I'm going to go back to the Admins themselves here...... Yes, it's easy to spread a virus around the amateur users, (read: Home), but I constantly hear of large companies being brought down by a virus or worm..... That's unacceptable, Period.
The excuse that the constant patching is, IMO, just that... an excuse.
I have 650 workstations to manage from a security point of view. I own 350 of them and the others are managed by sysadmins of varying competence from average to absolutely incompetent. In this scenario I had to make a decision. It was clear that patching my machines when they are open to the other 300 that are less than well managed was a waste of time. Protecting my perimeter was the best I could do. So, I have the following list of precautions and policies in place for all network users:- (these are off the top of my head.... I'm not at work right now and it's friday night... ;)
1. Policy: Email may only be collected from the email client set up by the sysadmin of your organization.
2. Policy: You may not install any software without the explicit permission of your SysAdmin.
3. Policy: You will not use any form of Instant Messenger
4: Policy:You will not use any form of P2P network, see 2 above.
5. Policy: you will not try to circumvent any safeguard put in place by me or your SysAdmin.
6: Precaution: Firewall blocks all incoming then ports are opened to specific machines.
7: Precaution: Firewall blocks all outgoing ports then ports are opened as necessary.
8: Precaution: All publicly available machines are automatically patched daily, regardless of potential harm.
9: Action: Incoming mail is scanned for spam, spam is ditched to a hold folder.
10. Action: Incoming mail is passed to a virus scanner, viruses are removed.
11. Action: Incoming mail is passed to attachment scanner. Executables are ditched to a hold folder.
12. Action: Incoming mail is passed to a content scanner. Suspicious content is removed.
13. Action: Incoming mail is sent to a secondary mail server that rescans for viruses with a different scanner.
14. Action: Primary AV scanner is updated hourly, secondaries: 4 hours and daily.
15: Action: Except on specific machines Outlook denies access to potentially dangerous attachments, (level 1 files)
16. Action: Employ SurfControl to block access web sites that are not "authorized".
17: Action: IDS reports any machine other than SMTP servers sending outbound SMTP. (Firewall blocks them too).
18. Action: IDS reports any machine domonstrating scanning activity.
19: Action: IDS reports IM attempts, P2P attempts, webmail attempts etc. Users get "slapped"
I work for a non-profit so I don't have money to throw at problems but I am an entirely Windows shop....... I don't have the figures here but I will guarantee that my _entire_ expenditure has not exceeded $15,000 - that includes all the hardware.
My record over the three years many of these "precautions" have been in place:-
1. Prior to attachment checking got Kournoukova - killed in 2 hours.
2. During a "downtime" of SurfControl got Klez... <sigh> - Killed in 3 days
3. There is no three.....
I firmly believe that proper perimeter protection is the answer - Remember, my patch level on internal machines, frankly, sucks.... I would like to do better but the reality is I can't.... But the perimeter protection by a competent SysAdmin, (blowing my horn there, in case no-one noticed), is far better then wasting your time chasing patches around a network.
Just my $2.25...... :p