong (and they
will go wrong), I would avoid going down that road.  Instead, try some
social engineering..

Make it easy for your users to do "the right thing"
- Run a local SUS server to ensure availability of updates
- Educate your userbase about the basics of good desktop management
- Establish a webpage to communicate advisories and patching instructions
- Ensure that your helpdesk can assist users with patching procedures if
they have difficulties

Create a fair penalty system for failure to keep systems patched.  Turn off
network connections to PC's which are compromised or vulnerable, and then
require them to be patched and charge the user a fee to restore
connectivity.  Obviously this requires management buy-in, but it leaves the
individual users/departments to decide the best way of carrying out their
own system maintenance.  This is particularly important in those situations
where staff do not want you touching their PC's, and even more importantly
reduces your liability.  Because, you know.. as soon as you start messing
with someone's PC, you suddenly become the scapegoat for all of their
problems.

If you provide enough support to your users, and enforce some consequences
for endangering the rest of the network, I bet you'll find 95%+ of your
users will gladly play along.  Also be ready to address the loud minority..
use those opportunities to reinforce your position.

Dan Roberts
Senior Systems Programmer
Administrative Computing Services
Kent State University

330-672-5373
ddrobert () kent edu

---- Original Message ----


   Date:         Fri, 12 Sep 2003 12:03:49 -0500
   Reply-To:     The EDUCAUSE Security Discussion Group Listserv

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.