On Thu, Jun 24, 2004 at 12:49:24PM +0800, Ian Dexter R. Marquez wrote:
> On Wed, 23 Jun 2004 19:33:09 -0600, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > well in some scenarios it is not advisable to let windows update run freely.
> > in our company only approved patches/fixes are installed because not every
> > patch that microsoft releases is *guaranteed* to work.
> >
> Yes, having windows update running freely on workstations is not
> advisable. (Got a first-hand taste of how it craps on one of my
> servers -- a domain controller to boot -- which barfed errors after
> installing a service pack from the net.) What I do in my network is
> have *dedicated* machines (one for each OS: XP, 2000, 98SE) download
> all patches from Windows Update in a given schedule, then have those
> patches made available through the LAN in shared directories. That
> way, I have control over what patches to apply to the workstations.
> It's a bit tedious, though -- but it's gotta be done. We also get
> discs of cumulative patches and updates from MS, like the one
> containing security updates from Jan to May 2004. It was given free, I
> think, in one of their gigs.
>
> What you probably want to do is block it through your firewall, AND
> through ACLs in squid. HTH.

True. iptables && squid-acl should do the trick.

However, consider this:

  * Turn off useless (and memory/swap hogging) processes on your Win*
    hosts, especially BACKGROUND procs:
      + Windows Update - don't run this, instead do as Ian said ;-)
      + Remote Desktop - who needs this anyway, you can always get ssh
        (PuTTY for Win* folks)
      + Toys, Screensavers, Porn Dialers, Junk - especially WebShots
        Desktop, since that gets gfxs from the Web, might even be spyware
      + Anti-Virii (Optional) - You might want to remove this to get
        better performance, but that's entirely up to you--perhaps an even
        better idea would be to set up anti-virii protection at the
        transparent proxy level (both on HTTP and SMTP)

Other (more sinister) ideas:

  * Convince your Win* users to use FOSS tools (OO instead of OfficeXP,
    GIMP instead of Photoshop, less instead of more)
  * Design a virus that insidiously deletes Windows partitions
    *piecemeal*, by slowly crosslinking partition entries, and blame it
    on LongHorn not coming by 2005 (hehe ;)

Cheers,
Zakame

--
|=-------------ZAK B. ELEP (Registered Linux User #327585)-------------=|
|| Web: http://zakame.spunge.org GPG ID: 0xFA53851D ||
|| http://zakame.homelinux.org ICQ UIN: 33236644 ||
|| Location: Daet, Camarines Norte Running Linux 2.6 ||
|=----------1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D----------=|
Debian - When you've got better things to do than to fix a borken system
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
