why spend the time re doing the RIS image when you can use an old one when as soon as the box hits the LAN it grabs the updates off WSUS.. waste of time isnt it

why spend the time re doing the RIS image when you can use an old one when as soon as the box hits the LAN it grabs the updates off WSUS.. waste of time isnt it

No. When you roll out 100+ new images for a department thats a hell of a lot of unesssary network traffic from WSUS thats slowing everybody else down, not to mention all the extra processing that slows down PCs in the users first few minutes of use.

Also:
Firewalls at the perimeter wont protect you from people that bring unclean machines in or malicious users inside your network.

Obviously the firewall wont protect activity inside the LAN but an unclean machine should be detected on a well set up network, and if youve got a malicious user inside your LAN face it all the patches in the world arent going to save you in reality are they?

 

No. When you roll out 100+ new images for a department thats a hell of a lot of unesssary network traffic from WSUS thats slowing everybody else down, not to mention all the extra processing that slows down PCs in the users first few minutes of use.

Thats spot on you always want your RIS images exactly how you intend the pcs being when theyre finished - any dynamic updates after are going to play hell with the network (Ive learnt this the hardway lol!!)

Disagree. Updates and patches have been known to bring down whole networks before now and personally on an important business system I think youd be crazy to install either until its been released for a awhile and thoroughly tested. If youve got a decent f/w and AV solution in place you dont need to patch software to stay safe - simple as that.

Im not talking about patching willy-nilly...Im talking about building a solid base image. It dosent matter how many firewalls or of what type...theyre not going to stop someone a legitimate user from somewhere on the network from using a known exploit.

Not bothering to patch the image you roll out, knowing there are unpatched holes wating to be exploited is just like saying "can I have some trouble, please?"

unpatched machines are a security risk.

Yes testing should be done before deploying patches, but leaving a machine unpatched is foolish.

Have any of your "unpatched" people considered, what about the road warriors?

Hotel dial up internet access means often commercially sensitive material is actually only defended from the wilds of the internet by its own clientside system.

Granted.... antiviruses are great, but once again you completely forget the actual menace in that situation.

If its a wireless network, there will be undoubtedly someone there who is au fait with computers, gets bored one night, decides to enumerate all the shared folders or something similar. You are all connected to the same wireless router/access point, its a piece of piss to gain access to company information on a hotel network.

Ask deviance, I found his CV simply enumerating shares on his IP that I found via IRC  (this was after he asked me to btw).


If its dialup, your on the net... you have hell on the otherside of your little wooden gate.

Insecure and unpatched machines are menaces. End of.

Im just waiting for someone to read my CV out of My Shared Folders, scary stuff this

What if it wasnt your CV.

What if infact I logged onto your machine as $ipc, enumerated your users, ran fgdump and grabbed the hashes, then ran lc5 and cracked said hashes, logged into your machine as admin, and simply did whatever I wanted.

The above was an example shown to us, and what we were taken through during just 1 hour long lecture... the vulnerabilities exploited were those of a unpatched machine, using XP firewall for protection. Put (think it was 3 or 4 patches) them on, and the hack just didnt work anymore.

It only takes an enterprising individual to compromise your security.

Fantastic. Most wouldnt bother though. Anyone that knows better wouldnt rely on XP Firewall either.

Simple fact is, hackers dont care about Joe Blogs computer, they want the challenges.

Reading this stuff is going to make you paranoid.

Ive yet to meet anyone that has been hacked in such a way, and while Im not denying it happens, I think you are overestimating the scale of the problem. I dont tend to take my full tower system and router into hotels with me either  :mrgreen: