Educause Security Discussion mailing list archives

Re: MS Critical Updates and client management


From: David Dewire <ddewire () PCT EDU>
Date: Mon, 19 Jul 2004 10:34:38 -0400

We have taken the approach that critical patches are exactly that,
critical.  They need to be pushed out as soon as possible (preferably
within 1 to 2 days) to prevent any major exploit from occurring.  The
risk of pushing them out that fast is definitely worth preventing
numerous or possibly all of our systems from going down or being
exploited.  We may run into problems but they are nothing compared to
the damage that could be done.

As for all other updates, if they are not deemed critical (by Microsoft
or by us) then they are not installed until regular maintenance is
performed on those PCs.  The thought here is that the majority of
computer problems arise when changes are made to the system.  Pushing
out updates remotely that are not critical and in many cases updates
that are actually trivial, significantly increases the chances of
something going wrong (especially considering their frequency) and in
many cases can cause PCs that might have other unknown issues to become
unstable.  In my opinion, the risk of possibly making PCs unstable just
so they have a trivial update is not worth taking.  We also do not wish
to annoy our users with every little update that comes out.

A policy of pushing out critical updates as soon as possible combined
with a policy for some form of routine maintenance for things such as
spyware/adware/malware cleanup, other MS updates, and other software
updates seems like the best way to go.  This is also by no means all we
do to protect our systems, it is one of many things we do so someone not
having the latest moderate level MS update is not going to be a major
issue.

Dave Dewire
Coordinator, Advanced Desktop Computer Applications
Pennsylvania College of Technology
ddewire () pct edu


Daniel.OCallaghan () SINCLAIR EDU 7/16/2004 10:11:14 AM >>>

I've searched the archives and effective practices, but haven't found
anything specific to this issue.
I'm looking for input on effective practices for MS Critical Update
deployment, specifically the timelines from MS release to client
deployment.
The majority of clients that authenticate to our domain are configured
using standard "images" based on the systems' intended use.  We recently
began using SUS to update clients, and it appears effective, but there
is disagreement over when the updates should be pushed.
Simplified, there are two schools of thought:
1. All client updates/patches should be installed and vetted on all
standard client image configurations in our test lab for 5-6 days prior
to deployment as the risk and potential impact of a patch breaking
something is greater than the risk of an exploit within this timeframe.

2. Critical updates should be installed and vetted on the most common
client image configurations in our test lab for 1-2 days prior to
deployment as the risk and potential impact of an exploit (as we
approach the zero day) is greater than the patch breaking something.

I realize this is an oversimplification of an industry-wide dilemma,
but am looking for the group's input as to the current risk balance for
effective practice.
Or have we become so polarized that we are missing something?
(Abandoning MS is not a viable option)


Daniel V. O'Callaghan, Jr., CISSP
Information Security Officer
Sinclair Community College
444 West Third Street, 14-002
Dayton, Ohio 45402-1460
937-512-2452
daniel.ocallaghan () sinclair edu


