Educause Security Discussion mailing list archives
FW: MS Critical Updates and client management
From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Fri, 16 Jul 2004 12:02:33 -0400
My thoughts are that if the potential for exploitation of a particular vulnerability are severe enough, then the 1-2 day lag that you discuss in item #2 is about 2 days to long. I am a big proponent of testing, but barring your enterprise servers, I think that the risk of someone taking advantage of a freshly advertised hole far outweighs the likelihood of a patch or update breaking a desktop application or causing data loss. I tend to agree with you on item #1, understanding that that this does not represent critical updates. Thanks, Chad McDonald, CISSP Director of Campus Computer Support Services Georgia College & State University Phone 478.445.4473 Fax 478.445.1202 Email chad.mcdonald () gcsu edu Home Page http://chadmcdonald.net <http://chadmcdonald.net/> _____ From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of O'Callaghan, Daniel Sent: Friday, July 16, 2004 9:11 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] MS Critical Updates and client management I've searched the archives and effective practices, but haven't found anything specific to this issue. I'm looking for input on effective practices for MS Critical Update deployment, specifically the timelines from MS release to client deployment. The majority of clients that authenticate to our domain are configured using standard "images" based on the systems' intended use. We recently began using SUS to update clients, and it appears effective, but there is disagreement over when the updates should be pushed. Simplified, there are two schools of thought: 1. All client updates/patches should be installed and vetted on all standard client image configurations in our test lab for 5-6 days prior to deployment as the risk and potential impact of a patch breaking something is greater than the risk of an exploit within this timeframe. 2. Critical updates should be installed and vetted on the most common client image configurations in our test lab for 1-2 days prior to deployment as the risk and potential impact of an exploit (as we approach the zero day) is greater than the patch breaking something. I realize this is an oversimplification of an industry-wide dilemma, but am looking for the groups' input as to the current risk balance for effective practice. Or have we become so polarized that we are missing something? (Abandoning MS is not a viable option) Daniel V. O'Callaghan, Jr., CISSP Information Security Officer Sinclair Community College 444 West Third Street, 14-002 Dayton, Ohio 45402-1460 937-512-2452 daniel.ocallaghan () sinclair edu ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- MS Critical Updates and client management O'Callaghan, Daniel (Jul 16)
- <Possible follow-ups>
- FW: MS Critical Updates and client management Chad McDonald (Jul 16)
- Re: FW: MS Critical Updates and client management Bill Frazier (Jul 16)
- Re: MS Critical Updates and client management David Dewire (Jul 19)