From: "Geo." 

"Jan van Hoek (NL)"  wrote in
message news:VA.000001ca.017a6586{at}xs4alldot.nl...

> Everything that SUS offers is quarantined and tested first in our testing
> environment for correct working.

Ah ok that makes it a lot more acceptable.

> Anyway, whatever its drawbacks are, SUS is always 500% better than having
> everyone running Windows Update on their own devices.

I agree, given the choice I'd rather use SUS for internal machines. But
there is another choice, isolate the internal network by breaking it into
security sections and don't patch. I don't know if you can do that at a
bank but that's what I've been doing on our internal network. Instead we
put our efforts into making sure stuff doesn't get in, machines that go out
and in are isolated from the unpatched network machines.

In fact it's kind of like the setup at the bank, there is outside the
building (the internet), Inside customer area (for machines that go out and
in), behind the counter area (for normal desktops) and the vault (for the
internal servers). More restrictive firewall rules all along the way.

> To conclude: I agree with the underlying risks that you mention. But as
> long as we don't have something better, we have to cope...

I think the risk of a trojaned patch is somewhat less than with Linux
because source is not easy to come by (although it is out there) and
because things are signed. By my concern was more one of automatic
unapproved updates getting out to desktops which you said isn't how it
works. So I'm less concerned about that now.

Geo.

--- BBBS/NT v4.01 Flag-5