Educause Security Discussion mailing list archives
Re: Imaged System Patching Strategies was Re: DShield and Symantec report MSBlast in wild
From: Michelle Mueller <muellerm () MTMARY EDU>
Date: Thu, 14 Aug 2003 11:03:16 -0500
Our users have "User" rights. We do not allow "power users" or "admin" except in special circumstances. So, no, your users do not need admin rights for this to work. One big minus of this program is that you need to have IIS running on the SUS server. Here is an excerpt from the SUS Release Notes: Example1: IT admin wants installation to occur immediately following system startup 1. IT administrator schedules update installations to occur every day at 3 a.m. 2. IT administrator sets the RescheduleWaitTime registry value to 1. 1. Automatic Updates finds an update, downloads it, and is ready to install it at 3 a.m. 2. End user does not see the "ready to install" prompt because she is does not have administrative privileges on her computer. 3. End user turns her computer off. 4. The scheduled time (3 a.m.) passes while the computer is off. 5. End user turns on the computer. 6. When Automatic Updates starts, it recognizes that it missed its previously set scheduled installation time and that RescheduleWaitTime is set to 1. It therefore logs an event stating the new scheduled time (one minute after the current time). 7. If no one logs in before the newly scheduled time, (1 minute interval) the installation begins. Since no one is logged in, there is no delay and no notification. If the update requires it, Automatic Updates will restart the computer. 8. The user logs in to the updated computer. _________________ If the user is logged in when the update is pushed, they get notification that the installation will take place in 5 minutes. The box remains up and counts down from 5 minutes. They are told to save their work. They have the option to cancel this installation but you can configure it so that option is grayed out. After the installation is complete, another box pops up telling the user that the machine will reboot in 5 minutes. Again, it counts down from 5 to reboot. Again, the user can cancel this unless you have that right denied. This is all configured in group policy. Feel free to ask me any more questions you have. This program has been a huge help and time saver to us. I'd love to help others benefit from it. Michelle Stephen W. Thompson wrote:
On Thu, 14 Aug 2003, Michelle Mueller wrote:We use a Software Update Services server which is basically an internal Windows Update Server. You need to be using Group Policies to use SUS. It's worked great for us. When the notice came out about the RPC vulnerability, I pushed the critical update out to all campus computers using this server. We were protected by the afternoon of that day.Michelle and others -- I'm no Win sysadmin myself, so an illiterate question about this. I mentioned hearing good things about SUS, and a support person dismissed it, saying that it would only work if the user had Admin privileges, which wasn't their policy. So at a bird's eye view, what are the privilege requirements, do machines need to be kept on 24x7, does it run on a schedule or at domain authentication time, and so forth? Thanks! En paz, Steve, security analyst -- Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP thompson () isc upenn edu URL=http://pobox.upenn.edu/~thompson/index.html For security matters, use security () isc upenn edu, read by InfoSec staff The only safe choice: Write e-mail as if it's public. Cuz it could be. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Imaged System Patching Strategies was Re: DShield and Symantec report MSBlast in wild Gary Flynn (Aug 13)
- <Possible follow-ups>
- Re: Imaged System Patching Strategies was Re: DShield and Symantec report MSBlast in wild Stephen W. Thompson (Aug 14)
- Re: Imaged System Patching Strategies was Re: DShield and Symantec report MSBlast in wild Michelle Mueller (Aug 14)