We were protected at the perimeter (firewalled the known ports it uses) however, the virus did get inside through other means. All unpatched boxes were infected.

I'd say take both recommendations and use it as a tiered strategy. If our admins would have done so, my life would have been much easier last week.

--TH13