The Practice of Network and System Administration

2ndchance
I'm curious to hear how many people have read this book? I just read on page 289 that new computer deployments should be done in a section of the network that has no Internet access. This is in order to ensure the computer's OS and applications are fully patched before the computer can connect to the Internet. The authors claim that a computer will be scanned for vulnerabilities within two minutes of being connected to the Internet.

I figure that could be done pretty easily through a VLAN with an ACL that permits only the IP ranges that include DCs, file shares for software group policy, and WSUS. All other network IDs would fall under the implied deny.

Comments

  • dynamik
    I haven't, but that is a recommended practice. 2 minutes sounds high though. I'm pretty sure it's a matter of seconds, and I thought I'd heard of cases being under a second. Keep in mind though, you're not often connecting machines directly to the internet; they're usually NATed behind a firewall.
  • Bl8ckr0uter
    I second this. We use WSUS and we put new machines into a VLAN with no route to the net. You can use VACLs to define which VLANs can talk to which.

    VLAN ACcess Lists (VACLs) - Cisco Systems
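A concrete version of the staging segment described in the first post (a VLAN whose ACL permits only the DC, file-share and WSUS ranges, everything else denied) and of the VACL suggestion in the post above. This is an added example, not configuration from the thread or from the book. It assumes Cisco IOS on a layer-3 switch, VLAN 99 as the staging VLAN with subnet 10.99.0.0/24, domain controllers in 10.1.1.0/24 (DHCP relay to 10.1.1.10), the GPO software share at 10.1.2.10, and WSUS at 10.1.2.20 on 8530/8531 (the WSUS defaults; older WSUS 3.x installs used 80/443). All addresses, port choices and names are assumptions.

```cisco
! Added example (assumed topology): staging VLAN for new builds on Cisco IOS.
! Hosts in VLAN 99 can reach only Active Directory, the GPO software share
! and WSUS. Anything else, including any route toward the Internet, is
! dropped and logged.
!
vlan 99
 name STAGING
!
ip access-list extended STAGING-IN
 remark -- DHCP: an unconfigured host sends from 0.0.0.0, so the source must be "any"
 permit udp any eq bootpc any eq bootps
 remark -- Active Directory: DNS, Kerberos, LDAP(S), SMB, NTP, RPC mapper + dynamic RPC
 permit udp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 53
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 53
 permit udp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 88
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 88
 permit udp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 389
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 389
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 636
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 445
 permit udp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 123
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 135
 permit tcp 10.99.0.0 0.0.0.255 10.1.1.0 0.0.0.255 range 49152 65535
 remark -- GPO software-installation share (MSI packages over SMB)
 permit tcp 10.99.0.0 0.0.0.255 host 10.1.2.10 eq 445
 remark -- WSUS (8530/8531 assumed; WSUS 3.x on 80/443 would need those instead)
 permit tcp 10.99.0.0 0.0.0.255 host 10.1.2.20 eq 8530
 permit tcp 10.99.0.0 0.0.0.255 host 10.1.2.20 eq 8531
 remark -- Explicit deny with logging: a build that tries to reach anything else
 remark -- (including the Internet) shows up in syslog instead of failing silently
 deny ip any any log
!
interface Vlan99
 description Staging VLAN - new builds, no Internet reachability
 ip address 10.99.0.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group STAGING-IN in
!
```

Two points worth checking once this is in place. First, IOS ACLs are stateless, but applying the list inbound on Vlan99 is enough here: replies from the DC, share and WSUS come back outbound on Vlan99, where no ACL is applied, so only the request direction needs to be enumerated. Second, `show access-lists STAGING-IN` gives per-line hit counts, so a build that is "stuck" in staging can be diagnosed by seeing which line (or the final deny) is matching. If the staging segment is a pure layer-2 VLAN with its gateway elsewhere, the same permit list goes into a `vlan access-map` applied with `vlan filter`, which is the VACL approach linked above, rather than onto an SVI.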
  • veritas_libertas
    Honestly I don't see that it matters the way it used to. For example, I have been modifying our Ghost images for our specific department. In doing so I make sure that Windows, Office, Java, etc. are all up to date with patches and service packs. With that in mind all the PCs should be up to date before they ever touch the Internet. At times we have been known to create a new Ghost image weekly.

    dynamik wrote: »
    Keep in mind though, you're not often connecting machines directly to the internet; they're usually NATed behind a firewall.

    Groan, you beat me to saying that...
  • Bl8ckr0uter
    veritas_libertas wrote: »
    Honestly I don't see that it matters the way it used to. For example, I have been modifying our Ghost images for our specific department. In doing so I make sure Windows, Office, Java, etc. are all up to date with patches and service packs. With that in mind all the PCs should be up to date before they ever touch the Internet.

    Wouldn't you have to constantly build a new image? Each time a new patch comes out you have to redo your ghost images. To me that seems like more work than just using WSUS.
  • 2ndchance
    dynamik wrote: »
    I haven't, but that is a recommended practice. 2 minutes sounds high though. I'm pretty sure it's a matter of seconds, and I thought I'd heard of cases being under a second. Keep in mind though, you're not often connecting machines directly to the internet; they're usually NATed behind a firewall.

    I believe the example was used in the context of an e-commerce site. I was thinking the same in terms of most computers are behind a firewall. I think the authors could have been a little clearer on that point. Overall, however, this seems to be a really good book.
  • veritas_libertas
    knwminus wrote: »
    Wouldn't you have to constantly build a new image? Each time a new patch comes out you have to redo your ghost images. To me that seems like more work than just using WSUS.

    Our time frame wouldn't work well with that. We at times need to deploy a new PC and send the user overseas within hours.
  • Bl8ckr0uter
    veritas_libertas wrote: »
    Our time frame wouldn't work well with that. We at times need to deploy a new PC and send the user overseas within hours.

    And I'm sure those machines have a local WSUS server or something overseas right?
  • veritas_libertas
    knwminus wrote: »
    And I'm sure those machines have a local WSUS server or something overseas right?

    Just so you know I wasn't disagreeing with you. Having a WSUS server in an Enterprise environment is very important.

    Yes, but only some locations. FOBs and third-world countries (where HR folks go to hire nationals) often have horrible bandwidth.

    If you remember trying to download Windows service packs and new versions of IE back in the dial-up days, then you know what we deal with at times.
  • Bl8ckr0uter
    veritas_libertas wrote: »
    Yes, but only some locations. FOBs and third-world countries (where HR folks go to hire nationals) often have horrible bandwidth.

    If you remember trying to download Windows service packs and new versions of IE back in the dial-up days, then you know what we deal with at times.

    Sorry, I can only imagine, lol.
  • 2ndchance
    We image our computers with Altiris Deployment 6.X. We build an image for every desktop model we run. Fortunately, we have a pretty strict purchasing policy, so we only have 7 desktop models in deployment with the overwhelming majority of our units comprising 3 of those models. Can you update 3rd party apps via WSUS?

    Prior to this year, our policies were pretty poor:

    * We built a new image once a year, typically during the summer. This image would contain the latest version of Adobe Reader, Java, Flash, and Office.
    * The majority of computers were re-imaged during the summer.
    * We had no provision to update anything but Windows and Office through WSUS.
    * Teachers/Staff had administrative rights to their computer.
    * Security attacks were addressed using AV, Malwarebytes Removal, and Combo Fix. Final resort was a re-image.

    In other words, computers were kept current on security updates only for a few weeks at best. We probably had 200 security attacks on computers; no servers were hit (praise God).

    Here are some changes we are implementing this summer. I don't mean to brag, but the majority of these are coming from me; the fruits of certification and determination.

    * Still one image per year, and most computers to be re-imaged.
    * We are using Software GPOs to keep Adobe Reader, Java, and Flash updated. Do you guys recommend any other software?
    * I like the idea of putting computers in a restricted VLAN during the imaging process; probably going to add this.
    * Teachers/Staff no longer have admin rights to their computer.
    * We are publishing a written security policy. The policy will explain why we are taking away admin rights; security, desktop maintenance, and licensing compliance (a BIG one there)!

    I'm expecting a lot of work orders from people complaining that they can't install their retarted screen savers or their pirated copies of Print Master 3000, but I think we are going to see fewer work orders relating to security issues.
  • JBrown
    2ndchance

    Don't forget to implement a software monitoring (inventory) system, such as Spiceworks. That will keep you up to date with what's happening on the workstations, such as newly installed software (some techies enjoy installing pirated **** more than regular users do), outdated Adobe/Java/media players on the network, and a 20 GB movie file appearing from nowhere on a teacher's workstation.
    I have implemented WSUS on my network (650+ workstations and going towards 1500), but some users manage to miss weekly forced WSUS updates, by not rebooting or restarting their workstations for months.
  • dynamik
    2ndchance wrote: »
    I believe the example was used in the context of an e-commerce site. I was thinking the same in terms of most computers are behind a firewall. I think the authors could have been a little clearer on that point. Overall, however, this seems to be a really good book.

    It's a common practice with servers as well. The filtering device(s) get the publicly-accessible IP(s) and port-forward/reverse-proxy to the server. You're going to want a hardware device on the perimeter that can efficiently discard/inspect all the garbage that's destined for your server. In the real world, I think this is much more of a concern for all the neophyte users that are connecting a single machine to a DSL or cable modem.
  • rfult001
    2ndchance wrote: »
    Do you guys recommend any other software?

    BMC BladeLogic Client Automation. It is part of the BladeLogic suite for automation and configuration management and has a Patch Management module that allows you to push application updates.

    BMC BladeLogic Client Automation (formerly Marimba) - BMC Software