If you're like most administrators I know, the title of this article probably makes you wonder: Why would you want to teach users how to patch their own systems? After all, one of an administrator's primary goals is to lock down workstations so that users can't do anything to them. However, there are some circumstances where teaching users how to do patch management themselves makes a lot of sense.
Companies that have small remote offices with little connectivity beyond dial up are good examples. In my experience, such offices generally have one to three badly neglected PCs with no constant connection to the outside world. In such an environment, it may be difficult or impossible to automate patch management. If you want to keep the systems up-to-date, you have a choice between sending a support person to the remote office every day or teaching the users how to patch their own system. It's most likely simpler and more cost effective in that situation to train the end user.
Also, many employees have a PC in their home, along with broadband Internet access that is always connected. These employees should have a basic knowledge of patch management because you never know when they might need to work from home. If the employee's home computer isn't properly patched, sensitive documentation could be accessible to the outside world. There is also the possibility that a virus or Trojan horse could attach itself to a file at the employee's home and find its way back to the office. If you teach employees about the importance of patching and show them how to execute the procedure properly, they are more likely to take the time to safeguard their machine at home (especially if you suggest or require it).
Patch management training meetings
So how do you go about educating users on patching systems? Just sending out an e-mail or a memo probably won't make your point -- half the people won't read it, and the other half won't take it seriously. Instead, try to set up a series of training meetings with smaller groups or departments to explain and demonstrate patch management. Try to keep the meetings small. The fewer in the group, the more likely the users will be to ask questions about things they don't understand.
As you discuss patch management with the users, you must keep in mind that most of them are not familiar with patching. You should also keep in mind that there are many patching myths floating around -- and some people whole-heartedly believe those myths. Give users specific dos and don'ts to patch their systems. Here are some of the points to consider discussing:
- Patches fix bugs as well as security holes.
- If you are running Windows XP, enabling Automatic Updates will keep Windows patched.
- Applications, such as Microsoft Office, occasionally need to be patched. Updating Windows does not update your applications. You need to check the application manufacturer's Web site for application-related patches
- If you are running an older operating system, you may need to visit the Microsoft Web site to see if any new patches are available for your version of Windows.
- If you are running an older version of Windows and your machine has sufficient hardware, an upgrade to Windows XP with Service Pack 2 is a good investment. (Be sure to warn users that the minimum hardware requirements for Windows XP are grossly understated).
- Microsoft does not send out security patches through e-mail. If you ever receive an e-mail message that claims to be a service pack, hot fix, patch or anything of the sort, do not even open the message, just delete it. These messages usually contain viruses.
- If users have specific questions about patching or security in general, they can contact you or visit www.microsoft.com/security.
How to make users listen
Patching can be a lot of work for users and not everybody will be immediately receptive to the idea. But there's one sure-fire way to sell patch management: fear.
For example, you might get the ball rolling by showing employees a hacker Web site that contains instructions for exploiting an operating system vulnerability. You could explain to them that unless a security patch is applied, anyone who visits that Web site could figure out how to attack your company's system. Give specific examples of what kinds of documentation is vulnerable, preferably particular to the group or department at the meeting. Then, show them the magic bullet: The patch that again makes them safe.
Sooner or later, someone is bound to ask why patch management is necessary for home computers. The common perception is that only large companies get hacked and your company already has security systems in place.
When that question is raised, ask the group how many of them have ever walked into a store and established an instant credit line. Almost everybody will remember having done so at one time or another. Explain that to get your business, stores will approve credit on the spot. Anybody with a decent credit score can walk in with no money and walk out with a $3,000 television.
Hackers frequently target home computers in an effort to steal personal information, such as a name, address, social security number, etc. With enough personal information, these unsavory types can apply for credit in your name, using your credit score -- and you'll soon be buying them a new television.
Someone may also question whether your specific recommendations are relevant to them; after all, every home machine is set up differently. This is a valid point. I can almost guarantee that the machine I am using to write this article is significantly different from the one you are using to read it. However, there is at least one mitigating factor working to your advantage: Windows XP.
Microsoft generally releases new desktop operating systems every two years, but Windows XP has been in use for an unusually long period of time. Most people with PCs less than four years old are running Windows XP (although you might have someone who uses a Macintosh or Linux). The fact that Windows XP is such a dominant standard means that the information you are presenting will be relevant to most of the people in the group. For the few Windows 98 stragglers in the room, you can take the opportunity to warn them of the dangers that they face and to encourage them to update.
Handouts to provide
You might consider providing some very clear and simple instructions on how to automatically update and manually download patches. You can pass these out at the end of the session and provide a URL for finding the instructions online. That way, you'll have fewer helpdesk calls and more users empowered in your fight to promote patch management.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
More information from SearchWindowsSecurity.com
This was first published in July 2005