Educause Security Discussion mailing list archives

Re: Imaged System Patching Strategies was Re: DShield and Symantec report MSBlast in wild


From: Michelle Mueller <muellerm () MTMARY EDU>
Date: Thu, 14 Aug 2003 11:03:16 -0500

Our users have "User" rights.  We do not allow "power users" or "admin"
except in special circumstances.  So, no, your users do not need admin
rights for this to work.  One big minus of this program is that you need
to have IIS running on the SUS server.

Here is an excerpt from the SUS Release Notes:


Example 1: IT admin wants installation to occur immediately following system startup

1.   IT administrator schedules update installations to occur every day
at 3 a.m.

2.   IT administrator sets the RescheduleWaitTime registry value to 1.

1.       Automatic Updates finds an update, downloads it, and is ready
to install it at 3 a.m.

2.       End user does not see the "ready to install" prompt because she
does not have administrative privileges on her computer.

3.       End user turns her computer off.

4.       The scheduled time (3 a.m.) passes while the computer is off.

5.       End user turns on the computer.

6.       When Automatic Updates starts, it recognizes that it missed its
previously set scheduled installation time and that RescheduleWaitTime
is set to 1. It therefore logs an event stating the new scheduled time
(one minute after the current time).

7.       If no one logs in before the newly scheduled time (1-minute
interval), the installation begins. Since no one is logged in, there is
no delay and no notification. If the update requires it, Automatic
Updates will restart the computer.

8.       The user logs in to the updated computer.

_________________

If the user is logged in when the update is pushed, they get a
notification that the installation will take place in 5 minutes.  The
box remains up and counts down from 5 minutes.  They are told to save
their work.  They have the option to cancel this installation but you
can configure it so that option is grayed out.  After the installation
is complete, another box pops up telling the user that the machine will
reboot in 5 minutes.  Again, it counts down from 5 to reboot.  Again,
the user can cancel this unless you have that right denied.

This is all configured in group policy.

Feel free to ask me any more questions you have.  This program has been
a huge help and time saver to us.  I'd love to help others benefit from it.

Michelle



Stephen W. Thompson wrote:

On Thu, 14 Aug 2003, Michelle Mueller wrote:

We use a Software Update Services server which is basically an internal
Windows Update Server.  You need to be using Group Policies to use SUS.
It's worked great for us.  When the notice came out about the RPC
vulnerability, I pushed the critical update out to all campus computers
using this server.  We were protected by the afternoon of that day.

Michelle and others --

I'm no Win sysadmin myself, so an illiterate question about this.  I
mentioned hearing good things about SUS, and a support person dismissed
it, saying that it would only work if the user had Admin privileges,
which wasn't their policy.  So at a bird's eye view, what are the
privilege requirements, do machines need to be kept on 24x7, does it
run on a schedule or at domain authentication time, and so forth?

Thanks!

En paz,
Steve, security analyst
--
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu    URL=http://pobox.upenn.edu/~thompson/index.html
 For security matters, use security () isc upenn edu, read by InfoSec staff
 The only safe choice: Write e-mail as if it's public.  Cuz it could be.
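The reschedule behaviour Michelle quotes from the SUS release notes, as an added worked model that is not part of the original thread (a constructed simulation, not Microsoft's code): given the daily 3 a.m. window, a RescheduleWaitTime in minutes and a timeline of power-off/on and logon events, it reports when the install fires and whether a logged-on user sees the 5-minute countdown. The event format, the `at` helper and the no-RescheduleWaitTime fallback are assumptions.

```python
from datetime import datetime, timedelta

# Model of the Automatic Updates behaviour in the SUS release-notes excerpt:
# a daily install window (3 a.m.), RescheduleWaitTime minutes applied after
# startup when the window was missed because the machine was off, and a
# 5-minute countdown when a user is logged on. Event format is an assumption.

SCHEDULED_HOUR = 3
LOGGED_ON_DELAY = timedelta(minutes=5)

def at(month, day, hour, minute=0, second=0):
    """Constructed timestamps in the year of the thread (2003)."""
    return datetime(2003, month, day, hour, minute, second)

def next_window(t):
    """First scheduled install time strictly after t."""
    w = t.replace(hour=SCHEDULED_HOUR, minute=0, second=0, microsecond=0)
    return w if w > t else w + timedelta(days=1)

def simulate(ready, events, reschedule_wait_min=1):
    """events: ordered (datetime, 'off'|'on'|'logon'|'logoff') pairs after
    `ready`, when the update is downloaded. Returns (install_time or None, log)."""
    on, logged_on, due, log = True, False, next_window(ready), []
    for when, kind in events + [(ready + timedelta(days=3), "end")]:
        if due is not None and due <= when:       # window passed before this event
            if on:
                t = due + LOGGED_ON_DELAY if logged_on else due
                how = "after 5-min countdown" if logged_on else "silently, no one logged on"
                log.append(f"{t:%m-%d %H:%M} install {how}")
                return t, log
            log.append(f"{due:%m-%d %H:%M} missed: machine off")
            due = None
        if kind == "off":
            on, logged_on = False, False
        elif kind == "on":
            on = True
            if due is None and reschedule_wait_min is not None:
                due = when + timedelta(minutes=reschedule_wait_min)
                log.append(f"{when:%m-%d %H:%M} startup: rescheduled to {due:%H:%M}")
            elif due is None:   # assumption: no RescheduleWaitTime -> wait for next window
                due = next_window(when)
        elif kind in ("logon", "logoff"):
            logged_on = kind == "logon"
    return None, log

if __name__ == "__main__":
    # Release-notes scenario: ready at 22:00, shut down, on at 08:00, logon at 08:04.
    events = [(at(8, 13, 23), "off"), (at(8, 14, 8), "on"), (at(8, 14, 8, 4), "logon")]
    print(*simulate(at(8, 13, 22), events)[1], sep="\n")
```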

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
