Educause Security Discussion mailing list archives

FW: MS Critical Updates and client management


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Fri, 16 Jul 2004 12:02:33 -0400

My thoughts are that if the potential for exploitation of a particular
vulnerability is severe enough, then the 1-2 day lag that you discuss in
item #2 is about 2 days too long.  I am a big proponent of testing, but
barring your enterprise servers, I think that the risk of someone taking
advantage of a freshly advertised hole far outweighs the likelihood of a
patch or update breaking a desktop application or causing data loss.  I tend
to agree with you on item #1, understanding that this does not
represent critical updates.



Thanks,

Chad McDonald, CISSP

Director of Campus Computer Support Services

Georgia College & State University

Phone   478.445.4473

Fax       478.445.1202

Email    chad.mcdonald () gcsu edu

Home Page       http://chadmcdonald.net



  _____

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of O'Callaghan, Daniel
Sent: Friday, July 16, 2004 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS Critical Updates and client management



I've searched the archives and effective practices, but haven't found
anything specific to this issue.

I'm looking for input on effective practices for MS Critical Update
deployment, specifically the timelines from MS release to client deployment.

The majority of clients that authenticate to our domain are configured using
standard "images" based on the systems' intended use.  We recently began
using SUS to update clients, and it appears effective, but there is
disagreement over when the updates should be pushed.

Simplified, there are two schools of thought:

1. All client updates/patches should be installed and vetted on all standard
client image configurations in our test lab for 5-6 days prior to deployment
as the risk and potential impact of a patch breaking something is greater
than the risk of an exploit within this timeframe.

2. Critical updates should be installed and vetted on the most common client
image configurations in our test lab for 1-2 days prior to deployment as the
risk and potential impact of an exploit (as we approach the zero day) is
greater than the patch breaking something.



I realize this is an oversimplification of an industry-wide dilemma, but am
looking for the group's input as to the current risk balance for effective
practice.

Or have we become so polarized that we are missing something? (Abandoning MS
is not a viable option)





Daniel V. O'Callaghan, Jr., CISSP

Information Security Officer

Sinclair Community College

444 West Third Street, 14-002

Dayton, Ohio 45402-1460

937-512-2452

daniel.ocallaghan () sinclair edu



********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
