Few would argue that security is not important. By keeping a PC up-to-date we stand the best chance of assuring that the data, network and identity of its clients are protected. IST goes to great lengths to help maintain a PC and keep it current. This typically means more than just keeping the operating system up-to-date. It also means locking it down in ways that still allows access to data and services that are required by the user.
Applications can be just as vulnerable. If they are not kept current the same risks of exposure exists as it does with the OS, and vulnerabilities can be exposed. To mitigate these risks, IST manages:
· Patches via both WSUS servers for “not-directly-managed” workstations, and a System Center Configuration Manager (SCCM) server for “managed” computers
· Application updates via automatic updates for non-managed clients and SCCM for managed ones
· Firewalls and system settings to protect and lock down critical functions and settings best suited for a corporate environment. Some of these are assigned via the IST “image” that the PC is delivered with. Others are assigned via group policy or SCCM. Some are repeated in both cases because they are so important.
· And Endpoint protection is enabled. IST recommends the Microsoft solution for endpoint protection and anti-malware. This is Microsoft’s Security Essentials for personal PCs and System Center Endpoint Protection (SCEP) for managed UW-owned PCs. More information is available here: http://windows.uwaterloo.ca/Nexus/System%20Center%20Endpoint%20Protection%20in%20Academic%20Support.htm
Every OS has a slightly different security model so whenever there is a new release of Windows, we take our time configuring the newest OS and testing it with our corporate and departmental apps to verify all can still do their jobs.