Zube's Policy on Windows PC Patching, Take 35

And Action!

[None of this should be much of a surprise; what is described is the current reality, written down.]

The short version of the Windows PC patch policy is:

* If it's on the network, it must be patched.
* If it isn't patched, it can't be on the network.
* If a machine is hacked, trojaned, rootkitted or whatever, it comes off the network and *stays* off the network until it is completely fixed to my satisfaction, which, because of my schedule, could be quite a while and may require a complete reinstall.

These rules refer to the physical networks I maintain only. If you have a wireless card and are using the CSU VPN or if you have a connection somewhere else, have at it. Do or don't patch, it doesn't matter to me. ACNS might care, though.

There are two sets of machines out there:

* machines that I personally patch ("hands-on")
* machines that should be patched by the owner after an alert notice ("hands-off")

Most of the hands-off machines are laptops. I don't patch most laptops for a variety of reasons, ranging from complete trust to unbridled apathy.

When I initially set up a machine and turn it over to the primary user, it is as secure as it ever will be. From then on, it is up to the owner/user to keep it secure or to bring it to me once a month for patches.

I have no problem patching any department machine or providing tune-ups to machines with a fair amount of lead time, but I no longer have time to nag, pester, cajole, or plead for people to patch, nor do I have time to try to track down a laptop multiple times just to beg for the honor of patching it. With the various labs included, I'm patching over 200 machines in a little over 52 hours. There's just no slack time anymore.

So, if your laptop is on the network and it starts spewing garbage, or it is attacked and compromised, I pull the plug in the closet and the machine goes to the back of the queue; it is therefore in both our best interests for one of us to patch.

If you want me to patch your laptop, let me know. You must make sure the laptop is nearby sometime on or after the second Tuesday of each month (the day when Windows patches are released). Otherwise, you are on your own, which is fine (less work for me), but do remember the consequences of not patching, please, especially when the network stops working.

If you have any questions, please email.

Zube