Tunables for Linux hosts serving Win* clients (was Re: Re: DOS on Squid): msg#00436

org.user-groups.linux.philippine

Subject: Tunables for Linux hosts serving Win* clients (was Re: Re: DOS on Squid)

On Thu, Jun 24, 2004 at 12:49:24PM +0800, Ian Dexter R. Marquez wrote:
> On Wed, 23 Jun 2004 19:33:09 -0600,
> ramfree26-s8PdfxpoPdHk1uMJSBkQmQ@xxxxxxxxxxxxxxxx
> <ramfree26-s8PdfxpoPdHk1uMJSBkQmQ@xxxxxxxxxxxxxxxx> wrote:
> > well in some scenarios it is not advisable to let windows update run freely.
> > in our company only approved patches/fixes are installed because not every
> > patch that microsoft releases is *guaranteed* to work.
> >
> Yes, having windows update running freely on workstations is not
> advisable. (Got a first-hand taste of how it craps on one of my
> servers -- a domain controller to boot -- which barfed errors after
> installing a service pack from the net.) What I do in my network is
> have *dedicated* machines (one for each OS: XP, 2000, 98SE) download
> all patches from Windows Update in a given schedule, then have those
> patches made available through the LAN in shared directories. That
> way, I have control over what patches to apply to the workstations.
> It's a bit tedious, though -- but it's gotta be done. We also get
> discs of cumulative patches and updates from MS, like the one
> containing security updates from Jan to May 2004. It was given free, I
> think, in one of their gigs.
>
> What you probably want to do is block it through your firewall, AND
> through ACLs in squid. HTH.

True. iptables && squid-acl should do the trick.

However, consider this:

* Turn off useless (and memory/swap hogging) processes on your Win*
  hosts, especially BACKGROUND procs:
  + Windows Update - don't run this, instead do as Ian said ;-)
  + Remote Desktop - who needs this anyway, you can always get ssh
    (PuTTY for Win* folks)
  + Toys, Screensavers, Porn Dialers, Junk - especially WebShots
    Desktop, since that gets gfxs from the Web, might even be spyware
  + Anti-Virii (Optional) - You might want to remove this to get
    better performance, but that's entirely up to you--perhaps an even
    better idea would be to set up anti-virii protection at the
    transparent proxy level (both on HTTP and SMTP)

Other (more sinister) ideas:

* Convince your Win* users to use FOSS tools (OO instead of OfficeXP,
GIMP instead of Photoshop, less instead of more)

* Design a virus that insidiously deletes Windows partitions
*piecemeal*, by slowly crosslinking partition entries, and blame it
on LongHorn not coming by 2005 (hehe ;)

Cheers,
Zakame

--
|=-------------ZAK B. ELEP (Registered Linux User #327585)-------------=|
|| Web: http://zakame.spunge.org GPG ID: 0xFA53851D ||
|| http://zakame.homelinux.org ICQ UIN: 33236644 ||
|| Location: Daet, Camarines Norte Running Linux 2.6 ||
|=----------1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D----------=|
Debian - When you've got better things to do than to fix a borken system

Attachment: signature.asc
Description: Digital signature

--
Philippine Linux Users' Group (PLUG) Mailing List
plug-sJCYDywXB4m9hMQLrSLElQC/G2K4zDHf@xxxxxxxxxxxxxxxx (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie